I have already read a few topics in this community about passwordless login with account linking extension, and I am aware of the limitation for the account linking extension mentioned here: Account Link Extension
However, I am trying to get clear whether what I am seeing is expected behaviour, as it would seem to suggest that I fundamentally cannot enable BOTH passwordless AND account linking at the same time.
This is the situation:
- We have the Account Linking extension enabled
- We have 2 authentication methods enabled overall: passwordless (email, code) and google authenticator. Both are enabled for our frontend App and the Account Linking App created by the extension. Database (email/password) is disabled.
We have been testing how the Account Linking process works with various orders of signup:
1. Signup with google first. Then attempt to perform passwordless login with the same email.
Outcome is that passwordless/start sends an email with a code, but when calling the oauth/token endpoint, it fails with error:
{
"error": "invalid_request",
"error_description": "Redirection is not available on /oauth/token endpoint."
}
The user HAS been created in auth0, but we have no token. Running the passwordless process a second time successfully gets an access token. Of course, the accounts have not been linked. Conclusion is that the redirect for account linking is failing on the first attempt as user is created, but this doesn’t happen on subsequent passwordless login. Overall, this would break our user flow (due to the error), even ignoring the fact that the accounts were not linked.
2. Signup with passwordless first. Then attempt to authenticate with Google account having same email.
Outcome is that the user is successfully redirected to the account linking screen, however on clicking continue, the user is then taken the the database (email/password login) screen, which of course is not enabled, so the user cannot login to link accounts.
Again, overall this breaks our user flow and the user will be left not understanding what they are supposed to do.
So, it seems that with our 2 enabled connections, account linking doesn’t work at all, but furthermore introduces error situations that break the normal flows. We may want to introduce other types of authentication in the future, where account linking would be useful, even if it cannot work specifically with passwordless.
Can anyone confirm this is “expected” behaviour, and offer any fixes that would allow passwordless and account linking to be enabled at the same time?