I’m seeing this too - getting {"error":"bad.connection","error_description":"Public signup is disabled"} on the /passwordless/start endpoint for emails that exist in the user database when the public signup option is disabled. Looks like this has been a problem for [checks other issue…] at least two years without any official response or fix.
Update: I’ve figured out that if I log in with a user while signups are enabled, I can then continue to log in with that user once signups are disabled. The confusing part is that the email already exists as a user in the user database connected to the application being logged into. My best guess is that there’s a “passwordless user” concept that’s distinct from “normal” users that already exist in the database. I’ve seen mention in a couple of other places like Is it possible to do Invite-Only Passwordless authentication? - #2 by prashantT that a “passwordless user” can only be created via the API, so that seems to confirm this theory.
In any case, the distinction between normal users and passwordless users, the way the latter needs to be created, and how disabling signups won’t work for users provisioned in the dashboard aren’t at all clear from the docs.
I moved this to a new topic as it was a separate issue from the topic you initially posted in. I also answered on twitter, but feel free to continue the conversation here as it allows for more long-form discussion.
It seems the main issue here was that there was no distinction made between the two users with the same email, one being from a passwordless connection and one being from an email/password(database) connection.
For clarity, these user profiles would be handled separately, similarly to how a user coming from a database would have a separate profile to a user coming from a social connection like google or facebook.
We do support an account linking feature that can bridge that gap, but it is not set up by default.
How could we leverage docs to make this distinction more clear?
Thanks a lot for following up Dan! My own confusion (and I assume that of the other folks who’ve opened similar issues) comes from a misunderstanding of what a “connection” is and the way it relates to a user database as being a distinct type of connection.
More specifically, this wording in the docs is confusing (at least to me):
When a user authenticates via Passwordless, the user is attached to the connection using Auth0 as the Identity Provider (IdP). Since you can’t force users to use the same mobile phone number or email address every time they authenticate, users may end up with multiple user profiles in the Auth0 datastore; you can link multiple user profiles through account linking.
Maybe it’s the phrasing “the user is attached to the connection” which seems to suggest a passwordless user is somehow related to an existing connection (presumably the user database).
I don’t want to be so presumptuous as to assume everyone is confused by this, but since there are other open community issues with similar questions I’d suggest clarifying this relationship more clearly right on that first docs page. Something like…
A passwordless connection is another type of connection separate from any existing database, social, or Enterprise connections. Even though a user from an Auth0 user database or social provider might share the same email address, the identity associated with their passwordless connection is distinct. As with linking multiple email addresses or mobile phone numbers used for the passwordless connection, account linking can also be used to associate a passwordless identity with identities from other types of connections.
Also note that passwordless users cannot currently be created from the Dashboard and will need to be created from the Management API if signup is disabled or users need to be created directly.
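The distinction the thread arrives at (a passwordless identity lives in its own connection, so an email that exists only in the database connection is rejected by /passwordless/start once public signup is off) can be checked and handled programmatically with the Management API. The script below is an added example and is not code from the thread or from Auth0. It assumes the default connection names Auth0 ships with (the passwordless email connection is named `email`, the database connection `Username-Password-Authentication`), the documented `GET /api/v2/users-by-email` and `POST /api/v2/users` endpoints, and a constructed sample response; the live functions are only called when you supply a tenant domain and credentials.

```python
"""Check whether an email already has a passwordless identity and, if not,
provision one via the Auth0 Management API before public signup is disabled.
Added example; connection names and sample data are assumptions / constructed."""
import json
import urllib.parse
import urllib.request

# Assumed default connection names for an Auth0 tenant.
PASSWORDLESS_CONNECTION = "email"
DATABASE_CONNECTION = "Username-Password-Authentication"

# Constructed sample of what GET /api/v2/users-by-email might return for an
# email that was provisioned in the Dashboard (database connection only).
SAMPLE_DATABASE_ONLY = [
    {
        "user_id": "auth0|EXAMPLE_DB_USER_ID",
        "email": "alice@example.com",
        "identities": [
            {"connection": DATABASE_CONNECTION, "provider": "auth0",
             "user_id": "EXAMPLE_DB_USER_ID", "isSocial": False}
        ],
    }
]

# Constructed sample after a passwordless login created a second, separate profile.
SAMPLE_BOTH = SAMPLE_DATABASE_ONLY + [
    {
        "user_id": "email|EXAMPLE_PASSWORDLESS_USER_ID",
        "email": "alice@example.com",
        "identities": [
            {"connection": PASSWORDLESS_CONNECTION, "provider": "email",
             "user_id": "EXAMPLE_PASSWORDLESS_USER_ID", "isSocial": False}
        ],
    }
]


def connections_for_email(profiles):
    """Return the set of connection names in which this email already has an identity.
    One email can map to several profiles; each profile lists its own identities."""
    return {ident["connection"] for p in profiles for ident in p.get("identities", [])}


def needs_passwordless_provisioning(profiles, connection=PASSWORDLESS_CONNECTION):
    """True when no profile holds an identity in the passwordless connection, which is
    exactly the case that makes /passwordless/start answer 'Public signup is disabled'."""
    return connection not in connections_for_email(profiles)


def build_create_user_payload(email, connection=PASSWORDLESS_CONNECTION):
    """Body for POST /api/v2/users that creates the passwordless profile directly."""
    return {"email": email, "connection": connection, "email_verified": True}


def _json_request(url, token=None, body=None):
    headers = {"Content-Type": "application/json"}
    if token:
        headers["Authorization"] = "Bearer " + token
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, headers=headers)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def management_token(domain, client_id, client_secret):
    """Client-credentials grant for the Management API audience."""
    return _json_request(f"https://{domain}/oauth/token", body={
        "grant_type": "client_credentials", "client_id": client_id,
        "client_secret": client_secret, "audience": f"https://{domain}/api/v2/",
    })["access_token"]


def get_users_by_email(domain, token, email):
    q = urllib.parse.urlencode({"email": email})
    return _json_request(f"https://{domain}/api/v2/users-by-email?{q}", token=token)


def provision_if_missing(domain, token, email, connection=PASSWORDLESS_CONNECTION):
    """Create the passwordless profile only when the email lacks one; returns the
    created profile, or None when nothing had to be done."""
    profiles = get_users_by_email(domain, token, email)
    if not needs_passwordless_provisioning(profiles, connection):
        return None
    return _json_request(f"https://{domain}/api/v2/users", token=token,
                         body=build_create_user_payload(email, connection))


if __name__ == "__main__":
    # Offline walk-through on the constructed samples.
    print("database only ->", sorted(connections_for_email(SAMPLE_DATABASE_ONLY)),
          "needs provisioning:", needs_passwordless_provisioning(SAMPLE_DATABASE_ONLY))
    print("both           ->", sorted(connections_for_email(SAMPLE_BOTH)),
          "needs provisioning:", needs_passwordless_provisioning(SAMPLE_BOTH))
```

Run `provision_if_missing` for every email you intend to admit, then disable public signup; users created this way get an `email|…` profile distinct from their `auth0|…` database profile, so attributes set on one are not visible on the other until you link the two with account linking.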