We’re using auth0-react at our application and found out a great way to customise passwordless user experience by creating our very custom login form where user can input their email (I’m reporting this issue at this repository because auth0-react is powered by auth0-spa-js) and receive login link without being redirected to auth0 to log in. For that we can use auth0-js and WebAuth class with passwordlessStart. It worked perfectly in the beginning, the code indeed sent login link to the email. The problem is that when I get redirected to the app after a successful login (by clicking the link at the email), I get isAuthenticated to be false but also I notice a hash URL with auth_token parameter #auth_token=1234. I never seen it before and my guess is that auth0-js and auth0-spa-js authentication flows are incompatible (auth0-spa-js handles ?code= query parameter instead of the hash parameter). At the same time when we use the regular passwordless authentication, it works perfectly.
What was the expected behavior?
Either of this:
- auth0-spa-js (including auth0-react) would accept URL credentials generated with
passwordlessStart(the #auth_token= thing). - auth0-spa-js should have similar function but I couldn’t find it.
- Find some workaround to make both libraries compatible: use auth0-js for log in, use auth0-spa-js (or auth0-react) to authorise. I tried to replace
#auth_token=1234by?code=1234and it didn’t help.
Reproduction
- Use auth0-js and WebAuth class with
passwordlessStartto authenticate (standard documentation). - Log in by clicking a link.
- Use auth0-spa-js (or auth0-react) to authorise. You’ll get isAuthenticated equal to false and
#auth_token=1234at URL