Hi,
I am using passwordless to authenticate users in a mobile app.
Using /oauth/token with grant_type=password, one is able to use a passwordless username/password with a default_directory.
However, using grant_type=http://auth0.com/oauth/grant-type/password-realm, one is not allowed to use realm sms/email… How consistent is that? That restricts us to using passwordless with either sms or email, but not both…
I know the official guideline is to push toward universal-login, but in the case of a native mobile app, this is a really poor user experience and a no-go for our business case…
Could anyone argue why there is this restriction? And saying that there is “no support” for it doesn’t seem to me like a valid argument. I expect from a company offering security services a robust, fully thought-out API and not an API offering half features and allowing “unsupported cases”…
For consistency one should allow grant_type=http://auth0.com/oauth/grant-type/password-realm to work with sms/email or disallow using grant_type=password with passwordless (which would probably break a lot of applications including ours).