I have searched for some time while to no avail on this topic. This is the closest answer I’ve found.
We are using an Angular SPA application and the auth0-spa-js library. We have a passwordless connection with Universal Login setup. What I’d like to do is immediately get the user an magic link email that they can click and immediately log into the application, bypassing the Universal Login step where they have to manually type in their email.
The process would look something like a button that says “Click here to generate email”. When they click it, they get a message that tells them to check their email. Then they click the link in that email and are back where they started, except they are also fully authenticated.
The topic link above seems to partially address this, but it’s using the Auth0-js library, not the auth0-spa-js library. It also seems to need an explicit verification of the code from the generated email.
So… Can Auth0-js and auth0-spa-js work together, or are they really intended to be one or the other?
Will a magic link work if I initiate it via auth0-js with passwordlessStart, but use handleRedirectCallback from auth0-spa-js ?
If I find the time I can experiment, but I could get time allotted to me to build this solution if I knew this was a solid path to take
Any expertise is greatly appreciated. Please and thank you!
I am not sure about this one, I think I may be missing some of the concept though.
How would the API know which user to send the magic link to? As you can see in the endpoint doc, the API call to send the magic link requires an email address field for who the recipient is.
If you are doing this from a programmatic sense (or as an admin) then all you would have to do is utilize the endpoint I mentioned above.
Does this make sense?
As far as using auth0.js and auth0-spa-js is concerned, you will not want to use the two libraries together. They use different grant types and are intentionally seperate
How would the API know which user to send the magic link to?
I have the email of the user, and I can pass it in to any library/api calls.
If you are doing this from a programmatic sense (or as an admin) then all you would have to do is utilize the endpoint I mentioned above.
The problem is that we are using auth0-spa-js, which does not have a passwordlessStart method. We only have “loginWithRedirect” and “loginWithPassword”. Since you said we shouldn’t use both libraries, does that mean I’m stuck?
I am not sure about just using a post request with the passwordless/start endpoint, then handling it with auth0-spa-js. In theory I think this would work but I haven’t had the time to set it up and try it.
Thanks for your replies. I already use the login_hint option to pre-fill the email. The extra click is what is undesirable. It should in theory be possible to, with only two clicks, no typing, and never seeing the Universal Login page get into the application. One click to initiate passwordless (without leaving the initial page, followed by a toast explaining they should check their email), and a second click in the email they receive.
One day I’ll get around to trying the passwordless initialization with auth0-spa-js handleAuthentication.
It would be nice to have a Utility Auth0 library to make more direct decisions about the authentication flow that could be used along side the other “simple” libraries.
I reached out to the team on this one. It looks like the issue with using auth0.js and auth0-spa.js together is that the state will break. They said if you inject the state you could get around this, but they would not recommend doing this.
I sent the whole thread over, maybe we can get some more insight. I’ll update here if I hear anything.
