Error trying Passwordless Authentication with Magic Links

thibaud.godard · January 31, 2020, 3:40pm

Hi,
I’m trying to use Passwordless Authentication with Magic Links on a regular web application.
First I tried to use curl to send an email with a code:
curl --request POST --url ‘https://dev-4tddokfo.eu.auth0.com/passwordless/start’ --header ‘content-type: application/json’ --data ‘{“client_id”: “4PYhqSCQ1AFefPomYTj6Cec7pwkYV7g0”, “client_secret”: “MY_CLIENT_SECRET”, “connection”: “email”, “email”: “thibaud.godard@ysance.com”,“send”: “code”}’
I receive an email with a code and I can put this code in my login page to log in my app. It’s work. So I think my app is well configured.

Then I tried to add a form in my “admin page” (and stop to use curl), to send an email to somebody to invite him with a LINK.
Python server:
conn = http.client.HTTPSConnection(“dev-4tddokfo.eu.auth0.com”)
payload = “{"client_id": "4PYhqSCQ1AFefPomYTj6Cec7pwkYV7g0", "client_secret": "MY_SECRET", "connection": "email", "email": "{EMAIL}","send": "link"}”.format(EMAIL=email)

headers = {‘content-type’: “application/json”}

conn.request(“POST”, “/dev-4tddokfo.eu.auth0.com/passwordless/start”, payload, headers)

res = conn.getresponse()

data = res.read()

When I do that, I don’t receive any email and I have this error when I print data: {“error”:“bad.tenant”,“error_description”:“error in tenant - tenant validation failed: dev-4tddokfo.eu.auth0.com”}

I followed this documentation:

I don’t understand why?

I also tried to use curl like this:
curl --request POST --url ‘https://dev-4tddokfo.eu.auth0.com/passwordless/start’ --header ‘content-type: application/json’ --data ‘{“client_id”: “4PYhqSCQ1AFefPomYTj6Cec7pwkYV7g0”, “client_secret”: “MY_CLIENT_SECRET”, “connection”: “email”, “email”: “thibaud.godard@ysance.com”,“send”: “code”}’
I received email but when I click on the link, I have this error:
{

message: “400 Bad Request: The browser (or proxy) sent a request that this server could not understand. KeyError: ‘code’”
}

Thanks !

karen.bermudez · January 31, 2020, 5:26pm

Hello @thibaud.godard! Welcome to our Community!

At this current point we do not support using passwordless authentication in embedded situations. We recommend using universal login to achieve a passwordless solution either with a link or a code.

Thank you!

thibaud.godard · January 31, 2020, 5:36pm

Hello @karen.bermudez,

I need an enterprise account to get help on this subject ?

I already tried with universal login, it’s work.

Thank you

karen.bermudez · January 31, 2020, 5:54pm

Hi @thibaud.godard

No, we do not support it with any kind of subscription.

Thank you!

nicolas_sabena · January 31, 2020, 6:46pm

Actually, embedded passwordless login in web apps is now supported. This document details this flow: https://auth0.com/docs/connections/passwordless/guides/embedded-login-webapps

As for the error, I’m not familiar with the Python http client, but it looks as if you are putting the domain name in the path:

conn.request(“POST”, “/dev-4tddokfo.eu.auth0.com/passwordless/start”, payload, headers)

Can you try without it?

conn.request(“POST”, “/passwordless/start”, payload, headers)

thibaud.godard · February 1, 2020, 11:47am

Hey thank you @nicolas_sabena ! I follow your advise, I now receive an email with a link ! When I click on the link I’m redirected on “consent” page, then I accept and I have an other error:
{

message: “400 Bad Request: The browser (or proxy) sent a request that this server could not understand. KeyError: ‘code’”
}

I’m working on it, any advise ?

Thank you for your help !

tenrisabo · February 3, 2020, 8:00am

One of the biggest skepticism around passwordless authentication is the idea that using a channel like email to send a code or link can be unsafe because it can be compromised.

thibaud.godard · February 3, 2020, 9:14am

I’m trying auth0 on localhost on my laptop. How it can be compromised ? There is nothing to compromise, it’s not a real website.