"Failed Silent Auth" Due to "Consent Required"

We are developing Authentication in our app which consists of a React SPA frontend and a .NET Core backend. After collecting a little information from our users on the frontend, we are passing the data to the backend and trying to create a user with the Management API from the backend. The entire flow in our apps will be passwordless, so during the createAsync method to create the user, we pass:

    Connection = "email"   (makes them passwordless)
    Email = "foo@bar.com"
    EmailVerified = true

We set the EmailVerified to true because at this point, we don’t want the user to have to verify their email to the system and the way that our system is built, we trust that it will be right. As you can see, it appears to work, we have our user created as passwordless and it says that their email is verified and we get no email from Auth0. So far, so good.

Next in the process, the backend tries to send this new user a magic link email through the Authentication API so that they can be associated with and log into a particular app in our lineup. We set up the magic link email with these particular parameters:

    "scope":"openid profile",
    "response_type": "token id_token",

They receive the passwordless magic link email and it looks like this:

After Clicking on the magic link, they are first asked to Authorize the App:

And it then redirects to the correct page as expected. But looking in the Application tab in the DevTools, it does not look like any new cookies are created. And then looking at the User History in the Auth0 portal, we see this:

The reason for the Failed Silent Auth appears to be Consent Required. It appears that we are having success signing up and logging in, but that Silent Auth is failing. Logging out appears to execute successfully as well. When we do the passwordless process from the frontend instead of the backend, we get some new cookies and everything works fine, but I don’t see them when we do this from the backend using the Management API. Any thoughts what we might be missing?
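The silent-authentication round trip behind the "Failed Silent Auth" entry, as an added example that is not part of the original post and not code from Auth0's SDKs. It builds the prompt=none /authorize request a SPA library makes in a hidden iframe, parses the fragment that comes back on the redirect URI (either tokens or an error such as consent_required), and classifies the result the way a client should. The domain, client id, redirect URI, state, nonce and token values are constructed placeholders, and the sample id_token is unsigned, so a real client must additionally verify the signature against the tenant's JWKS before trusting any claim.

```javascript
// Added example, not code from the thread or from Auth0: the silent-auth round
// trip a SPA makes against /authorize and the decision logic for its answer.
// Domain, client id, redirect URI, state, nonce and tokens are constructed.

// Build the /authorize URL for a silent authentication attempt. An SPA library
// does this in a hidden iframe: same scope and response_type as the interactive
// login, plus prompt=none so the server may not render any UI.
function buildSilentAuthUrl({ domain, clientId, redirectUri, scope, state, nonce }) {
  const params = new URLSearchParams({
    client_id: clientId,
    redirect_uri: redirectUri,
    response_type: "token id_token",
    scope,
    prompt: "none",
    state,
    nonce,
  });
  return `https://${domain}/authorize?${params.toString()}`;
}

// With response_type "token id_token" the tokens, and any error, come back in
// the URL fragment of redirect_uri. Parse it into a plain object.
function parseAuthorizeResponse(redirectedUrl) {
  const hash = new URL(redirectedUrl).hash.replace(/^#/, "");
  return Object.fromEntries(new URLSearchParams(hash));
}

// base64url helpers for reading the id_token payload. The constructed token in
// the demo has no signature; a production client verifies it against JWKS.
const b64url = (s) =>
  Buffer.from(s).toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const unb64url = (s) =>
  Buffer.from(s.replace(/-/g, "+").replace(/_/g, "/"), "base64").toString("utf8");
function decodeJwtPayload(token) {
  return JSON.parse(unb64url(token.split(".")[1]));
}

// OIDC reserves these error codes for prompt=none requests that cannot be
// satisfied without user interaction. They are not login failures: the client
// must fall back to a normal, interactive /authorize request.
const INTERACTION_ERRORS = new Set(["consent_required", "login_required", "interaction_required"]);

function classifySilentAuth(response, expected) {
  // state binds the response to the request this client issued; reject anything else
  if (response.state !== expected.state) {
    return { outcome: "reject", reason: "state mismatch" };
  }
  if (response.error) {
    return INTERACTION_ERRORS.has(response.error)
      ? { outcome: "interactive_login", reason: response.error }
      : { outcome: "reject", reason: response.error };
  }
  if (!response.access_token || !response.id_token) {
    return { outcome: "reject", reason: "missing tokens" };
  }
  // nonce binds the id_token to this authorize request (replay protection)
  if (decodeJwtPayload(response.id_token).nonce !== expected.nonce) {
    return { outcome: "reject", reason: "nonce mismatch" };
  }
  return { outcome: "authenticated", expiresIn: Number(response.expires_in) };
}

// Constructed sample responses, shaped like the fragments the server returns.
const EXPECTED = { state: "st-4f2a", nonce: "nc-91bd" };
const SAMPLE_CONSENT_REQUIRED_URL =
  "https://app.example.test/callback#error=consent_required&error_description=Consent%20required&state=st-4f2a";

function sampleSuccessUrl(nonce = EXPECTED.nonce) {
  const payload = { iss: "https://tenant.example.auth0.com/", sub: "email|constructed", aud: "CLIENT_ID_PLACEHOLDER", nonce };
  const idToken = `${b64url(JSON.stringify({ alg: "none", typ: "JWT" }))}.${b64url(JSON.stringify(payload))}.`;
  const frag = new URLSearchParams({
    access_token: "at-constructed", id_token: idToken, expires_in: "7200",
    token_type: "Bearer", scope: "openid profile", state: EXPECTED.state,
  });
  return `https://app.example.test/callback#${frag.toString()}`;
}

// Demo run: the request, a consent_required answer, and a successful answer.
console.log(buildSilentAuthUrl({
  domain: "tenant.example.auth0.com", clientId: "CLIENT_ID_PLACEHOLDER",
  redirectUri: "https://app.example.test/callback", scope: "openid profile", ...EXPECTED,
}));
console.log(classifySilentAuth(parseAuthorizeResponse(SAMPLE_CONSENT_REQUIRED_URL), EXPECTED));
console.log(classifySilentAuth(parseAuthorizeResponse(sampleSuccessUrl()), EXPECTED));
```

consent_required, login_required and interaction_required are the OIDC error codes for a prompt=none request that cannot complete without showing the user something, so the right client response is an interactive login rather than a retry; skipping consent for a first-party application removes the first of these. A state or nonce mismatch is rejected outright, since it means the response does not belong to the request this client issued.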

Hi @wspence,

Are you developing on localhost? You can skip consent for first party apps.

I may have stumbled onto something here. Setting the scope on the magic link email to include “offline_access” may have done the trick, I think it was unable to get refresh tokens. I’ll report back soon.

You can skip the consent dialogue entirely, so this won’t be an issue if you don’t need it.
