Generate magic link without sending it

zeligfryd · April 25, 2023, 11:46am

Hello,

I would like to achieve the following functionality in my application: it should be able to send various emails to users, and these emails should contain a magic link to login to my application.
Using the customisable email template is not enough for the purpose I want to achieve.

First option
If there is a way to obtain a magic link without sending it to the user, I can simply include it in an email and send it to the user.

Second option
I would generate my own custom magic link, and after verification I would generate and sign a JWT token, using the certificate that is used by the Auth0 application, and then move on with getting a session for my authenticated user.
I found out that I can’t get the RS256 private key, but if I changed the signing algorithm of my application to HS256, I could use my application’s client secret to sign the JWT. Is this correct?

Based on my research, I understand that there is no way to get a magic link without actually sending it to the user. Is this right?

If so, would something in the direction of my second solution work?

Thank you in advance for your help!

dan.woda · May 2, 2023, 2:40pm

No, that is not possible.

Creating your own JWT won’t create a session the same way as a magic link. For example, it doesn’t create a cookie session. It’s possible to create a JWT, although you wouldn’t want to use a symmetric signing algo if the user could possibly have access to it.

That’s correct, but you may not want to do this because of the implications of symmetric signing. i.e. you can’t validate the token in a client-side app without exposing your signing key.

Correct.

system · May 16, 2023, 2:40pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.