How to match passwordless request with magic link

iOSBrett · October 6, 2020, 1:44am

Hi,
I am implementing a passwordless authentication in my iOS App using just URLSession and custom login screen. I have read all the docs over the past couple of days and don’t think I am missing anything. My question is how do I match up the user who requested the password less login with the magic link they receive in their email? I know it is an unlikely situation that there are two users on the same iOS device, who both request a Auth0 magic link within 5 minutes of each other. However as I am writing a health App I need to be very careful.

My flow:

User clicks on Login button
Login screen displayed
User enters email address “bob@gmail.com” and clicks next
I call /passwordless/start API with their email as a parameter
Auth0 sends response to the App with email address “bob@gmail.com” and send the Bob a magic link to his gmail account
Bob opens his email and sees a long magic link that his email address as a parameter
Bob clicks on the link which calls Auth0 which returns a universal link callback that opens in my iOS App.
The universal link contains the parameters auth_token, token_type, scope, and expiry.

My question is how do I know that this Universal link is actually for Bob and not someone else as there is no email address parameter in the universal link callback ?

dan.woda · October 6, 2020, 8:59pm

Hi @iOSBrett,

Welcome to the Community!

Is there a token? Can you look at the claims in the ID token to determine who the user is?

iOSBrett · October 7, 2020, 4:21am

Thanks Dan

Yes I ended up with this approach. I called the /userInfo endpoint to get their email and then I ensure they match. Is that the same thing as you were talking about ?

Thanks for the reponse.

dan.woda · October 7, 2020, 10:23pm

Are you calling the user info endpoint and using the id token? Typically you would use one or the other, but not usually both.

iOSBrett · October 8, 2020, 1:27am

I’m using the access_token I get back from callback(magic) link in the email
Is that an id token ? It is quite short and doesn’t look like a JWT type token.

dan.woda · October 8, 2020, 5:12pm

It is an opaque access token. It is only for use by auth0 APIs, like the user info endpoint.

You can use it to get the user profile. Is that what you are doing? Like this example:

iOSBrett · October 11, 2020, 1:00am

I understand more of what is going on now, yes that is what I am doing to match the emails.
I have another issue, which I will start a new thread for.

Thanks again for your help Dan.

dan.woda · October 12, 2020, 9:18pm

Sounds good. Let us know what we can do to help.

system · October 27, 2020, 9:18pm

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How To: Send Magic Links with Auth0 Help	2	6775	November 9, 2019
Send magic login link to the users Help management-api , users	3	1901	December 21, 2022
Is it possible to mix passwordless methods, link for web app and code for mobile app? Help login-experience , new-universal-login-experience	2	906	March 22, 2023
Questions about passwordless connections Help connections , passwordless-email-connection , login-experience	0	945	April 25, 2023
Sending Login Link to Users by email Help jwt , auth0 , passwordless , login , magic-link , passwordless-email	2	3580	December 21, 2022

How to match passwordless request with magic link

Related Topics