How to match passwordless request with magic link

Hi,
I am implementing a passwordless authentication in my iOS App using just URLSession and custom login screen. I have read all the docs over the past couple of days and don’t think I am missing anything. My question is how do I match up the user who requested the password less login with the magic link they receive in their email? I know it is an unlikely situation that there are two users on the same iOS device, who both request a Auth0 magic link within 5 minutes of each other. However as I am writing a health App I need to be very careful.

My flow:

  • User clicks on Login button
  • Login screen displayed
  • User enters email address “bob@gmail.com” and clicks next
  • I call /passwordless/start API with their email as a parameter
  • Auth0 sends response to the App with email address “bob@gmail.com” and send the Bob a magic link to his gmail account
  • Bob opens his email and sees a long magic link that his email address as a parameter
  • Bob clicks on the link which calls Auth0 which returns a universal link callback that opens in my iOS App.
  • The universal link contains the parameters auth_token, token_type, scope, and expiry.

My question is how do I know that this Universal link is actually for Bob and not someone else as there is no email address parameter in the universal link callback ?

Hi @iOSBrett,

Welcome to the Community!

Is there a token? Can you look at the claims in the ID token to determine who the user is?

Thanks Dan :slight_smile:

Yes I ended up with this approach. I called the /userInfo endpoint to get their email and then I ensure they match. Is that the same thing as you were talking about ?

Thanks for the reponse.

Are you calling the user info endpoint and using the id token? Typically you would use one or the other, but not usually both.

I’m using the access_token I get back from callback(magic) link in the email
Is that an id token ? It is quite short and doesn’t look like a JWT type token.

It is an opaque access token. It is only for use by auth0 APIs, like the user info endpoint.

You can use it to get the user profile. Is that what you are doing? Like this example:

I understand more of what is going on now, yes that is what I am doing to match the emails.
I have another issue, which I will start a new thread for.

Thanks again for your help Dan.

1 Like

Sounds good. Let us know what we can do to help.