I am implementing passwordless authentication in my iOS app using just URLSession and a custom login screen. I have read all the docs over the past couple of days and don't think I am missing anything. My question is: how do I match up the user who requested the passwordless login with the magic link they receive in their email? I know it is an unlikely situation that there are two users on the same iOS device who both request an Auth0 magic link within 5 minutes of each other. However, as I am writing a health app I need to be very careful.
- User clicks on Login button
- Login screen displayed
- User enters email address “firstname.lastname@example.org” and clicks next
- I call /passwordless/start API with their email as a parameter
- Auth0 sends a response to the app with the email address "email@example.com" and sends Bob a magic link to his Gmail account
- Bob opens his email and sees a long magic link that has his email address as a parameter
- Bob clicks on the link, which calls Auth0, which returns a universal link callback that opens in my iOS app.
- The universal link contains the parameters auth_token, token_type, scope, and expiry.
My question is: how do I know that this universal link is actually for Bob and not someone else, as there is no email address parameter in the universal link callback?
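The check the post is asking for, as an added example that is not part of the original question and not Auth0's own code: the app remembers which email it sent to /passwordless/start (plus a random state value), and when the universal link arrives it accepts the tokens only after resolving the bearer token to an identity and comparing that identity's email with the remembered one. Assumptions, labelled as such: the callback carries its parameters in the URL fragment as `access_token`, `token_type`, `expires_in`, `scope` and `state`; the state value is passed to the start request and echoed back; and the identity lookup (in a real app, an HTTPS GET to the tenant's OIDC `/userinfo` endpoint with the bearer token) returns an `email` claim. The identity lookup below is a constructed stand-in so the example runs offline; the same logic ports directly to Swift and URLSession.

```python
"""Bind a passwordless magic-link callback to the login this device started.

Added example, not code from the original post or from Auth0. Assumptions:
tokens arrive in the URL fragment (access_token, token_type, expires_in,
scope, state); a state value is round-tripped through the login request; and
an identity lookup returns at least an 'email' claim for a bearer token.
"""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

PENDING_TTL_SECONDS = 300  # the five-minute window mentioned in the post


@dataclass
class PendingLogin:
    """What the app stores locally when it calls /passwordless/start."""
    email: str
    state: str
    started_at: float


def start_login(email: str, now: Optional[float] = None) -> PendingLogin:
    """Record the email typed on the login screen plus a random, single-use
    state value (assumption: the app sends this state with the start request
    and the identity provider echoes it back in the callback)."""
    return PendingLogin(email=email.strip().lower(),
                        state=secrets.token_urlsafe(32),
                        started_at=time.time() if now is None else now)


def parse_callback(url: str) -> Dict[str, str]:
    """Implicit-style callbacks put parameters in the fragment; fall back to
    the query string so either shape is handled. First value wins per key."""
    parts = urlsplit(url)
    raw = parts.fragment or parts.query
    return {k: v[0] for k, v in parse_qs(raw, keep_blank_values=True).items()}


def verify_callback(pending: Optional[PendingLogin], url: str,
                    fetch_identity: Callable[[str], Dict[str, object]],
                    now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (accepted, detail). Every rejection names the failed binding so
    the app can log it without leaking the token itself."""
    now = time.time() if now is None else now
    if pending is None:
        return False, "no login in progress on this device"
    if now - pending.started_at > PENDING_TTL_SECONDS:
        return False, "pending login expired"
    params = parse_callback(url)
    token = params.get("access_token")
    if not token or params.get("token_type", "").lower() != "bearer":
        return False, "callback has no usable bearer token"
    # Constant-time compare: the state ties this callback to *our* request.
    if not hmac.compare_digest(params.get("state", ""), pending.state):
        return False, "state does not match the login this app started"
    # The callback itself has no email, so resolve the token to an identity.
    identity = fetch_identity(token)
    email = str(identity.get("email", "")).strip().lower()
    if not email or email != pending.email:
        return False, "token belongs to a different user than the one who asked to log in"
    if identity.get("email_verified") is False:
        return False, "email not verified by the identity provider"
    return True, email


# Constructed stand-in for the /userinfo lookup, keyed by token value.
CONSTRUCTED_IDENTITIES: Dict[str, Dict[str, object]] = {
    "tok-bob": {"email": "bob@example.org", "email_verified": True},
    "tok-alice": {"email": "alice@example.org", "email_verified": True},
}


def constructed_fetch_identity(token: str) -> Dict[str, object]:
    """Offline replacement for the real userinfo call (constructed data)."""
    return CONSTRUCTED_IDENTITIES.get(token, {})


def demo() -> Tuple[bool, bool]:
    """Bob starts a login; his own link is accepted, a link carrying another
    user's token (the post's two-users-one-device case) is rejected."""
    pending = start_login("Bob@example.org", now=1000.0)
    base = "myapp://callback#token_type=Bearer&expires_in=7200&scope=openid%20email"
    good = f"{base}&access_token=tok-bob&state={pending.state}"
    other_user = f"{base}&access_token=tok-alice&state={pending.state}"
    ok_good, _ = verify_callback(pending, good, constructed_fetch_identity, now=1010.0)
    ok_other, _ = verify_callback(pending, other_user, constructed_fetch_identity, now=1010.0)
    return ok_good, ok_other


if __name__ == "__main__":
    print(demo())
```

The two bindings are deliberately independent: the state check proves the callback answers a request this device made, and the email comparison proves the token belongs to the person who typed their address on the login screen. Clearing the `PendingLogin` record after the first accepted or rejected callback keeps the state single-use.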