I’m using the auth0-php sdk. I can log in without issue when it comes to the normal email/password method. But I get issues with passwordless logins. Here is my current set up in case anyone can help:
- I create an SdkConfiguration object with domain, clientId, clientSecret, redirectUri, and cookieSecret data. This gets returned as an Auth0 object which I refer to as $auth0.
- I can get the URL to the login page by simply doing $auth0->login(). This works fine.
- I also want to give users the option to log in with an email code, so I have a separate button on my page to do that. Here’s what I tried:
I get the user’s email from a form that they fill. After they hit the submit button, I take their email and call this:
$auth0->authentication()->emailPasswordlessStart($email, 'code');
However, this doesn’t automatically direct me to the Auth0 code verification page. So after this, I generate a state code using bin2hex(random_bytes(16))
and build a URL string like this:
$url = 'https://' . $auth0_domain . '/authorize' .
'?response_type=code' .
'&client_id=' . $client_id .
'&redirect_uri=' . urlencode($redirect_uri) .
'&scope=openid%20profile%20email' .
'&connection=email' .
'&login_hint=' . urlencode($email) .
'&state=' . $state;
The problem with this, though, is that I get two email verification codes. I found that BOTH the “emailPasswordlessStart” call I mentioned earlier and the URL (after visiting it) send an email verification code. So I end up with two, which might be messing up the state code. I decided to just comment out the “emailPasswordlessStart” line altogether. After I run this code, it takes me to the Auth0 login page and I get a verification email. I enter the code but it doesn’t log me in and says I have an “invalid state”. I’m confused because I’m comparing the state I generate before sending the user to Auth0 with what it is during my callback after logging in, and it’s the same both times.
How can I fix this invalid state error?
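As an added example (not the asker's code and not an Auth0 sample): one front controller that handles both the email-code button and the callback, letting the SDK mint and store the state instead of hand-building the /authorize URL. It assumes the auth0-php v8 SDK, constructed environment-variable names, and that Auth0::login() accepts an optional second array of extra /authorize query parameters (an assumed SDK signature; the post only shows login() called with no arguments).

```php
<?php
// Added example, not the asker's code and not an Auth0 sample. Assumes the
// auth0-php v8 SDK, the environment variable names below (constructed), and
// that Auth0::login() takes an optional second array of extra /authorize
// query parameters (an assumption about the SDK signature).
require 'vendor/autoload.php';

use Auth0\SDK\Auth0;
use Auth0\SDK\Configuration\SdkConfiguration;

$auth0 = new Auth0(new SdkConfiguration([
    'domain'       => getenv('AUTH0_DOMAIN'),
    'clientId'     => getenv('AUTH0_CLIENT_ID'),
    'clientSecret' => getenv('AUTH0_CLIENT_SECRET'),
    'redirectUri'  => getenv('AUTH0_REDIRECT_URI'),
    'cookieSecret' => getenv('AUTH0_COOKIE_SECRET'),
]));

// Step 1: the "log in with an email code" form posts the address here.
if (isset($_POST['email'])) {
    $email = filter_var($_POST['email'], FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        http_response_code(400);
        exit('invalid email');
    }
    // No emailPasswordlessStart() call: /authorize with connection=email
    // already makes Auth0 mail the code, so calling both sends two codes.
    // Letting the SDK build the URL means the SDK mints the state (plus
    // nonce and PKCE verifier) and stores it in its transient store, which
    // is what exchange() checks later.
    $url = $auth0->login(null, [
        'connection' => 'email',
        'login_hint' => $email,
    ]);
    header('Location: ' . $url, true, 302);
    exit;
}

// Step 2: Auth0 redirects back to redirectUri with ?code=...&state=...
if (isset($_GET['code'], $_GET['state'])) {
    // exchange() compares $_GET['state'] with the value stored in step 1.
    // A state generated outside the SDK was never stored there, so it fails
    // with "Invalid state" even when it round-trips unchanged.
    if (!$auth0->exchange()) {
        http_response_code(403);
        exit('login failed');
    }
    $user = $auth0->getUser() ?? [];
    echo 'Logged in as ' . htmlspecialchars((string) ($user['email'] ?? 'unknown'));
}
```

The security point is that state is the CSRF binding between the /authorize request and the callback, so it has to be generated and stored by the same component that later validates it; a value minted in application code and only compared by eye never reaches the SDK's store.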