Implicit signup with passwordless connection

We’re implementing an auth flow where the first time an email address is used, the user is automatically signed up and logged in without having to do anything. If the same email is then used again, we want to trigger the Auth0 Passwordless flow to verify identity by having the user enter a code sent to their email.

Per the discussion at Automatic login after creating Auth0 user, Auth0’s suggestion for doing this is to fetch the relevant API using the Resource Owner Password flow documented at https://auth0.com/docs/flows/call-your-api-using-resource-owner-password-flow#request-tokens

However, this is not possible, because when we create a user using the Management API with the passwordless connection (connection name of email), a password cannot be defined. If you define a password anyway, you’ll get a bad request error.

So, how can we get the user’s access token and ID token when we’ve created the passwordless user using the Auth0 Management API on our backend?

Hi, @tom14,

As mentioned in your other post, this would be the equivalent of adding a backdoor to log the user in without requiring any kind of authentication. This is not a good practice, security-wise - any malicious user/admin could log in as any other user, and any leaks would make it so that the user’s identity for your application would be compromised. I strongly recommend against this, but rather recommend confirming the user’s identity via the OTP or link that’s provided via email.
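The flow the reply recommends, written out as an added example (not code from the thread, from Auth0, or from the poster's backend): create the user in the passwordless `email` connection with no password, then send the emailed one-time code, and only hand out tokens after the code is exchanged. The endpoint paths (`/api/v2/users`, `/passwordless/start`, `/oauth/token`), the passwordless OTP grant type, the request fields and the status codes checked are assumptions about the Auth0 APIs, not facts stated on this page; the tenant, client and token values are placeholders, and `transport` is a hypothetical injectable hook so the flow can be exercised offline.

```python
"""Added example: onboard a user into an Auth0 passwordless 'email' connection
and obtain tokens only after the user proves control of the mailbox via OTP.

Assumptions (not from the thread): Management API POST /api/v2/users,
Authentication API POST /passwordless/start and POST /oauth/token with the
passwordless OTP grant type, and the HTTP status codes checked below.
`transport` is a hypothetical hook: (method, url, headers, json_body) ->
(status, json_dict). In production wrap `requests`; tests inject a fake.
"""
import re
from typing import Callable, Dict, Tuple

Transport = Callable[[str, str, Dict[str, str], Dict], Tuple[int, Dict]]

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
OTP_GRANT = "http://auth0.com/oauth/grant-type/passwordless/otp"  # assumed


class PasswordlessOnboarding:
    """Server-side flow: create-if-missing, email an OTP, exchange OTP for tokens."""

    def __init__(self, transport: Transport, domain: str, client_id: str,
                 client_secret: str, mgmt_token: str):
        self.transport = transport
        self.base = f"https://{domain}"          # placeholder tenant domain
        self.client_id = client_id               # placeholder
        self.client_secret = client_secret       # placeholder
        self.mgmt_token = mgmt_token             # placeholder Management API token

    def ensure_user(self, email: str) -> str:
        """Create the user in the 'email' connection. No password field is sent:
        the thread notes the API rejects one for a passwordless connection.
        Returns 'created' or 'exists' (409 assumed to mean already present)."""
        if not EMAIL_RE.match(email):
            raise ValueError("malformed email address")
        status, _ = self.transport(
            "POST", f"{self.base}/api/v2/users",
            {"Authorization": f"Bearer {self.mgmt_token}"},
            {"connection": "email", "email": email, "email_verified": False},
        )
        if status == 201:
            return "created"
        if status == 409:
            return "exists"
        raise RuntimeError(f"user creation failed: HTTP {status}")

    def send_code(self, email: str) -> None:
        """Ask Auth0 to email a one-time code. This step is what replaces the
        'backdoor' login: the user has to read the mailbox to continue."""
        status, _ = self.transport(
            "POST", f"{self.base}/passwordless/start", {},
            {"client_id": self.client_id, "client_secret": self.client_secret,
             "connection": "email", "email": email, "send": "code"},
        )
        if status != 200:
            raise RuntimeError(f"passwordless/start failed: HTTP {status}")

    def exchange_code(self, email: str, otp: str) -> Dict[str, str]:
        """Trade the code the user typed for tokens. Tokens are produced only
        here, after proof of mailbox control; nothing else mints them."""
        if not otp.strip():
            raise ValueError("empty OTP")
        status, data = self.transport(
            "POST", f"{self.base}/oauth/token", {},
            {"grant_type": OTP_GRANT, "client_id": self.client_id,
             "client_secret": self.client_secret, "username": email,
             "otp": otp, "realm": "email", "scope": "openid profile email"},
        )
        if status != 200 or "access_token" not in data:
            raise PermissionError("OTP rejected; no tokens issued")
        return {"access_token": data["access_token"],
                "id_token": data.get("id_token", "")}


def onboard_or_verify(flow: PasswordlessOnboarding, email: str) -> str:
    """First and later visits take the same path: a code is emailed whether the
    user was just created or already existed. Returns the creation status so
    the UI can word its message; no token is available at this point."""
    state = flow.ensure_user(email)
    flow.send_code(email)
    return state
```

The point of the structure is that `exchange_code` is the only place an access token or ID token enters the application, so a first-time user is never logged in merely because their address was created on the backend; the "implicit signup" becomes "create silently, then verify by code" on every visit.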