Invalid passwordless otp logs do not show the client name

We are using WebAuth.passwordlessStart and WebAuth.passwordlessLogin on our customized classic Universal Login page.

When users enter an invalid OTP code, the tenant logs show type ‘f’ events with the message ‘Wrong email or verification code.’

This comes from the WebAuth.passwordlessLogin call where the code is verified. Works as expected, but the log entries do not show the client name or id.

Any way to “fix” this? One report we get from Auth0 in our catch-up meetings is a report of failure type per application, and now most of the failures are registered under an “unrecognized app”.

Hi @mhautala,

I tried to recreate this issue, but I am successfully seeing a client id param in the logs.

Could you please provide an example of the log you are seeing? Please omit any sensitive data.

Thank you!

This is from our test env so no real user info. But I cannot see even the client id and in the dashboard logs the Application section is empty.

A screenshot of the log in the dashboard:

The raw log entry with some details obscured out with “******”.

```json
{
  "date": "2023-08-17T13:02:27.454Z",
  "type": "f",
  "description": "Wrong email or verification code.",
  "connection": "email",
  "connection_id": "",
  "ip": "******",
  "user_agent": "******",
  "details": {
    "body": {
      "connection": "email",
      "email": "******"
    },
    "qs": {},
    "connection": "email",
    "error": {
      "message": "Wrong email or verification code.",
      "oauthError": "Wrong email or verification code.",
      "type": "invalid_user_password",
      "uri": null
    },
    "session_id": "******"
  },
  "hostname": "******",
  "auth0_client": {
    "name": "auth0.js",
    "version": "9.14.3"
  },
  "log_id": "******",
  "_id": "******",
  "isMobile": true,
  "id": "******"
}
```

Thank you. Can you please share your webAuth configuration?

That hint about the webAuth configuration eventually led to finding a fix. Somehow the configuration part was not working as expected. It looked different to what it was in a dashboard example template (when console.log debugging those).

i.e. related to this:

```js
const config = JSON.parse(decodeURIComponent(escape(window.atob('@@config@@'))))
```

Not really sure of the exact root cause, but simply making sure that part of the code is at the top of the script seemed to have an effect.

And also it seems we need to update the auth0.js library we use in our custom login page (maybe it was the only thing needed).

The effect is that the client_id is passed as params when we call webAuth.passwordlessLogin.

No application name though in the logs? Just the client id?


Thanks for the update, let me know if you need anything else.

@dan.woda Still noticed now that the user’s email or id is not in the log events when an invalid OTP is entered. Is this a feature or are we still doing something wrong?

It is not the end of the world, but there is no way now to see the given user’s logs in case e.g. customer support needs those.

Also still a bit weird that the log event only has the client id and not the name (as for most log event types the application name is deduced from the id).


I don’t see user IDs in most failed login logs. Feel free to give us some feedback on both of these things here: Feedback
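
A triage helper for exported tenant log entries, added here as an example and not code from any poster in this thread or from Auth0: it counts type 'f' events per client_id and groups the ones with no client_id by the auth0_client name and version that sent them. The entries are constructed from the raw log posted above; top-level `client_id` / `client_name` fields and all placeholder values are assumptions.

```javascript
// Constructed sample entries modelled on the raw log entry posted in the thread.
// Top-level client_id / client_name and all placeholder values are assumptions.
const sampleLogs = [
  { type: 'f', description: 'Wrong email or verification code.',
    auth0_client: { name: 'auth0.js', version: '9.14.3' } },
  { type: 'f', description: 'Wrong email or verification code.', client_id: '',
    auth0_client: { name: 'auth0.js', version: '9.14.3' } },
  { type: 'f', description: 'Wrong email or verification code.',
    client_id: 'EXAMPLE_CLIENT_ID',
    auth0_client: { name: 'auth0.js', version: 'PLACEHOLDER_NEWER_VERSION' } },
  { type: 's', client_id: 'EXAMPLE_CLIENT_ID', client_name: 'Example App' },
];

const bump = (map, key) => map.set(key, (map.get(key) || 0) + 1);

// Summarise type 'f' events: how many can be attributed to an application,
// and which SDK builds are sending the ones that cannot.
function summarizeFailures(entries) {
  const byClient = new Map();     // client_id -> failures
  const unattributed = new Map(); // "sdk@version" -> failures without client_id
  let idWithoutName = 0;          // client_id present, client_name absent
  for (const e of entries) {
    if (!e || e.type !== 'f') continue;
    // Treat a missing, non-string or blank client_id as unattributed.
    const id = typeof e.client_id === 'string' ? e.client_id.trim() : '';
    if (id) {
      bump(byClient, id);
      if (!e.client_name) idWithoutName += 1;
      continue;
    }
    const sdk = e.auth0_client || {};
    bump(unattributed, `${sdk.name || 'unknown'}@${sdk.version || 'unknown'}`);
  }
  const sum = (map) => [...map.values()].reduce((a, b) => a + b, 0);
  const missing = sum(unattributed);
  const total = missing + sum(byClient);
  return {
    total,
    missing,
    missingRatio: total ? missing / total : 0,
    idWithoutName,
    byClient: Object.fromEntries(byClient),
    unattributed: Object.fromEntries(unattributed),
  };
}

console.log(JSON.stringify(summarizeFailures(sampleLogs), null, 2));
```

Running this over a log export before and after a login page change shows whether failed OTP attempts have started carrying a client_id, and which SDK version the remaining unattributed ones come from.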
