Thank you for specific problem description and suggestions @jordan.knudsen - I can see your problem.
I checked your tenants, and for further investigation, I assumed you refer to SPA and and /passwordless/start endpoint to receive link via email. But please feel free to correct me at any point if needed, we’ll then have another look on that.
My initial conclusion (to be verified as we work on it together) is that currently Auth0 do not allow for authentication API endpoints being called directly by browser-side generated clients (SPA).
Why I came to this conclusion?
First, please take a look here for security related recommendation for public clients (like SPAs).
Second, when I run the request from within the browser console (and my Auth0 tenant is set with the https://.com* as allowed CrossOrigins URL), I got this:
So the link has not been sent/the flow hasn’t been initiated and it looks like this is blocket by Auth0 server regardless of CrossOrigins policy set in the Auth0 tenant.
Facts:
- When I run passwordless/start from outside of the browse (via native Postman), I was able to trigger link being sent to enduser’s email:
But when I click on the link, I receive the same result as you did, and it’s expected as the flow has been initiated outside of browser-based script.
- For the SPA, on my newest tenant, I’m also not able to select OTP as a grant flow - this seems to be potentially irrelevant. My bad:( @ryan.madsen please take a look at this thread.
Could I ask you to:
- Let me know more about the embedded login form you use? Is the authentication request generated on the browser or backend side?
- Which API endpoint you use to initiate the authentication flow?
- Did you make this between-tenants comparison for the same app type, authentication grant flow and the same embedded login form?
Further steps: Let’s find out what would work for your specific use case. Thanks!