Magic link with Authentication API, does it require the same browser?

The docs say "request and its response must take place in the same browser or the transaction will fail", but there's not much detail about how that works. Does it just work out of the box? That's not the behavior I'm seeing.

I’m using the ruby API gem:
https://www.rubydoc.info/gems/auth0/Auth0/Api/AuthenticationEndpoints#start_passwordless_email_flow-instance_method

```ruby
auth0_client.start_passwordless_email_flow(
  @email,
  'link',
  {
    redirect_uri: "http://127.0.0.1:3030/dashboard",
    scope: "openid profile email"
  }
)
```
This will send an email with a link that I can open in any browser.

To restrict it, it seems like you have to send `state`, but that doesn't seem to get forwarded on the redirect unless you set the response type to `code`:

```ruby
auth0_client.start_passwordless_email_flow(
  @email,
  'link',
  {
    response_type: "code",
    redirect_uri: "http://127.0.0.1:3030/dashboard",
    scope: "openid profile email",
    state: password_less_state
  }
)
```

The `authParams` description in the API docs is vague:
https://auth0.com/docs/api/authentication#get-code-or-link

I'm trying this out on a modified version of the Rails sample app provided by Auth0. You can see my full code here: https://github.com/Druwerd/auth0-rubyonrails-sample/commit/d5b74a41ca002eee85f04ddad1d573726d12556f

Has anyone else seen this? Or can someone explain how magic link's same browser restriction works?
Thanks
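Added example (not code from the post, the Auth0 gem or the sample app) showing one way an app can enforce the same-browser property itself with the `state` value from the `code` flow above: `state` is minted and stored in the session cookie of the browser that requested the link, and the callback only exchanges `code` when that browser's session holds a matching, unexpired, unused `state`. Helper names and the `session`/`params` hashes are assumptions standing in for a Rails session and request params.

```ruby
require 'securerandom'

# Hypothetical helper names; `session` stands in for the Rails session hash
# backed by the requesting browser's cookie.
STATE_KEY = :passwordless_state

# Mint a state before calling start_passwordless_email_flow and remember it
# in the session of the browser that asked for the link.
def issue_passwordless_state(session, now: Time.now.to_i)
  state = SecureRandom.urlsafe_base64(32)
  session[STATE_KEY] = { value: state, issued_at: now }
  state
end

# Constant-time comparison so the state check does not leak via timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Verify the redirect back to redirect_uri (?code=...&state=...).
# Returns the code to exchange, or nil when the request must be rejected:
# no stored state (link opened in another browser), expired, tampered or replayed.
def verify_passwordless_callback(session, params, max_age: 600, now: Time.now.to_i)
  expected = session.delete(STATE_KEY) # single use: a replay finds nothing
  return nil if expected.nil?
  return nil if now - expected[:issued_at] > max_age
  state = params['state']
  return nil unless state.is_a?(String) && secure_compare(expected[:value], state)
  params['code']
end

if __FILE__ == $PROGRAM_NAME
  browser_a = {} # constructed stand-in for the requesting browser's session
  browser_b = {} # a different browser that merely opened the emailed link
  state = issue_passwordless_state(browser_a)
  link_params = { 'code' => 'constructed-code', 'state' => state }
  puts verify_passwordless_callback(browser_b, link_params).inspect # nil
  puts verify_passwordless_callback(browser_a, link_params).inspect # "constructed-code"
end
```

Only after `verify_passwordless_callback` returns a code would the app exchange it for tokens; a link opened in a browser without the session cookie never reaches that step.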