Passwordless bad connection universal login new

I’m trying to set up SMS Passwordless.

I’m hitting the endpoint as follows:

https://DOMAIN.us.auth0.com/passwordless/start?client_id=CLIENT_ID&client_secret=CLIENT_SECRET&connection=sms

Getting a {"error":"bad.connection","error_description":"Missing required property: connection"}

even though the connection is very obviously in the params. Have tried multiple variations with various params as found here: Authentication API Explorer

Documentation around this is circular and extremely frustrating

Trying to use this with Universal Login Page, New Experience – if that matters.


Hi @dbinetti,

SMS passwordless is not supported by New Universal Login. Can you please try switching to classic and see if that solves your problem?

It does not. Same issue.

It looks like the params need to be in the body of a POST request.

https://auth0.com/docs/api/authentication?http#passwordless

This is Django code, but likely clear enough so that it makes sense to read as pseudo-code:

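import requests
from django.conf import settings
from django.shortcuts import redirect

def login(request):
    params = {
        'client_id': settings.AUTH0_CLIENT_ID,
        'client_secret': settings.AUTH0_CLIENT_SECRET,
        'connection': 'sms',
    }
    # params= is encoded into the query string of the prepared URL
    login_url = requests.Request(
        'POST',
        f'https://{settings.AUTH0_DOMAIN}/passwordless/start',
        params=params,
    ).prepare().url
    return redirect(login_url)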

Which returns

    "error": {
      "message": "missing client parameter",
      "oauthError": "invalid_request",
      "type": "request-error"
    },

in the logs, and

{"error":"bad.connection","error_description":"Missing required property: connection"}

in the browser.

Maybe I’m doing this wrong, but what I want to do is, from my regular web app, click a button that launches the Universal Login, and does the entire SMS send/code response flow on your servers, and then returns to me through a callback with a code/token that says “this user is authenticated”. What am I doing wrong if that’s my goal?

I am trying to do this entirely over phone and SMS. No email. JUST Passwordless sms

You are sending the required information (client id, secret, connection) as query parameters which is not what the API is expecting, so it throws an error.

You need to send those parameters as the body of a POST request, not in the URL, like a GET request.

This Stack Overflow question lays out the differences:

Here is a resource on how to send a POST request with body data using Python’s requests library.
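The difference described in the reply above, as an added example that is not part of the original thread: it builds the /passwordless/start request both ways without sending anything and reports where each field travels. The function names, the domain and the credential values are constructed placeholders, and the `phone_number` field and JSON content type are assumptions based on Auth0's Authentication API documentation.

```python
import json
from urllib.parse import parse_qs, urlencode, urlsplit
from urllib.request import Request

# Constructed placeholder values; nothing here is a real tenant or credential.
DOMAIN = "tenant.example.com"
FIELDS = {
    "client_id": "EXAMPLE_CLIENT_ID",
    "client_secret": "EXAMPLE_CLIENT_SECRET",
    "connection": "sms",
    "phone_number": "+15555550100",  # assumed field name, per Auth0's API docs
}
SENSITIVE = {"client_secret"}


def build_query_request(domain, fields):
    """Shape that fails in the thread: every field encoded into the URL."""
    url = f"https://{domain}/passwordless/start?{urlencode(fields)}"
    return Request(url, method="POST")


def build_body_request(domain, fields):
    """Shape the reply asks for: fields serialized into the POST body."""
    return Request(
        f"https://{domain}/passwordless/start",
        data=json.dumps(fields).encode("utf-8"),
        headers={"Content-Type": "application/json"},
        method="POST",
    )


def describe(req):
    """Report which fields travel in the URL and which in the body."""
    query = parse_qs(urlsplit(req.full_url).query)
    body = json.loads(req.data) if req.data else {}
    return {
        "query": sorted(query),
        "body": sorted(body),
        # Anything in the URL can end up in access logs and browser history.
        "secret_in_url": bool(SENSITIVE & set(query)),
    }


if __name__ == "__main__":
    for build in (build_query_request, build_body_request):
        print(build.__name__, describe(build(DOMAIN, FIELDS)))
```

The body form belongs in server-side code only: a view that redirects the browser to a URL carrying `client_secret` hands the secret to the user's browser and to every log along the way.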

Thank you – that was a facepalm for me.

Still, new problem:

I am trying to launch the Universal Login (classic, since New doesn’t work) which means I shouldn’t need the phone to start

OK, I think I understand what you’re trying to do. You don’t need to use the API to call the passwordless endpoints.

With this as your goal:

  • Go to the settings of the Application you would like to configure in the dashboard and toggle on SMS passwordless
  • Go to Universal Login Settings and click the Login tab.
  • Enable the Custom Login Page toggle, and select the Lock (passwordless) template. The HTML template will update with code using the Lock widget with passwordless customization options.
  • Customize the template, and click Save Changes

Now, if you select preview and select your application in the drop-down menu you should see an SMS passwordless prompt.

Let me know when you have that configured correctly and we can go from there.


Great, now you simply need to redirect the user to the login page from that application. If you want to do that with raw API calls follow this guide:

Or if you want a Django specific example take a look at our Quickstart:

Getting new errors, but I think they are due to my config. Thanks! This is what I needed…

Actually, might not be my config. The JWT decode is showing an invalid audience.

payload	
{'aud': 'AuI7cs5VpwzVzMe0B7JT8IxnKziUMR73',
 'exp': 1631946770,
 'iat': 1631910770,
 'iss': 'https://xxx.us.auth0.com/',
 'sub': 'sms|6141eae10858457944c8ca28'}
self	

this is coming directly from my call to the token URL at /oauth/token, so I’m stuck again.

Is that the audience you’re expecting? Typically it’s the URL of the resource you’re trying to access. For example, https://test.com/api. It should be a custom API you set up in Auth0.

Can you share the authorize request you’re making? Please be sure to omit sensitive data.