Passwordless broken?

In reference to a pre-June tenant where passwordless is not disabled.

Start passwordless

Request:

POST https://tenant.eu.auth0.com/passwordless/start
{"phone_number":"xxxxxxx","connection":"sms","send":"code","client_id":"yyyyy"}

Login

POST https://tenant.eu.auth0.com/oauth/ro 
{"grant_type":"password","client_id":"yyyyyyyyyy","connection":"sms","scope":"openid offline_access","username":"xxxxxxx","password":"zzzzz"}

response:

{"error":"invalid_request","error_description":"device parameter must be specified"}

According to the docs, this error message is for grant type jwt_bearer (https://auth0.com/docs/api/authentication?shell#post-oauth-ro) not for grant type password. ‘device parameter’ has not been needed before now. Furthermore, this is being done via the iOS SDK but is easily replicated via CURL or Postman

Any help appreciated.

So, this works again if you don’t request offline_access scope but then that obviously means you no longer get a refresh token which is a different kind of breaking change. Either way, this looks broken compared to how it used to function.

Interestingly, you can get an refresh token if the grant_type is “jwt-bearer” and you include a device type. However, this grant type is not used by the iOS Swift SDK and is not the grant type supposed to be used for passwordless.

To my knowledge, the /oauth/ro endpoint with the password grant always required the device parameter if you included the offline_access as part of the scope. As you mentioned this is a legacy endpoint and there aren’t many changes being made to legacy endpoints so it’s more likely to be an omission in the documentation rather than a change. Are you sure you were able to call this endpoint with offline access specified and without a device parameter?

The theory about an omission in the documentation is also substantiated by the fact that the error message is not exactly the same as the one documented for the jwt-bearer grant.