When I use the API to send the Passwordless email, users are getting the email but they are redirected to the login form:
POST {URL}/passwordless/start
Content-Type: application/json
{
  "client_id": "YOUR_CLIENT_ID",
  "client_secret": "YOUR_CLIENT_SECRET", // for web applications
  "connection": "email|sms",
  "email": "USER_EMAIL", // set for connection=email
  "phone_number": "USER_PHONE_NUMBER", // set for connection=sms
  "send": "link|code", // if left null defaults to link
  "authParams": { // any authentication parameters that you would like to add
    "scope": "openid",
    "state": "YOUR_STATE"
  }
}
I tried sending different payloads in the POST request.
Is it possible to send an email programmatically from the server side without user interaction, so that when users click the link they are logged in to the application?
At this moment the Passwordless is working only when users use the Lock (passwordless) template and click Send email button.
I see this in the documentation: When using magic links from Universal Login, both the initial request and its response must take place in the same browser or the transaction will fail.
But I was wondering if it is possible to send links without user interaction and get the same behavior we have when users click the Send email button?
Yes, what you describe appears feasible. I was able to start a passwordless link flow (send an email) from a cURL request, open the link, and log in in an incognito window. Can you describe how your attempts have been failing?
When I click the link in the email, I’m redirected to my FE app, but the getAccessTokenSilently function from @auth0/auth0-react is returning an error:
"errorMessage":"Login required"
The expected behavior is: when the user clicks the link, he/she is automatically logged in to the app, which is what happens when the email is generated using the Passwordless lock form.
Additional note:
The email received when user submits the Passwordless form contains a link that is much larger than the email I receive when I use curl or POSTMAN.
Link received when user submits the Passwordless Lock form: https://{APP_URL}/passwordless/verify_redirect?scope=openid%20profile%20email&response_type=code&redirect_uri={REDIRECT_URI}&state={STATE}&nonce={NONCE}&response_mode=query&_intstate=deprecated&_csrf={CSRF}&audience={AUDIENCE}&code_challenge_method=S256&code_challenge={CODE_CHALLENGE}&auth_0_client={AUTH0_CLIENT}&protocol=oauth2&verification_code={VERIFICATION_CODE}&connection=email&client_id={CLIENT_ID}&email=test@test.com
Link received when I use CURL: https://{APP_URL}/passwordless/verify_redirect?scope=openid&response_type=token&redirect_uri={REDIRECT_URI}&verification_code=702522&connection=email&client_id={CLIENT_ID}&email=test@test.com
The POST request I’m doing with CURL is: curl -d '{ "client_id": "{CLIENT_ID}", "client_secret": "{CLIENT_SECRET}", "connection": "email", "email": "test@test.com", "send": "link" }' -H "Content-Type: application/json" -X POST {APP_URL}/passwordless/start
Do you think I’m sending the wrong payload when I use CURL?
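Added example (not part of any post in this thread, and not Auth0 code): a small Node.js script that diffs the query parameters of the two links quoted above, to show which OAuth transaction parameters the API-generated link lacks. The link strings are copied from the post with its placeholders left as posted; the function names `linkParams` and `compareLinks` are hypothetical. The curl payload quoted above sends no `authParams`, which is the field the request template at the top of the thread shows for `scope` and `state`.

```javascript
// Added example: diff the query parameters of two passwordless magic links.
// Both strings are the links quoted in the thread, placeholders unchanged.
const LOCK_LINK = "https://{APP_URL}/passwordless/verify_redirect?scope=openid%20profile%20email&response_type=code&redirect_uri={REDIRECT_URI}&state={STATE}&nonce={NONCE}&response_mode=query&_intstate=deprecated&_csrf={CSRF}&audience={AUDIENCE}&code_challenge_method=S256&code_challenge={CODE_CHALLENGE}&auth_0_client={AUTH0_CLIENT}&protocol=oauth2&verification_code={VERIFICATION_CODE}&connection=email&client_id={CLIENT_ID}&email=test@test.com";
const API_LINK = "https://{APP_URL}/passwordless/verify_redirect?scope=openid&response_type=token&redirect_uri={REDIRECT_URI}&verification_code=702522&connection=email&client_id={CLIENT_ID}&email=test@test.com";

// Parameters that bind a callback to a transaction the client started:
// state (CSRF binding), nonce (ID token replay binding), code_challenge* (PKCE).
const BINDING = ["state", "nonce", "code_challenge", "code_challenge_method"];
// Protocol parameters whose values should match between the two flows.
const PROTOCOL = ["response_type", "scope", "response_mode", "audience"];

// Parse only the query string; the host is a placeholder, not a valid URL host.
function linkParams(link) {
  const q = link.indexOf("?");
  return new URLSearchParams(q === -1 ? "" : link.slice(q + 1));
}

// Report what `candidate` lacks or changes relative to `reference`.
function compareLinks(reference, candidate) {
  const ref = linkParams(reference);
  const cand = linkParams(candidate);
  const refKeys = [...new Set(ref.keys())];

  const missing = refKeys.filter((k) => !cand.has(k));
  const changed = refKeys
    .filter((k) => PROTOCOL.includes(k) && cand.has(k) && cand.get(k) !== ref.get(k))
    .map((k) => ({ name: k, reference: ref.get(k), candidate: cand.get(k) }));

  return {
    missing,
    missingBinding: missing.filter((k) => BINDING.includes(k)),
    changed,
  };
}

const report = compareLinks(LOCK_LINK, API_LINK);
console.log("Missing from API link:       ", report.missing.join(", "));
console.log("Missing transaction binding: ", report.missingBinding.join(", "));
for (const c of report.changed) {
  console.log(`Changed ${c.name}: "${c.reference}" -> "${c.candidate}"`);
}
```
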
@dan.woda The login does not work in incognito, not even with my normal login form. I can log in in non-incognito mode. Will it work if I send you the HAR file from non-incognito mode?