I’ve been using passwordless login via email code for a while now. I’ve been trying to set up a new QA environment on a new tenant, though, that uses the same login method and have come across an odd issue.
I create and log in as one user. Then I create another user and try to log in as this new one. But it logs me in as the original user. More details below.
I enter my email and submit, which causes my React app to send the passwordless start request to Auth0. The email, client_id, connection, and send parameters all look correct. I get a 200 response back and see the code email show up in my inbox. I then enter the code in my React app, submit, and it sends the passwordless verify request. Again, the email, connection, and code parameters all look correct.
I receive the 302 response as expected. The location header in the response is the correct URL. BUT - the token in the URL is for a different user than the request specified in the passwordless verify request.
I have looked through all possible settings and compared them to our properly working environment and just cannot figure out what could be causing this behavior. Additionally, I’ve looked through the logs and they verify this behavior. I see the event where the code is sent to user A, then an event that user B signed in.
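The mismatch described in the post above can be checked mechanically. This is an added example, not part of the original post and not Auth0's code: it compares the identity in the redirect token with the email sent to passwordless verify. It assumes the 302 Location carries an `id_token` in the URL fragment with an `email` claim; the function names, callback URL and sample token are constructed for illustration.

```javascript
// Diagnostic only: the payload is decoded WITHOUT verifying the signature,
// so use this to inspect a redirect, never to make an authentication decision.

function b64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64url');
}

// Decode the middle (payload) segment of a compact JWT.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Compare the email claim in the redirect's id_token with the email that
// was submitted in the passwordless verify request.
function checkRedirectIdentity(locationHeader, requestedEmail) {
  const url = new URL(locationHeader);
  const params = new URLSearchParams(url.hash.replace(/^#/, ''));
  const token = params.get('id_token'); // assumption: token is in the fragment
  if (!token) return { ok: false, reason: 'no id_token in fragment' };

  const claims = decodeJwtPayload(token);
  const tokenEmail = String(claims.email || '').trim().toLowerCase();
  const wanted = requestedEmail.trim().toLowerCase();
  if (tokenEmail !== wanted) {
    return { ok: false, reason: 'identity mismatch', sub: claims.sub, tokenEmail };
  }
  return { ok: true, sub: claims.sub, tokenEmail };
}

// Constructed sample: an unsigned token for a made-up user and callback URL.
function makeSampleLocation(email, sub) {
  const token = [b64url({ alg: 'none', typ: 'JWT' }), b64url({ sub, email }), 'sig'].join('.');
  return `https://app.example.test/callback#id_token=${token}&token_type=Bearer`;
}

const sample = makeSampleLocation('user-a@example.test', 'email|constructed-a');
console.log(checkRedirectIdentity(sample, 'user-b@example.test'));
```

Logging the returned `sub` alongside the requested email for each sign-in makes it easy to line the result up with the tenant log events.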