Passwordless connection not working for tenants created after Jan 2, 2020

I created a tenant in 2019 that allowed passwordless login and signup. When I create the connection, there is a “try” tab that allows me to test the Twilio credentials I’ve entered for that connection. For my tenant created in 2019, this works fine and the sign-in works as expected.

However, for my tenant created after January 2, 2020, when I enter the exact same connection information, I get this error when I “try” the connection: “Error! Client authentication is required.”

I did some digging and found that there is a setting in the tenant settings > advanced tab that allows me to enable/disable “Enforce client authentication for passwordless connections.” This option is not available for tenants created after January 2, 2020 (possibly connected to the new passwordless API deployment related to that date). I believe this is the cause of the issue, but I see no way to resolve it from within my account. Does anyone have any idea how to fix this so I can use passwordless connections with my new tenants?

Hey there! Let me check that for you and get back with the news soon!

Same here; this is critical for us

Hey @konrad.sopala, were you ever able to look into this? I’m currently facing the same issue. Thanks!

We recently introduced a change that requires us to send client_secret when starting the flow in confidential clients (e.g., regular web apps as opposed to single page apps). This lets Auth0 authenticate that the API call was made from the right app.
For new tenants, the toggle to disable this behavior is not available.

  1. If you invoke /passwordless/start from a backend (regular web app), start sending the client secret in the body.
  2. If you invoke it from a frontend (single page app), change the Auth0 application’s type to Single Page App. Specifically, the ‘Token Endpoint Authentication Method’ in the application’s settings should be set to ‘None’.

Let us know if you come across any issues.


Thanks for providing that knowledge @thameera!

Hi @cyrilchapon, @j1315b, @codescribblr

There’s currently a bug that does not let you TRY the passwordless connection for Regular Web Apps if the tenant has the “Enforce client authentication for passwordless connections” field enabled. This is because the call to /passwordless/start that is made from the TRY button does not include the client secret.

New tenants always have that property enabled, and you can’t turn it off, as it’s a security risk. You should not make calls on behalf of confidential clients without providing a client secret.

It’s not a blocking issue, as the call will work for your own code if you provide the client secret.

The TRY button should work if you try it from a Native Application, which is not a confidential client, so it does not require a client secret.

We’ll be fixing the TRY button in the next few weeks.

Regards,

Andres
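
The two cases from the replies above (a backend sends the client secret in the body of /passwordless/start; an application whose ‘Token Endpoint Authentication Method’ is ‘None’ omits it), as an added example that is not part of the original thread and not Auth0's code. The `authMethod` field, the domain, the client IDs and the secret are constructed placeholders.

```javascript
// Added example. `authMethod` is a hypothetical field mirroring the app's
// "Token Endpoint Authentication Method"; "Post" below is an assumed value
// standing for any method other than "None".

// Build the POST /passwordless/start request for one application.
function buildPasswordlessStart(app, recipient) {
  const confidential = app.authMethod.toLowerCase() !== "none";
  if (confidential && !app.clientSecret) {
    // The case a tenant rejects with "Client authentication is required."
    throw new Error("confidential client: client_secret is required");
  }
  if (!confidential && app.clientSecret) {
    // A public client cannot keep a secret; never ship one to a browser.
    throw new Error("public client: do not send a client_secret");
  }
  const body = { client_id: app.clientId, connection: recipient.connection, send: "code" };
  if (recipient.connection === "sms") body.phone_number = recipient.to;
  else if (recipient.connection === "email") body.email = recipient.to;
  else throw new Error("unsupported connection: " + recipient.connection);
  if (confidential) body.client_secret = app.clientSecret;
  return {
    url: `https://${app.domain}/passwordless/start`,
    init: {
      method: "POST",
      headers: { "Content-Type": "application/json" },
      body: JSON.stringify(body),
    },
  };
}

// Sends the request; call it only from server-side code for confidential clients.
// Not invoked here, so the file runs offline.
async function startPasswordless(app, recipient) {
  const { url, init } = buildPasswordlessStart(app, recipient);
  const res = await fetch(url, init);
  if (!res.ok) throw new Error(`passwordless/start failed: HTTP ${res.status} ${await res.text()}`);
  return res.json();
}

// Constructed sample applications.
const webApp = { domain: "tenant.example.com", clientId: "WEB_APP_CLIENT_ID",
  clientSecret: "SECRET_FROM_SERVER_ENV", authMethod: "Post" };
const spa = { domain: "tenant.example.com", clientId: "SPA_CLIENT_ID", authMethod: "None" };
```
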

We’ll let you all know once it’s there!

I’m using the Auth0 WordPress plugin. What do I need to do to fix this?

@varu.sihara13 check out the latest post from @andres.aguiar. Thank you!

Hi,

How do I implement the change for the SSO app?
After all, there is no client secret there.

Hi @oded-r,

If you need SSO you would use the Universal Login flow, and not call the /passwordless/start + /oauth/token endpoints directly. So, even if the ‘Try’ button does not work for your app, the flow will work.

Regards,

Andres

@andres.aguiar,
I’ll explain what I’m trying to do from the beginning, because I kind of skipped what we’re trying to do :)
I create an SSO integration with Salesforce. I have an application in which I want the user to enter their code (through email/SMS).
I wanted to use your API, {{auth0_domain}}/passwordless/start, but it forces me to enter the
“client_secret”, but the SSO does not have a secret.
I can’t use the Universal Login flow, because it forces me to open a tab (new window), and I want to implement this behind the scenes.

So what do you recommend I do if I want to use passwordless with SSO with the API?