Passwordless, Delegation and API Authorization

I have a client (first party, native, iOS) that:

  • uses a Passwordless connection (SMS)
  • uses Delegation (Firebase)
  • is NOT flagged as OIDC conformant

This client needs to retrieve an access token for use with a separate API.

This appeared to be working (prior to Jun '17) but now appears to be broken in that I am only able to retrieve a simple access token (/oauth/ro) not a JWT access token with audience, scopes etc. (/oauth/token - “error_description”: “Passwordless authentication is not allowed on this endpoint.”)

  • Is it possible to fix this so that it works as before?
  • If so, what are the steps needed to do this?

Thanks in advance.

I’m in the same boat. I built a demo of my app last April, using SDK 7 and delegating token with Firebase with passwordless login. Everything works great, then I went to create a prod environment and discovered that delegation is prohibited with new accounts after June. No documentation on migrating or how to update the process is provided. Post after post on this forum regarding this issue, no responses for days… really not sure about Auth0 anymore.

A workaround I am considering that will solve two out of three of my problems: Use Firebase SMS authentication.
This will produce an OIDC ID token that can be used with Firebase directly and covers the passwordless.

I am then looking at a mechanism to exchange the Firebase ID token for an Auth0 API access token along these lines: draft-ietf-oauth-token-exchange-03

It does seem odd that both passwordless and API auth are advertised prominently as features yet they appear to be (at present and for the last couple of months) fundamentally incompatible with each other.