We successfully tried using the code verification. Seems that we’re missing something with the magic link. It’s pretty frustrating as we do not have any logs whatsoever in the dashboard.
In addition, can you also try to use a curl command for this and see if the results are different: Authentication API Explorer
Also keep in mind, with magic link transactions, both the initial request and its response must take place in the same browser or the transaction will fail.
If you are still having issues after trying those things, please feel free to Direct Message your tenant name along with a HAR file while trying to click on the link and I can further investigate on my end.
Thank you for answering my questions and sending over the HAR file as well as your Tenant name. After further investigation, I was able to find out that Auth0 is restricting the use of the /passwordless/start endpoint from confidential applications when Auth0 cannot authenticate that the call is made on behalf of the application.
OAuth uses the term ‘confidential’ for applications that can store secrets. In Auth0, those are ‘Regular Web Applications’, which serve web pages from a backend app. Single Page Applications and Native Applications are considered ‘public’ applications, and are not affected by this change.
Can you please check the application type for this passwordless login function? If it is “Regular Web Application”, the client secret is required; if it is “Single Page Application”, then the client secret is not required. As you can see in the API parameter description:
“client_secret: REQUIRED The client_secret of your application, required for Regular Web Applications.” (Authentication API Explorer)
If your application type is SPA, then as mentioned before: Single Page Applications and Native Applications are considered ‘public’ applications, and are not affected by this change.
If you are using Regular Web Application, and if you are calling the /passwordless/start endpoint from a page using JavaScript (e.g. auth0.js on the page) from Regular Web Applications, this will not be possible, as you cannot specify a client secret in a call made using JavaScript. If this is currently the case for your application, you will need to change your applications so that /passwordless/start is called from the backend of your web application, rather than from the frontend.
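To illustrate the reply above (an added example, not part of the original thread and not Auth0's own code): a Node.js backend helper that builds the /passwordless/start request and attaches client_secret only for a Regular Web Application, so the secret never reaches the browser. The tenant domain, client values, function names and app-type labels are assumptions made for this example.

```javascript
// Constructed placeholder tenant domain; replace with your own.
const AUTH0_DOMAIN = 'example-tenant.auth0.com';

// Build the request for POST /passwordless/start.
// appType is a label used in this example: 'regular_web' (confidential)
// or 'spa' / 'native' (public).
function buildPasswordlessStart({ appType, clientId, clientSecret, email, send = 'link' }) {
  if (!['link', 'code'].includes(send)) {
    throw new Error("send must be 'link' or 'code'");
  }
  if (!clientId || !email) {
    throw new Error('clientId and email are required');
  }
  const body = { client_id: clientId, connection: 'email', email, send };

  if (appType === 'regular_web') {
    // Confidential application: the call must be authenticated with the secret,
    // which is why it has to be made from the backend.
    if (!clientSecret) {
      throw new Error('client_secret is required for Regular Web Applications');
    }
    body.client_secret = clientSecret;
  } else if (appType === 'spa' || appType === 'native') {
    // Public application: it cannot keep a secret, so none is sent.
    if (clientSecret) {
      throw new Error('public applications must not carry a client_secret');
    }
  } else {
    throw new Error(`unknown appType: ${appType}`);
  }

  return {
    url: `https://${AUTH0_DOMAIN}/passwordless/start`,
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify(body),
  };
}

// Server-side sender (Node 18+ global fetch). Call this from a backend route,
// never from page JavaScript, when appType is 'regular_web'.
async function startPasswordless(opts) {
  const { url, ...init } = buildPasswordlessStart(opts);
  const res = await fetch(url, init);
  if (!res.ok) throw new Error(`/passwordless/start failed: HTTP ${res.status}`);
  return res.json();
}
```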
Thanks for the investigation. Unfortunately, our app type is SPA, so if I’m reading you correctly, we do not need a client_secret and should not be bound to the restriction of the /passwordless/start endpoint.
So we still need to figure out why Auth0 cannot authenticate that the call is made on behalf of the application.
@benjaminn - Sorry for the delay. Looking at the HAR file you sent over, it looks like it is the capture of what happens when the user clicks on the passwordless link, but can you also send another one of what happens when the user tries to log in via the login form, since that is where it sounds like the login is failing?
I also noticed that your call to passwordlessStart({..}) is missing the required param send. Since you are trying to “send: link”, can you please add that? See our doc here - Auth0.js v9 Reference.
I’ve sent you another HAR file as requested. Incidentally, I cannot log in using my valid credentials. Logs output entries like this:
*Type Failed* Login (wrong password)
*Description* Wrong email or verification code.
*Connection* email
*Application* All Applications [REDACTED]
*User* [REDACTED]
Could it be related to the passed state?
Regarding the passwordlessStart func, the options object contains a key:value with { send: 'link', email: ... }. It’s ok on that side, request returns a 200.
After discussing it internally and looking at your tenant, the issue seems to be that you are using the New Universal Login (UL) experience. The new UL does not support Passwordless login - see our documentation on new UL experience: New Universal Login Experience. If you would like to use Passwordless Login, you must use our “Classic Universal Login” experience - please see: Configure Universal Login with Passwordless.
Hope this helps! Let us know if you have any further questions.