Passwordless email link, verification fail on custom domain

Hi,

We’re trying to setup the passwordless feature with the email link but we’ve hit a wall with the login.

A request is sent from the custom-domain.com using the auth0-js SDK:

const startPasswordless = async options => {
    return new Promise((resolve, reject) => {
      if (!auth0Client) {
        return reject('Client not initialized yet');
      }
      auth0Client.passwordlessStart(
        {
          ...options,
          connection: 'email',
          authParams: {
            scope: 'openid profile email',
          },
        },
        (err, result) => {
          if (err) {
            return reject(err);
          } else {
            resolve(result);
          }
        }
      );
    });
  };

Email is correctly sent and contains a link like this:

https://auth.custom-domain.com/passwordless/verify_redirect?scope=openid%20profile%20email&response_type=token&redirect_uri=https%3A%2F%2Fpreview.custom-domain.com&state=[REDACTED]&verification_code=820185&connection=email&client_id=[REDACTED]&email=[REDACTED]

Clicking the link opens up auth0 custom domain login page with no error code, just the login form. Login seems to fail here.

The app is correctly added to the passwordless connection. Application URIs are configured like this:

• Application Login URI: https://preview.custom-domain.com/login
• Allowed Callback URLs: https://preview.custom-domain.com
• Allowed Logout URLs: https://preview.custom-domain.com
• Allowed Web Origins: https://preview.custom-domain.com, https://auth.custom-domain.com
• Allowed Origins (CORS): https://*.custom-domain.com, https://custom-domain.com

We successfully tried using the code verification. Seems that we’re missing something with the magic link. It’s pretty frustrating as we do not have any log or whatsoever in the dashboard.

Any ideas?

Hello @benjaminn - Thank you for posting on Auth0 community!! Welcome!

In order to help me troubleshoot, can you please answer the following questions:

1. Can you please share what version of auth0-js SDK you are using?

2. What email provider are you using?

3. Are you following this guide we have on Passwordless Authentication with Magic Link - Passwordless Authentication with Magic Links?

In addition, can you also try to use a curl command for this and see if the results are different: Authentication API Explorer

Also keep in mind, with magic link transactions, both the initial request and its response must take place in the same browser or the transaction will fail.

If you are still having issues after trying those things, please feel free to Direct Message your tenant name along with a HAR file while trying to click on the link and I can further investigate on my end.

Hi @ruchi,

1. v9.13.2 of the sdk
2. sendinblue as for the email provider
3. we followed the guide yes and this one too: Authentication API Explorer

Same results for the curl command. Email is correctly received, link seems ok but same effect, back to universal login page.

All the transactions are made in the same browser.

I’ve sent you a DM with the HAR file and the tenant name.

Hope you can help, thx!

Hi @benjaminn -

Thank you for answering my questions and sending over the HAR file as well as your Tenant name. After further investigation, I was able to find out that Auth0 is restricting the use of the /passwordless/start endpoint from confidential applications when Auth0 cannot authenticate that the call is made on behalf of the application.

OAuth uses the term ‘confidential’ for applications that can store secrets. In Auth0, those are 'Regular Web Applications’, which serve web pages from a backend app. Single Page Applications and Native Applications are considered ‘public’ applications, and are not affected by this change.

Can you please check the application type for this passwordless login function, if it is “Regular Web Application”, the client secret is required, if it is “Single Page Application” then the client secret is not required. As you can see in the API parameter description:
“ client_secret: REQUIRED The client_secret of your application, required for Regular Web Applications. ” (Authentication API Explorer)

If your application type is SPA, then as mentioned before: Single Page Applications and Native Applications are considered ‘public’ applications, and are not affected by this change.

If you are using Regular Web Application, and if you are calling the /passwordless/start endpoint from a page using JavaScript (e.g. auth0.js on the page) from Regular Web Applications, this will not be possible, as you cannot specify a client secret in a call made using JavaScript. If this is currently the case for your application, you will need to change your applications so that /passwordless/start is called from the backend of your web application, rather than from the frontend.

Details please see:
https://auth0.com/docs/migrations/guides/passwordless-start

Hope this helps and please let me know if you have any other questions/concerns.

Hi,

Thanks for the investigation. Unfortunately, our app type is SPA, so if i’m reading you correctly, we do not need a client_secret and should not be bound to the restriction of the /passwordless/start endpoint.

So we still need to figure out why auth0 cannot authenticate that the call is made on behalf of the application.

I’m out of a solution .
Any other ideas? cc @konrad.sopala @dan.woda

@benjaminn - Sorry for the delay. Looking at the HAR file you sent over, it looks like it is the capture of what happens when user clicks on the passwordless link but can you also send another one of what happens when the user tries to login via the login form - since that is where it sounds like the login is failing?
I also noticed that your call to passwordlessStart({..}) is missing the required param send Since you are trying to “send: link” can you please add that- see our doc here - Auth0.js v9 Reference.

Let me know if that helps!

Hey @ruchi!

I’ve sent you another HAR file as requested. Incidentally, i cannot login using my valid credentials. Logs output entries like this:

*Type Failed* Login (wrong password)
*Description* Wrong email or verification code.
*Connection*  email
*Application* All Applications [REDACTED]
*User*        [REDACTED]

Could it be related to the passed state?

Regarding the passwordlessStart func, the options object contains a key:value with { send: 'link', email: ... }. It’s ok on that side, request returns a 200.

Thanks again for your help,

Hello, any updates ?

Hey there!

Let me ping @ruchi

Apologies for the delay, @benjaminn!

After discussing it internally and looking at your tenant, the issue seems to be that you are using the New Universal Login (UL) experience. The new UL does not support Passwordless login - see our documentation on new UL experience: New Universal Login Experience. If you would like to use Passwordless Login, you must use our “Classic Universal Login” experience - please see: Configure Universal Login with Passwordless.

Hope this helps! Let us know if you have any further questions.

Hi!

Thanks for the update. I’ve switched to classic login, but i’m still having issues. I’ve switched to support.

I’ll post an update here if we find a solution.

Best,

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.