We get lots of reports from users, who are using corporate e-mail domains, failing to sign up and log in with the passwordless login mechanism on our application. They receive our login e-mail, but when they click the link, they’re not able to complete the process. It’s like the token had expired immediately.
If I look into the logs, I see several instances of “Failed Login (wrong password)” (but also “Success Exchange” and “Success Login”) so I’m not sure what is happening. A friend tells me that some corporate e-mail services attempt to pre-visit links to make sure they’re not malicious, which uses up the token by the time it reaches the user. Is that something that’s happening here?
In nearly all cases, the user is able to sign in with a personal e-mail address (like their Gmail account), so it certainly seems that might be the culprit. How can I know for sure? Are there other culprits to investigate? And if corporate e-mails don’t play nice with Auth0, what’s the best way to address this?
Thanks!
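
One way to test the link-scanner hypothesis against exported log records, as an added example that is not part of the original post and not Auth0 code: it flags users whose success event is followed shortly by a failure from a different IP address or user agent, then counts the flagged users per e-mail domain. The record field names, the sample records and the 15-minute window are assumptions; the event descriptions are the ones quoted above.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records. Field names are hypothetical, not a real log
# schema; the event descriptions are the ones quoted in the post.
SAMPLE_EVENTS = [
    {"date": "2024-01-10T09:00:05Z", "event": "Success Login",
     "user": "ana@corp.example", "ip": "203.0.113.10", "ua": "scanner/1.0"},
    {"date": "2024-01-10T09:02:40Z", "event": "Failed Login (wrong password)",
     "user": "ana@corp.example", "ip": "198.51.100.7", "ua": "Mozilla/5.0"},
    {"date": "2024-01-10T09:10:00Z", "event": "Success Login",
     "user": "bob@gmail.com", "ip": "198.51.100.8", "ua": "Mozilla/5.0"},
    {"date": "2024-01-10T09:30:00Z", "event": "Failed Login (wrong password)",
     "user": "cy@corp.example", "ip": "198.51.100.9", "ua": "Mozilla/5.0"},
]

def _ts(value):
    """Parse an ISO 8601 UTC timestamp such as 2024-01-10T09:00:05Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def find_consumed_links(events, max_gap=timedelta(minutes=15)):
    """Return (user, success, failure) triples where a success from one client
    is followed within max_gap by a failure from a different client."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"].lower()].append(e)
    hits = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: _ts(e["date"]))
        last_ok = None
        for e in evs:
            if e["event"].startswith("Success Login"):
                last_ok = e
            elif e["event"].startswith("Failed Login") and last_ok:
                gap = _ts(e["date"]) - _ts(last_ok["date"])
                other_client = (e["ip"], e["ua"]) != (last_ok["ip"], last_ok["ua"])
                if gap <= max_gap and other_client:
                    hits.append((user, last_ok, e))
    return hits

def hits_by_domain(hits):
    """Count flagged users per e-mail domain to see whether they cluster."""
    counts = defaultdict(int)
    for user, _, _ in hits:
        counts[user.rsplit("@", 1)[-1]] += 1
    return dict(counts)
```

A failure with no earlier success for the same user (the third address in the sample) is not flagged, so those cases point to a different cause.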