Passwordless login NOT WORKING

I have been working with a passwordless login page for months with no trouble, bot today it is not working:

When tries to call this URL:
https://login.eu.auth0.com/lo/wsfed?disable_signup=false&name=email&email=&authParams=&totp=&brute_force_protection=true&store=&strategy_instance=email&wctx=tK5Ewi8Sps1gqf6vh_xyFn1CbyxtouTn&wtrealm=urn%3Aauth0%3Acheftonic%3Aemail&wa=wsignin1.0

Returns a 404 with a message: Cannot GET /wsfed

I need to solve this ASAP, as my we can’t login!!

Our users are also getting this today
OS:
Windows 7 Enterprise SP1
Browsers:
Chrome 64.0.3282.186 (Official Build (64-bit)
Firefox 58.0.2 (64-bit)

Hi Carlos,

I’ve responded to the support ticket you’ve opened. We can continue our correspondence there.

Once I’ve resolved it I’ll update your question with a public facing answer should the issue turn out not to be specific to your tenant.

Thank you for your patience.

Could you please share a HAR file (please remove any sensitive details such as passwords) so we can have a closer look at the requests?

Please upload it to a cloud storage service (e.g. Google drive), and share the link with us. Feel free to restrict access to the link for only @auth0.com email addresses using Sharelock.io.

We are seeing the exact same error. It started to happen when choosing “continue as user” when using passwordless with SMS after having previously logged in. Today it also happens after choosing “use a different account” after the confirmation code is entered.

This is the URL that it fails on for us:

https://login.eu.auth0.com/lo/wsfed?disable_signup=false&name=sms&twilio_sid=<SID>&twilio_token=<TOKEN>&from=&syntax=md_with_macros&template=<OUR SMS TEMPLATE>&totp=&messaging_service_sid=<SERVICE_SID>&brute_force_protection=true&store=&strategy_instance=sms&wctx=<SOME_ID>&wtrealm=urn%3Aauth0%3A<OUR_TENANT>%3Asms&wa=wsignin1.0

Ours is
https://login.eu.auth0.com/lo/wsfed?disable_signup=false&name=email&email=&authParams=&totp=&brute_force_protection=true&store=&strategy_instance=email&wctx=&wtrealm=urn%3Aauth0%3A%3Aemail&wa=wsignin1.0

This happens on a hosted login page using https://cdn.auth0.com/js/lock/11.3/lock.min.js

It definitely looks like that webservice - https://login.eu.auth0.com/lo/wsfed - is down or unreachable.

Here is our (sanitized) HAR file: https://sharelock.io/1/IXfMxljOzqG0eqirtfoKJqSVxXBROjkasZeqpXMGNno.XzPJ4o/adybucsJ7vo8RLIiWoLDJpc8piGvwLWWatKAvrjVKfvTfaaG2j/GmHUUnFzwjW2zaBjn84zL9O_A0XcCpSDqjmtrx5EER8bV3dq6P/bjTKE5aZElwVtGiwxfoAkon9fyLtV19FOEg5Ilij-EKcwl.n8u/TWNWtuIjFs1B5FGWZ1w

Just to be curious: Which data did you sanitize?

We’ve identified the problem and it seems an edge case with passwordless has arisen as a result of a few recent changes that were necessary to enable new features.

We’ve applied a workaround to your (Carlos and pparsons1) tenants in the meantime while we work on fixing this. Max, could you please share your tenant name privately via Sharelock so we can fix yours too?

Richard, could you please explain further what this ‘edge case’ is? As a users, we’d like to be as standard and mainstream as possible so we don’t encounter with these surprises.

In short: How can we avoid this edge case?

Thanks
Carlos

We’re still investigating the cause but it’s likely related to some changes we made to our internal state handling. It should be fixed for everyone now. Please let us know otherwise.

We are getting the same issue, but it is specific to passwordless SMS when you click the “Last time you logged in with” link. Instead of logging in, we get a 404 with the text

Cannot GET /wsfed
.

Here is the sanitized url that is failing for us: https://login.au.auth0.com/lo/wsfed?disable_signup=false&name=sms&twilio_sid=<twilio_sid>&twilio_token=<twilio_token>&from=syntax=md_with_macros&template=Your%20verification%20code%20is%3A%20%40%40password%40%40&totp=&messaging_service_sid=&brute_force_protection=true&store=&strategy_instance=sms&wctx=&wtrealm=urn%3Aauth0%3A%3Asms&wa=wsignin1.0

Hi, it looks like the “last time you logged in with” link is now just disabled, is that right? Is that while you are fixing it or is something else stopping that from being displayed ( I have set rememberLastLogin: true)?

@mike25 are you still experiencing this issue? There was a fix issued Thursday. Please let me know.

Hi Kim,

Thanks for getting back to me. Sorry for the delay in my response.

Yes, we are still having an issue. The “Last time you logged in with” link still doesn’t show when using Auth0LockPasswordless and an sms connection. We have a separate login flow which does display the “Last time you logged in with” link, but it uses the Auth0Lock widget and social login types.

Perhaps you could review my widget configuration here to see if something is wrong there (This is within a hosted login page and uses lock 11.4.0):

var lock = new Auth0LockPasswordless(config.clientID, config.auth0Domain, {
  auth: {
    redirectUrl: config.callbackURL,
    responseType: (config.internalOptions || {}).response_type ||
      config.callbackOnLocationHash ? 'token' : 'code',
    params: config.internalOptions
  },
  assetsUrl:  config.assetsUrl,
  allowSignUp: true,
  rememberLastLogin: true,
  language: language,
  languageDictionary: languageDictionary,
  allowedConnections: [ 'sms'],
  params: {
      scope: 'openid profile' 
    },
  prefill: loginHint ? { email: loginHint, username: loginHint } : null,
  closable: false,
});