Problem statement
I am calling /passwordless/start from the backend to generate a link/code that is sent to the email. Everything works fine when I choose to send “code”, but when a link is sent to the email it goes to a page with an error as shown in the attachment:
“Something Went Wrong. The link must be opened on the same device and browser from which you submitted your email address. Start over from this device or browser.”
Solution
There are a few options to fix this.
- We do allow the passwordless magic link to be opened from any browser, but you’ll need to update a tenant settings flag to enable this (details below). By default, this ability is blocked on new tenants because allowing the magic link to be opened from any browser is a CSRF vulnerability.
You can make a request like the following to update your tenant settings:
curl -H "Authorization: Bearer YOUR-MGMT-API-TOKEN" -X PATCH -H "Content-Type: application/json" -d '{"universal_login":{"passwordless":{"allow_magiclink_verify_without_session":true}}}' https://dev-jkhf7ekd17pkqdaa.us.auth0.com/api/v2/tenants/settings
Note: if you call /passwordless/start from the backend, include the auth0-forwarded-for header carrying the end user's IP address. Without it, every request appears to come from your server's IP, so all of your users share a single rate-limit bucket on that endpoint.
Docs: Embedded Passwordless Login in Regular Web Applications
- You can call /passwordless/start from the browser in an embedded passwordless flow. The user can then click the magic link in the same browser in which it was requested, which avoids the error.
Docs: Embedded Passwordless Login in Native Applications
- You can implement magic link passwordless with Classic Universal Login so that the call to /passwordless/start happens from the browser. As above, the user can then click the magic link in the same browser in which it was requested, which avoids the error.
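The following is an added example, not code from Auth0 or from the original post, showing the first option end to end from a backend: building the tenant-settings PATCH that enables allow_magiclink_verify_without_session, and building the /passwordless/start request with the auth0-forwarded-for header set to the end user's IP rather than the server's. The tenant domain, tokens, client credentials, email address and IP addresses are placeholders constructed for the example. The request-body field names (client_id, client_secret, connection, email, send) follow Auth0's public documentation for /passwordless/start as I understand it; the helper names are my own. Nothing in the block makes a network call unless you run main() against a real tenant.

```python
"""Backend helpers for Auth0 magic-link passwordless (added example, not Auth0's code).

Assumptions: AUTH0_DOMAIN, tokens, client credentials and IPs below are placeholders.
"""
import ipaddress
import json
import urllib.request

AUTH0_DOMAIN = "YOUR-TENANT.auth0.com"  # placeholder tenant domain


def build_tenant_settings_patch(domain, mgmt_token, allow=True):
    """Request that lets a magic link be verified without a session on the
    opening browser. This is what the curl command on the page does."""
    url = f"https://{domain}/api/v2/tenants/settings"
    headers = {
        "Authorization": f"Bearer {mgmt_token}",
        "Content-Type": "application/json",
    }
    body = {
        "universal_login": {
            "passwordless": {"allow_magiclink_verify_without_session": allow}
        }
    }
    return url, headers, body


def client_ip_from_request(remote_addr, x_forwarded_for=None, trusted_proxy=False):
    """Pick the end user's IP to forward to Auth0.

    Only honour X-Forwarded-For when the app sits behind a proxy you control,
    and then take the first hop (the original client). The value is validated
    as an IP so a malformed header cannot be passed through."""
    candidate = remote_addr
    if trusted_proxy and x_forwarded_for:
        candidate = x_forwarded_for.split(",")[0].strip()
    ipaddress.ip_address(candidate)  # raises ValueError if not a valid IP
    return candidate


def build_passwordless_start(domain, client_id, client_secret, email, end_user_ip, send="link"):
    """Request for /passwordless/start from a confidential backend client.

    auth0-forwarded-for carries the end user's IP so rate limiting is applied
    per user instead of to the single server IP."""
    url = f"https://{domain}/passwordless/start"
    headers = {
        "Content-Type": "application/json",
        "auth0-forwarded-for": end_user_ip,
    }
    body = {
        "client_id": client_id,
        "client_secret": client_secret,
        "connection": "email",
        "email": email,
        "send": send,  # "link" for a magic link, "code" for a one-time code
    }
    return url, headers, body


def send_json(method, url, headers, body, timeout=10):
    """Perform the HTTP call; returns (status, parsed JSON or {})."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), headers=headers, method=method
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else {})


def main():
    # Placeholder values; replace with real ones before calling send_json().
    patch = build_tenant_settings_patch(AUTH0_DOMAIN, "YOUR-MGMT-API-TOKEN")
    ip = client_ip_from_request("10.0.0.5", "203.0.113.7, 10.0.0.1", trusted_proxy=True)
    start = build_passwordless_start(
        AUTH0_DOMAIN, "YOUR-CLIENT-ID", "YOUR-CLIENT-SECRET", "user@example.com", ip
    )
    for method, (url, headers, body) in (("PATCH", patch), ("POST", start)):
        print(method, url, json.dumps(headers), json.dumps(body))


if __name__ == "__main__":
    main()
```

Keep trusted_proxy=False unless the app is only reachable through a proxy that overwrites X-Forwarded-For; otherwise a client can pick the IP that Auth0 sees, which defeats the per-user rate limit the header is meant to enable.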