Passwordless Magic Link

min.soo.kim · June 15, 2022, 8:01pm

Is the auth0.js the only library to be used with password-less with magic link? Is there an example of password-less with magic link that use libraries other than auth0.js?

I’m trying to find a way where I can access refresh_token using password-less with magic link.

dan.woda · June 24, 2022, 6:02pm

Hi @min.soo.kim,

Welcome to the Auth0 Community!

You should be able to use most SDKs to get a passwordless magic link set up. The SDKs initiate the request and handle the response in the client, regardless of which login method you are using.

The passwordless setup part happens on the Auth0 server.

This doc demonstrates how to set up passwordless.

And this doc shows how to get a refresh token, although much of the code here will be handled by the SDK. Do you know which SDK you would like to use?

min.soo.kim · July 12, 2022, 1:46am

Thank you so much for the info, Dan.

If I could bug you just a little bit more, I came across the following article: Unable to retrieve a refresh token using the passwordless link method

Where the author states that

https://auth0.com/docs/best-practices/token-best-practices#refresh-token-usagePasswordless flow is not part of Oauth2.0 grant flows. Hence, it is not supported.

Is this true? That password-less with magic link cannot be used to access refresh token?

dan.woda · July 12, 2022, 10:45pm

It appears possible according to this post: How to get `refresh_token` for embedded passwordless auth in a native app.

What are you seeing returned when you request one?

min.soo.kim · July 16, 2022, 6:36pm

Before answering the question, may I provide a bit more context? Here’s the code snippet from our FE which uses auth0-js package:

...
import { WebAuth } from "auth0-js";
...
export const AuthProvider = (props: AuthProviderProps) => {
    const [auth0] = useState<WebAuth>(new WebAuth({
        domain: domain,
        clientID: clientId,
        responseType: responseType,
        redirectUri: redirectUri,
        audience: audience,
        scope: "openid profile email offline_access",,
        })
    ));

    ....

    const renewSession: RenewSession = async () => {
        const { err, res } = await new Promise(resolve => auth0.checkSession({}, (err, res: AuthResult) => resolve({ err, res })));
    }
    ...
  };
}
...

So to answer your question, inside res from const { err, res } = await new Promise(resolve => auth0.checkSession({}, (err, res: AuthResult) => resolve({ err, res })));, the properties look like this:

{
    "accessToken": "...",
    "idToken": "...",
    "idTokenPayload": {
        "https://cos.goldn.com/": {
            "userId": "..."
        },
        "nickname": "...",
        "name": "...",
        "picture": "...",
        "updated_at": "2022-07-16T17:52:29.948Z",
        "email": "...",
        "email_verified": true,
        "iss": "...",
        "sub": "...",
        "aud": "...",
        "iat": 1657994279,
        "exp": 1658030279,
        "at_hash": "...",
        "nonce": "..."
    },
    "appState": "...",
    "refreshToken": null,
    "state": "...",
    "expiresIn": 86400,
    "tokenType": "Bearer",
    "scope": "openid profile email offline_access"
}

And even though I followed the instruction and set the scope to include offline_access and enable them in my API, the value of refreshToken is still null