Passwordless SMS: trying to log back in with an active session, "no phone_number or verification code"

Hi there,

We recently discovered an issue in our mobile applications (react-native), and can’t quite understand what’s going on. We’re using passwordless with SMS/Twilio.

Users trying to log back in get a message that says: “no phone_number or no verification_code provided” (eg, get redirected back with that error)

This seems to happen when a client clears the local storage of their device, and tries to re-login. I’d go further and state that it’s probably only when the client still has an unexpired session on auth0 (eg, the app loses the tokens it had, but the browser still has cookies for auth0, which remove the need to login/authorize our apps.)

This happens to our devs, as we often clear storage off devices/emulators. I’m assuming it could happen in production to actual users, but I haven’t seen or heard about it (mainly because our users wouldn’t be re-installing the app every so often).

Our call to Auth0({}).webAuth({}).authorize() has included {"prompt":"login"} since we started using auth0.

If I remove that argument, we go back to “normal behaviour” (eg, “it works”), getting redirected to the app with the proper tokens.

This affects our 2 tenants. We noticed on our development tenant while developing, and we replicated the behaviour on our production tenant.

Clearing local data is something we’ve done quite a bit, but this behaviour seems new, and affects things we haven’t touched in a while.

Our best guess is that {"prompt":"login"} (now?) tries to force the client/browser to the auth0-side callback page that expects a POST of the phone number and/or verification code, but since the user is already logged in, they were never prompted for that information (hence, no phone_number provided).

Here’s the error in the logs, if that helps.

{
  "date": "2019-02-07T08:57:37.737Z",
  "type": "f",
  "description": "no phone_number or no verification_code provided",
  "connection_id": "",
  "client_id": "CLIENT_ID",
  "client_name": "My Application Name",
  "ip": "14.207.228.198",
  "user_agent": "Mozilla/5.0 (Linux; Android 6.0.1; vivo 1606 Build/MMB29M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/62.0.3202.84 Mobile Safari/537.36 VivoBrowser/5.7.0.2",
  "details": {
    "body": {},
    "qs": {
      "scope": "openid profile offline_access",
      "audience": "AUDIENCE",
      "response_type": "code",
      "client_id": "CLIENT_ID",
      "prompt": "login",
      "clientId": "CLIENT_ID",
      "redirect_uri": "com.example.app://MY_AUTH0_TENANT.eu.auth0.com/android/com.example.app/callback",
      "state": "RANDOM",
      "code_challenge_method": "S256",
      "code_challenge": "RANDOM...",
      "auth0Client": "LOOKS LIKE A CLIENT ID"
    },
    "error": {
      "message": "no phone_number or no verification_code provided",
      "oauthError": "access_denied",
      "type": "oauth-authorization"
    },
    "session_id": "SOME_RANDOM_STRING"
  },
  "hostname": "MY_AUTH0_TENANT.eu.auth0.com",
  "user_id": "sms|RANDOMSTRING",
  "user_name": "+15555555555",
  "audience": "MY_AUDIENCE",
  "scope": [
    "openid",
    "profile",
    "offline_access"
  ],
  "auth0_client": {
    "name": "react-native-auth0",
    "version": "1.3.1"
  },
  "log_id": "XXX"
}
3 Likes

Hey there @ljm-tw!

Thanks for such a detailed case description. Let me establish the reasoning behind the behaviour to see where exactly the problem is. I’ll get back to you once I have any updates!

I have also been facing exactly the same issue for the past 2 days with Auth0, without any Auth0 login configuration changes.
Looking forward to a prompt response from the Auth0 team.

1 Like

Here’s our case:

I am using Passwordless login with Auth0, which has been working fine for the past few weeks. Recently I have received complaints from team members that they are having trouble logging in to the system. Following are the insights:

react-native-auth0 is the client being used.
Invocation method: Auth0.webAuth.authorize({…config})
API endpoint: https:///userinfo
scope: “openid offline_access”,
Error Message:
"error": {
"message": "no phone_number or no verification_code provided",
"oauthError": "access_denied",
"type": "oauth-authorization"
},

This issue is being raised on android/ios platforms.
Please help me out on this issue and let me know if further details are required.

Regards,
Ashutosh Mishra

1 Like

Hey everyone I reached out to our developer support team. Once I have any info to share I’ll update you with that!

1 Like

Hi,

I’m trying to set up Passwordless authentication with SMS and I’m facing the same error.

Here is my authorize url :

https://goferworkondemand.eu.auth0.com/authorize?audience=https%3A%2F%2Fweb.gofer.fr%2Fgraphql&client_id=rL0Dg3IcWoRUTYC8uQ8083QcpmGC2eND&code_challenge=n9bLRBpfxTwJmadL-CIriA-RPtI2J3aTB4I5Vq0DsWQ&code_challenge_method=S256&connection=sms&redirect_uri=exp%3A%2F%2F127.0.0.1%3A19000%2F--%2Fauthorize%2Fcallback&response_type=code&scope=offline_access%20openid%20profile%20email%20update%3Acurrent_user_identities

1 Like

+1, also seeing this for “magic link”:

{"error":"access_denied","errorDescription":"no email or no verification_code provided","state":"3Jlsq6F994xGUU2eLrO~ZOiC6fPP2k93"}

Example log_id: 90020190213103454082543582805344692234699492240633364482

1 Like

Hey folks!

I escalated all those cases to our developer support team. Let me get back to you once I have something from them to share!

1 Like

We had a similar issue in Production today and are wondering if there are any further updates on this.

Thank you,

Sachin

2 Likes

Hey everyone!

Our team is trying to reproduce it and establish a reasoning behind such behaviour. Once we have news to share you’ll be first to hear them!

1 Like

Thank you for your response. We’ve been encountering this for the past few days & it is a blocker for users that have signed out locally in our Ionic app as they cannot successfully prompt for a new login.

2 Likes

Thanks for reporting that @LordParsley!

I just pinged back our developer support team to see if they found out something already.

1 Like

Much appreciated @konrad.sopala.

May I ask – has anyone in this thread found a successful workaround? We can only seem to prevent it by deleting the user which is mostly not feasible.

1 Like

Hi, @konrad.sopala,

Thanks for escalating this issue. This has become a blocker for us. Here is some additional information on how I’m experiencing this problem. No code/tenant configuration has changed.

I’m constructing an AuthorizationUrl via the BuildAuthorizationUrl() method provided by the AuthenticationApiClient, as shown below:

        // Build the /authorize URL with the Auth0 .NET AuthenticationApiClient.
        string url = _authenticationApiClient.BuildAuthorizationUrl()
            .WithResponseType(AuthorizationResponseType.Code)
            .WithClient("Client identifier")
            .WithRedirectUrl("the endpoint that I should be redirected to.")
            .WithScope("openid")
            .WithValue("prompt", "login")       // force the login page to be shown
            .WithValue("login_hint", "email address passed as login hint")
            .Build().ToString();

        // Send the browser to Auth0 to complete the login.
        return Redirect(url);

The behavior before I experienced the issue was that the redirect would take me to the Auth0 login page as expected by passing through the prompt=login parameter. Once I completed that stage I would then be redirected back to the redirect Url specified.

But now I am not presented with the login page; instead, an error is returned indicating a failure at the authorization endpoint.

The Auth0 logs for the tenant show the following. (See main error in bold)

{
"date": "2019-02-14T17:16:37.061Z",
"type": "f",
"description": "no email or no verification_code provided",
"connection_id": "",
"client_id": "SENSITIVE INFORMATION",
"client_name": "SENSITIVE INFORMATION",
"ip": "SENSITIVE INFORMATION",
"user_agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.109 Safari/537.36",
"details": {
"body": {},
"qs": {
"response_type": "code",
"client_id": "SENSITIVE INFORMATION",
"redirect_uri": "SENSITIVE INFORMATION",
"scope": "openid",
"prompt": "login",
"login_hint": "SENSITIVE INFORMATION"
},
"error": {
"message": "no email or no verification_code provided",
"oauthError": "access_denied",
"type": "oauth-authorization"
},
"session_id": "mFL-1ZS4AlqRJHWVLwtxs4kF8JVAZ-cM"
},
"hostname": "SENSITIVE INFORMATION",
"user_id": "SENSITIVE INFORMATION",
"user_name": "SENSITIVE INFORMATION",
"audience": "https://SENSITIVE INFORMATION/userinfo",
"scope": [
"openid"
],
"log_id": "90020190214171637061851047972789516372534476022451535874"
}

2 Likes

This issue happens across different tenants (including production ones) and Auth0 customers in the last several days. There are no feasible workarounds and there is no solution either. I think this issue must be escalated and become top priority for Auth0 engineering team. So far it looks like a clear regression on Auth0 side and the more we wait, the more chances for us would be to use and recommend rival Authentication-as-a-Service products for our new projects.

1 Like

In the development environment, removing the cookies from the browser works.
For production we moved to API-based login and dumped the hosted pages. We implemented native pages in the mobile app and leveraged the APIs to do the authentication.

Auth0 Engineering team is taking quite some time to revert on this.

2 Likes

Many thanks, @akmishra ! Will try your cookie workaround on my end & assess a custom plugin to the native libs.

Are there any updates to this? We are now several days on from this being reported with no updates of note…

2 Likes

Hi @konrad.sopala,

Do you have any updates, please? The cookie fix mentioned by @LordParsley does not work for us, and implementing a custom login screen via the login APIs is not a recommended best practice if we want to leverage all the security benefits provided by hosting the login page with the Auth0 tenant. Please can you provide an update?

Many Thanks for your help.

2 Likes

@anjam.tahir I agree with you.

  • On iOS, one cannot clear the cookie data of the SafariViewController because it is outside the app sandbox.
  • Implementing a native wrapper isn’t ideal & I’m fairly sure Auth0 advises against it because the JS interface is vulnerable (?) whereas a hosted page is sandboxed. (In any case, I don’t think we have the time.)
  • I’ve tried revoking application access & device access on a user. The only thing that seems to work is deleting the user in the Auth0 dashboard.
  • Unless I’m missing something, I can’t do a logout call using http?

Thanks again.