Hi there,
We recently discovered an issue in our mobile applications (react-native), and can’t quite understand what’s going on. We’re using passwordless with SMS/Twilio.
Users trying to log back in get a message that says: “no phone_number or no verification_code provided” (e.g., they get redirected back with that error).
This seems to happen when a client clears the local storage of their device, and tries to re-login. I’d go further and state that it’s probably only when the client still has an unexpired session on auth0 (e.g., the app loses the tokens it had, but the browser still has cookies for auth0, which remove the need to login/authorize our apps).
This happens to our devs, as we often clear storage off devices/emulators. I’m assuming it could happen in production to actual users, but I haven’t seen or heard about it (mainly because our users wouldn’t be re-installing the app every so often).
Our call to `Auth0({}).webAuth({}).authorize()` has included `{"prompt":"login"}` since we started using auth0.
If I remove that argument, we go back to “normal behaviour” (e.g., “it works”), getting redirected to the app with the proper tokens.
This affects our 2 tenants. We noticed it on our development tenant while developing, and we replicated the behaviour on our production tenant.
Clearing local data is something we’ve done quite a bit, but this behaviour seems new, and affects things we haven’t touched in a while.
Our best guess is that `{"prompt":"login"}` (now?) tries to force the client/browser to the auth0 side callback page that expects a POST of the phone number and/or verification code, but since the user is already logged in, they were never prompted for that information (hence, no phone_number provided).
Here’s the error in the logs, if that helps.
```json
{
  "date": "2019-02-07T08:57:37.737Z",
  "type": "f",
  "description": "no phone_number or no verification_code provided",
  "connection_id": "",
  "client_id": "CLIENT_ID",
  "client_name": "My Application Name",
  "ip": "14.207.228.198",
  "user_agent": "Mozilla/5.0 (Linux; Android 6.0.1; vivo 1606 Build/MMB29M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/62.0.3202.84 Mobile Safari/537.36 VivoBrowser/5.7.0.2",
  "details": {
    "body": {},
    "qs": {
      "scope": "openid profile offline_access",
      "audience": "AUDIENCE",
      "response_type": "code",
      "client_id": "CLIENT_ID",
      "prompt": "login",
      "clientId": "CLIENT_ID",
      "redirect_uri": "com.example.app://MY_AUTH0_TENANT.eu.auth0.com/android/com.example.app/callback",
      "state": "RANDOM",
      "code_challenge_method": "S256",
      "code_challenge": "RANDOM...",
      "auth0Client": "LOOKS LIKE A CLIENT ID"
    },
    "error": {
      "message": "no phone_number or no verification_code provided",
      "oauthError": "access_denied",
      "type": "oauth-authorization"
    },
    "session_id": "SOME_RANDOM_STRING"
  },
  "hostname": "MY_AUTH0_TENANT.eu.auth0.com",
  "user_id": "sms|RANDOMSTRING",
  "user_name": "+15555555555",
  "audience": "MY_AUDIENCE",
  "scope": [
    "openid",
    "profile",
    "offline_access"
  ],
  "auth0_client": {
    "name": "react-native-auth0",
    "version": "1.3.1"
  },
  "log_id": "XXX"
}
```
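
Added example, not part of the original post and not Auth0 or react-native-auth0 code: a small triage function that sorts exported tenant log events by whether they match the pattern in the entry above (failed event, this error message, `prompt=login` in the query string, empty body, session and user already identified). The helper names, the class labels and the reading of `session_id` plus `user_id` as "an existing session" are assumptions; the sample events are constructed from the posted entry.

```javascript
// Constructed sample events shaped like the log entry above; all values are placeholders.
const TARGET = "no phone_number or no verification_code provided";
const sampleEvents = [
  // Same shape as the posted failure: prompt=login, empty body, session and user known.
  { type: "f", description: TARGET, user_id: "sms|RANDOMSTRING",
    details: { body: {}, qs: { prompt: "login" }, session_id: "SOME_RANDOM_STRING" } },
  // Same message, but no session and no user: not the case the post describes.
  { type: "f", description: TARGET, user_id: "",
    details: { body: {}, qs: { prompt: "login" } } },
  // Same message without prompt=login in the query string.
  { type: "f", description: TARGET, user_id: "sms|RANDOMSTRING",
    details: { body: {}, qs: {}, session_id: "SOME_RANDOM_STRING" } },
  // Unrelated successful event (constructed).
  { type: "s", description: "", user_id: "sms|RANDOMSTRING", details: { qs: {} } },
];

// classifyEvent is a hypothetical helper, not an Auth0 API.
// Assumption: a non-empty details.session_id together with a populated user_id
// means the tenant already held a session for that user when the request arrived.
function classifyEvent(ev) {
  const details = ev.details || {};
  const message = ev.description || (details.error || {}).message || "";
  if (ev.type !== "f" || message !== TARGET) return "unrelated";

  const forcedPrompt = (details.qs || {}).prompt === "login";
  const emptyBody = Object.keys(details.body || {}).length === 0;
  const knownSession = Boolean(details.session_id) && Boolean(ev.user_id);

  return forcedPrompt && emptyBody && knownSession
    ? "forced-login-with-existing-session"
    : "same-error-other-cause";
}

// Count events per class so a log export can be triaged in one pass.
function summarize(events) {
  const counts = {};
  for (const ev of events) {
    const label = classifyEvent(ev);
    counts[label] = (counts[label] || 0) + 1;
  }
  return counts;
}

console.log(summarize(sampleEvents));
```

Running this over a tenant's exported failure events shows how often the error coincides with `prompt=login` and an already identified user, which is the condition the post suspects.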