SMS Passwordless & Avoiding Prompt to Authorize Client

symladmin · March 23, 2018, 9:04pm

I am setting up to use an SMS Code Passwordless Login from an Angular SPA Application Client (created in the dashboard, so by default first party - and I’ve confirmed this via the Management API). When I enter the SMS code for a new user connection and make the call to:

  angularAuth0.passwordlessLogin({
    connection: 'sms',
    phoneNumber: phoneNumber,
    verificationCode: code,
    authParams: {
      redirectUri: options.redirectUri,
      audience: options.audience,
    },

It is then prompting the user to Authorize App.

Hi , is requesting access to your tenant

Profile: access to your profile and email

The customer I am building the application for is adamant they DO NOT want ANY prompts to their users about Authorizing anything as it will only confuse their users and scare them away from using our product. I have read the documentation and am unsure why it is prompting for this in the first place. The client is a First Party client, there are no APIs involved (unless the Auth0 Management API is involved, but I’ve set “Allow Skipping User Consent” to true for all our APIs), so I’m unsure how to proceed to ensure no prompts come up.

Thanks

jerdog · March 23, 2018, 9:44pm

Is the request being initiated from localhost? If so, localhost is never considered secure. There’s some more info around this here:

symladmin · March 23, 2018, 10:15pm

No, I’m aware of the localhost issue. I am running it locally on a Windows 7 Pro machine, but have defined another name to use in the URL instead of localhost.

jerdog · March 23, 2018, 10:28pm

Are you doing the hosts fix for localhost dev? Also, you may need to set the prompt parameter to none.

jerdog · March 23, 2018, 10:31pm

Also what version of Auth0.js or lock.js the Angular library is using?

symladmin · March 26, 2018, 6:36pm

Yes, I am setting up a different name to resolve in hosts instead of using localhost. I am using Auth0.js v9. I tried adding “prompt: none”, but it didn’t make a difference.

jerdog · March 26, 2018, 7:50pm

Another thing I found is that you can also specify a different audience and disable the consent screen for that API. Please see the instructions here:

symladmin · March 26, 2018, 8:54pm

Thanks - I found my issue. There was a localhost entry in the callbacks in the tenant. I wasn’t aware if a localhost entry was setup it would always prompt - I assumed if you didn’t use the localhost entry it wouldn’t prompt, but that link you sent showed me otherwise.

jerdog · March 26, 2018, 10:15pm

That’s great to hear!

system · March 27, 2018, 10:15pm

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.