SMS Passwordless & Avoiding Prompt to Authorize Client

I am setting up to use an SMS Code Passwordless Login from an Angular SPA Application Client (created in the dashboard, so by default first party - and I’ve confirmed this via the Management API). When I enter the SMS code for a new user connection and make the call to:

  // Verify the SMS code and complete the passwordless login
  angularAuth0.passwordlessLogin({
    connection: 'sms',
    phoneNumber: phoneNumber,
    verificationCode: code,
    authParams: {
      redirectUri: options.redirectUri,
      audience: options.audience,
    },
  });

It is then prompting the user to Authorize App.

Hi , is requesting access to your tenant

Profile: access to your profile and email

The customer I am building the application for is adamant they DO NOT want ANY prompts to their users about Authorizing anything as it will only confuse their users and scare them away from using our product. I have read the documentation and am unsure why it is prompting for this in the first place. The client is a First Party client, there are no APIs involved (unless the Auth0 Management API is involved, but I’ve set “Allow Skipping User Consent” to true for all our APIs), so I’m unsure how to proceed to ensure no prompts come up.

Thanks

Is the request being initiated from localhost? If so, localhost is never considered secure. There’s some more info around this here:

No, I’m aware of the localhost issue. I am running it locally on a Windows 7 Pro machine, but have defined another name to use in the URL instead of localhost.

Are you doing the hosts fix for localhost dev? Also, you may need to set the prompt parameter to none.

Also, what version of Auth0.js or lock.js is the Angular library using?

Yes, I am setting up a different name to resolve in hosts instead of using localhost. I am using Auth0.js v9. I tried adding “prompt: none”, but it didn’t make a difference.

Another thing I found is that you can also specify a different audience and disable the consent screen for that API. Please see the instructions here:

Thanks - I found my issue. There was a localhost entry in the callbacks in the tenant. I wasn’t aware that if a localhost entry was set up it would always prompt - I assumed if you didn’t use the localhost entry it wouldn’t prompt, but that link you sent showed me otherwise.

That’s great to hear!
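
The checks raised in this thread (first-party client, loopback callback entries, per-API consent skipping) can be run over a client's settings before chasing the prompt in the browser. This is an added example, not code from the thread or from Auth0. The sample objects are constructed, and the field names `is_first_party`, `callbacks`, `identifier` and `skip_consent_for_verifiable_first_party_clients` are assumed to match the Management API client and resource-server objects.

```javascript
// Added example: list the consent-prompt triggers discussed in this thread.
// Field names are assumed to match Management API objects; data is constructed.
const LOOPBACK_NAMES = new Set(['localhost', '[::1]']);

function isLoopbackUrl(value) {
  try {
    const host = new URL(value).hostname.toLowerCase();
    return LOOPBACK_NAMES.has(host) ||
      host.endsWith('.localhost') ||
      /^127\.\d+\.\d+\.\d+$/.test(host);
  } catch (err) {
    return false; // entry has no parseable host
  }
}

function consentPromptCauses(client, apis, audience) {
  const causes = [];
  if (client.is_first_party !== true) {
    causes.push('client is not first party');
  }
  for (const cb of client.callbacks || []) {
    if (isLoopbackUrl(cb)) causes.push(`loopback callback allowed: ${cb}`);
  }
  if (audience) {
    const api = (apis || []).find((a) => a.identifier === audience);
    if (!api) {
      causes.push(`audience not found: ${audience}`);
    } else if (api.skip_consent_for_verifiable_first_party_clients !== true) {
      causes.push(`consent skipping disabled for API: ${audience}`);
    }
  }
  return causes;
}

// Constructed sample: a hosts-file dev name plus a leftover localhost entry.
const sampleClient = {
  is_first_party: true,
  callbacks: ['https://dev.example.test/callback', 'http://localhost:4200/callback'],
};
const sampleApis = [
  { identifier: 'https://api.example.test', skip_consent_for_verifiable_first_party_clients: true },
];

console.log(consentPromptCauses(sampleClient, sampleApis, 'https://api.example.test'));
```

An empty result means none of the conditions mentioned in the thread apply to that client and audience.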
