I’ve created a native application and defined the Allowed Callback URLs corresponding to my native app.
I’ve set the grant types to Refresh Token, Implicit and Passwordless OTP.
I’ve configured the passwordless connection and I am able to receive emails.
I am requesting a passwordless link using the passwordless/start API (Authentication API Explorer):
// fetcher is the app's own HTTP helper (not shown); it is assumed to send the
// JSON body with a Content-Type: application/json header.
fetcher(`https://${AUTH0_DOMAIN}/passwordless/start`, {
  method: 'post',
  body: JSON.stringify({
    client_id: AUTH0_CLIENT_ID,
    connection: 'email',
    send: 'link',            // request a magic link rather than a code
    email: values.email,
    authParams: {
      scope: 'openid email profile offline_access',
    },
  }),
})
I receive an email with the following example link:
https://xxx.auth0.com/passwordless/verify_redirect?scope=openid%20email%20profile%20offline_access&response_type=token&redirect_uri=xxx&grant_type=token&verification_code=xxx&connection=email&client_id=xxx&email=xxx
After clicking the URL, my native app opens and the deep link contains: xxx://xxx.auth0.com/ios/xxx/callback#access_token=xxx&scope=openid%20profile%20email%20offline_access&expires_in=7200&token_type=Bearer
Since this is a native application I would like to use refresh tokens as recommended.
PS: if I use a code instead of a magic link I am able to get a refresh token using the oauth/token API (Authentication API Explorer):
// Same fetcher helper as above; Config.AUTH0_CLIENT_ID is the app's client id.
fetcher(`https://${AUTH0_DOMAIN}/oauth/token`, {
  method: 'post',
  body: JSON.stringify({
    client_id: Config.AUTH0_CLIENT_ID,
    grant_type: 'http://auth0.com/oauth/grant-type/passwordless/otp',
    connection: 'email',
    realm: 'email',
    username: values.email,
    otp: values.code,        // the one-time code pasted in by the user
    scope: 'openid email profile offline_access',
  }),
})
This correctly returns me an access and refresh token. But this flow kills the whole usefulness of magic links, since now codes need to be copied/pasted manually.
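As an added example (not code from the post or from Auth0), the following script inspects the two URLs shown above to make the mismatch visible: the magic link carries response_type=token, i.e. the implicit grant, which per RFC 6749 section 4.2 must not issue a refresh token, so the offline_access scope echoed in the callback fragment has no effect. The sample URLs are constructed from the post with placeholder values.

```javascript
// Constructed from the URLs in the post; all secrets replaced by placeholders.
const MAGIC_LINK = 'https://example.auth0.com/passwordless/verify_redirect' +
  '?scope=openid%20email%20profile%20offline_access&response_type=token' +
  '&redirect_uri=x&grant_type=token&verification_code=x&connection=email' +
  '&client_id=x&email=x';
const CALLBACK = 'myapp://example.auth0.com/ios/x/callback' +
  '#access_token=x&scope=openid%20profile%20email%20offline_access' +
  '&expires_in=7200&token_type=Bearer';

// Parse the query string of the verify_redirect link.
function inspectMagicLink(url) {
  const params = new URL(url).searchParams;
  const scopes = (params.get('scope') || '').split(' ').filter(Boolean);
  return {
    responseType: params.get('response_type'),
    requestsOfflineAccess: scopes.includes('offline_access'),
  };
}

// Parse the fragment of the deep link the native app receives. Implicit-grant
// tokens arrive in the fragment; a code flow would deliver a ?code= instead.
function inspectCallback(url) {
  const hash = url.split('#')[1] || '';
  const params = new URLSearchParams(hash);
  return {
    deliveredInFragment: hash.length > 0,
    hasAccessToken: params.has('access_token'),
    hasRefreshToken: params.has('refresh_token'),
    expiresIn: Number(params.get('expires_in')),
  };
}

// Report whether a refresh token is obtainable with this link at all.
function diagnose(magicLinkUrl, callbackUrl) {
  const link = inspectMagicLink(magicLinkUrl);
  const cb = inspectCallback(callbackUrl);
  const implicit = link.responseType === 'token';
  return {
    flow: implicit ? 'implicit' : link.responseType,
    refreshTokenPossible: !implicit,
    refreshTokenReceived: cb.hasRefreshToken,
    problem: implicit && link.requestsOfflineAccess
      ? 'offline_access requested but response_type=token: the implicit grant cannot return a refresh token'
      : null,
  };
}

console.log(diagnose(MAGIC_LINK, CALLBACK));
```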