@rodney @mark28 Hey there, welcome to Auth0!
I can confirm that for the New Universal Login and the Authorization Profile set to Identifier First (and only the passwordless connection enabled for the client app), the expected behaviour of using the login_hint parameter in the /authorize? request is to already receive the second prompt in the flow, that is, the one to provide a code/link received via the email address specified in the hint (the last one used to log in).
But on the other hand, I wonder if maybe using this parameter is a kind of unwanted redundancy?
When I tested the flow just in my browser for a dummy web app registered in an Auth0 tenant with this request:
1. GET https://dev-lab-mb.eu.auth0.com/authorize?client_id=uUov3mCpjEnSejZPSCZ9btF3VW1wyowy&connection=email&response_type=code&response_mode=query&state=…&redirect_uri=https://google.com
I got this as a response:
The email field got prefilled with the one I used the last time to log in + when clicking on the email field I got a list of all email addresses used in the past. It comes from Google. The form hasn’t been autosubmitted.
Alternatively, you can experiment with another OIDC supported parameter: ?prompt=select_account - I verified that it doesn’t change the flow and return the first prompt (to choose an email).
More info on OIDC compliant parameters and its implementation here.
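
The request discussed in the post above, as an added example that is not part of the original post or Auth0's own code: it builds the same /authorize URL with an optional login_hint or prompt, URL-encodes the hint, generates a fresh state per request and checks that state on the callback. The tenant domain, client ID and redirect URI are placeholders, and the function names are hypothetical.

```javascript
const crypto = require("node:crypto");

// Build the /authorize request for the passwordless "email" connection.
// loginHint and prompt are optional, matching the two variants in the post.
function buildAuthorizeUrl({ domain, clientId, redirectUri, loginHint, prompt }) {
  // Fresh, unguessable state per request; the caller stores it in the session.
  const state = crypto.randomBytes(32).toString("base64url");
  const url = new URL(`https://${domain}/authorize`);
  const q = url.searchParams; // encodes values, so "+" in an email becomes %2B
  q.set("client_id", clientId);
  q.set("connection", "email");
  q.set("response_type", "code");
  q.set("response_mode", "query");
  q.set("state", state);
  q.set("redirect_uri", redirectUri);
  if (loginHint) q.set("login_hint", loginHint);
  if (prompt) q.set("prompt", prompt); // e.g. "select_account"
  return { url: url.toString(), state };
}

// Validate the redirect back to the app and return the authorization code.
function readCallback(callbackUrl, expectedState) {
  const params = new URL(callbackUrl).searchParams;
  const returned = Buffer.from(params.get("state") || "");
  const expected = Buffer.from(expectedState);
  // Constant-time comparison; lengths must match before timingSafeEqual.
  const ok = returned.length === expected.length &&
    crypto.timingSafeEqual(returned, expected);
  if (!ok) throw new Error("state mismatch: discard this response");
  if (params.has("error")) throw new Error(`authorize error: ${params.get("error")}`);
  const code = params.get("code");
  if (!code) throw new Error("no authorization code in callback");
  return code;
}

// Constructed sample values (placeholders, not a real tenant or client).
const sample = buildAuthorizeUrl({
  domain: "YOUR_TENANT.example.auth0.com",
  clientId: "YOUR_CLIENT_ID",
  redirectUri: "https://app.example.com/callback",
  loginHint: "user+test@example.com",
});
console.log(sample.url);
```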