auth0 / auth0-spa-js

Auth0 authentication for Single Page Applications (SPA) with PKCE

auth0-js webAuth.passwordlessStart is not compatible with auth0-spa-js

finom opened this issue · comments

Describe the problem

We're using auth0-react in our application and found a great way to customise the passwordless user experience by creating our own custom login form where the user can input their email (I'm reporting this issue in this repository because auth0-react is powered by auth0-spa-js) and receive login link without being redirected to auth0 to log in. For that we can use auth0-js and the WebAuth class with passwordlessStart. It worked perfectly in the beginning; the code did indeed send the login link to the email. The problem is that when I get redirected to the app after a successful login (by clicking the link in the email), I get isAuthenticated to be false, but I also notice a hash URL with an auth_token parameter: #auth_token=1234. I've never seen it before, and my guess is that the auth0-js and auth0-spa-js authentication flows are incompatible (auth0-spa-js handles the ?code= query parameter instead of the hash parameter). At the same time, when we use the regular passwordless authentication, it works perfectly.

What was the expected behavior?

Either of these:

  1. auth0-spa-js (including auth0-react) would accept URL credentials generated with passwordlessStart (the #auth_token= thing).
  2. auth0-spa-js should have a similar function, but I couldn't find it.
  3. Find some workaround to make both libraries compatible: use auth0-js to log in, use auth0-spa-js (or auth0-react) to authorise. I tried to replace #auth_token=1234 with ?code=1234 and it didn't help.

Reproduction

  1. Use auth0-js and WebAuth class with passwordlessStart to authenticate (standard documentation).
  2. Log in by clicking a link.
  3. Use auth0-spa-js (or auth0-react) to authorise. You'll get isAuthenticated equal to false and #auth_token=1234 in the URL.

Environment

  • Version of auth0-spa-js used: I've used all the latest versions
  • Which browsers have you tested in? Not relevant
  • Which framework are you using, if applicable (Angular, React, etc): React but also not relevant
  • Other modules/plugins/libraries that might be involved: plenty, but nothing about auth0.

Thanks for reaching out. Auth0-JS and Auth0-SPA-JS are two different SDKs with no intention to make them compatible, as they are very different.

Regarding adding support for passwordless in Auth0-SPA-JS, I would refer to this comment.

I would also like to add that passwordless support has been added in Early Access to the new Universal Login Experience, see https://auth0.com/docs/authenticate/passwordless/passwordless-with-new-universal-login.

> and receive login link without being redirected to auth0 to log in.

With Auth0-SPA-JS SDK we have no intention to allow avoiding being redirected to Auth0, as we believe you should be redirected to Auth0 (well, you can use the popup functionality if you like).
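
One reason a hash value cannot simply be moved into `?code=`, shown as an added example (not code from auth0-spa-js, auth0-js, or this thread): in an authorization code flow with PKCE (RFC 7636), the client only accepts a callback whose `state` matches a login it started, and the server only redeems a code it issued, against the matching `code_verifier`. `ToyAuthServer`, `ToySpaClient` and `app.example` are hypothetical names; the model is generic and makes no claim about either SDK's internals.

```javascript
// Added example: toy model of an authorization code + PKCE callback (RFC 7636).
// All class names and URLs are hypothetical; this is not SDK code.
const { createHash, randomBytes } = require('node:crypto');

const b64url = (buf) => buf.toString('base64url');
const s256 = (verifier) => b64url(createHash('sha256').update(verifier).digest());

// Toy authorization server: remembers the code_challenge bound to each issued code.
class ToyAuthServer {
  constructor() { this.codes = new Map(); }
  authorize(codeChallenge) {
    const code = b64url(randomBytes(16));
    this.codes.set(code, codeChallenge);
    return code;
  }
  token(code, codeVerifier) {
    const challenge = this.codes.get(code);
    this.codes.delete(code); // authorization codes are single use
    if (!challenge) return { error: 'invalid_grant' }; // code was never issued here
    if (s256(codeVerifier) !== challenge) return { error: 'invalid_grant' };
    return { access_token: 'constructed-token' }; // constructed sample value
  }
}

// Toy SPA client: keeps a pending transaction (state -> code_verifier) per login.
class ToySpaClient {
  constructor(server) { this.server = server; this.pending = new Map(); }
  startLogin() {
    const state = b64url(randomBytes(16));
    const verifier = b64url(randomBytes(32));
    this.pending.set(state, verifier);
    const code = this.server.authorize(s256(verifier));
    return `https://app.example/callback?code=${code}&state=${state}`;
  }
  handleCallback(callbackUrl) {
    const url = new URL(callbackUrl);
    const code = url.searchParams.get('code');
    const state = url.searchParams.get('state');
    if (!code) return { ok: false, reason: 'no authorization code in query string' };
    const verifier = this.pending.get(state);
    if (!verifier) return { ok: false, reason: 'no pending transaction for state' };
    this.pending.delete(state); // a transaction can be completed only once
    const res = this.server.token(code, verifier);
    return res.error ? { ok: false, reason: res.error } : { ok: true };
  }
}
```

A callback carrying `#auth_token=1234` fails the first check, and `?code=1234` fails the second or third, because no login started by this client is bound to that value.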