This repository has been archived by the owner on Apr 26, 2024. It is now read-only.
Auth0 passwordless auth fails if the linked clicked isn't from the first email sent #7057
Labels
z-bug
(Deprecated Label)
Mozilla's Auth0 has email passwordless auth enabled, with a feature that allows one to ask Auth0 to actually email the authentication magic link to another email address than the one initially set. This works in the following way:
alice@example.com
) and click "Enter"bob@example.com
)Now, if you click on the link sent to
alice@example.com
, Auth0 gets the user's browser to send aPOST
request to/authn_response
with a SAML AuthN response, as expected (though I did get bitten by #7056 a few times when trying it out).However, if you click on the link sent to
bob@example.com
, then your browser ends up doing aGET
request tohttps://mozilla.modular.im/_matrix/saml2/authn_response#access_token=[...]&scope=openid&expires_in=7200&token_type=Bearer&state=[...]
, which has an access token in the URI fragment.Currently I'm not sure how to use that access token, nor whether I can use it to get an AuthN response to give to Synapse.
I'm also not sure whose fault this is, since this "Need to send that to a different email?" link isn't an Auth0 thing but rather a Mozilla one afaict (which lives here: https://github.com/mozilla-iam/auth0-custom-lock).
The text was updated successfully, but these errors were encountered: