auth0/Lock.swift

iOS native swift app + Lock.swift + passwordless + magic link

KOConchobhair opened this issue · 6 comments

Describe the problem

Trying to use Lock.swift passwordless with magicLink (https://github.com/auth0/Lock.swift#passwordless-method)
The magic link works and redirects to my app, but it then displays "WE'RE SORRY, SOMETHING WENT WRONG WHEN ATTEMPTING TO LOG IN."

What was the expected behavior?

After clicking the magic link, I expected authentication to succeed in my iOS app.

In my case the email gets sent, the magic link is correct, the user clicks the magic link from within the Apple Mail app and it jumps back to the iOS app, but then I get an error in the Auth0 dashboard saying my application does not have the password-realm grant (and even if I enable this grant, I just get another error: "Passwordless authentication is not allowed on this endpoint.").

It seems like all it needs to do is take the OTP code from the magic link and send it on using the passwordless OTP grant, no? Why is this library trying to use the password-realm grant for the .magicLink scenario?
Using .code, it works perfectly fine...

Reproduction

Can the behavior be reproduced using the included Lock.swift demo app?

N/A

Environment

orbit-testing.us.auth0.com
"client_id": "UdUi3cU2m4K1g4w9T1hOEuYKongCIizQ",
configured as Native, with Passwordless OTP grant enabled
connection: email

  • Version of Lock.swift used:
  • Version of iOS:
  • Version of Xcode:
  "auth0_client": {
    "env": {
      "iOS": "14.3",
      "swift": "5.x",
      "core": "1.33.0"
    },
    "name": "Lock.swift",
    "version": "2.22.1"
  },

Like, why is PasswordlessLinkTransaction using CredentialAuth when it could be using the following line of code (from PasswordlessInteractor.login)?

request = authentication.login(email: identifier, code: passcode, ...)

Hi @KOConchobhair, have you configured Lock with OIDC Conformant mode set to true?


@Widcket Take a look at this code (assuming I'm tracing it through correctly):

CredentialAuth(oidc: self.options.oidcConformant, realm: connection, authentication: self.authentication)

PasswordlessLinkTransaction goes to CredentialAuth, which, if oidcConformant is true, calls Auth0 using the password-realm grant; if false, it uses the legacy-ro grant. Neither of these makes sense for a magic link with an OTP code (or at least they don't make sense anymore in 2021).

It should instead be using the passwordless OTP grant (which is what $0.passwordlessMethod = .code does)

If I compare this library to Lock.Android, you can see that over there it's implemented correctly, and here it seems it's just not.
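To make the difference the thread is arguing about concrete at the wire level, here is an added example (editor's code, not Lock.swift, Auth0.swift or Auth0's own code) that builds the two /oauth/token request bodies side by side: the passwordless OTP grant that a magic-link code should be exchanged with, and the password-realm grant that CredentialAuth issues in OIDC-conformant mode. The grant-type URIs and form field names are Auth0's documented ones; the tenant domain, client ID, callback URL shape (a `code` query parameter) and sample values are assumptions constructed for the example. Python is used here only because it shows the HTTP form body plainly.

```python
# Added example (not Lock.swift / Auth0.swift code): builds the two Auth0
# /oauth/token requests contrasted in the thread. Grant-type URIs and field
# names are Auth0's documented ones; domain, client ID, callback URL format
# and sample values are assumptions constructed for this example.
from urllib.parse import parse_qs, urlencode, urlsplit

PASSWORDLESS_OTP_GRANT = "http://auth0.com/oauth/grant-type/passwordless/otp"
PASSWORD_REALM_GRANT = "http://auth0.com/oauth/grant-type/password-realm"


def token_endpoint(domain: str) -> str:
    """Token endpoint for a bare tenant domain such as 'tenant.us.auth0.com'."""
    if not domain or "/" in domain or domain.startswith("http"):
        raise ValueError("expected a bare tenant domain, not a URL")
    return f"https://{domain}/oauth/token"


def magic_link_code(callback_url: str) -> str:
    """Extract the one-time code from the URL the magic link hands back to the app.

    Assumption: the code travels in a single 'code' query parameter. The custom
    scheme and path differ per app, so only the query string is inspected.
    """
    query = parse_qs(urlsplit(callback_url).query)
    codes = query.get("code", [])
    if len(codes) != 1 or not codes[0]:
        raise ValueError("callback URL carries no single 'code' parameter")
    return codes[0]


def passwordless_otp_request(domain, client_id, username, otp, realm="email",
                             scope="openid profile email", audience=None):
    """The grant a magic-link (or emailed code) login should use.

    'username' is the e-mail address (realm 'email') or phone number (realm
    'sms'); 'otp' is the code from the link. No password appears in this body.
    """
    if realm not in ("email", "sms"):
        raise ValueError("passwordless realm must be 'email' or 'sms'")
    if not otp:
        raise ValueError("otp must not be empty")
    body = {
        "grant_type": PASSWORDLESS_OTP_GRANT,
        "client_id": client_id,
        "username": username,
        "otp": otp,
        "realm": realm,
        "scope": scope,
    }
    if audience:
        body["audience"] = audience
    return token_endpoint(domain), body


def password_realm_request(domain, client_id, username, password, realm,
                           scope="openid profile email", audience=None):
    """The grant CredentialAuth issues in OIDC-conformant mode.

    It expects a password for a password-backed connection (realm), so a
    magic-link OTP has no field to travel in; as the thread reports, enabling
    the grant on the client only moves the failure to a different error.
    """
    if not password:
        raise ValueError("password-realm grant requires a password")
    body = {
        "grant_type": PASSWORD_REALM_GRANT,
        "client_id": client_id,
        "username": username,
        "password": password,
        "realm": realm,
        "scope": scope,
    }
    if audience:
        body["audience"] = audience
    return token_endpoint(domain), body


def form_body(body: dict) -> str:
    """application/x-www-form-urlencoded encoding of a token request body."""
    return urlencode(body)


if __name__ == "__main__":
    # Constructed callback URL; the real scheme/path depend on the app's bundle id.
    link = "com.example.app://tenant.us.auth0.com/ios/com.example.app/email?code=123456"
    url, body = passwordless_otp_request("tenant.us.auth0.com", "CLIENT_ID",
                                         "user@example.com", magic_link_code(link))
    print(url)
    print(form_body(body))
```

The point to notice is that the two bodies share `client_id`, `username`, `realm` and `scope` but differ in the field that carries the secret: `otp` for the passwordless grant, `password` for password-realm. A library that routes a magic-link code through the password-realm path has to put the OTP somewhere it does not belong, which is why enabling that grant on the client cannot fix the failure.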

@KOConchobhair indeed, it should be using the passwordless OTP grant. It is probably like this for legacy reasons. Will dig into this.


This is out now in v2.22.2.