Merge pull request #271 from auth0/passwordless-v2

Add OIDC passwordless

README.md

@@ -88,7 +88,7 @@ account.setOIDCConformant(true);
 //Use the account in the API clients
 ```
 
-Passwordless authentication *cannot be used* with this flag set to `true`. For more information, please see the [OIDC adoption guide](https://auth0.com/docs/api-auth/tutorials/adoption).
+For more information, please see the [OIDC adoption guide](https://auth0.com/docs/api-auth/tutorials/adoption).
 
 
 ### Authentication with Universal Login
@@ -436,7 +436,7 @@ authentication
 
 #### Passwordless Login
 
-This feature requires your Application to have the *Resource Owner* Legacy Grant Type enabled. Check [this article](https://auth0.com/docs/clients/client-grant-types) to learn how to enable it. Note that Passwordless authentication *cannot be used* with the [OIDC Conformant Mode](#oidc-conformant-mode) enabled.
+This feature requires your Application to have a specific Grant Type enabled. If the [OIDC Conformant flag](#OIDC-Conformant-Mode) is enabled, the required Grant Type is *Passwordless OTP*. If instead the flag is disabled, the required Grant Type is *Resource Owner*. Check [this article](https://auth0.com/docs/clients/client-grant-types) to learn how to enable it.
 
 Passwordless it's a 2 steps flow:
 

auth0/src/main/java/com/auth0/android/Auth0.java

@@ -31,6 +31,7 @@
 
 import com.auth0.android.auth0.BuildConfig;
 import com.auth0.android.authentication.AuthenticationAPIClient;
+import com.auth0.android.authentication.PasswordlessType;
 import com.auth0.android.util.Telemetry;
 import com.squareup.okhttp.HttpUrl;
 
@@ -208,6 +209,14 @@ public void doNotSendTelemetry() {
  * <li>{@link AuthenticationAPIClient#signUp(String, String, String)}</li>
  * <li>{@link AuthenticationAPIClient#signUp(String, String, String, String)}</li>
  * <li>{@link AuthenticationAPIClient#renewAuth(String)}</li>
+ * <li>{@link AuthenticationAPIClient#passwordlessWithSMS(String, PasswordlessType, String)}</li>
+ * <li>{@link AuthenticationAPIClient#passwordlessWithSMS(String, PasswordlessType)}</li>
+ * <li>{@link AuthenticationAPIClient#passwordlessWithEmail(String, PasswordlessType)}</li>
+ * <li>{@link AuthenticationAPIClient#passwordlessWithEmail(String, PasswordlessType, String)}</li>
+ * <li>{@link AuthenticationAPIClient#loginWithPhoneNumber(String, String)}</li>
+ * <li>{@link AuthenticationAPIClient#loginWithPhoneNumber(String, String, String)}</li>
+ * <li>{@link AuthenticationAPIClient#loginWithEmail(String, String)}</li>
+ * <li>{@link AuthenticationAPIClient#loginWithEmail(String, String, String)}</li>
  * </ul>
  *
  * @param enabled if Lock will use the Legacy Authentication API or the new OIDC Conformant Authentication API.

auth0/src/main/java/com/auth0/android/authentication/AuthenticationAPIClient.java

@@ -58,6 +58,7 @@
 import static com.auth0.android.authentication.ParameterBuilder.GRANT_TYPE_AUTHORIZATION_CODE;
 import static com.auth0.android.authentication.ParameterBuilder.GRANT_TYPE_MFA_OTP;
 import static com.auth0.android.authentication.ParameterBuilder.GRANT_TYPE_PASSWORD;
+import static com.auth0.android.authentication.ParameterBuilder.GRANT_TYPE_PASSWORDLESS_OTP;
 import static com.auth0.android.authentication.ParameterBuilder.GRANT_TYPE_PASSWORD_REALM;
 import static com.auth0.android.authentication.ParameterBuilder.ID_TOKEN_KEY;
 import static com.auth0.android.authentication.ParameterBuilder.SCOPE_OPENID;
@@ -320,7 +321,8 @@ public AuthenticationRequest loginWithOAuthAccessToken(@NonNull String token, @N
  /**
  * Log in a user using a phone number and a verification code received via SMS (Part of passwordless login flow)
  * The default scope used is 'openid'.
- * Requires your Application to have the <b>Resource Owner</b> Legacy Grant Type enabled. See <a href="https://auth0.com/docs/clients/client-grant-types">Client Grant Types</a> to learn how to enable it.
+ * How the user is logged in depends on the {@link Auth0#isOIDCConformant()} flag. If this flag is set to true, your Application requires to have the <b>Passwordless OTP</b> Grant Type enabled.
+ * If this flag is set to false, the <b>Resource Owner</b> Legacy Grant Type must be enabled instead.
  * Example usage:
  * <pre>
  * {@code
@@ -335,25 +337,38 @@ public AuthenticationRequest loginWithOAuthAccessToken(@NonNull String token, @N
  * }
  * </pre>
  *
- * @param phoneNumber where the user received the verification code
- * @param verificationCode sent by Auth0 via SMS
- * @param connection  to end the passwordless authentication on
+ * @param phoneNumber  where the user received the verification code
+ * @param verificationCode  sent by Auth0 via SMS
+ * @param realmOrConnection to end the passwordless authentication on
  * @return a request to configure and start that will yield {@link Credentials}
  */
  @SuppressWarnings("WeakerAccess")
- public AuthenticationRequest loginWithPhoneNumber(@NonNull String phoneNumber, @NonNull String verificationCode, @NonNull String connection) {
- Map<String, Object> parameters = ParameterBuilder.newAuthenticationBuilder()
- .set(USERNAME_KEY, phoneNumber)
- .set(PASSWORD_KEY, verificationCode)
- .setGrantType(GRANT_TYPE_PASSWORD)
+ public AuthenticationRequest loginWithPhoneNumber(@NonNull String phoneNumber, @NonNull String verificationCode, @NonNull String realmOrConnection) {
+ ParameterBuilder builder = ParameterBuilder.newAuthenticationBuilder()
  .setClientId(getClientId())
- .setConnection(connection)
- .asDictionary();
- return loginWithResourceOwner(parameters);
+ .set(USERNAME_KEY, phoneNumber);
+
+ if (auth0.isOIDCConformant()) {
+ Map<String, Object> parameters = builder
+ .setGrantType(GRANT_TYPE_PASSWORDLESS_OTP)
+ .set(ONE_TIME_PASSWORD_KEY, verificationCode)
+ .setRealm(realmOrConnection)
+ .asDictionary();
+ return loginWithToken(parameters);
+ } else {
+ Map<String, Object> parameters = builder
+ .setGrantType(GRANT_TYPE_PASSWORD)
+ .set(PASSWORD_KEY, verificationCode)
+ .setConnection(realmOrConnection)
+ .asDictionary();
+ return loginWithResourceOwner(parameters);
+ }
  }
 
  /**
  * Log in a user using a phone number and a verification code received via SMS (Part of passwordless login flow).
+ * How the user is logged in depends on the {@link Auth0#isOIDCConformant()} flag. If this flag is set to true, your Application requires to have the <b>Passwordless OTP</b> Grant Type enabled.
+ * If this flag is set to false, the <b>Resource Owner</b> Legacy Grant Type must be enabled instead.
  * By default it will try to authenticate using the "sms" connection.
  * Example usage:
  * <pre>
@@ -381,7 +396,8 @@ public AuthenticationRequest loginWithPhoneNumber(@NonNull String phoneNumber, @
  /**
  * Log in a user using an email and a verification code received via Email (Part of passwordless login flow).
  * The default scope used is 'openid'.
- * Requires your Application to have the <b>Resource Owner</b> Legacy Grant Type enabled. See <a href="https://auth0.com/docs/clients/client-grant-types">Client Grant Types</a> to learn how to enable it.
+ * How the user is logged in depends on the {@link Auth0#isOIDCConformant()} flag. If this flag is set to true, your Application requires to have the <b>Passwordless OTP</b> Grant Type enabled.
+ * If this flag is set to false, the <b>Resource Owner</b> Legacy Grant Type must be enabled instead.
  * Example usage:
  * <pre>
  * {@code
@@ -396,26 +412,39 @@ public AuthenticationRequest loginWithPhoneNumber(@NonNull String phoneNumber, @
  * }
  * </pre>
  *
- * @param email where the user received the verification code
- * @param verificationCode sent by Auth0 via Email
- * @param connection  to end the passwordless authentication on
+ * @param email  where the user received the verification code
+ * @param verificationCode  sent by Auth0 via Email
+ * @param realmOrConnection to end the passwordless authentication on
  * @return a request to configure and start that will yield {@link Credentials}
  */
  @SuppressWarnings("WeakerAccess")
- public AuthenticationRequest loginWithEmail(@NonNull String email, @NonNull String verificationCode, @NonNull String connection) {
- Map<String, Object> parameters = ParameterBuilder.newAuthenticationBuilder()
- .set(USERNAME_KEY, email)
- .set(PASSWORD_KEY, verificationCode)
- .setGrantType(GRANT_TYPE_PASSWORD)
+ public AuthenticationRequest loginWithEmail(@NonNull String email, @NonNull String verificationCode, @NonNull String realmOrConnection) {
+ ParameterBuilder builder = ParameterBuilder.newAuthenticationBuilder()
  .setClientId(getClientId())
- .setConnection(connection)
- .asDictionary();
- return loginWithResourceOwner(parameters);
+ .set(USERNAME_KEY, email);
+
+ if (auth0.isOIDCConformant()) {
+ Map<String, Object> parameters = builder
+ .setGrantType(GRANT_TYPE_PASSWORDLESS_OTP)
+ .set(ONE_TIME_PASSWORD_KEY, verificationCode)
+ .setRealm(realmOrConnection)
+ .asDictionary();
+ return loginWithToken(parameters);
+ } else {
+ Map<String, Object> parameters = builder
+ .setGrantType(GRANT_TYPE_PASSWORD)
+ .set(PASSWORD_KEY, verificationCode)
+ .setConnection(realmOrConnection)
+ .asDictionary();
+ return loginWithResourceOwner(parameters);
+ }
  }
 
  /**
  * Log in a user using an email and a verification code received via Email (Part of passwordless login flow)
  * By default it will try to authenticate using the "email" connection.
+ * How the user is logged in depends on the {@link Auth0#isOIDCConformant()} flag. If this flag is set to true, your Application requires to have the <b>Passwordless OTP</b> Grant Type enabled.
+ * If this flag is set to false, the <b>Resource Owner</b> Legacy Grant Type must be enabled instead.
  * Example usage:
  * <pre>
  * {@code
@@ -831,8 +860,9 @@ public DelegationRequest<Map<String, Object>> delegationWithIdToken(@NonNull Str
  }
 
  /**
- * Start a passwordless flow with an <a href="https://auth0.com/docs/api/authentication#get-code-or-link">Email</a>
- * Requires your Application to have the <b>Resource Owner</b> Legacy Grant Type enabled. See <a href="https://auth0.com/docs/clients/client-grant-types">Client Grant Types</a> to learn how to enable it.
+ * Start a passwordless flow with an <a href="https://auth0.com/docs/api/authentication#get-code-or-link">Email</a>.
+ * How the user is logged in depends on the {@link Auth0#isOIDCConformant()} flag. If this flag is set to true, your Application requires to have the <b>Passwordless OTP</b> Grant Type enabled.
+ * If this flag is set to false, the <b>Resource Owner</b> Legacy Grant Type must be enabled instead.
  * Example usage:
  * <pre>
  * {@code
@@ -867,7 +897,8 @@ public ParameterizableRequest<Void, AuthenticationException> passwordlessWithEma
  /**
  * Start a passwordless flow with an <a href="https://auth0.com/docs/api/authentication#get-code-or-link">Email</a>
  * By default it will try to authenticate using "email" connection.
- * Requires your Application to have the <b>Resource Owner</b> Legacy Grant Type enabled. See <a href="https://auth0.com/docs/clients/client-grant-types">Client Grant Types</a> to learn how to enable it.
+ * How the user is logged in depends on the {@link Auth0#isOIDCConformant()} flag. If this flag is set to true, your Application requires to have the <b>Passwordless OTP</b> Grant Type enabled.
+ * If this flag is set to false, the <b>Resource Owner</b> Legacy Grant Type must be enabled instead.
  * Example usage:
  * <pre>
  * {@code
@@ -893,7 +924,8 @@ public ParameterizableRequest<Void, AuthenticationException> passwordlessWithEma
 
  /**
  * Start a passwordless flow with a <a href="https://auth0.com/docs/api/authentication#get-code-or-link">SMS</a>
- * Requires your Application to have the <b>Resource Owner</b> Legacy Grant Type enabled. See <a href="https://auth0.com/docs/clients/client-grant-types">Client Grant Types</a> to learn how to enable it.
+ * How the user is logged in depends on the {@link Auth0#isOIDCConformant()} flag. If this flag is set to true, your Application requires to have the <b>Passwordless OTP</b> Grant Type enabled.
+ * If this flag is set to false, the <b>Resource Owner</b> Legacy Grant Type must be enabled instead.
  * Example usage:
  * <pre>
  * {@code
@@ -927,7 +959,9 @@ public ParameterizableRequest<Void, AuthenticationException> passwordlessWithSMS
  /**
  * Start a passwordless flow with a <a href="https://auth0.com/docs/api/authentication#get-code-or-link">SMS</a>
  * By default it will try to authenticate using the "sms" connection.
- * Requires your Application to have the <b>Resource Owner</b> Legacy Grant Type enabled. See <a href="https://auth0.com/docs/clients/client-grant-types">Client Grant Types</a> to learn how to enable it.
+ * How the user is logged in depends on the {@link Auth0#isOIDCConformant()} flag. If this flag is set to true, your Application requires to have the <b>Passwordless OTP</b> Grant Type enabled.
+ * If this flag is set to false, the <b>Resource Owner</b> Legacy Grant Type must be enabled instead.
+ * See <a href="https://auth0.com/docs/clients/client-grant-types">Client Grant Types</a> to learn how to enable it.
  * Example usage:
  * <pre>
  * {@code

auth0/src/main/java/com/auth0/android/authentication/ParameterBuilder.java

@@ -54,6 +54,7 @@ public class ParameterBuilder {
  public static final String GRANT_TYPE_JWT = "urn:ietf:params:oauth:grant-type:jwt-bearer";
  public static final String GRANT_TYPE_AUTHORIZATION_CODE = "authorization_code";
  public static final String GRANT_TYPE_MFA_OTP = "http:https://auth0.com/oauth/grant-type/mfa-otp";
+ public static final String GRANT_TYPE_PASSWORDLESS_OTP = "http:https://auth0.com/oauth/grant-type/passwordless/otp";
 
  public static final String SCOPE_OPENID = "openid";
  public static final String SCOPE_OFFLINE_ACCESS = "openid offline_access";