Passwordless login and state #590
Comments
|
@Floppy - What you're describing here is, more-or-less, what state validation is meant to prevent: a different machine trying to log in that did not initiate the process. If you're having problems with the link, try the emailed code instead (remove Auth0 Dashboard > Connections > Passwordless > Email > Settings > OTP Expiry I'm not sure you want that set to several days, though, and I'm curious how your users are waiting that long to log in. If that's really the case, wouldn't a more direct login flow be better suited for what you're doing? |
|
Yeah, I understand that this is precisely what |
Description
When using passwordless login, we're having problems with
statein the OAuth flow. Our passwordless flow isn't instant, for various business reasons, and when a users gets the passwordless link to log in, it's entirely possible it might be a few days later.Problem is that while we can set an
auth0_statecookie when they request the passwordless link, I'm really not confident that they'll be using the same browser or even the same machine by the time they get the link, so Wordpress login would fail withInvalid State.Ideally I don't want a state validation in my passwordless flow, but the plugin requires
statevalidation, understandably. I'm not sure what to do. Ideally I'd be able to disable state validation, but I know that's been rejected before.Prerequisites
Environment
Reproduction
Request a magic link with a mismatched (or missing) state parameter &
auth0_cookie.The text was updated successfully, but these errors were encountered: