Passwordless login and state #590
Comments
@Floppy - What you're describing here is, more-or-less, what state validation is meant to prevent: a different machine trying to log in that did not initiate the process. If you're having problems with the link, try the emailed code instead (remove Auth0 Dashboard > Connections > Passwordless > Email > Settings > OTP Expiry I'm not sure you want that set to several days, though, and I'm curious how your users are waiting that long to log in. If that's really the case, wouldn't a more direct login flow be better suited for what you're doing?
Yeah, I understand that this is precisely what
Description
When using passwordless login, we're having problems with `state` in the OAuth flow. Our passwordless flow isn't instant, for various business reasons, and when a user gets the passwordless link to log in, it's entirely possible it might be a few days later.
Problem is that while we can set an `auth0_state` cookie when they request the passwordless link, I'm really not confident that they'll be using the same browser or even the same machine by the time they get the link, so WordPress login would fail with `Invalid State`.
Ideally I don't want a state validation in my passwordless flow, but the plugin requires `state` validation, understandably. I'm not sure what to do. Ideally I'd be able to disable state validation, but I know that's been rejected before.
Prerequisites
Environment
Reproduction
Request a magic link with a mismatched (or missing) state parameter & `auth0_cookie`.
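The state check discussed in this thread, as an added example that is not part of the original issue or the plugin's own code: a minimal Python model of binding `state` to the browser that started the login, showing why a link opened in a different browser fails. The `Browser` class, the function names, the `"ok"` return value and the single-use cookie behaviour are assumptions made for illustration; only the `auth0_state` cookie name and the `Invalid State` message come from the issue.

```python
import hmac
import secrets

STATE_COOKIE = "auth0_state"  # cookie name as it appears in the issue


class Browser:
    """Hypothetical stand-in for one browser profile: just a cookie jar."""

    def __init__(self):
        self.cookies = {}


def begin_login(browser):
    """Start a login: bind an unguessable state value to this browser."""
    state = secrets.token_urlsafe(32)
    browser.cookies[STATE_COOKIE] = state
    return state  # this value travels in the emailed link


def handle_callback(browser, returned_state):
    """Validate the state presented on the callback request.

    The cookie is removed on every attempt so a state value is single-use
    (an assumption of this sketch, not a statement about the plugin).
    """
    expected = browser.cookies.pop(STATE_COOKIE, None)
    if expected is None or not returned_state:
        return "Invalid State"  # the flow was not started in this browser
    if not hmac.compare_digest(expected.encode(), returned_state.encode()):
        return "Invalid State"  # value differs from what this browser holds
    return "ok"


def demo():
    laptop, phone, other = Browser(), Browser(), Browser()
    link_state = begin_login(laptop)  # link requested on the laptop
    begin_login(other)                # unrelated flow in a third browser
    return {
        "other_browser": handle_callback(phone, link_state),
        "same_browser": handle_callback(laptop, link_state),
        "replayed": handle_callback(laptop, link_state),
        "mismatched": handle_callback(other, link_state),
    }


if __name__ == "__main__":
    print(demo())
```
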