auth0.js

Passwordless login not working - 403 Client Authentication error

Open pakaplace opened this issue 3 years ago • 5 comments

Describe the problem

I've set up Auth0LockPasswordless (v11.33) within my web application. I've enabled passwordless login from my application dashboard, and under Authentication > Passwordless.

Upon clicking "Submit" to continue with passwordless email authentication, I get a 403 error from /serverless/start

Here is my code:

      const lock = new Auth0LockPasswordless(
        process.env.NEXT_PUBLIC_AUTH0_CLIENT_ID ?? "",
        process.env.NEXT_PUBLIC_AUTH0_DOMAIN ?? "",
        {
          theme: {
            logo: "https://example.com/logo.png",
          },
          allowedConnections: ["email", "google-oauth2"],
          passwordlessMethod: "code",
          closable: false,
          container: "auth-container",
          auth: {
            responseType: "token id_token",
            redirectUrl: `${process.env.NEXT_PUBLIC_APP_URL}/${Routes.LOGIN}`,
            params: {
              state: router.query.prev?.toString() || "/dashboard",
              scope: "openid profile email",
            },
          },
        }
      );

Here is the payload being sent to /serverless/start; it includes my client-id:

{"client_id":MY_CLIENT_ID_REDACTED,"connection":"email","email":"[email protected]","send":"code","authParams":{"response_type":"code","redirect_uri":"http://localhost:3000/api/auth/login","scope":"openid profile email","state":"/analysis"}}

What was the expected behavior?

When I used universal login, passwordless was working. Now it is not.

Environment

Please provide the following:

  • Version of Auth0.js used: 11.33
  • Which browsers have you tested in? Chrome
  • Other modules/plugins/libraries that might be involved:

pakaplace avatar Jun 03 '22 16:06 pakaplace

Hi @pakaplace,

Can you elaborate on where you're seeing a call to /serverless/start?

As a starter, I've tried to reproduce an issue with the Passwordless flow using our Lock library and a known working setup, and I don't get any issues.

stevehobbsdev avatar Jun 10 '22 10:06 stevehobbsdev

Sorry, serverless was a typo. I meant /passwordless. POST to Request URL: https://dev-2XXXXX.us.auth0.com/passwordless/start returns {"error":"unauthorized_client","error_description":"Client authentication is required"}

My localhost and staging domains were all added to my application URIs.

pakaplace avatar Jul 11 '22 18:07 pakaplace

?

pakaplace avatar Jul 20 '22 18:07 pakaplace

Seeing the same error.

suhjohn avatar Jul 21 '22 21:07 suhjohn

@pakaplace Thanks for your patience here. What type of Auth0 client application have you set up? As you're using Next.js, is it a Regular Web Application type? You should be able to see this if you go into your Auth0 dashboard, and go into the settings for your application.

The "Client authentication is required" error means that the request is expecting you to send a client secret, which you can't do using a browser library such as Lock. Have you also seen this community thread on the issue, and is any of that relevant to your situation?

If my assumption above is correct about it being a Regular Web App, you're kind of mixing two worlds here and I'm not sure you'll be able to achieve what you need. Is there a particular reason you're not using our Next Auth0 SDK and using the Passwordless features provided by our hosted Universal Login feature (as opposed to embedding it directly into your app)?

stevehobbsdev avatar Jul 22 '22 10:07 stevehobbsdev
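
Added example, not part of the thread and not Auth0's or the maintainers' code: the /passwordless/start request from the report above, built on the server, where a client secret can be attached, together with handling for the 403 quoted earlier. The AUTH0_CLIENT_SECRET variable name, the function names and the simulated tenant response are assumptions made for illustration.

```javascript
// Server-side only (for example a Next.js API route); never ship this in the browser bundle.
// Assumption: the secret is read from AUTH0_CLIENT_SECRET, without the NEXT_PUBLIC_ prefix,
// because Next.js inlines NEXT_PUBLIC_* variables into client-side JavaScript.
function buildStartRequest({ domain, clientId, clientSecret, email, redirectUri }) {
  if (!clientSecret) {
    throw new Error("client_secret missing: build this request on the server");
  }
  return {
    url: `https://${domain}/passwordless/start`,
    init: {
      method: "POST",
      headers: { "Content-Type": "application/json" },
      body: JSON.stringify({
        client_id: clientId,
        client_secret: clientSecret,
        connection: "email",
        email,
        send: "code",
        authParams: { response_type: "code", redirect_uri: redirectUri, scope: "openid profile email" },
      }),
    },
  };
}

// Map the tenant's error to an actionable log message.
function explainStartError(status, body) {
  if (status === 403 && body && body.error === "unauthorized_client") {
    return "client authentication required: send client_secret from a backend, or use hosted Universal Login";
  }
  return `passwordless/start failed with HTTP ${status}`;
}

// fetchImpl is injectable so the flow can be exercised without network access.
async function startPasswordless(cfg, fetchImpl = globalThis.fetch) {
  const { url, init } = buildStartRequest(cfg);
  const res = await fetchImpl(url, init);
  const body = await res.json().catch(() => ({}));
  if (!res.ok) throw new Error(explainStartError(res.status, body));
  return body;
}

// Constructed stand-in for the behaviour reported in the thread (not Auth0 code):
// a request without client_secret gets the 403 quoted above.
function simulateTenant(init) {
  const sent = JSON.parse(init.body);
  if (sent.client_secret) return { status: 200, body: {} };
  return { status: 403, body: { error: "unauthorized_client", error_description: "Client authentication is required" } };
}
```
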

Closing for now, but happy to continue the conversation if there's anything we can help with.

stevehobbsdev avatar Sep 09 '22 10:09 stevehobbsdev