This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Auth0 passwordless auth fails if the link clicked isn't from the first email sent #7057

Closed
babolivier opened this issue Mar 10, 2020 · 2 comments
Labels
z-bug (Deprecated Label)

Comments

@babolivier
Contributor

babolivier commented Mar 10, 2020

Mozilla's Auth0 has email passwordless auth enabled, with a feature that allows one to ask Auth0 to actually email the authentication magic link to another email address than the one initially set. This works in the following way:

  • Click the "Sign in with SSO" button on https://chat.mozilla.org
  • Choose to log in with an email, enter an email address (let's say alice@example.com) and click "Enter"
  • Confirm ("Send me an email to continue")
  • On the success screen, click the "Need to send that to a different email?" link:

  • Get the authentication portal to send a magic link to another email address (let's say bob@example.com)

Now, if you click on the link sent to alice@example.com, Auth0 gets the user's browser to send a POST request to /authn_response with a SAML AuthN response, as expected (though I did get bitten by #7056 a few times when trying it out).
However, if you click on the link sent to bob@example.com, then your browser ends up doing a GET request to https://mozilla.modular.im/_matrix/saml2/authn_response#access_token=[...]&scope=openid&expires_in=7200&token_type=Bearer&state=[...], which has an access token in the URI fragment.

Currently I'm not sure how to use that access token, nor whether I can use it to get an AuthN response to give to Synapse.

I'm also not sure whose fault this is, since this "Need to send that to a different email?" link isn't an Auth0 thing but rather a Mozilla one afaict (which lives here: https://github.com/mozilla-iam/auth0-custom-lock).
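
The two callback shapes described in the comment above, as an added diagnostic example (not code from this issue or from Synapse). It tells a SAML HTTP-POST response apart from an OAuth-style fragment redirect and shows what the server can actually see; `classify_callback` and the sample token and state values are constructed for illustration.

```python
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "https://mozilla.modular.im/_matrix/saml2/authn_response"
# Constructed sample: same shape as the URL in the report, placeholder values.
SAMPLE_FRAGMENT_URL = (
    ENDPOINT
    + "#access_token=CONSTRUCTED_TOKEN&scope=openid&expires_in=7200"
    + "&token_type=Bearer&state=CONSTRUCTED_STATE"
)


def classify_callback(method, url, form=None):
    """Classify a request arriving at the SAML authn_response endpoint.

    Returns (kind, server_visible_url, fragment_keys). Only parameter names
    are returned, never token values, so the result is safe to log.
    """
    parts = urlsplit(url)
    # Browsers do not send the fragment to the server, so the service
    # provider only sees scheme, host, path and query of this URL.
    server_visible = parts._replace(fragment="").geturl()
    fragment_keys = sorted(parse_qs(parts.fragment, keep_blank_values=True))

    if method == "POST" and form and "SAMLResponse" in form:
        # SAML HTTP-POST binding: the response is carried in a form field.
        kind = "saml-post-binding"
    elif method == "GET" and "access_token" in fragment_keys:
        # Token delivered in the fragment: nothing here for a SAML endpoint.
        kind = "oauth-implicit-fragment"
    else:
        kind = "unknown"
    return kind, server_visible, fragment_keys


if __name__ == "__main__":
    print(classify_callback("GET", SAMPLE_FRAGMENT_URL))
    print(classify_callback("POST", ENDPOINT, {"SAMLResponse": "constructed"}))
```

For the fragment case the server-side view is a bare GET with no body and no query, which is why the endpoint has no SAML response to process.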

@babolivier
Contributor Author

Apparently I could reproduce this failure on 100% of my attempts yesterday but it's working today. Oh well.

I'll keep this issue open for a few days in case it comes back and close it if it doesn't.

@neilisfragile neilisfragile added mozilla z-bug (Deprecated Label) labels Mar 16, 2020
@babolivier
Contributor Author

I think the best we can do on this is #7058
