Using the Auth0 REST API for Passwordless Login

08 August 2019 Identity 3 mins read

Auth0's documentation is a little wrong - here's a method to use Passwordless login through the REST API so you can build it in to your own application.

Overview

One of the first things to think of when building a new application is how your users are going to login and get authenticated.

Passwordless is the latest craze and there's a reason for it - the need to remember multiple passwords is going and the ease of logging in to your email account to retrieve a code or receiving an SMS on your phone merges the password and double opt in process.

Auth0 is a popular identity management service that offers a free tier to get you started implementing the service for a new system.

Connecting with the API

Going with the assumption that you've read up on Auth0 and looked through the Developer Documentation the next step is to implement the APIs in to your own application to authenticate users.

As you would have guessed - we're going to be using the Passwordless Endpoint. Imagining being a dev you're just looking for the code to get right in to it.

We're sticking to the first endpoint that is on the Passwordless documentation and that's passwordless/start. This API call will send the code to your email inbox for you to verify in your application.

POST https://YOUR_DOMAIN/passwordless/start
Content-Type: application/json
{
  "client_id": "YOUR_CLIENT_ID",
  "connection": "email|sms",
  "email": "EMAIL", //set for connection=email
  "phone_number": "PHONE_NUMBER", //set for connection=sms
  "send": "link|code", //if left null defaults to link
  "authParams": { // any authentication parameters that you would like to add
    "scope": "openid",
    "state": "YOUR_STATE"
  }
}

Performing this API call will respond with an id and whether the email has been verified or not. You'll receive an email shortly using the Auth0 system which will contain the code that you will feed to the next API call.

The next part of the documentation states for you to verify with the /passwordless/verify endpoint but this doesn't actually work and doesn't verify with the same parameters. Instead the best option is to use the /oauth/token endpoint. This will respond with an access token which you can store and make API calls related to the user.

POST https://DOMAIN.auth0.com/oauth/token
Content-Type: application/json
{
    "client_id": "YOUR_CLIENT_ID",
    "connection": "email",
    "password": "CODE_FROM_EMAIL",
    "username": "[email protected]",
    "scope": "openid offline_access",
    "response_token": "token",
    "sso": "false",
    "grant_type": "password"
}

I found this endpoint to provide the relevant information needed to move on with using the Auth0 user system.

Postman

To make things a little easier I've compiled the two endpoints in to a Postman Collection to download. This can be downloaded from Github

Share On:
Sandeep Bansal
Marketing Cloud Technical Architect
Follow me on LinkedIn