First Draft Passwordless Auth on DB Connections with Authentication API#1497
First Draft Passwordless Auth on DB Connections with Authentication API#1497avanscoy wants to merge 2 commits into
Conversation
Summary
|
|
Preview deployment for your docs. Learn more about Mintlify Previews.
💡 Tip: Enable Workflows to automatically generate PRs for you. |
|
Preview deployment for your docs. Learn more about Mintlify Previews.
💡 Tip: Enable Workflows to automatically generate PRs for you. |
|
Preview deployment for your docs. Learn more about Mintlify Previews.
💡 Tip: Enable Workflows to automatically generate PRs for you. |
| | --- | --- | | ||
| | User exists | At login, Auth0 issues tokens for the existing user. | | ||
| | User not found, `allow_signup: true`, signup enabled | At signup, Auth0 creates an account and issues tokens. | | ||
| | User not found, signup not allowed | If a user is blocked, Auth0 returns a generic invalid-OTP error such as `invalid_request` or `Invalid or expired OTP code`, regardless of the code entered. | |
There was a problem hiding this comment.
I think the description here might be off. User not found is different than blocked probably? Below we say blocked is a 403 and OTP error is 400 i think
|
|
||
| ## Default behavior on passwordless database connections | ||
|
|
||
| Implicit signup and login is default behvaior. It applies automatically to any connection that uses passwordless options, as long as: |
There was a problem hiding this comment.
| Implicit signup and login is default behvaior. It applies automatically to any connection that uses passwordless options, as long as: | |
| Implicit signup and login is default behavior. It applies automatically to any connection that uses passwordless options, as long as: |
|
|
||
| ## Default behavior on passwordless database connections | ||
|
|
||
| Implicit signup and login is default behvaior. It applies automatically to any connection that uses passwordless options, as long as: |
There was a problem hiding this comment.
we should clarify here that the default behavior is automatic only for universal login. api callers have to pass allow_signup: true (you mention that over there)
|
|
||
| Implicit signup and login allows a user to move through the passwordless flow whether or not they have an account. After a user verifies with a one-time password (OTP), Universal Login either logs the user into an existing account or offers to create an account on the spot if an account doesn't exist. You no longer need a separate path for **Sign up** vs. **Log in**. | ||
|
|
||
| Implicit signup and login removes an error without next steps when a user who enters an unrecognized identifier completes the OTP challenge and then gets an error with no further steps. |
There was a problem hiding this comment.
This is a little wordy/confusing. maybe something like:
"Previously, unrecognized identifiers led users through an OTP challenge straight into a dead-end error. Implicit signup fixes this workflow by removing the dead end entirely."
| Review the following behaviors: | ||
|
|
||
| - **Implicit signup**: A user attempts to log in with an identifier without an account. After OTP verification, the user gets a confirmation screen and can create the account. | ||
| - **Implicit login**: A user attempts to sign up with an identifier that already has an account. After OTP verification, the user simply logs in without a "account already exists" error. |
There was a problem hiding this comment.
| - **Implicit login**: A user attempts to sign up with an identifier that already has an account. After OTP verification, the user simply logs in without a "account already exists" error. | |
| - **Implicit login**: A user attempts to sign up with an identifier that already has an account. After OTP verification, the user simply logs in without an "account already exists" error. |
|
|
||
| ## Actions | ||
|
|
||
| Implicit signup creates a real user in the connection, so the same Actions that run during a standard signup also runs for implicit signup. The [Pre-User Registration](/docs/customize/actions/flows-and-triggers/pre-user-registration-flow) and [Post-User Registration](/docs/customize/actions/flows-and-triggers/post-user-registration-flow) triggers fire, followed by [Post-Login](/docs/customize/actions/flows-and-triggers/login-flow). You don't need separate Action logic for implicitly-created users. |
There was a problem hiding this comment.
| Implicit signup creates a real user in the connection, so the same Actions that run during a standard signup also runs for implicit signup. The [Pre-User Registration](/docs/customize/actions/flows-and-triggers/pre-user-registration-flow) and [Post-User Registration](/docs/customize/actions/flows-and-triggers/post-user-registration-flow) triggers fire, followed by [Post-Login](/docs/customize/actions/flows-and-triggers/login-flow). You don't need separate Action logic for implicitly-created users. | |
| Implicit signup creates a real user in the connection, so the same Actions that run during a standard signup also run for implicit signup. The [Pre-User Registration](/docs/customize/actions/flows-and-triggers/pre-user-registration-flow) and [Post-User Registration](/docs/customize/actions/flows-and-triggers/post-user-registration-flow) triggers fire, followed by [Post-Login](/docs/customize/actions/flows-and-triggers/login-flow). You don't need separate Action logic for implicitly-created users. |
| 6. Your application calls the [`POST /oauth/token`](/docs/api/authentication/passwordless/get-token) endpoint with the `auth_session` and the user-entered code. | ||
| 7. The Auth0 Authorization Server verifies the code against the `auth_session` and responds with an ID token and access token (and optionally, a refresh token). | ||
|
|
||
| The flow is stateless from your application's perspective. The only value you carry between the two calls is the `auth_session` string returned in step 1. Auth0 determines whether the request is a login or a signup, and whether MFA is required — you don't need to track any of that yourself. To learn more, read [How Auth0 determines login vs. signup](#how-auth0-determines-login-vs-signup). |
There was a problem hiding this comment.
| The flow is stateless from your application's perspective. The only value you carry between the two calls is the `auth_session` string returned in step 1. Auth0 determines whether the request is a login or a signup, and whether MFA is required — you don't need to track any of that yourself. To learn more, read [How Auth0 determines login vs. signup](#how-auth0-determines-login-vs-signup). | |
| The flow is stateless from your application's perspective. The only value you carry between the two calls is the `auth_session` string returned in step 4. Auth0 determines whether the request is a login or a signup, and whether MFA is required — you don't need to track any of that yourself. To learn more, read [How Auth0 determines login vs. signup](#how-auth0-determines-login-vs-signup). |
|
|
||
| User->>App: Enters identifier (email or phone) | ||
| App->>Auth0: POST /otp/challenge | ||
| Auth0-->>User: Sends OTP (email or SMS) |
There was a problem hiding this comment.
should we include voice?
There was a problem hiding this comment.
Got it in the next commit
…ed passwordless auth
Description
API-based Passwordless Authentication on Database Connections is now available. This doc set contains two new pages and updates the existing article to account for the implicit signup and login capabilities.
References
Testing
Checklist
CONTRIBUTING.md.