Auth0LockPasswordless with 3rd party client not working

[susonwaiba]

Checklist

• I have looked into the Readme and Examples, and have not found a suitable solution or answer.
• I have searched the issues and have not found a suitable solution or answer.
• I have searched the Auth0 Community forums and have not found a suitable solution or answer.
• I agree to the terms within the Auth0 Code of Conduct.

Description

I was looking over 3rd party client auth following auth0's documentation.

https://auth0.com/docs/get-started/applications/confidential-and-public-applications/enable-third-party-applications

Documentation suggests to use Auth0Lock instead of Auth0LockPasswordless.

I tried with both and seems like Auth0Lock works.
And Auth0LockPasswordless doesnot work.

Reproduction

1. Create a 3rd party client
2. Promot connection to use to domain level
3. Update universal login page as per documentation.

...
17: var lock = new Auth0Lock(config.clientID, config.auth0Domain, {
....
30: __useTenantInfo: config.isThirdPartyClient
...

4. Check preview and select 3rd party client.
5. First party and 3rd party clients works.
6. Now, update line 17 to use Auth0LockPasswordless
7. First party client works and 3rd doesnot work

Additional context

Lock version

11.35, 13.0

Which browsers have you tested in?

Chrome

[susonwaiba]

This line seems to filter out passwordless connection in UI:-

lock/src/core/tenant/index.js

Line 52 in 5746a37

const connectionTypes = Object.keys(o.connections).filter(name => name != 'passwordless'); // disabled until lock supports passwordless connections within the same engine

After removing filter, I was able to see email field and was able to submit email to receive email OTP code.
But on submitting OTP, API responses with below:-

POST: {domain}/co/authenticate
Payload:

{
  "client_id": "",
  "username": "",
  "otp": "123",
  "realm": "email",
  "credential_type": "http://auth0.com/oauth/grant-type/passwordless/otp"
}

Response:

{
    "error": "unauthorized_client",
    "error_description": "Cross origin login not allowed."
}

I did try adding origin URL to client but seems not working.
I have also promoted email (passwordless connection) to domain level.

[ankita10119]

@susonwaiba

Thanks for digging into this and for clearly documenting your findings, that helped a lot

You’re absolutely right in what you observed. The filtering of the passwordless connection in Lock is what leads to the initial no_connection behavior. However, even if that filter is removed and the UI renders correctly, the flow still fails at /passwordless/start with a 403 for third party clients

At this time, passwordless authentication is not supported end to end for third-party applications. So the behavior you’re seeing is consistent with that limitation and not due to a configuration issue on your side

Apologies for the delay in confirming this, we wanted to make sure we fully validated the behavior before responding