Authorization Code Flow

Using Passwordless Authentication on iOS with emails - Swift


This functionality has been deprecated in native. After June 2017, tenants cannot use the native Refresh Tokenpasswordless flow. The functionality will continue to work for tenants that currently have it enabled. If at some point the passwordless mode feature is changed or removed from service, customers who currently use it will be notified beforehand and given ample time to migrate.

With an email connection, the user is asked to enter their email address, to which Auth0 sends a one-time code. The user then enters the code into your application.

If the email address attached to the code matches an existing user, Auth0 authenticates the user:

Existing User Flow

If the user is new, their user profile is created for the email connection before they are authenticated by Auth0.

New User Flow

On mobile platforms, your app will receive an ID Token, the user profile, and optionally, a Refresh Token.

How it works


How to implement it

Configure an email provider

By default, Auth0 sends the email from its own SMTP provider. Auth0's built-in email infrastructure should be used for testing-level emails only. You can configure your own email provider to better monitor and troubleshoot the email service as well as be able to fully customize the emails.

You will need to use your own email provider to be able to modify the From, Subject, and Body of Passwordless emails.

Keep reading

Configure the connection

  1. Navigate to the Connections > Passwordless page in the Auth0 Dashboard, and enable the Email toggle.

Enable Email Passwordless

  1. Select your Email Syntax, and enter your email's From, Subject, and Message text.

Configure Email Passwordless

You must change the From value to a non address for your custom email to be sent. Otherwise the default email template will be sent.

  1. Enter any Authentication Parameters you would like to include in the generated sign-in link.

  2. Adjust settings for your OTP Expiry and OTP Length, and click SAVE.

If you choose to extend the amount of time it takes for your one-time password to expire, you should also extend the length of the one-time password code. Otherwise, an attacker has a larger window of time to attempt to guess a short code.

Multi-Language Support

The Message area supports multiple languages.

To choose the language, call the /passwordless/start authentication endpoint and set the value of the 'x-request-language' header. When this header is not set, the language is extracted from the 'accept-language' header, which is automatically set by the browser.

Message syntax

The Message area accepts Liquid syntax. You can use this syntax, combined with exposed parameter values, to programmatically construct elements of the message. For example, you can reference the request_language parameter to change the language of the message:

The following parameters are available when defining the message template:

Exposed Parameter Description
code The password to use
link The generated sign-in link The name of the application with which the user is signing up
request_language The requested language for message content
operation Indicates when the template has been triggered by an update to a user's email via the API. Equals change_email when triggered; otherwise, null.

Enable your apps

Click the Apps tab, and enable the apps for which you would like to use Passwordless Email.


Using Auth0 Lock

Lock is a widget that allows you to easily integrate Auth0's Passwordless Authentication into your iOS applications.

After installing and configuring Lock.iOS-OSX, you will be able to use Lock as follows.

When this code runs, it will ask the user for their email address:

Then Auth0 will send to the user an email containing the one-time code:

Lastly, the user enters the one-time password into Lock. Then, if the password is correct, the user is authenticated.

This code will call onAuthenticationBlock, where the ID Token, Refresh Token, and user profile are typically stored. Then the user will be allowed to continue to the authenticated part of the application.

Using your own UI

If you choose to build your own UI, your code will need to ask the user for their email address first. Then call the following method:

After the <passwordless login process begins, ask the user for the one-time code. Then authenticate using that code:

With an email connection, the user is asked to enter their email address, to which Auth0 usually sends a one-time code. Instead, you can configure Auth0 to send a magic link.

Send Magic Link Flow

Sample Magic Link Email

The user then clicks the button or link in the email and is automatically signed in to your application.

Magic Link User Flow

Lastly, once the user is authenticated, your app will be able to access the user profile and tokens returned by Auth0.