Passwordless + OAuth

  • Is there any way to combine the OAuth authorization code grant with passwordless?

    Basically, we want to drop someone into the authorization code grant but not use the standard FusionAuth passwordless flow.

    Right now if we set up passwordless we see the following:

    1. Generate a passwordless code, send the user an email
    2. The user clicks a link back to /oauth2/passwordless/{code}
    3. We consume the code, call the Passwordless Login API, and if good to go, we treat this as a successful credentialed login and redirect to their redirect_uri with an auth code.

    We'd like to do the same thing but with our SPA using an OIDC library, not with the FusionAuth code.

    Is this possible?

  • This is possible. Doing so allows you to weave passwordless into the normal OAuth flow so you can use standard OAuth libraries but not have your user enter a password.

    1. Start the passwordless login on the server side (using the API).
    2. Get the passwordless code.
    3. Send this URL to the client: [FusionAuthURL]/oauth2/passwordless/[passwordlesscode]?redirect_uri=[redirect URI]&response_type=code&client_id=[client_id].
    4. Have the client request this URL.
    5. It'll be just as if the user had authenticated via the /oauth2/authorize endpoint and the user had entered their credentials. You'll get back an authorization code which can then be exchanged for an access token/JWT.
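The five steps of the answer above, as an added example that is not code from the original thread or from FusionAuth. It assumes three things the thread does not state: that the passwordless login is started with a POST to /api/passwordless/start authenticated by an API key and answered with a JSON `code` field, that a `state` query parameter added to the /oauth2/passwordless/{code} URL is carried through to the redirect_uri unchanged (as it is for /oauth2/authorize), and that the authorization code is exchanged at the standard /oauth2/token endpoint. HTTP is injected so the demo runs offline against a constructed stand-in; swap in `http_post_json` to talk to a real server. The `state` check in `parse_callback` is the piece an OIDC client library normally does for you: it ties the callback to the request the server side actually issued.

```python
"""Passwordless code dropped into the OAuth authorization code grant.

Added example, not FusionAuth's or the poster's code. Assumed, not taken from
the thread: the /api/passwordless/start request shape, `state` pass-through on
/oauth2/passwordless/{code}, and the standard /oauth2/token exchange.
"""
import json
import secrets
import urllib.parse
import urllib.request


def http_post_json(url, body, headers):
    """Minimal real HTTP helper (urllib). The demo below injects a fake instead."""
    data = json.dumps(body).encode() if isinstance(body, dict) else body
    req = urllib.request.Request(url, data=data, headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())


def start_passwordless(base_url, api_key, application_id, login_id, post=http_post_json):
    """Steps 1-2: server side, start the passwordless login and keep the code.
    Endpoint and body shape are an assumption of this example."""
    return post(
        f"{base_url}/api/passwordless/start",
        {"applicationId": application_id, "loginId": login_id},
        {"Authorization": api_key, "Content-Type": "application/json"},
    )["code"]


def build_passwordless_authorize_url(base_url, code, client_id, redirect_uri, state):
    """Step 3: the URL handed to the client. Every value is URL-encoded, and a
    `state` value is added so the callback can be matched to this request."""
    query = urllib.parse.urlencode({
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "client_id": client_id,
        "state": state,
    })
    return f"{base_url}/oauth2/passwordless/{urllib.parse.quote(code, safe='')}?{query}"


def parse_callback(callback_url, expected_state):
    """Step 5, client side: take the authorization code out of the redirect,
    refusing it unless `state` round-tripped unchanged."""
    params = urllib.parse.parse_qs(urllib.parse.urlsplit(callback_url).query)
    if params.get("state") != [expected_state]:
        raise ValueError("state mismatch: callback does not belong to our request")
    if "error" in params:
        raise ValueError(f"authorization server returned {params['error'][0]}")
    return params["code"][0]


def exchange_code(base_url, client_id, client_secret, code, redirect_uri, post=http_post_json):
    """Step 5: swap the authorization code for tokens at /oauth2/token
    (standard OAuth; keep the client secret on the server side)."""
    body = urllib.parse.urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,
    }).encode()
    return post(f"{base_url}/oauth2/token", body,
                {"Content-Type": "application/x-www-form-urlencoded"})


class FakeFusionAuth:
    """Constructed stand-in so the example runs offline; records each request."""

    def __init__(self):
        self.calls = []

    def post(self, url, body, headers):
        self.calls.append((url, body, headers))
        if url.endswith("/api/passwordless/start"):
            return {"code": "Vhqz8oQ-constructed"}
        if url.endswith("/oauth2/token"):
            return {"access_token": "eyJ.constructed.jwt", "token_type": "Bearer"}
        raise AssertionError(f"unexpected URL {url}")


def run_flow(base_url="https://fusionauth.example.com"):
    """Walk the whole flow against the fake server; returns (step-3 URL, tokens)."""
    fa = FakeFusionAuth()
    redirect_uri = "https://spa.example.com/cb"
    state = secrets.token_urlsafe(16)
    code = start_passwordless(base_url, "api-key-constructed", "app-id-constructed",
                              "jane@example.com", post=fa.post)
    url = build_passwordless_authorize_url(base_url, code, "client-id", redirect_uri, state)
    # The browser requests `url`; FusionAuth logs the user in and redirects to:
    callback = f"{redirect_uri}?code=AUTHCODE-constructed&state={state}"
    auth_code = parse_callback(callback, state)
    tokens = exchange_code(base_url, "client-id", "client-secret-constructed",
                           auth_code, redirect_uri, post=fa.post)
    return url, tokens


if __name__ == "__main__":
    step3_url, result = run_flow()
    print(step3_url)
    print(result)
```

With a real server, the SPA's OIDC library handles the `parse_callback` and `exchange_code` halves; only the first three functions run on your backend, which is also where the API key stays.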