Passwordless login and the OIDC workflow
-
I have a two-part question about passwordless login.
I’ve read it’s not advised to start the passwordless process using the API and finish using the OpenID Connect workflow, but I was able to get it to work by setting up the state on /api/passwordless/start/ with client_id, redirect_uri, response_type, and scope. It seems to work fine to format a link with that code to /oauth2/passwordless/CODE?tenant_id=X. With that link the login seems to work fine with the OpenID Connect workflow, and all the tokens and cookies get set up properly (which is why I’d rather do this vs. validating with the API).

First question: Am I going to have problems doing it this way? Is there something I’m missing? Why is it not advisable?

Second question: If I set additional key/value pairs in state in the initial API request, is there any way to get to those after completing the process with OpenID Connect? I’d like to log who initiated the passwordless request through the API, as an example.
-
That should work OK. The only reason not to do it this way is that you’re sort of emulating the OAuth front end’s usage of this API, which in theory is subject to change.

Re: state, additional key/value pairs will be stored; however, if our front end is consuming the URL, you won’t have access to the API response, which will contain that state information.
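The flow described in the exchange above, as an added example that is not part of the original post or of the identity provider's own code: the caller builds the start request with the OIDC parameters in state, turns the returned code into the /oauth2/passwordless/CODE?tenant_id=X link, and, since the answer notes the stored state is not returned to the caller when the front end consumes the link, keeps its own record of who initiated the request. The request body shape (applicationId, loginId, state), the response shape ({"code": ...}), the sample values, and the caller-side audit log are all assumptions made for the example.

```python
import hashlib
import json
from urllib.parse import quote, urlencode

# Constructed sample response from /api/passwordless/start/ (assumed shape).
SAMPLE_START_RESPONSE = {"code": "YkQY5Gsyo4RlfmDciBGRmvfj3RmatUqrbjoIZ19fmw4"}

# OIDC keys the front end expects to find in state; callers may not override them.
OIDC_STATE_KEYS = ("client_id", "redirect_uri", "response_type", "scope")


def build_start_body(login_id, application_id, client_id, redirect_uri,
                     allowed_redirect_uris, scope="openid",
                     response_type="code", extra_state=None):
    """Build the JSON body for the start call with the OIDC parameters in state.

    allowed_redirect_uris is a caller-side allowlist (an assumption for the
    example): the provider should also enforce its registered redirect URIs,
    but refusing unknown values here stops a bad link being minted at all.
    """
    if redirect_uri not in allowed_redirect_uris:
        raise ValueError("redirect_uri is not in the allowlist")
    state = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": response_type,
        "scope": scope,
    }
    for key, value in (extra_state or {}).items():
        # Extra key/value pairs ride along in state, but must not clobber the
        # parameters the OIDC front end reads out of it.
        if key in OIDC_STATE_KEYS:
            raise ValueError(f"extra state key {key!r} collides with an OIDC parameter")
        state[key] = value
    return {"applicationId": application_id, "loginId": login_id, "state": state}


def build_passwordless_link(base_url, code, tenant_id):
    """Format the link the question describes: /oauth2/passwordless/CODE?tenant_id=X."""
    path = "/oauth2/passwordless/" + quote(code, safe="")
    return base_url.rstrip("/") + path + "?" + urlencode({"tenant_id": tenant_id})


def record_initiator(audit_log, code, initiated_by):
    """Keep a caller-side record of who started the request.

    Only a SHA-256 of the code is stored: the log then identifies the request
    without itself being a usable login link if it is ever read by someone else.
    """
    entry = {
        "code_sha256": hashlib.sha256(code.encode("utf-8")).hexdigest(),
        "initiated_by": initiated_by,
    }
    audit_log.append(entry)
    return entry


def start_flow(audit_log, start_response, base_url="https://login.example.test",
               tenant_id="tenant-123"):
    """Tie the pieces together using the constructed sample response.

    A real caller would POST build_start_body(...) to /api/passwordless/start/
    and use the JSON it gets back in place of start_response.
    """
    body = build_start_body(
        login_id="user@example.test",
        application_id="app-456",
        client_id="app-456",
        redirect_uri="https://app.example.test/callback",
        allowed_redirect_uris={"https://app.example.test/callback"},
        extra_state={"initiated_by": "support-agent-7"},
    )
    request_json = json.dumps(body)  # what would be sent to the start API
    code = start_response["code"]
    record_initiator(audit_log, code, body["state"]["initiated_by"])
    link = build_passwordless_link(base_url, code, tenant_id)
    return request_json, link


if __name__ == "__main__":
    log = []
    sent, magic_link = start_flow(log, SAMPLE_START_RESPONSE)
    print(sent)
    print(magic_link)
    print(log)
```

The audit entry can later be matched against the code when the link is redeemed (for example by hashing the code seen in the /oauth2/passwordless/ request on a reverse proxy or in the front end), which gives the "who initiated it" record the question asks for without depending on the start API's response being visible after the OIDC front end has consumed the link.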