FR: Authentication with only email (no password) #365
Comments
Now supported 🎉 https://firebase.google.com/support/release-notes/js#4.12.0
https://firebase.google.com/support/release-notes/ios#4.11.0
|
Thank you very much! |
@bojeil-google @mono0926 could we configure/customize the template that is sent to the user? |
Currently this is not possible to prevent abuse. |
Thank you very much for the email only authentication and example. I am struggling with the desktop experience and how to transition the user back to the app to complete the authentication flow. I understand the flow must be completed in-app, but I am struggling to address the risk that the user may jump to their desktop to confirm their email address. Appears right now the only resolution would be to set up a webpage warning the user to click the email verification on the mobile device they began the authentication on... Is this correct? Appreciated greatly. |
The feature was designed to allow completion on any device. It is not restricted to a single device. But if you want to restrict it, you can set up a landing webpage to warn the user to open the link on the same device. |
Hi, I am specifically referring to passwordless email sign-in only. Thank you |
Not sure I understand. If they open the link on a desktop device, they will be redirected to the continue URL that you own and passed. You would complete sign in there (you would need to ask the user for their email again for security reasons). The user will basically start the flow on a mobile device and end up getting signed in on a desktop browser. |
Thanks for the reply. I must be missing the linkage between the webpage the
dynamic link sends the desktop user to and completing the sign-in that
started on the mobile device.
I suppose I should look at using the JS components to sign in a user who
started on mobile but moved to desktop to verify their email address? I
believe this is relevant documentation:
https://firebase.google.com/docs/auth/web/email-link-auth
If not, could you please let me know a bit more detail?
Really appreciate the confirmation that I'm headed the right way, or not...
--
*Ryan Park, CPA, CA *
Founder, Out of the Park Apps
http://www.ootpapps.com
*Install the #1 Parental Control app on Android for **free now** & **please
rate it 5 stars** - *https://goo.gl/5KL2BI
|
I am not sure what to add but this option in the documentation specifies the landing page if the link is opened from a regular browser: On that page you can call the following logic to complete sign in:
|
Thank you I will take a look at this, much appreciated
On Thu, Jun 14, 2018, 6:51 PM bojeil-google ***@***.***> wrote:
I am not sure what to add but this option in the documentation specifies
the landing page if the link is opened from a regular browser:
url: 'https://www.example.com/finishSignUp?cartId=1234',
On that page you can call the following logic to complete sign in:
if (firebase.auth().isSignInWithEmailLink(window.location.href)) {
  // Get email...
  // ...
  // sign in.
  firebase.auth().signInWithEmailLink(email, window.location.href);
}
|
Seems I'm stumped. I set up the JS approach as described and got it
working, however, even when the email is validated through the webpage, the
flow will break when we go back to the mobile app. How can I pass the email
link back to the mobile app? It is required to sign in with
signInWithEmailLink(email,link).
Is there a way to persist the email link on the mobile device in the case
they start the process on mobile, verify on the web, and return to the
mobile to login? This does not appear to be documented anywhere, though
there is acknowledgement that verification may occur on a different device.
So hopefully this use case is supported.
|
If the flow ends up on a device different than the original device, you are expected to ask the user to provide the email. This is well documented for security reasons. Please read the documentation: If they start on a mobile device and expect to end on a mobile device, you can persist the email using |
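The landing-page completion step discussed in this thread, written out as an added example (not code from the thread or from the Firebase project): it uses the saved email when the link is opened on the device that requested it and asks for the email again otherwise. `isSignInWithEmailLink` and `signInWithEmailLink` are the SDK methods quoted in the thread; `completeEmailLinkSignIn`, `resolveEmail`, the `emailForSignIn` storage key and the stub objects are hypothetical names introduced here.

```javascript
// Added example. In a browser the call would be (assumed wiring):
//   completeEmailLinkSignIn(firebase.auth(), window.localStorage,
//     window.location.href, () => window.prompt('Confirm your email'));
const EMAIL_KEY = 'emailForSignIn'; // app-chosen storage key (assumption)

// Pick the email to pair with the link. A saved value exists only on the
// device that requested the link; elsewhere the user must type it again, so
// holding the link alone is not enough to sign in.
function resolveEmail(storage, askUser) {
  const saved = storage.getItem(EMAIL_KEY);
  if (saved) return { email: saved, source: 'same-device' };
  const typed = (askUser() || '').trim();
  return typed ? { email: typed, source: 'prompt' } : null;
}

function completeEmailLinkSignIn(auth, storage, href, askUser) {
  if (!auth.isSignInWithEmailLink(href)) {
    return Promise.resolve({ status: 'not-a-sign-in-link' });
  }
  const resolved = resolveEmail(storage, askUser);
  if (!resolved) return Promise.resolve({ status: 'email-required' });
  return auth.signInWithEmailLink(resolved.email, href).then((result) => {
    storage.removeItem(EMAIL_KEY); // the link is single-use; drop the saved email
    return { status: 'signed-in', source: resolved.source, user: result.user };
  });
}

// --- Constructed stand-ins so the example runs offline (not Firebase code) ---
function makeStubAuth(issuedTo) {
  const calls = [];
  return {
    calls,
    isSignInWithEmailLink: (href) => /[?&]mode=signIn(&|$)/.test(href) && /[?&]oobCode=/.test(href),
    signInWithEmailLink: (email) => {
      calls.push(email);
      return email === issuedTo
        ? Promise.resolve({ user: { email } })
        : Promise.reject(new Error('email does not match link'));
    },
  };
}
function makeMemoryStorage(initial) {
  const data = Object.assign({}, initial);
  return {
    getItem: (k) => (k in data ? data[k] : null),
    removeItem: (k) => { delete data[k]; },
  };
}
const LINK = 'https://www.example.com/finishSignUp?cartId=1234&mode=signIn&oobCode=CONSTRUCTED';
```

The session is created only in the context that calls `signInWithEmailLink`, which is why the web page and the mobile app do not both end up signed in.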
Hi, the email address is not the issue, it's the email link with the
one-time generated code, it's needed to sign in using the
method signInWithEmailLink(email, emailLink). Please keep in mind I'm
talking about passwordless sign-in. The emailLink is what I'm missing...
Could you please explain how to continue the flow on the mobile device, if
they started on mobile, went to desktop and returned to login in app. What
would I supply as the emailLink argument? Normally this argument is
obtained from the Intent firing the app, but of course, in this flow that
won't exist as the user validated their email on the web, then manually
opened the app and tried to login with their email.
Keep in mind, verifying the email in the webpage does not create a session
in app. They still need to log in the app with their email and I need the
email link too per the method signInWithEmailLink(email, emailLink).
This does not appear to be covered in the documentation.
I really appreciate it
On Tue, Jun 19, 2018, 4:15 PM bojeil-google, ***@***.***> wrote:
If the flow ends up on a device different than the original device, you
are expected to ask the user to provide the email. This is well documented
for security reasons. Please read the documentation:
https://firebase.google.com/docs/auth/web/email-link-auth#security_concerns
If they start on a mobile device and expect to end on a mobile device, you
can persist the email using SharedPreferences in Android or NSUserDefaults
in iOS, etc.
|
Hey @ootpapps, your questions are better suited for stackoverflow. The GitHub repo is not the right place for a tutorial. I don't understand what is confusing you. If the email link is redeemed in a web flow, then the user is signed in in the web page even if the user started from a mobile app. The opposite is true, if the user starts from a web site and opens the link on a mobile device with the app installed, the user completes sign in in the mobile app. The web page remains not signed in. The summary is that the user will get signed in once in the mobile app or webpage that processed the link, where |
Unfortunately, you must have misunderstood my original post.
Going back to the documentation for passwordless sign-in, if you start on
mobile, you must verify on mobile to complete the authentication flow given
handleCodeInApp must be true:
- handleCodeInApp: Set to true. The sign-in operation has to always be
completed in the app unlike other out of band email actions (password reset
and email verifications). This is because, at the end of the flow, the user
is expected to be signed in and their Auth state persisted within the app.
So there we have it, if the user starts on mobile, but verifies the email
on desktop, the flow breaks and the only option is to show the user a
splash page telling them to re-do the flow on the same mobile device (this
was my original post).
I suppose I should have trusted the documentation but I couldn't believe
the user had to verify the email on the same mobile device, I accept this
as a limitation now. I understand why now, the emailLink needed to sign-in
contains an OTP (one-time password), thus the only way to get this is from
the Intent's data that is created from the deep-link.
Thanks anyway!
On Tue, Jun 19, 2018, 6:51 PM bojeil-google, ***@***.***> wrote:
Hey @ootpapps <https://github.com/ootpapps>, your questions are better
suited for stackoverflow. The GitHub repo is not the right place for a
tutorial.
For mobile flows, the emailLink is the FDL deep link (you can use FDL
client libraries to help retrieve it, or just get it yourself using native
APIs, the mobile documentation covers it) and the email is either
previously saved if the flow started on that device or you ask the user for
it.
I don't understand what is confusing you. If the email link is redeemed in
a web flow, then the user is signed in in the web page even if the user
started from a mobile app. The opposite is true, if the user starts from a
web site and opens the link on a mobile device with the app installed, the
user completes sign in in the mobile app. The web page remains not signed
in.
The summary is that the user will get signed in once in the mobile app or
webpage that processed the link, where signInWithEmailLink is called.
|
I think I'm having the same issue, and I'm asking here instead of Stack Overflow because it is not about help, it is about deciding on or clarifying the doc. Imagine I have a normal website (there is no phone app).
Am I wrong? In case I am right, I think this should be in the doc; I think I lost 1 week of development because I thought my desk could get signed in too. |
Dear Firebase community,
I'd like to request Authentication with only email (no password). I have some services users only very rarely need to log in to and I don't want my users to set passwords. Just an email with a URL to log in every time they want to log in will do.
I think a lot of people would like this feature and there is currently a hack possible to achieve this, but I feel it'd be much better if this was an official option from Firebase.
Best regards,
-Luca Ban