My SPA Client is using the Auth0.js Passwordless Start/Verify flow to authenticate users. My auth callback page is receiving the below Payload Validation Error. I have verified the user exists for the SMS connection in the Auth0 Dashboard and that the SPA Client has the SMS connection enabled.
Error:
https://localhost:9001/auth/callback#error=access_denied&error_description=
Payload%20validation%20error%253A%20'None%20of%20the%20valid%20schemas%20were%20met'
.%20Inner%20errors%253A%20%5B%20Payload%20validation%20error%253A%20'Missing%20required%20property%253A%20blocked'
.%20(also)%20Payload%20validation%20error%253A%20'Missing%20required%20property%253A%20email_verified'
.%20(also)%20Payload%20validation%20error%253A%20'Missing%20required%20property%253A%20email'
.%20(also)%20Payload%20validation%20error%253A%20'Missing%20required%20property%253A%20verify_email'
.%20(also)%20Payload%20validation%20error%253A%20'Missing%20required%20property%253A%20phone_number'
.%20(also)%20Payload%20validation%20error%253A%20'Missing%20required%20property%253A%20phone_verified'
.%20(also)%20Payload%20validation%20error%253A%20'Missing%20required%20property%253A%20verify_phone_number'
.%20(also)%20Payload%20validation%20error%253A%20'Missing%20required%20property%253A%20password'
.%20(also)%20Payload%20validation%20error%253A%20'Missing%20required%20property%253A%20verify_password'
.%20(also)%20Payload%20validation%20error%253A%20'Missing%20required%20property%253A%20user_metadata'
.%20(also)%20Payload%20validation%20error%253A%20'Missing%20required%20property%253A%20app_metadata'
.%20(also)%20Payload%20validation%20error%253A%20'Missing%20required%20property%253A%20username'
.%20(also)%20Payload%20validation%20error%253A%20'Missing%20required%20property%253A%20client_id'
.%20(also)%20Payload%20validation%20error%253A%20'Missing%20required%20property%253A%20groups'
.%20%5D.&state=statehash
Auth0 Initialization:
this.auth0 = new auth0.WebAuth({
audience: `https://${authSettings.domain}/userinfo`,
clientID: authSettings.checkoutClientId,
domain: authSettings.domain,
redirectUri: authSettings.checkoutCallbackUrl,
responseType: 'token id_token',
scope: 'openid email profile'
});
Passwordless Start:
this.auth0.passwordlessStart({
connection: 'sms',
send: 'code',
phoneNumber: phoneNumber,
authParams: {
responseType: 'token id_token',
scope: 'openid email profile'
}
}
Passwordless Verify:
this.auth0.passwordlessVerify({
connection: 'sms',
phoneNumber: phoneNumber,
verificationCode: confirmationCode,
type: 'sms',
authParams: {
responseType: 'token id_token',
scope: 'openid email profile'
}
}
The "missing required parameters" don't even make sense for a call to passwordless/verify.
Turns out the error was actually being thrown inside a custom Auth0 Rule but was only surfacing via the auth callback.
Specifically, we had a rule that called auth0.users.updateAppMetadata
and auth0.users.updateUserMetadata
which apparently do not work with Passwordless SMS connections.