wso2 / product-is

Welcome to the WSO2 Identity Server source code! For info on working with the WSO2 Identity Server repository and contributing code, click the link below.
http://wso2.github.io/
Apache License 2.0

Unable to complete a login flow with magic link over API based authentication in a web application #17783

Open ayshsandu opened 11 months ago

ayshsandu commented 11 months ago

Describe the issue:

How to reproduce:
1 - Configure username & password and magic link as 1st step sign-in options of an application.
2 - Try to do magic link-based authentication from a web app perspective.
3 - After selecting the magic link step and submitting the username, the user receives an email with a magic link-related call.
4 - As steps 2 and 3 can happen in two browsers, unable to proceed with step 3 as it doesn't have all the information to complete the login flow.

Expected behaviour: The flow after receiving the magic link in the email should be self-contained. For that, the flow should be available in the email.

Note: Also check the possible security risks associated with sending the callbacks in the email link with the other information.

janakamarasena commented 10 months ago

A state parameter has been added to the magic link with https://github.com/wso2-extensions/identity-local-auth-magiclink/pull/47 which allows the client app to correlate the received magic link token with the authentication flow. This still requires the user to click the magic link in the same device/browser.

Currently, one way to work around the limitation of the same device/browser requirement is for the implementer to create a central service to receive the magic link and to poll this service from the client app with the state until a timeout or the result is received.

The overall mentioned problem is due to a limitation of the current way the magic link authenticator is implemented. As there is a workaround and due to this not being an API based auth specific problem, the severity of the issue is reduced.
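The workaround described in the comment above (a central service that receives the magic link on whichever device it is opened on, and a client that polls it with the `state` value until a timeout or a result), as an added example that is not part of the issue thread and not WSO2 code. It assumes the magic link carries the `state` parameter introduced by the linked PR; the token parameter name `mlt`, the landing-endpoint shape, the 5-minute TTL and all other names are assumptions made for illustration.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional

# Added example, not WSO2 code. An in-memory "central service" (relay) that lets
# a web app started on device A complete a magic-link sign-in even when the user
# opens the emailed link on device B. Both sides correlate on the `state` value
# carried in the magic link. The names `state`, `mlt`, the landing-endpoint
# shape and the 5-minute TTL are assumptions made for this illustration.

STATE_TTL_SECONDS = 300.0


@dataclass
class _Pending:
    created: float
    mlt: Optional[str] = None  # magic link token, set when the link is opened


class MagicLinkRelay:
    def __init__(self, now: Callable[[], float] = time.monotonic,
                 ttl: float = STATE_TTL_SECONDS) -> None:
        self._now = now          # injectable clock so the flow can be exercised offline
        self._ttl = ttl
        self._pending: dict[str, _Pending] = {}

    def begin(self) -> str:
        """Device A starts a flow. The state is the only value shared between the
        two devices, so it must be unguessable (256 bits of randomness here)."""
        state = secrets.token_urlsafe(32)
        self._pending[state] = _Pending(created=self._now())
        return state

    def _expired(self, entry: _Pending) -> bool:
        return self._now() - entry.created > self._ttl

    def receive(self, state: str, mlt: str) -> bool:
        """Landing endpoint the emailed link points at (hit from device B).
        Accepts the token only for a known, unexpired state that has not been
        filled yet: an unknown state is rejected (no planting tokens for flows
        the caller did not start) and a second delivery cannot overwrite the first."""
        entry = self._pending.get(state)
        if entry is None or self._expired(entry) or entry.mlt is not None:
            return False
        entry.mlt = mlt
        return True

    def poll(self, state: str) -> tuple[str, Optional[str]]:
        """Device A polls with its state. Returns ("pending", None), ("ready", mlt),
        ("expired", None) or ("unknown", None). The token is handed out exactly
        once; the state is forgotten immediately afterwards."""
        entry = self._pending.get(state)
        if entry is None:
            return ("unknown", None)
        if self._expired(entry):
            del self._pending[state]
            return ("expired", None)
        if entry.mlt is None:
            return ("pending", None)
        del self._pending[state]
        return ("ready", entry.mlt)


def wait_for_magic_link(relay: MagicLinkRelay, state: str, timeout: float,
                        interval: float = 1.0,
                        now: Callable[[], float] = time.monotonic,
                        sleep: Callable[[float], None] = time.sleep) -> Optional[str]:
    """Client-side loop on device A: poll until the token arrives, the flow
    expires or is unknown, or the local deadline passes. Returns the token or None."""
    deadline = now() + timeout
    while True:
        status, mlt = relay.poll(state)
        if status == "ready":
            return mlt
        if status != "pending" or now() >= deadline:
            return None
        sleep(interval)


class FakeClock:
    """Deterministic clock for the demo (no real sleeping)."""
    def __init__(self) -> None:
        self.t = 0.0

    def now(self) -> float:
        return self.t

    def sleep(self, seconds: float) -> None:
        self.t += seconds


if __name__ == "__main__":
    clock = FakeClock()
    relay = MagicLinkRelay(now=clock.now)
    state = relay.begin()                          # device A: app starts sign-in
    print("device A polls:", relay.poll(state))    # ("pending", None)
    relay.receive(state, "constructed-mlt-123")    # device B: user opens the link
    print("device A polls:", relay.poll(state))    # ("ready", "constructed-mlt-123")
```

The relay only bridges the two devices; after `poll` returns the token, the original browser still has to present it to Identity Server to actually complete the authentication, and the relay must be reachable only over TLS since the token transits it. Rejecting unknown states, refusing to overwrite a delivered token, expiring stale states and handing each token out exactly once are what keep the emailed link from being usable to hijack a flow the recipient did not start.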