
Context:

I've written an application that distributes a widget that would be installed on a consumer's web application (like Intercom, Hotjar etc.) and I'd like to make use of passwordless authentication to authenticate my users.

From what I can tell, Firebase passwordless auth sends a link to the user's email address, and upon clicking it they'll be redirected. Given that this is a widget, as far as I can see, redirecting to the consumer's application is not possible, as it doesn't make sense to whitelist said app in the Firebase console.

Redirecting to the main app (where you'd get the widget's code) doesn't make sense either because the user will be authenticated in the main app, not the widget.

The ideal solution in my perspective seems to be sending the OTP code instead which the user can copy/paste into a text field in the widget itself.

What I've tried so far:

I've read the docs thoroughly and tried implementing passwordless authentication, which has led to my above-mentioned conclusions. Since you can't really edit the email template, I'm starting to feel that this use-case does not align with what Firebase Passwordless auth was made for.

What I'm looking for:

I want to reduce the sign-in friction for my users, and I'd also like to verify their email addresses so that I can send them notifications/newsletters, etc. later on.

The other authentication providers, like the OAuth2-based ones, revolve around the fact that the user has registered with that particular service. Anonymous authentication allows users to sign in but does not ensure that each user has a unique email address. Email/Password authentication has high friction.

I'm looking for a passwordless authentication that is similar to how auth0 does it, but auth0 has a more verbose limit on the free plan compared to firebase auth.

Any help, advice or pointers would be helpful!

Resources:

Firebase Passwordless Auth: https://firebase.google.com/docs/auth/web/email-link-auth

auth0 Passwordless Auth: https://auth0.com/passwordless/

CoodleNoodle

1 Answer


From reading the documentation on Authenticate with Firebase Using Email Link and Passing State in Email Actions, I don't think this is a completely supported scenario. But you may be able to emulate it by:

  1. Setting up your own handler page for the link in the email.
  2. Having that page display the oobCode from the link.
  3. Setting up a page in the widget where the user enters the code.
  4. Recreating the link from that code and other app-specific information.
  5. Creating the credentials by calling credentialWithLink.

This is pretty involved though, so you'll have to make the trade-off yourself on whether it is worth the effort. A much simpler flow is to:

  1. Send the link.
  2. Have them open the link on their other device, which verifies their account.
  3. Provide a button in the widget that reloads their profile, and checks if the email address in their account is verified.

Frank van Puffelen
  • Thank you Frank for the time and effort! Could you clarify what you mean by "open the link on their other device"? Are you referring to something like a user gets the email sent via PC then clicks on the link in their inbox on a mobile? How would this solve the issue? Because per the docs, until you click the link and are redirected you are not authenticated right? – CoodleNoodle Jul 17 '20 at 15:40
  • Oops... sorry, I got mixed up between signing in with an email link, and verifying an email address. They both use a similar flow, but indeed the approach #2 won't work in that case. It'd be between the first approach in my answer, and creating a custom provider in that case. Unless you want to send a text/SMS message, which is closer to the flow you're looking for. – Frank van Puffelen Jul 17 '20 at 16:09
  • All good, so when it comes to making your own auth system, is it possible to utilize firebase's own mail server? Like for example, I generate the code on my backend and then send it via firebase's mail server? – CoodleNoodle Jul 17 '20 at 16:19
  • Nope, you'll have to provide your own mail server, as allowing you to use ours would be a huge abuse vector. Common solutions are to use gmail, or one of the big SMTP providers (search for them, as I don't want to recommend anyone over someone else). – Frank van Puffelen Jul 17 '20 at 17:37
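The first approach in the answer above (show the oobCode on your own handler page, have the user paste it into the widget, rebuild the link, call credentialWithLink) can be written as two small pure functions plus one SDK-backed function. The following is an added example, not code from the original question or answer and not Firebase's own code. It assumes the standard Firebase email action link format (`/__/auth/action?mode=signIn&oobCode=...&apiKey=...`), uses a constructed sample link with a fake oobCode and apiKey, and takes the Firebase Auth SDK pieces (`EmailAuthProvider`, `signInWithCredential`, the `auth` instance) as arguments so the file runs without the SDK installed. The character-class check on the code is an assumption about what oobCodes look like; adjust it to what your project issues.

```javascript
// Added example: handler-page side and widget side of the "oobCode as a
// one-time code" flow. Not from the original post; the Firebase SDK is
// injected rather than imported so the pure parts run stand-alone.

// Firebase email action links carry mode, oobCode and apiKey as query
// parameters; "signIn" is the mode used for email-link sign-in.
const ACTION_MODE_SIGN_IN = "signIn";

// Assumption: oobCodes are opaque URL-safe tokens. Tighten or loosen this
// to match the codes your project actually issues.
const OOB_CODE_PATTERN = /^[A-Za-z0-9_-]+$/;

// Handler page: pull the one-time code out of the link the user clicked.
// Returns null unless this is a sign-in link with a well-formed code, so the
// page never displays a password-reset or verify-email code by mistake.
function extractSignInCode(link) {
  let url;
  try {
    url = new URL(link);
  } catch (e) {
    return null;
  }
  const mode = url.searchParams.get("mode");
  const oobCode = url.searchParams.get("oobCode");
  if (mode !== ACTION_MODE_SIGN_IN || !oobCode) return null;
  if (!OOB_CODE_PATTERN.test(oobCode)) return null;
  return oobCode;
}

// Widget: rebuild a link the SDK will accept from the pasted code plus the
// per-project constants (handler origin, apiKey) that never change. Only the
// code is user-controlled, so it is validated before it goes into the URL.
function rebuildSignInLink(pastedCode, { handlerOrigin, apiKey }) {
  const code = String(pastedCode).trim();
  if (!OOB_CODE_PATTERN.test(code)) {
    throw new Error("pasted code is not a well-formed oobCode");
  }
  const url = new URL("/__/auth/action", handlerOrigin);
  url.searchParams.set("mode", ACTION_MODE_SIGN_IN);
  url.searchParams.set("oobCode", code);
  url.searchParams.set("apiKey", apiKey);
  return url.toString();
}

// Widget: complete sign-in. `sdk` is { EmailAuthProvider, signInWithCredential }
// from the modular Firebase Auth API and `auth` is the Auth instance; `email`
// must be the address the link was sent to (the widget should have stored it,
// e.g. in localStorage, when it requested the link).
async function signInWithPastedCode(sdk, auth, email, pastedCode, config) {
  const link = rebuildSignInLink(pastedCode, config);
  const credential = sdk.EmailAuthProvider.credentialWithLink(email, link);
  return sdk.signInWithCredential(auth, credential);
}

// Constructed sample data (fake project host, apiKey and oobCode).
const SAMPLE_CONFIG = {
  handlerOrigin: "https://example-widget.firebaseapp.com",
  apiKey: "AIzaFAKEKEYFORDEMO",
};
const SAMPLE_LINK =
  "https://example-widget.firebaseapp.com/__/auth/action" +
  "?mode=signIn&oobCode=AbC-123_xyz&apiKey=AIzaFAKEKEYFORDEMO" +
  "&continueUrl=https%3A%2F%2Fexample.com%2Fapp&lang=en";

// Stand-alone demonstration of the two pure steps.
const shownCode = extractSignInCode(SAMPLE_LINK);
console.log("code displayed on handler page:", shownCode);
console.log("link rebuilt in widget:", rebuildSignInLink(shownCode, SAMPLE_CONFIG));
```

Two practical points follow from this. First, the handler page lives on your own authorized domain, which is exactly why the consumer's domain never needs to be whitelisted in the Firebase console. Second, the oobCode is the entire secret: whoever has it plus the email can sign in until the link expires or is consumed, so keep the page that displays it free of third-party scripts, and have the widget refuse codes for any email other than the one it stored when the link was requested.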