RFC for Magic sign-in link via email #17888
Replies: 7 comments 3 replies
-
For passwordless entry, I would also love to have the OTP option, so instead of a link, the user would get a 6 (or more) digit number to log in. |
Beta Was this translation helpful? Give feedback.
-
Heya! Thanks for opening this feature request! This feature request has received over 15 votes from the community. This means we'll move this feature request to the Under Review state! The Core team will schedule a meeting to review this request as soon as possible. The discussion will then be approved or denied. You may or may not be invited to join this meeting with the core team. For more information, see our Feature Request Process. |
Beta Was this translation helpful? Give feedback.
-
Thanks @adanielyan! The front-end steps make a ton of sense. I think the last piece of the puzzle for this feature to be a success is figuring out the exact API spec. Couple of questions on that:
|
Beta Was this translation helpful? Give feedback.
-
|
Beta Was this translation helpful? Give feedback.
-
Must have:
|
Beta Was this translation helpful? Give feedback.
-
Summary
Add a "Magic sign-in link" option to the available authentication methods. Users must be able to choose a Magic sign-in option in addition to any other enabled option to sign in. This authentication method should work for both the Directus app and authentication through API. This authentication should be an extension of default (database) authentication. That is, the auth method on the account will be "default". As a result only accounts with a "default" authentication method will be able to use Magic link auth, although it may change in the future when/if authentication by any method (regardless of what method was used to create an account) is supported by Directus.
Basic Example
Example 1
Example 2
Motivation
Magic link authentication is becoming increasingly popular and are considered a safe way to authenticate user without password. It would be good to support this authentication method.
Detailed Design
Use case 1
Send me a magic link
button.Use case 2
Steps 4-10 are same as in
Use case 1
, but the redirect URL in step 6 will be the app's page URL submitted to the Magic Link generation API endpoint.Requirements List
Must Have:
Should Have:
Could Have:
Won't Have:
Drawbacks
To implement this approach the token refresh API endpoint will have to accept GET requests, as you cannot send a POST request from an email. While this may sound as a security risk, in reality it is not, as the refresh tokens can only be used once, and are discarded after a new refresh token is generated. But there may be other negative consequences that I cannot think of at the moment.
Alternatives
Using 3rd party OAuth providers, such as Auth0 to enable Magic link authentication.
Adoption Strategy
TBD
Unresolved Questions
No response
Beta Was this translation helpful? Give feedback.
All reactions