Lock.Android: Passwordless with Magic Link

In order to avoid asking the user to input the one-time password sent for passwordless authentication in Android apps, we introduced the ability to send a link that the user can tap to login without any manual input involved.

These links include the same code that would be used in the traditional passwordless flow, but with the correct configuration, these links will open right into your application.

Auth0 Dashboard Configuration

Go to your application settings and click Show Advanced Settings at the bottom of the page. Then in the "Device Settings" tab, you will need to provide both the Android Application's Package Name and certificate Key Hash.

  • App Package Name: This is the package name, as declared in the app's manifest. It's also available in the app/build.gradle file as the applicationId attribute. If both values are not the same, use the one for the applicationId. An example would be com.example.android.myapp

  • Key Hashes: These are the SHA256 fingerprints of our Android app’s signing certificates. You can include multiple of them by separating them with commas. Both the release and debug keystore fingerprints can be specified here. The section below explains how to obtain them. An example would be DE:1A:5B:75:27:AA:48:D5:A6:72:2F:76:43:95:9B:79:C6:86:1A:5B:75:27:AA:48:D5:A6:73:FE.

After you set the values make sure to click Save Changes.

Getting your Signing Certificates Fingerprint

Use the following command to generate the fingerprint via the Java keytool CLI:

keytool -list -v -keystore my-release-key.keystore

or obtain the default debug key:

keytool -list -v -keystore ~/.android/debug.keystore -alias androiddebugkey -storepass android -keypass android

The value required by the dashboard is the one listed as "SHA256". You can read more about Keystores in this official article.

Enable the Email Connection

Passwordless using Magic Link works only with the passwordless connection of type "email". Go to Dashboard > Authentication for Passwordless connections and click on Email. A popup will open and the HTML + Liquid email template will become editable. Verify that the body contains a conditional like this:

{% if send == 'link' or send == 'link_ios' or send == 'link_android' %}
Your verification link is: {{ link }}
{% elsif send == 'code' %}
Your verification code is: {{ code }}
{% endif %}

Was this helpful?

/

Configuring the SDK

Now that the Auth0 application is configured follow the instructions and set up PasswordlessLock with Lock.Android as seen in the passwordless docs.

SDK usage

Lock Passwordless authenticates users by sending them an Email with a one-time password, which in this case will be a LINK instead of a code. If you have followed the guide for Passwordless classic, you'd only need to remove the useCode() call and replace it with useLink().

Finally, launch the PasswordlessLock widget from inside your activity.

startActivity(lock.newIntent(this))

Was this helpful?

/

After requesting the LINK, the next screen will indicate that in order to log in, the user should tap on it. In case this is not possible, the user can still input the code that will be visible after clicking the link from the received email.

The Lock library is ready to be used with App Links. This is a feature available in Android 6.0 (API level 23) and higher, that allows an app to designate itself as the default handler of a given type of link, without showing the disambiguation dialog that asks the user whether to use the Browser or your app to open the link.

This works as long as the user has not already chosen a default app to handle that URI pattern in the Android device settings.

Automatic handling of links requires the cooperation of your app and the Auth0 website. The app must declare the association with the website and request that the system verifies it. The website must, in turn, provide that verification by publishing a Digital Asset Links file.

Auth0 will generate the Digital Asset Links file automatically for you when you configure the App Package Name and Key Hash as shown before. If you've followed all the steps in this article, the file should be available and will be verified the next time your android application is installed.

You could find more information about App Links in the Android docs.