是否可以通过 Firebase 无密码身份验证发送 OTP 而不是链接？

Question

Context:

I've written an application that distributes a widget that would be installed on a consumer's web application (like Intercom, Hotjar etc.) and I'd like to make use of passwordless authentication to authenticate my users.

From what it seems like, Firebase passwordless auth sends a link to the user's email address, and upon clicking it they'll be redirected. Given that this is a widget, as far as it seems like to me, redirecting to the consumer's application is not possible as it doesn't make sense to whitelist said app in the firebase console.

Redirecting to the main app (where you'd get the widget's code) doesn't make sense either because the user will be authenticated in the main app, not the widget.

The ideal solution in my perspective seems to be sending the OTP code instead which the user can copy/paste into a text field in the widget itself.

What I've tried so far:

I've read the docs thoroughly, tried implementing passwordless authentication which has lead to my above-mentioned conclusions. Since you can't really edit the email template I'm starting to feel that this use-case does not align with what Firebase Passwordless auth was made for.

What I'm looking for:

I want to reduce the sign-in friction for my users, and I'd also like to verify their email addresses so that I can send them notifications/news-letters, etc. later on.

The other authentication providers like the OAuth2 based ones revolve around the fact that the user has registered with that particular service. Anonymous authentication allows users to sign-in but does not ensure that each user has a unique email address. Email/Password authentication has high-friction.

I'm looking for a passwordless authentication that is similar to how auth0 does it, but auth0 has a more verbose limit on the free plan compared to firebase auth.

Any help, advice or pointers would be helpful!

Resources:

Firebase Passwordless Auth: https://firebase.google.com/docs/auth/web/email-link-auth

auth0 Passwordless Auth: https://auth0.com/passwordless/

Answer 1

From reading the documentation on Authenticate with Firebase Using Email Link and Passing State in Email Actions , I don't think this is a completely supported scenario. But you may be able to emulate it by:

1. Setting up your own handler page for the link in the email.
2. Having that page display the oobCode from the link.
3. Set up a page on the widget where the user enters the code.
4. Recreate the link from that code and other app-specific information.
5. Create the credentials by calling credentialWithLink .

This is pretty involved though, so you'll have to make the trade-off yourself on whether is is worth the effort. A much simpler flow is to:

1. Send the link.
2. Have them open the link on their other device, which verifies their account.
3. Provide a button in the widget that reloads their profile , and checks if the email address in their account is verified.