Auth0 passwordless auth fails if the linked clicked isn't from the first email sent

[babolivier]

Mozilla's Auth0 has email passwordless auth enabled, with a feature that allows one to ask Auth0 to actually email the authentication magic link to another email address than the one initially set. This works in the following way:

• Click the "Sign in with SSO" button on https://chat.mozilla.org
• Choose to login with an email, enter an email address (let's say alice@example.com) and click "Enter"
• Confirm ("Send me an email to continue")
• On the success screen, click the "Need to send that to a different email?" link:

• Get the authentication portal to send a magic link to another email address (let's say bob@example.com)

Now, if you click on the link sent to alice@example.com, Auth0 gets the user's browser to send a POST request to /authn_response with a SAML AuthN response, as expected (though I did get bitten by #7056 a few times when trying it out).
However, if you click on the link sent to bob@example.com, then your browser ends up doing a GET request to https://mozilla.modular.im/_matrix/saml2/authn_response#access_token=[...]&scope=openid&expires_in=7200&token_type=Bearer&state=[...], which has an access token in the URI fragment.

Currently I'm not sure how to use that access token, nor whether I can use it to get an AuthN response to give to Synapse.

I'm also not sure whose fault this is, since this "Need to send that to a different email?" link isn't an Auth0 thing but rather a Mozilla one afaict (which lives here: https://github.com/mozilla-iam/auth0-custom-lock).

[babolivier]

Apparently I could reproduce this failure on 100% of my attempts yesterday but it's working today. Oh well.

I'll keep this issue open for a few days in case it comes back and close it if it doesn't.

[babolivier]

I think the best we can do on this is #7058