Hello! I am implementing magic link functionality into a nodejs project (express.js) with my own login forms. I have run into an odd issue, when a user visits the authentication endpoint from the Microsoft Outlook Desktop App, I get an expired token error. If the user copy and pastes the URL into the browser, there is no issue. There is also no issue if they click the link via outlook on the web or through other email providers. Talking with some co-workers our best guess is it is related to Outlook verifying the link before taking the user to the URL. Has anyone else seen this issue? Is there anything I can do other than ask the user to copy and paste the URL? Thanks!

Hi Matt, we didn't see this elsewhere, but not sure we had anyone using desktop app of outlook. When you click on the link - can you please check the link itself and how it is different than the link you copy and paste that does work? Happy to jump on a quick zoom to see it together.

Also are you copy/pasting the text or are you right click copying the link? I’m curious if on click from your mailbox if any corporate link checking may be occurring. However, I think the link would already have that in it, but not the text, just the hyperlink embedded under the text.

@breezy-evening-56597 I just double checked and there isn't any difference between the URL that I appear to click on in the email and one that I copy and paste into the browser.

So just to confirm - you click on it - it tells you it's expired, then you copy the same link into a browser and it works? Or are you triggering a new link and only then copy& paste it?

Here is a screen recording of what I am experiencing. I do have it generate a new token and then only copy and paste it into a browser.

Interesting. Would you be available in 25 minutes for a zoom?

Sure! I have also figured out that it doesn't happen when I am running it on my local machine and the url points to http://localhost:3000

Matt - ok if I try on my end on your site?

Yeah, no problem.

I'm testing locally with Outlook as well and will drop you a zoom here in a minute.

@salmon-night-88354 I don't currently have enchanted links implemented.

I tested locally with outlook on mac using an outlook account. No dice on reproducing. Want to hop into this zoom? https://descope.zoom.us/j/89940475529?pwd=OUVnTnV6SlczQ3ZRTHVtQ3ZOMXdVQT09

hi @sparse-alarm-2032, first of all I really like your UI, well done! 🙂 like you said, it’s likely that outlook verifies the link before opening it in the browser, you can confirm this by looking at your express.js app access logs and see multiple requests to /authorize if that’s the case, I think that what is happening is that your express js accepts the GET request and verifies the token using our node sdk immediately, so when the “real” browser hits that page it’s already expired these security tools that validate the links don’t usually use an actual browser but just get the raw content and inspect it for malware, this means that a simple GET to your server triggers the token validation the solution here is setting the

/authenticate

endpoint that you have to serve a plain html/javascript page that upon load would trigger a background fetch to a DIFFERENT endpoint, or maybe just a POST to the same endpoint, and only that would trigger the token validation btw, all of this does not happen when using Descope Flows, because they do just that, they only run on a real browser so these GET requests from security scanners do not trigger anything I hope this helps, let me know if you have any additional questions or wanna jump on a call

@orange-belgium-27264 Thanks for this tip, I followed your advice and every seems to be working appropriately now. Cheers!