What's the alternative of oauth/ro? Does "oauth/token" even work?

Does “oauth/token” even work? I want to login using username and password with ‘Username-Passoword-Connection’. And I don’t want to use lock. what to do?

Yes, /oauth/token is supported and the recommended alternative for /oauth/ro. I didn’t use the word works because it may be a perspective thing as I’m assuming that if it had worked as you intended you would not be asking the question.

Also note that although it’s an equivalent it’s not a direct replacement. For example, the /oauth/token endpoint supports two resource owner password credentials (ROPC) grants grant_type:

  • password - you don’t pass any information about the connection you want to use; it uses the one configured as default connection in your account settings (or fails if there’s no default connection configured).
  • http://auth0.com/oauth/grant-type/password-realm - you can pass the connection you want to use as a request parameter through the use of the realm parameter where you would pass the connection name.

In conclusion, you should be able to use /oauth/token endpoint, assuming the client application is configured in a way that allows the use of those grant types. See Client Grant Types for more information on this. Another thing to have in mind is that the client application is configured to require authentication (aka token endpoint authentication method different than none) then you also need to provide the client secret in addition to the client identifier.

Reference docs on /oauth/token from the perspective of ROPC:

https://auth0.com/docs/api-auth/tutorials/password-grant