Username/password login for SPA suddenly not working

Our client was working just fine until yesterday; when I tried to login via username/password, it had this error:

Error: Grant type 'http://auth0.com/oauth/grant-type/password-realm' not allowed for the client.

The code that creates a webAuth client like so:

this.auth0 = new auth0.WebAuth({
  clientID: <CLIENT_ID>,
  domain: <DOMAIN>,
  responseType: 'token id_token',
  redirectUri: `${window.location.origin}/login`,
  leeway: 50
})

Then it has a login function (and a similar-looking signup) as follows:

this.auth0.client.login({
  realm: 'Username-Password-Authentication',
  username: <USERNAME>,
  password: <PASSWORD>
}, (err, authResult) => {
  if (err) {
    alert('Error: ' + err.description)
    return
  }
  if (authResult && authResult.idToken && authResult.accessToken) {
    this.setToken(authResult.accessToken, authResult.idToken)
    browserHistory.replace('/')
  }
})

The documentation is confusing, but from what I gather, the implementation of things seem to have changed. To enable username/password login for a Single-Page Application, it says things about an API auth (?). What does that mean? Do I have to add API support to a purely front-end page? (We do have an API, but that’s separate.)

I’d appreciate any guidance!

To my knowledge there has not been any changes in the Auth0.js side of things for sometime so it’s unlikely that the source of the issue is coming from the client-side. We recently identified an issue that for specific client applications that were not being explicitly identified as first-party application the associated grant types could be incorrectly configured following a client application change through the Dashboard. This would explain why the client.login call would fail.

The issue mentioned above is identified and will soon be addressed, however, in the meantime you can access the advanced client settings of the application in question and navigate to the grant types section in order to confirm if this is the issue affecting you. If you cannot see the password grant type for selection then you can do the following; call the PATCH client endpoint through the Management API with a JSON payload of { "is_first_party": true }. This will explicitly mark the client application as first-party which I’m assuming it’s the case of your application (if the owner or who controls the development of the application is the same entity that owns the Auth0 account then its a first-party application).

Having completed the above steps you should then be able to access the client settings again and this time the password grant should now be available for selection (assuming the root cause of the issue is the one I think it is). If this does not address the situation can you please include additional information to help troubleshoot this situation, for example, if you did not do any change at the code level, did you recently do configuration changes through the Dashboard.

PATCHing the client worked. I was able to find the Password grant type after that. Thank you!