401 Calling /token Only In JS


I’m trying to retrieve an auth token so I can later get user info, using this guide: Get Management API Access Tokens for Production

However, I get a 401 Unauthorized when calling from my React JS client.

I had exactly the same code working in a previous vanilla JS client, and the equivalent CURL returns a response with a token, so I can’t see what’s causing this issue.

I’m posting:
{ "grant_type": "client_credentials", "client_id": "xxx", "client_secret": "xxx", "audience": "https://shoutapp.eu.auth0.com/api/v2/" }

to 'https://shoutapp.eu.auth0.com/oauth/token'

and as I say, CURL works:

curl --request POST --url 'https://shoutapp.eu.auth0.com/oauth/token' --header 'content-type: application/json' --data '{"grant_type":"client_credentials","client_id": "xxx","client_secret": "xxx","audience": "https://shoutapp.eu.auth0.com/api/v2/"}'

so the credentials definitely match the machine-to-machine application, but the JS call does not. There’s nothing useful in the returned error except “401 unauthorised”.

Are you using the same client on both calls?

By definition a React JS application is a public client (token endpoint authentication method set to None) and can’t execute the client-credentials exchange (which is reserved for confidential clients only).

The Management API v2 is not designed to be accessed by SPA applications, unless done on behalf of the user (for very limited scopes like read:current_user). For these cases you would request an access token using the user-interactive token request (/authorize).

In general, though, if you are trying to get user information the recommendation would be to use the OIDC /userinfo endpoint, with the access token obtained through an authorization request with scope=openid.
