401 error on oauth/token with Angular

I’m playing with integration of Auth0 into an existing Angular9 application. I’ve read and followed two different approaches:

and

I’m also using a custom Database where existing users are located.

In both scenarios I’m able to call loginWithRedirect, login with the user and reach the callback url. However, on the callback URL the code automatically calls auth0 address/oauth/token in the following sequence:
- /authorize?client_id… (302 result → to my callback URL with code= parameter)
- /oauth/token (OPTIONS - 200 response)
- /oauth/token (POST - 401 error)

The POST method which is failing has been sent the following values:

  1. client_id: “–My client ID–”
  2. code: “–generated by Auth0–”
  3. code_verifier: “–generated by Auth0–”
  4. grant_type: “authorization_code”
  5. redirect_uri: “–the same callback URI we are currently on–”

Additional request headers:
:authority: --my auth0 domain--
:method: POST
:path: /oauth/token
:scheme: https
accept: */*
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cache-control: no-cache
content-length: 223
content-type: application/json
origin: my localhost
pragma: no-cache
referer: my localhost
sec-fetch-dest: empty
sec-fetch-mode: cors
sec-fetch-site: cross-site
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.80 Safari/537.36

Anyone have an idea on where the misconfiguration is located?

A possible thing to check would be to see if the client application is correctly configured in Auth0. For example, it may be requiring client authentication in the token endpoint which could explain this because the SPA will be unable to maintain a client secret and as such won’t send one in the request.

See the token endpoint authentication method setting at (Application Settings).

This issue was resolved by the Client Authentication Endpoint setting being POST by default instead of NONE. Appears to be a common issue and a bug where the SPA setting is defaulting to POST which is not correct.


Yes, it was related to this setting. However, it was due to incorrect behavior in Auth0 portal whereby it defaulted to POST instead of NONE and could not be changed until I changed from SPA to Web App and then back to SPA.


Thanks for sharing it with the rest of the community!
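An added example (not part of the thread, and not Auth0's own code): an offline check for the misconfiguration discussed above, where a SPA client is set to require client authentication at the token endpoint. It assumes client objects carrying the `app_type` and `token_endpoint_auth_method` fields as returned by the Auth0 Management API; the sample clients, the sample request, and all function names are constructed for illustration.

```javascript
// Constructed sample data, shaped like client objects from the Auth0
// Management API (app_type, token_endpoint_auth_method). IDs are placeholders.
const sampleClients = [
  { client_id: 'SPA_AS_IN_THREAD', app_type: 'spa', token_endpoint_auth_method: 'client_secret_post' },
  { client_id: 'SPA_CORRECTED', app_type: 'spa', token_endpoint_auth_method: 'none' },
  { client_id: 'WEB_BACKEND', app_type: 'regular_web', token_endpoint_auth_method: 'client_secret_post' },
];

// Constructed token request mirroring the fields listed in the question:
// a PKCE code exchange sent from the browser, with no client_secret.
const spaTokenRequest = {
  headers: { 'content-type': 'application/json' },
  body: { client_id: 'SPA_AS_IN_THREAD', code: 'PLACEHOLDER_CODE',
    code_verifier: 'PLACEHOLDER_VERIFIER', grant_type: 'authorization_code',
    redirect_uri: 'http://localhost:4200/callback' },
};

// Public clients run on the user's device and cannot hold a secret.
const PUBLIC_APP_TYPES = new Set(['spa', 'native']);

// Flag clients whose application type and token endpoint auth method disagree.
function auditClient(client) {
  const isPublic = PUBLIC_APP_TYPES.has(client.app_type);
  const method = client.token_endpoint_auth_method;
  if (isPublic && method !== 'none') {
    return { id: client.client_id, ok: false, finding: 'public-client-requires-secret' };
  }
  if (!isPublic && method === 'none') {
    return { id: client.client_id, ok: false, finding: 'confidential-client-unauthenticated' };
  }
  return { id: client.client_id, ok: true, finding: null };
}

// Simplified model (an assumption, not the server's code) of the client
// authentication check: does the request carry what the method demands?
function checkClientAuth(client, request) {
  const method = client.token_endpoint_auth_method;
  if (method === 'none') return 'no-client-auth-required';
  const sent = method === 'client_secret_post'
    ? typeof request.body.client_secret === 'string'
    : /^Basic\s/i.test(request.headers.authorization || '');
  return sent ? 'client-auth-present' : '401-missing-client-auth';
}

// Return only the misconfigured clients.
function auditAll(clients) { return clients.map(auditClient).filter((r) => !r.ok); }

console.log(auditAll(sampleClients), checkClientAuth(sampleClients[0], spaTokenRequest));
```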
