401 Unauthorized Post /oauth/token using Resource Owner Flow

Express App: 6001, React App: 3000.

var data = {
  grant_type: 'password',
  client_id: '----------------------',
  // client_secret: '---------------',
  audience: 'https://dev-49v8whrc.us.auth0.com/api/v2/',
  // scope: "read:sample",
  password: req.body.password,
  username: req.body.username,
}

axios.post('https://dev-49v8whrc.us.auth0.com/oauth/token', data, {
  headers: { 'content-type': 'application/x-www-form-urlencoded' },
}).then((response: any) => {
  res.json(response)
  console.log(response)
}).catch((error: any) => {
  res.json(error.response.data)
  console.log(error.response)
});

I’m sure of the user credentials and client_id. I signed up the user using the sign-up endpoint and it works. I also tried including the secret and audience keys. Unsure how I’m receiving the error. Any hint as to what I’m doing wrong? It also works on the debugger but not on my app ;/

Hey @ibrahimsam96,

Thanks for getting in touch with us at Auth0 Community.

I note that you have the client secret commented out; this will need to be present. I tested successfully with the curl below:

curl --request POST \
  --url 'https://YOUR_DOMAIN/oauth/token' \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data grant_type=password \
  --data 'client_id=eLltTv5EmEXOBeZDrjMa4VjGVVVXgc3o' \
  --data 'client_secret=YOUR_CLIENT_SECRET' \
  --data 'audience=https://YOUR_DOMAIN/api/v2/' \
  --data username=USERNAME \
  --data password=PASSWORD

Let me know if you’re still having issues.

Warm regards.


I’m having the same problem whether I include the secret or not.

In the Resource Owner Password Flow, only grant_type, client_id, username and password are required.
https://auth0.com/docs/api/authentication#resource-owner-password

What application type should I select for the above endpoint to work? Currently in the API debugger, Machine to Machine with None for the token endpoint works, but unfortunately it returns an error when I run it from my app.

Hi @ibrahimsam96
I used a native app in my testing. Does it work if you run your parameters as a curl statement as per my example? This will help troubleshoot the issue. Also, ensure the password grant is enabled on your client.

Look forward to hearing from you.
Warm regards.
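
The curl request from the first reply, rebuilt for the Express side in JavaScript as an added example (not code from this thread or from Auth0): the body is explicitly form-encoded with URLSearchParams so it matches the content-type header regardless of how the HTTP client serializes plain objects, and the client secret is read from the server environment. YOUR_DOMAIN, the AUTH0_* environment variable names, the helper names and the sample credentials are assumptions made for illustration.

```javascript
// Added example: URL and field names follow the curl above; YOUR_DOMAIN and
// the AUTH0_* environment variable names are placeholders (assumptions).
const TOKEN_URL = 'https://YOUR_DOMAIN/oauth/token';
const REQUIRED = ['grant_type', 'client_id', 'username', 'password'];

// Build a request whose body really is form-encoded; unset fields are omitted.
function buildTokenRequest(fields) {
  const missing = REQUIRED.filter((k) => !fields[k]);
  if (missing.length > 0) {
    throw new Error('missing required field(s): ' + missing.join(', '));
  }
  const body = new URLSearchParams();
  for (const [key, value] of Object.entries(fields)) {
    if (value !== undefined && value !== null && value !== '') {
      body.append(key, String(value));
    }
  }
  return {
    method: 'POST',
    headers: { 'content-type': 'application/x-www-form-urlencoded' },
    body: body.toString(),
  };
}

// Express-side helper: the secret comes from the server environment, never
// from the React app. Returns only status and parsed body to the caller.
async function passwordGrant(username, password, env = process.env) {
  const request = buildTokenRequest({
    grant_type: 'password',
    client_id: env.AUTH0_CLIENT_ID,
    client_secret: env.AUTH0_CLIENT_SECRET,
    audience: env.AUTH0_AUDIENCE,
    username,
    password,
  });
  const response = await fetch(TOKEN_URL, request); // global fetch, Node 18+
  return { status: response.status, data: await response.json() };
}

// Constructed sample input, only to show the encoded body (no network call).
const sample = buildTokenRequest({
  grant_type: 'password',
  client_id: 'EXAMPLE_CLIENT_ID',
  audience: 'https://YOUR_DOMAIN/api/v2/',
  username: 'user@example.com',
  password: 'p&ss=word 1',
});
console.log(sample.body);
```

Comparing the printed body with what the app actually sends (for example in a proxy or request log) shows whether the token endpoint is receiving form fields or something else.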
