Here’s the sequence I’m going through to get a basic (Quickstart) SPA application (in React) working. I’m guessing I could probably eliminate a step or two in the middle, but thought that listing my tested sequence accurately would be helpful:
- Create new Auth0 tenant (which creates default app)
- Within default app, fill in “http://localhost:3000” for the following:
  - “Callback URL”, “Allowed Origins”, “Logout URL”
- Verify default settings and test login within SPA:
  - Application Type: is set to “Select an application type”
  - Token Endpoint Authentication Method: field is inactive (grayed out) and set to “Post”
  - Advanced Settings -> Grant Types: the following are checked (and unable to be changed): Implicit, Authorization Code, Refresh Token, Client Credentials
  - When using the “Authorization Code” flow within a SPA using the Auth0 Quickstart example:
    - new user: user creation works fine
    - code: obtaining “code” works fine
    - token failure: when you exchange “code” for “token” via the /oauth/token endpoint, you get a 401/Unauthorized
- SPA: Changing “Application Type” from “Select an application type” to “Single Page Application”
  - “Token Endpoint Authentication Method” remains grayed out, and set to “Post”
  - Within Advanced Settings -> Grant Types:
    - “Client Credentials” is now grayed out, but still checked.
    - Implicit, Authorization Code, and Refresh Token remain checked.
  - code: obtaining “code” works fine
  - token failure: when you exchange “code” for “token” via the /oauth/token endpoint, you get a 401/Unauthorized
- Native: Changing “Application Type” from “Single Page Application” to “Native”
  - “Token Endpoint Authentication Method” remains grayed out, and set to “Post”
  - Within Advanced Settings -> Grant Types:
    - “Client Credentials” is now grayed out, but still checked.
    - Implicit, Authorization Code, and Refresh Token remain checked.
  - code: obtaining “code” works fine
  - token failure: when you exchange “code” for “token” via the /oauth/token endpoint, you get a 401/Unauthorized
- Regular Web Application: Changing “Application Type” from “Native” to “Regular Web Application”
  - “Token Endpoint Authentication Method” field is now active (not grayed out), and set to “Post”
  - Advanced Settings -> Grant Types: Implicit, Authorization Code, Refresh Token, and Client Credentials are checked
  - code: obtaining “code” works fine
  - token failure: when you exchange “code” for “token” via the /oauth/token endpoint, you get a 401/Unauthorized
- SPA: Changing “Application Type” from “Regular Web Application” to “Single Page Application”
  - Receive modal saying “Changing the Application Type from Regular Web Application to Single Page Application will disable the Client Credentials grant for this application”
  - Clicked on “Confirm”
  - “Token Endpoint Authentication Method” is now grayed out, and set to “None”
  - Advanced Settings -> Grant Types:
    - Implicit, Authorization Code, and Refresh Token are now checked.
    - Client Credentials is grayed out, and not checked
  - Still successfully get “code” when you log in
  - Now get a 200/OK when exchanging code for token at /oauth/token