401/Unauthorized when obtaining token in Authorization Code grant

Here’s the sequence I’m going through to get a basic (Quickstart) SPA application (in React) working. I’m guessing I could probably eliminate a step or two in the middle, but thought that listing my tested sequence accurately would be helpful:

  • Create new Auth0 tenant (which creates default app)
  • Within default app, fill in “http://localhost:3000” to the following:
    • “callback URL”, “Allowed Origins”, “Logout URL”
  • Verify default settings and test login within SPA:
    • Application Type: is set to “Select an application type”
    • Token Endpoint Authentication Method: field is inactive (greyed out) and set to “Post”
    • Advanced Settings->Grant Types: The following are checked (and unable to be changed): Implicit, Authorization Code, Refresh Token, Client Credentials
  • When using “Authorization Code” flow within a SPA using Auth0 Quickstart example
    • new user: User creation works fine
    • code: Obtaining “code” works fine
    • token failure: When you exchange “code” for “token” via /oauth/token endpoint, you get a 401/Unauthorized
  • SPA: Changing “Application Type” from “Select an application type” to “Single Page Application”
    • “Token Endpoint Authentication Method” remains grayed out, and set to “Post”
    • Within Advanced Settings->Grant Types:
      • “Client Credentials” is now grayed out, but still checked.
      • Implicit, Authorization Code, and Refresh Token remain checked.
    • code: Obtaining “code” works fine
    • token failure: When you exchange “code” for “token” via /oauth/token endpoint, you get a 401/Unauthorized
  • Native: Changing “Application Type” from “Single Page Application” to “Native”
    • “Token Endpoint Authentication Method” remains grayed out, and set to “Post”
    • Within Advanced Settings->Grant Types:
      • “Client Credentials” is now grayed out, but still checked.
      • Implicit, Authorization Code, and Refresh Token remain checked.
    • code: Obtaining “code” works fine
    • token failure: When you exchange “code” for “token” via /oauth/token endpoint, you get a 401/Unauthorized
  • Regular Web Application: Changing “Application Type” from “Native” to “Regular Web Application”
    • “Token Endpoint Authentication Method” field is now active (not greyed out), and set to “Post”
    • Advanced Settings->Grant Types: Implicit, Authorization Code, Refresh Token, and Client Credentials are checked
    • code: Obtaining “code” works fine
    • token failure: When you exchange “code” for “token” via /oauth/token endpoint, you get a 401/Unauthorized
  • SPA: Changing “Application Type” from “Regular Web Application” to “Single Page Application”
    • Receive modal saying “Changing the Application Type from Regular Web Application to Single Page Application will disable the Client Credentials grant for this application”
    • Clicked on “confirm”
    • “Token Endpoint Authentication Method” is now grayed out, and set to “None”
    • Advanced Settings->Grant Types:
      • Implicit, Authorization Code, and Refresh Token are now checked.
      • Client Credentials is grayed out, and not checked
    • Still successfully get “code” when you login
    • Now get a 200/OK when exchanging code for token at /oauth/token