Access-denied/Unauthorised while using "auth0.com/oauth/token"

authentication-api
auth0
username-password-co
access-is-denied
unauthorized

#1

I have an app which cannot use redirect_uri, so we tried to implement the “auth0.com/oauth/token” API to pass the username and password, but it is responding with an access_denied/Unauthorized error. I tried all the combinations and it only returns the same error. Please help us to tackle the issue, since we are migrating from the legacy API. Is there any API available which can be used for username-password authentication?

//postman-code
curl -X POST \
  'https://gornapp.auth0.com/oauth/token?grant_type=client_credentials&username=vbenavid%40gornapp.com&password=LifeChanger2017&client_id=xxxxxxxxxxxxxx&client_secret=xxxxxxxxxxxxxxxxxxxxx' \
  -H 'cache-control: no-cache' \
  -H 'content-type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW' \
  -H 'postman-token: d2db6957-5c13-70b4-8a53-f38e8633d9e7'

response

{
  "error": "access_denied",
  "error_description": "Unauthorized"
}


#2

I’m pretty new to this, so keep that in mind: it looks like you have a few things mixed together in that curl example.

/oauth/token is used to get an access token, not to authenticate a user.

If you want to get an access token as a normal user, you need to authenticate first (/authorize endpoint) to get your authorization code, and then use the authorization code to get your access token using the authorization code flow.

The client_credentials flow does not involve a username or password. Using client_credentials you are using the client ID and secret to directly (without logging in as a user) acquire an access token.

So either:

  1. authenticate as a normal user, then call /oauth/token with your authorization code, or
  2. use client creds to get an access token without logging in as a normal user

Refer to the links below:


#3

Is there any direct API which supports direct username-password login without redirecting to the Auth0 page? This is for a hybrid app where the Auth0 page doesn’t redirect back to the mobile app.


#4

I believe so, but don’t know the details off hand. The authentication flows are documented here:


#5

Anyway, thanks for the replies. The issue has been fixed by doing a server-side Resource Owner Password method using the /oauth/token API.
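As an added illustration of the server-side Resource Owner Password grant the thread settled on (this is example code, not from the thread or from Auth0's SDKs): the grant parameters go in a form-encoded POST body rather than the query string, the grant_type is password rather than client_credentials, and the access_denied reply seen above is handled as a JSON error body. The tenant domain, client ID, client secret and user credentials are placeholders.

```python
"""Resource Owner Password grant against Auth0's /oauth/token (added example)."""
import json
from urllib import error, parse, request

# Constructed placeholders: replace with your own tenant and application values.
AUTH0_DOMAIN = "YOUR_TENANT.auth0.com"
CLIENT_ID = "YOUR_CLIENT_ID"
CLIENT_SECRET = "YOUR_CLIENT_SECRET"


def build_password_grant(username, password, client_id, client_secret, domain):
    """Return (url, headers, body) for the Resource Owner Password grant.
    Every parameter goes in the form-encoded POST body, never in the URL, so the
    user's password does not land in proxy or web-server access logs."""
    body = parse.urlencode({
        "grant_type": "password",        # not client_credentials: that grant has no user
        "username": username,
        "password": password,
        "client_id": client_id,
        "client_secret": client_secret,  # stays on the server; this grant is server-side only
    }).encode()
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return f"https://{domain}/oauth/token", headers, body


def interpret_token_response(status, text):
    """Map the JSON reply to (ok, detail). Error bodies look like
    {"error": "access_denied", "error_description": "Unauthorized"}."""
    data = json.loads(text)
    if status == 200 and "access_token" in data:
        return True, data["token_type"]
    return False, f'{data.get("error")}: {data.get("error_description")}'


def request_token(username, password):
    """Perform the grant and return (ok, detail); network errors are reported, not raised."""
    url, headers, body = build_password_grant(
        username, password, CLIENT_ID, CLIENT_SECRET, AUTH0_DOMAIN)
    req = request.Request(url, data=body, headers=headers, method="POST")
    try:
        with request.urlopen(req, timeout=10) as resp:
            return interpret_token_response(resp.status, resp.read().decode())
    except error.HTTPError as e:      # 401/403 come back with a JSON error body
        return interpret_token_response(e.code, e.read().decode())
    except error.URLError as e:       # DNS/TLS/connection failure
        return False, f"transport error: {e.reason}"


if __name__ == "__main__":
    print(request_token("user@example.com", "correct horse battery staple"))
```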