What is a recommended way to do strictly API login (no UI) with credentials supplied in the payload and retrieve an access_token back? The back-end could be a basic Auth0-managed Username-Password-Authentication DB, where username and password are stored. Please provide samples and Auth0 libraries in Node if you have them.
Note: this is easily accomplished via UI (i.e. Universal Login) and there are tons of excellent guides. I have been searching the community on this topic but I could not find a straight-up resolution WITHOUT UI.
There are two ways: ROPG and M2M.
ROPG is Resource Owner Password Grant. It is NOT recommended, as you have to handle passwords in your app, instead of relying on the ULP for this, as well as losing SSO and centralization of IAM functionality. Docs are here:
Again, this is NOT recommended.
The other way is client credentials or machine-to-machine. If the “user” is a server side application, this one is the way to go. Something like a cron job…
Hi John, thanks for the info.
Noted that ROPG is NOT recommended, we do not plan to uptake / implement this.
We looked at the M2M prior to opening this ticket and were able to follow guides using the client_id and client_secret okay. However, we need something user-context specific: we could not locate how to supply user context (username / password) in addition to client_id/secret, where the API data response will be different contingent upon such user context. (It's not a cron-job type.) Please let me know if we missed it; if so, can you provide a direct link to a sample authenticating with client_id + client_secret + username (+ password [optional])? Please also advise on a different option if Client Credentials or M2M do not support this.
There is no user context with client credentials. If the client credentials app has the user ID or email, you can give the app sufficient privileges to look up info on the user. Be aware that this means the client credentials app can look up info on ANY user.
If you truly need a “user context”, that is, if you really have a user logging in and need their profile, you’ll have to either use ROPG (not recommended) or a redirect flow like Auth Code or Auth Code + PKCE.
This use case is a bit confusing to me. An "API only" auth sounds like client credentials, but "users" sounds like there is a web app or native app to interact with. Which one is it?
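To make the point above concrete, here is an added Node example (not code from the thread or from Auth0's own libraries): it builds the client-credentials request to Auth0's `/oauth/token` endpoint, which has no place for a username or password, and then shows how an API can tell an M2M token from a user token before serving user-specific data. The tenant domain and API audience are placeholders.

```javascript
// Added example (not from the thread): Node 18+, no dependencies.
// Hypothetical tenant values; replace with your own.
const AUTH0_DOMAIN = 'YOUR_TENANT.auth0.com';   // placeholder
const API_AUDIENCE = 'https://api.example.com'; // placeholder API identifier

// Build the client-credentials (M2M) token request for Auth0's /oauth/token.
// Note what is absent: there is no username or password field in this grant,
// so the resulting token identifies the application, not a user.
function buildClientCredentialsRequest(clientId, clientSecret) {
  return {
    url: `https://${AUTH0_DOMAIN}/oauth/token`,
    method: 'POST',
    headers: { 'content-type': 'application/json' },
    body: JSON.stringify({
      grant_type: 'client_credentials',
      client_id: clientId,
      client_secret: clientSecret,
      audience: API_AUDIENCE,
    }),
  };
}

// Perform the request (network call; not exercised by the offline checks below).
async function fetchAccessToken(clientId, clientSecret) {
  const req = buildClientCredentialsRequest(clientId, clientSecret);
  const res = await fetch(req.url, { method: req.method, headers: req.headers, body: req.body });
  if (!res.ok) throw new Error(`token request failed: ${res.status}`);
  return (await res.json()).access_token;
}

// Decode the JWT payload (no signature check: this is claim inspection only;
// the API must still verify signature, issuer and audience before trusting it).
function decodePayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a JWS compact token');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Auth0 marks M2M tokens with gty = "client-credentials" and a subject of the
// form "<client_id>@clients". An API that needs a real user behind the call
// should refuse such tokens instead of treating the app as if it were a user.
function hasUserContext(jwt) {
  const p = decodePayload(jwt);
  if (p.gty === 'client-credentials') return false;
  if (typeof p.sub === 'string' && p.sub.endsWith('@clients')) return false;
  return typeof p.sub === 'string' && p.sub.length > 0;
}
```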
Hi John, noted with thanks.
To give you a bit more info:
We are able to use Auth0 web app login (Universal Login) and native app login without problems. All customer-facing apps that we control are good.
There is, however, a third-party tool which relies on a backend API to:
(a) login with username/password in payload to retrieve access_token, and then
(b) use the access_token to call various other protected APIs.
We are trying to solve this use case, hence this post to the community channel.
This use case is a third-party app:
The third-party app asks the user to log in via your Universal Login Page and gets an access token back.
Thank you John for your help. Much appreciated!!