Auth0 101 - access denied when requesting token by username/password

alanbos · August 24, 2017, 8:50pm

Apologies as this is my first day trying out Auth0 and I must be doing something fairly silly. My issue is that I can’t get a token for a user based on their username/password .
What I did:

Created a new database connection MyDB.
Created a new user henry.green@erewhon.com, gave them a password HelloWorld and assigned them to that database connection.
Created a new API Test Auth0 API
Created a web app client My Appand ensured the Password grant type was set. Also ensured MyDb was one of its connections.

From javascript (node.js) I then issue the following call (AUTH0_DOMAIN is my Auth0 assigned domain, AUTH0_CLIENT_ID and AUTH0_CLIENT_SECRET are set from MyApp’s config, and AUTH0_AUDIENCE is set from my test API’s config):

app.get('/api/getToken', function(req, res) {
    var options = { method: 'POST',
        url: `https://${process.env.AUTH0_DOMAIN}/oauth/token`,
        headers: { 'content-type': 'application/json' },
        json: true,
        body: {
            username: 'henry.green@erewhon.com',
            password: 'HelloWorld',
            client_id: `${process.env.AUTH0_CLIENT_ID}`,
            client_secret: `${process.env.AUTH0_CLIENT_SECRET}`,
            audience: `${process.env.AUTH0_AUDIENCE}`,    
            grant_type: 'http://auth0.com/oauth/grant-type/password-realm',
            realm: 'MyDB'
        }
};

The response I get is:

{
    "error": "unauthorized",
    "error_description": "Access denied."
}

which I presume either means my nodeapp didn’t have the rights to request this token, or my new user was unauthorised. At this point I’m a bit stuck, and would appreciate any assistance.

alanbos · August 24, 2017, 10:10pm

OK - I solved the riddle, and the solution if anyone else gets stuck with this is as follows - when you run the Getting Started tutorial, one of the steps involves setting up a rule based on email domain whitelists. What I hadn’t realised was that the rule was still active; since my new user’s email domain didn’t conform to that whitelist domain the rule was causing the “Access Denied” error to be returned to my token request.

Suggestion amend the error message used in the *Email domain whitelist’ rule to something a bit more obvious e.g. Access denied - email domain not supported. That would’ve saved me a few hours tracking down my silly mistake.

dl21-032 · September 16, 2017, 2:36pm

This got me too.

@alanbos Thanks for posting the root cause. It is certainly a gotcha for new users trying to integrate auth0 for the first time.

The Getting Started tutorial should warn you about this and probably tell you to remove the whitelist rule so subsequent quickstart tutorials don’t fail.

vincent.ml · November 2, 2017, 10:04pm

“Access denied” has wasted countless developer hours and unnecessary stress. “Access denied - email domain not supported” how hard is that? Developer happiness = natural marketing for auth0
Also:

your blog article here is crap > The Complete Guide to Vue.js User Authentication with Auth0
but your dashboard guides for “Clients” and “APIs” are good!
and your bottom right tutorial which makes people add that rule “Email whitelist” is what caused this “Access Denied” in the first place!
thank you @alanbos you’re a life-saver!