Auth0 Home Blog Docs

Auth0 101 - access denied when requesting token by username/password

access-token
tier1
access-is-denied

#1

Apologies as this is my first day trying out Auth0 and I must be doing something fairly silly. My issue is that I can’t get a token for a user based on their username/password .
What I did:

  • Created a new database connection MyDB.
  • Created a new user henry.green@erewhon.com, gave them a password HelloWorld and assigned them to that database connection.
  • Created a new API Test Auth0 API
  • Created a web app client My Appand ensured the Password grant type was set. Also ensured MyDb was one of its connections.

From javascript (node.js) I then issue the following call (AUTH0_DOMAIN is my Auth0 assigned domain, AUTH0_CLIENT_ID and AUTH0_CLIENT_SECRET are set from MyApp’s config, and AUTH0_AUDIENCE is set from my test API’s config):

app.get('/api/getToken', function(req, res) {
    var options = { method: 'POST',
        url: `https://${process.env.AUTH0_DOMAIN}/oauth/token`,
        headers: { 'content-type': 'application/json' },
        json: true,
        body: {
            username: 'henry.green@erewhon.com',
            password: 'HelloWorld',
            client_id: `${process.env.AUTH0_CLIENT_ID}`,
            client_secret: `${process.env.AUTH0_CLIENT_SECRET}`,
            audience: `${process.env.AUTH0_AUDIENCE}`,    
            grant_type: 'http://auth0.com/oauth/grant-type/password-realm',
            realm: 'MyDB'
        }
};

The response I get is:

{
    "error": "unauthorized",
    "error_description": "Access denied."
}

which I presume either means my nodeapp didn’t have the rights to request this token, or my new user was unauthorised. At this point I’m a bit stuck, and would appreciate any assistance.


#2

OK - I solved the riddle, and the solution if anyone else gets stuck with this is as follows - when you run the Getting Started tutorial, one of the steps involves setting up a rule based on email domain whitelists. What I hadn’t realised was that the rule was still active; since my new user’s email domain didn’t conform to that whitelist domain the rule was causing the “Access Denied” error to be returned to my token request.

Suggestion amend the error message used in the *Email domain whitelist’ rule to something a bit more obvious e.g. Access denied - email domain not supported. That would’ve saved me a few hours tracking down my silly mistake.


#3

This got me too.

@alanbos Thanks for posting the root cause. It is certainly a gotcha for new users trying to integrate auth0 for the first time.

The Getting Started tutorial should warn you about this and probably tell you to remove the whitelist rule so subsequent quickstart tutorials don’t fail.


#4

“Access denied” has wasted countless developer hours and unnecessary stress. “Access denied - email domain not supported” how hard is that? Developer happiness = natural marketing for auth0 :slight_smile:
Also:

  1. your blog article here is crap > https://auth0.com/blog/vuejs2-authentication-tutorial/
  2. but your dashboard guides for “Clients” and “APIs” are good!
  3. and your bottom right tutorial which makes people add that rule “Email whitelist” is what caused this “Access Denied” in the first place!
    thank you @alanbos you’re a life-saver!

#5