Auth0 password grant with organization

We would like to adopt Cypress for testing a SPA with organization enabled.

Based on my research, the recommended approach is to enable password grant and use it to get the tokens. I’m able to get it working for the path that doesn’t involve organization. But I’m not able to get an access token when an organization is involved.

I wonder if password grant type is currently supported for SPA with organization enabled. If it is supported, how to exchange an access token for an organization with password grant type via the oauth/token endpoint?

Hi @billyf,

Thanks for reaching out to the Auth0 Community!

I am currently looking into your observations and will follow up once I have new information.

Thank you.

Hi @billyf,

First, when using Organizations, I suggest using the Authorization Code Grant to get tokens.

In this case, you will need to call the Authorization Code Flow with the organization query parameter. To begin the login transaction, start by calling the /authorize request:

https://YOUR_DOMAIN/authorize?
    response_type=code&
    client_id=YOUR_CLIENT_ID&
    redirect_uri=https://YOUR_APP/callback&
    scope=SCOPE&
    state=STATE&
    organization=ORG_ID

Then exchange the code for a token by calling the /oauth/token endpoint:

curl --request POST \
  --url 'https://YOUR_DOMAIN/oauth/token' \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data grant_type=authorization_code \
  --data 'client_id=YOUR_CLIENT_ID' \
  --data client_secret=YOUR_CLIENT_SECRET \
  --data code=YOUR_AUTHORIZATION_CODE \
  --data 'redirect_uri=https://YOUR_APP/callback'

Once that is complete, you will have a valid access token.

Lastly, you may find our Work with Tokens and Organizations documentation useful.

Please let me know if you have any additional questions. I’d be happy to help.

Thank you.
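
The two requests described in the answer above, sketched as an added example (not part of the original answer and not Auth0's own code). It goes one step further by checking `state` on the callback and the `org_id` claim that Auth0 places in tokens issued for an organization login; the function names and the values `tenant.example`, `org_EXAMPLE` and similar are constructed placeholders.

```javascript
// Added example: all names and sample values are assumptions, not from the thread.

// Step 1: build the /authorize URL, including the organization parameter.
function buildAuthorizeUrl({ domain, clientId, redirectUri, scope, state, organization }) {
  const url = new URL(`https://${domain}/authorize`);
  url.search = new URLSearchParams({
    response_type: 'code',
    client_id: clientId,
    redirect_uri: redirectUri,
    scope,
    state,
    organization,
  }).toString();
  return url.toString();
}

// Step 2: read the callback. Reject it unless state matches the value sent in step 1.
function readCallback(callbackUrl, expectedState) {
  const params = new URL(callbackUrl).searchParams;
  if (params.get('error')) {
    throw new Error(`authorization failed: ${params.get('error')}`);
  }
  if (!expectedState || params.get('state') !== expectedState) {
    throw new Error('state mismatch: callback does not belong to this login');
  }
  const code = params.get('code');
  if (!code) throw new Error('callback carries no authorization code');
  return code;
}

// Step 3: form-encoded body for the POST to /oauth/token (same fields as the curl call).
function tokenRequestBody({ clientId, clientSecret, code, redirectUri }) {
  return new URLSearchParams({
    grant_type: 'authorization_code',
    client_id: clientId,
    client_secret: clientSecret,
    code,
    redirect_uri: redirectUri,
  }).toString();
}

// Step 4: once a JWT library has verified the token signature, confirm the organization.
function checkOrganization(verifiedClaims, expectedOrg) {
  if (verifiedClaims.org_id !== expectedOrg) {
    throw new Error('token was not issued for the expected organization');
  }
  return true;
}
```

`checkOrganization` expects claims from a token whose signature has already been verified; it does not decode or verify the JWT itself.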

Hi @rueben.tiow

Thanks for your answer. The authorization code flow works but it requires user interaction. The reason we need to use password grant flow is to be able to do it programmatically which is needed for the e2e test. Is there a way to get the organization access tokens programmatically with the flow and /oauth/token endpoint?

Thanks,

There isn’t at this point in time. AFAIK it’s on the Auth0 Roadmap for the end of this year.

To get over this, I combined Cypress’s new Session API with a custom Puppeteer integration to handle the login flow and then copy/store the cookies. This works fairly well.

The other option is to wait for Cypress’s Multi-domain support which should be hitting an experimental release in an upcoming update:
Multi-domain Support · Issue #17336 · cypress-io/cypress (github.com)
You’d be able to log in to the application like a normal user once this is released.
