Auth0 password grant with organization

We would like to adopt Cypress for testing a SPA with organization enabled.

Based on my research, the recommended approach is to enable password grant and use it to get the tokens. I’m able to get it working for the path that doesn’t involve organization. But I’m not able to get an access token when an organization is involved.

I wonder if password grant type is currently supported for SPA with organization enabled. If it is supported, how to exchange an access token for an organization with password grant type via the oauth/token endpoint?

Hi @billyf,

Thanks for reaching out to the Auth0 Community!

I am currently looking into your observations and will follow up once I have new information.

Thank you.

Hi @billyf,

First, when using Organizations, I suggest using the Authorization Code Grant to get tokens.

In this case, you will need to call the Authorization Code Flow with the organization query parameter. To begin the login transaction, start by calling the /authorize request:

https://YOUR_DOMAIN/authorize?
    response_type=code&
    client_id=YOUR_CLIENT_ID&
    redirect_uri=https://YOUR_APP/callback&
    scope=SCOPE&
    state=STATE&
    organization=ORG_ID

Then exchange the code for a token by calling the /oauth/token endpoint:

curl --request POST \
  --url 'https://YOUR_DOMAIN/oauth/token' \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data grant_type=authorization_code \
  --data 'client_id=YOUR_CLIENT_ID' \
  --data client_secret=YOUR_CLIENT_SECRET \
  --data code=YOUR_AUTHORIZATION_CODE \
  --data 'redirect_uri=https://YOUR_APP/callback'

Once that is complete, you will have a valid access token.

Lastly, you may find our Work with Tokens and Organizations documentation useful.

Please let me know if you have any additional questions. I’d be happy to help.

Thank you.

Hi @rueben.tiow

Thanks for your answer. The authorization code flow works but it requires user interaction. The reason we need to use password grant flow is to be able to do it programmatically which is needed for the e2e test. Is there a way to get the organization access tokens programmatically with the flow and /oauth/token endpoint?

Thanks,

2 Likes

There isn’t at this point in time. AFAIK it’s on the Auth0 Roadmap for the end of this year.

To get over this, I combined Cypress’s new Session API with a custom Puppeteer integration to handle the login flow and then copy/store the cookies. This works fairly well.

The other option is to wait for Cypress’s Multi-domain support which should be hitting an experimental release in an upcoming update:
Multi-domain Support · Issue #17336 · cypress-io/cypress (github.com)
You’d be able to login to the application like a normal user once this is released.

1 Like

Hi everyone!

In the context of performing automated tests in the context of organizations, it can be a difficult task since the usual ROPG grant flow cannot be enabled.

However, this can be resolved by using a Custom Token Exchange Trigger in which you will be able to set the organization as seen in this example:

exports.onExecuteCustomTokenExchange = async (event, api) => {

  // 1. Validate subject_token
  // validateToken and jwksUri are assumed to be defined elsewhere in the Action
  // (a JWT verification against the issuer's JWKS); they are not shown here.
  const subject_token = await validateToken(event.transaction.subject_token, jwksUri);

  // 2. Apply your authorization policy on the user
  const isAuthorized = await authorizeAccess(subject_token.sub);
  if (!isAuthorized) {
    api.access.deny('Unauthorized_login', 'User cannot login due to reason: X');
    return; // do not fall through and set a user after denying
  }

  // 3. Set the organization for the transaction
  api.authentication.setOrganization('org_xS525r979AS33MSf');

  // 4. Set the user for the transaction. You may also use setUserByConnection()
  api.authentication.setUserById(subject_token.sub);

  return;
};

Hope this helps anybody who stumbles across the same issue!

Kind Regards,
Nik