Auth0 Home Blog Docs

Authenticating but not authorizing

We are attempting to use your “Resource Owner Password Grant” flow. We are able to authenticate (the logins are ticking up on the dashboard), but we have no authorization. I went to your (jwt.io), site and was able to view the contents of the token. The token seems to have the permissions I need to implement the /v2/users endpoint. I’ve added the applicable permissions (viewable from the token), but I get the error “401: unauthorized: Bad Audience” for the call. I’ve taken the token and plugged it into your API section of your site “https://auth0.com/docs/api/management/v2”, and I shows red for all permissions.

Hi @fruss
Would you mind posting the request you are using to obtain the token (except for the password!) and the payload of the token you are receiving? And, just to clarify, you mean the access_token, right?

Note that users don’t have access to most of the Management API v2 except for a handful of scopes, like read:current_user and others mentioned here. This means that if you are looking for more generic scopes you’ll have to authorize an application to those scopes and use the client-credentials grant.

Yes, I am trying to gain an access token. Also, thank you in advance for your assistance.

Call =

        var client = new RestClient("https://dev-qyiigyxr.auth0.com/oauth/token");
        var request = new RestRequest(Method.POST);
        request.AddHeader("content-type", "application/x-www-form-urlencoded");
        request.AddParameter("application/x-www-form-urlencoded",
            $"grant_type=password&username=test@test.com&password=<password>&audience=https://dev-qyiigyxr&scope=read%3Asample&client_id=0MJx3iSkEG0CDxqZn7xMgf0fCXThEZtU&client_secret=<secret>", ParameterType.RequestBody);
        IRestResponse response = client.Execute(request);

Token = “eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ik16STVOamd4TTBSRk16aEJOelk1UVROQk5UWXhOREl5UlVGRU5qRTRNak00T1VZMk9FRXhRUSJ9.eyJpc3MiOiJodHRwczovL2Rldi1xeWlpZ3l4ci5hdXRoMC5jb20vIiwic3ViIjoiYXV0aDB8NWRjMzQzNGZlM2VmODAwZTE2NDgyZjM5IiwiYXVkIjoiaHR0cHM6Ly9kZXYtcXlpaWd5eHIiLCJpYXQiOjE1NzMyMzU0NjYsImV4cCI6MTU3MzMyMTg2NiwiYXpwIjoiME1KeDNpU2tFRzBDRHhxWm43eE1nZjBmQ1hUaEVadFUiLCJndHkiOiJwYXNzd29yZCIsInBlcm1pc3Npb25zIjpbInJlYWQ6dXNlcnMiLCJyZWFkOnVzZXJzX2FwcF9tZXRhZGF0YSJdfQ.L33FFmWaOL7zOgWRZnUZV-eoNL7s15Bmex3Qg4e1F5iuvevhmT0LxzFC_S_1YDlgwkFoVnyIZd3llZ_AAxEfDg9DVsnfmeYqube6nX_KPwE4YeV_4QkCZ0lnn8s5sGH5VOP1wajKUFbYXXw3MKPDa_ZS3iGGZyyf6yTl6zZ-gsthq_R93iP75_KpNYM8rjL8kV3N1HxJIhAOyO4zfinvyIR_dfogXSMlfCRQKhvAgeZ5NSCnow0CwTKJ_06oix6Gqlyc6ERGVvsa2CKn_iGd7b0_qhYacAjnDgScDm5lctGmQkxjmeqoKS61KzAY8srt_88dC6Yfyo18RrXLkAyQbA”

Here is the Token payload:

{
“iss”: “https://dev-qyiigyxr.auth0.com/”,
“sub”: “auth0|5dc3434fe3ef800e16482f39”,
“aud”: “https://dev-qyiigyxr”,
“iat”: 1573235466,
“exp”: 1573321866,
“azp”: “0MJx3iSkEG0CDxqZn7xMgf0fCXThEZtU”,
“gty”: “password”,
“permissions”: [
“read:users”,
“read:users_app_metadata”
]
}

Hi Just wondering if their was anything else you could tell me. I have the permissions in the token as shown above, but the api on your site says the token cannot perform read:users permissions
image