Authentication does not work in ASP.NET MVC OpenIdConnect when I turn off Implicit Flow

I followed the documentation regarding how to implement Authentication Code Flow

Then I disabled all the authentication flows except Authorization Code and Refresh Token. Now I when I try login with my test user I get an error saying:
unauthorized_client : Grant type ‘implicit’ not allowed for the client.

When I enable Implicit flow of course it works, but why would I need to enable it even though the documentation says I’m doing an Authorization Code flow?

If the documentation is wrong (or misleading) how can I enable Authorization Code flow (as opposed to Implicit flow) in the given ASP.NET MVC (OWIN) example?

Hi Reza,

What OWIN example are you using for this ? Implicit Flow runs client side (javascript apps). In an MVC application, there is a callback url running server side so it should be Authorization Code Flow as you stated. In your case, it seems the redirection to the Authorization Server is happening client side so it tries to use implicit flow.

Thanks

Thanks for your reply!

I am using this example:

This is the redirection I pasted from the browser; broken down in multiple lines to make it more readable.
https://.eu.auth0.com/authorize?client_id=&
redirect_uri=%2Fcallback&
response_type=code%20id_token&
scope=openid%20profile%20email&state=OpenIdConnect.AuthenticationProperties%3D4Lp7Uxk2sNstiaR2pqrC3PJwy8r_YzVlLEbl_hEpf-3N6yzQ_VTw2jXFKXTsg4I7I_AbhDv8CMimSoiVHeLl_nDDrKpajQQVjhp2gdnbJ7IOfLl1H-PRsGFXTnjFt-5CK7IZHLxC1mpyWuKmm7I7Vbh9Fzu4FpC3NXi71fYoZO7iRvcjesINmAdQc3xgOsO690jyxkG_f1xn1C5fBSiGiKN_4ARi4XU9YDl3tdqr11g&
response_mode=form_post&
nonce=637502075583186529.MTNhZmVhYWUtZDdjZi00YjZlLThlZGQtYzU4NDUyYTU0NDIwZjBiZmM3M2YtMTVjZS00YmQzLTkyYzUtZWIyOTA5ODIwYjE3&
x-client-SKU=ID_NET461&
x-client-ver=5.3.0.0

I’m also expecting it to be Authorization Code Flow, but why when I turn off Implicit in the Advanced settings, it stops working and gives me the error:

Everything on your end looks right to me. Even the response type in the URL is code, which means Autorization Code Flow.

This looks more like an issue on the Auth0 side to me.

Thanks