Authorization Code Flow - possible to get single-use 'code' via an API?

When the user logs in they are sent to https://YOUR_DOMAIN/authorize?

After authenticating, they are sent to the redirect_uri along with a ‘code’ parameter, which can then be used via the https://YOUR_DOMAIN/oauth/token endpoint to exchange the code for a token.

Is it possible to obtain a ‘code’ value via API instead of through the authorize web page? For example, maybe this could be possible via an API provided I can already authenticate the user through a password grant. Or via the management API. This would be on a test domain.

The reason this is important is for automated browser testing via Cypress. There is documentation available for using Cypress when Auth0 is fully integrated into the app, but in my case Auth0 is used for single sign-on and then gets out of the way, and sessions are managed using a bespoke mechanism. So it is not possible to set cookies based on Auth0 values and expect the app to pick up on them. The only app endpoint available to me from Cypress is the redirect_url which needs to accept a ‘code’ argument.

Thank you for any suggestions.

Hi @danlester,

You can exchange username/password directly for a token using the resource owner password grant. I don’t know of a way to get a code in exchange for username/password. I have seen users use this for testing.

Hopefully that provides some insight.
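
The password-grant request mentioned in this reply, as an added example (not code from the thread or from Auth0): it builds the `/oauth/token` request for a test tenant and checks the response, which carries a token rather than an authorization ‘code’. The tenant name, the allow-list and the helper names are assumptions, and the application is assumed to have the password grant enabled.

```javascript
// Added example: TEST_TENANTS, buildPasswordGrantRequest and
// parseTokenResponse are hypothetical helpers, not Auth0 or Cypress APIs.

// Constructed allow-list: only these tenants may receive test credentials.
const TEST_TENANTS = new Set(["example-test.us.auth0.com"]);

function buildPasswordGrantRequest(domain, opts) {
  // Fail closed so test credentials are never sent to a production tenant.
  if (!TEST_TENANTS.has(domain)) {
    throw new Error(`refusing password grant against non-test tenant: ${domain}`);
  }
  for (const key of ["clientId", "username", "password"]) {
    if (!opts[key]) throw new Error(`missing required option: ${key}`);
  }
  const body = new URLSearchParams({
    grant_type: "password",
    client_id: opts.clientId,
    username: opts.username,
    password: opts.password,
  });
  // Optional parameters are only sent when supplied.
  if (opts.clientSecret) body.set("client_secret", opts.clientSecret);
  if (opts.audience) body.set("audience", opts.audience);
  if (opts.scope) body.set("scope", opts.scope);
  return {
    method: "POST",
    url: `https://${domain}/oauth/token`,
    headers: { "content-type": "application/x-www-form-urlencoded" },
    body: body.toString(),
  };
}

function parseTokenResponse(status, json) {
  if (status !== 200) {
    // OAuth error responses carry `error` and `error_description`.
    throw new Error(`token request failed (${status}): ${json.error || "unknown"}`);
  }
  if (!json.access_token || String(json.token_type).toLowerCase() !== "bearer") {
    throw new Error("response is not a bearer token response");
  }
  return { accessToken: json.access_token, expiresIn: json.expires_in };
}
```

In a Cypress spec the returned object can be passed to `cy.request`, with the credentials read from `Cypress.env` instead of being committed to the repository.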

Thank you so much for your response. Yes, I think you have confirmed what I suspected - that I can get a token using a password grant, but that I can’t use username/password to somehow inject into the auth flow to get the short one-time code that goes in Auth0’s redirect to my app’s redirect URL. Or something similar. The point is that the redirect handler is the only interface into Auth0 sign on within my app - I’m not maintaining cookies containing JWTs or anything else.

If anyone knows any different, I would really appreciate their thoughts!
