Connecting to non-default Database in a password grant flow

I’m using a password grant OAuth flow, but can’t connect to a non-default Database/Connection.

  • I’ve got two applications configured on a tenant, each with their own database.

  • Both are using a password grant flow.

  • I’m testing both applications on the command line with curl, using sample code from the docs, so am confident it’s not code related:

export TENANT=foo;
export CLIENT_ID=bar;
export CLIENT_SECRET=baz;
export AUDIENCE=qux;
export USERNAME=quux;
export PASSWORD=corge;

# The JSON body is double-quoted so the shell expands the variables;
# inside single quotes the literal text "$CLIENT_ID" would be sent.
curl --request POST \
  --url "https://$TENANT/oauth/token" \
  --header 'content-type: application/json' \
  --data "{\"client_id\":\"$CLIENT_ID\", \"client_secret\":\"$CLIENT_SECRET\", \"audience\":\"$AUDIENCE\", \"grant_type\":\"password\", \"username\": \"$USERNAME\", \"password\": \"$PASSWORD\"}"

  1. The application that uses the default database on the tenant works fine and can successfully receive a token
  2. but the application that uses the non-default DB returns an error:

{
  "error": "invalid_request",
  "error_description": "connection is disabled (client_id: $SECOND_CLIENT_ID - connection: $DEFAULT_DATABASE_NAME)"
}

  • Application #2 is configured with Database #2 enabled and Database #1 disabled.
  • Both applications are configured with password grant type enabled and I can’t see any difference in their configuration
  • I switched Application #2 to talk to Database #1 and it works OK, so it seems like it is specifically related to the connection

The issue I’m facing seems to be the same as this previous post, but that user wanted to switch DBs so could resolve their issue by changing their default connection, whereas I need to keep both active.

I’ve tried passing connection as a parameter in my request body (similar to when making a create user request), and have also tried a realm param (both with the connection name and with its ID), but neither has worked.

Any ideas on what I’m missing? Please let me know if you need more details


Edit to add:

Checking the monitoring in the Console, it gives:

Summary

  • Occurred: a few seconds ago at 2022-07-14 09:18:39.192 UTC
  • Type: Failed Exchange
  • Description: connection is disabled (client_id: $CLIENT_ID_2 - connection: $DEFAULT_DATABASE_NAME)
  • Connection: $DEFAULT_DATABASE_NAME
  • Application: $APPLICATION_NAME_2 ($CLIENT_ID_2)
  • User: $USERNAME

Typically, just after posting I found this page in the docs that mentions you need to change grant_type in order to use the realm parameter.

At first (on speed reading) I tried to use "grant_type": "password-realm" but received an error:

{
  "error": "unauthorized_client",
  "error_description": "Grant type 'password-realm' not allowed for the client.",
  "error_uri": "https://auth0.com/docs/clients/client-grant-types"
}

Checking the error URI and back to the original page, I realised that grant_type should be the fully qualified URI:

http://auth0.com/oauth/grant-type/password-realm

And now this is working successfully.
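
The working request described above, written out as an added example (not the poster's code or Auth0's sample code). The function names are hypothetical, and passing the connection name as the realm value is an assumption, since the post does not say which value it used.

```shell
# Added example; all values passed in are constructed placeholders.
REALM_GRANT='http://auth0.com/oauth/grant-type/password-realm'

# Escape backslashes and double quotes so a value such as a password
# containing " or \ cannot break out of its JSON string.
json_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# build_token_body CLIENT_ID CLIENT_SECRET AUDIENCE USERNAME PASSWORD [REALM]
# With REALM set, the fully qualified realm grant type is used and the
# realm field names the connection. Without it, the plain password grant
# is sent and the tenant resolves the connection itself (the default
# database in the error shown in the post).
build_token_body() {
  local grant realm_field
  grant='password'
  realm_field=''
  if [ -n "${6:-}" ]; then
    grant=$REALM_GRANT
    realm_field=$(printf ', "realm": "%s"' "$(json_escape "$6")")
  fi
  printf '{"client_id": "%s", "client_secret": "%s", "audience": "%s", "grant_type": "%s", "username": "%s", "password": "%s"%s}' \
    "$(json_escape "$1")" "$(json_escape "$2")" "$(json_escape "$3")" \
    "$grant" "$(json_escape "$4")" "$(json_escape "$5")" "$realm_field"
}

# request_token TENANT CLIENT_ID CLIENT_SECRET AUDIENCE USERNAME PASSWORD [REALM]
# The body is piped to curl on stdin (--data @-) so the client secret and
# password do not appear in curl's argument list.
request_token() {
  local tenant
  tenant=$1
  shift
  build_token_body "$@" | curl --silent --request POST \
    --url "https://$tenant/oauth/token" \
    --header 'content-type: application/json' \
    --data @-
}

# Usage (placeholders):
#   request_token "$TENANT" "$CLIENT_ID" "$CLIENT_SECRET" "$AUDIENCE" \
#     "$USERNAME" "$PASSWORD" "$CONNECTION_NAME"
```

The application must also have this grant type allowed, otherwise the token endpoint answers with the `unauthorized_client` error quoted above.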