
Content type wrong when getting an OAuth token

Hi,

I’m trying to implement the SPA login flow (https://auth0.com/docs/quickstart/spa/vuejs/01-login) for an existing Auth0 application. We are migrating from machine-machine login to OAuth login in the browser.

I’m seeing an error when trying to exchange a “code” for an OAuth token using the Auth0 SPA JS library. The response from Auth0 is {"error":"access_denied","error_description":"Unauthorized"} and this is caused because the request is sent with the application/json content type (due to https://github.com/auth0/auth0-spa-js/blob/fd21bc5806fa3bc30a854779bbffeb648fb6e7bd/src/utils.ts#L177). If I construct an equivalent request with the application/x-www-form-urlencoded content type then I get a token back in the response and everything works.

Is there a setting on my Auth0 Application that I can change to allow application/json requests?

Here’s the failing request (copied from dev tools):

curl 'https://redacted.eu.auth0.com/oauth/token' \
  -H 'Sec-Fetch-Mode: cors' \
  -H 'Referer: http://localhost:8081/login?code=redacted&state=Q0otOC1jMW0wVlJvR0h1MUJVSkhqaWxSdlpmVWp6fkNwd010QkNNUTdmMQ%3D%3D' \
  -H 'Origin: http://localhost:8081' \
  -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36' \
  -H 'Content-type: application/json' \
  --data-binary '{"grant_type":"authorization_code","redirect_uri":"http://localhost:8081","client_id":"redacted","code_verifier":"RZ88iGYNaJIcb~GxUocHEhHdOVfOErwqIuZUpmdieoE","code":"redacted"}' \
  --compressed

Found it!

You have to set the Application Type to “Single Page App” in the Application settings.