
Error "Grant type 'http://auth0.com/oauth/legacy/grant-type/delegation/id_token' not allowed for the client" after saving settings

lock-10
delegation
tier1
firebase

#1

I had a working auth workflow using the Lock widget (popup, Google account) and signing in with customToken to Firebase. Then I had to update settings by adding one more host to “Allowed Origins (CORS)”. Initially I was getting the error “invalid grant types: client_credentials”, but when I chose “Client Type” => “SPA” I was able to save the settings. But after that the auth workflow became broken - I’m getting the error “Grant type ‘http://auth0.com/oauth/legacy/grant-type/delegation/id_token’ not allowed for the client” in the response for the https://***.auth0.com/delegation request in the Dev console.

Which changes are required now to get signing in with customToken to Firebase working?


#2

Please see the following post for a similar resolved issue:

https://community.auth0.com/questions/3944/error-grant-type-password-not-allowed-for-the-clie

It includes details on why this happens and how you can work around it.


#3

In docs I noticed:

http://auth0.com/oauth/legacy/grant-type/delegation/id_token This feature is disabled by default. If you would like this feature enabled, please contact support to discuss your use case and prevent the possibility of introducing security vulnerabilities.

and thought I couldn’t enable this specific grant type through the patch. But after support’s answer I’ve tried it and it works atm.


#4

We tried to patch our new client to work with the Firebase addon like this and it DIDN’T WORK (ADMIN is an “all-allowed” token)

curl -X PATCH \
 -H 'Content-Type: application/json' \
 -H "Authorization: Bearer $ADMIN" \
 https://****.eu.auth0.com/api/v2/clients/D*** -d\
 '{ "grant_types": ["authorization_code","implicit","refresh_token", "http://auth0.com/oauth/legacy/grant-type/delegation/id_token"] }'

--> {"statusCode":400,"error":"Bad Request","message":"Invalid grant types: http://auth0.com/oauth/legacy/grant-type/delegation/id_token"}
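
An added example (not part of the thread and not Auth0's code): a pre-flight check for a `grant_types` PATCH body like the one above, confirming the body is valid JSON with `grant_types` as an array and listing separately any entries under the legacy prefix seen in the error messages, so they can be reviewed before the request is sent. The function name `check_grant_patch` and the sample bodies are constructed for illustration.

```python
import json

# Prefix of the legacy grant type quoted in this thread's error messages.
LEGACY_PREFIX = "http://auth0.com/oauth/legacy/grant-type/"


def check_grant_patch(body):
    """Pre-flight check for a client PATCH body that sets grant_types.

    Returns a dict: ok (bool), problems, legacy and standard (lists of str).
    """
    report = {"ok": False, "problems": [], "legacy": [], "standard": []}
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        report["problems"].append(f"not valid JSON: {exc.msg} (char {exc.pos})")
        return report
    grants = doc.get("grant_types") if isinstance(doc, dict) else None
    if not isinstance(grants, list):
        report["problems"].append("grant_types must be a JSON array of strings")
        return report
    seen = set()
    for grant in grants:
        if not isinstance(grant, str) or not grant.strip():
            report["problems"].append(f"not a grant type string: {grant!r}")
            continue
        if grant in seen:
            report["problems"].append(f"duplicate entry: {grant}")
            continue
        seen.add(grant)
        # Legacy grants are reported separately so they can be reviewed
        # before the request is sent; they are not treated as syntax errors.
        bucket = "legacy" if grant.startswith(LEGACY_PREFIX) else "standard"
        report[bucket].append(grant)
    report["ok"] = not report["problems"]
    return report


if __name__ == "__main__":
    # Constructed sample bodies, not captured traffic.
    samples = [
        '{"grant_types": ["authorization_code", "implicit", "refresh_token", '
        '"http://auth0.com/oauth/legacy/grant-type/delegation/id_token"]}',
        '{"grant_types": "authorization_code"}',
        '{"grant_types": ["implicit", "implicit", 7]}',
    ]
    for sample in samples:
        print(json.dumps(check_grant_patch(sample), indent=2))
```
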

#6

I am in the same position, I need to allow my Auth0 users delegated access to Firebase, but delegation is not possible in new Auth0 apps. It even says clearly here that the legacy method (still in their docs) is disabled. See https://auth0.com/docs/clients/client-grant-types#secure-alternatives-to-the-legacy-grant-types

What is the alternative to perform delegation now? Is there any documentation?!


#7