Error "Grant type 'http://auth0.com/oauth/legacy/grant-type/delegation/id_token' not allowed for the client" after saving settings

andreev.artem · June 21, 2017, 10:09pm

I had working auth workflow using Lock widget (popup, google account) and signing in with customToken to Firebase. Then I had to update settings by adding one more host to “Allowed Origins (CORS)”. Initially I was getting error “invalid grant types: client_credentials” but when I chose “Client Type” => “SPA” I was able to save settings. But after that the auth workflow became broken - I’m getting error “Grant type ‘http://auth0.com/oauth/legacy/grant-type/delegation/id_token’ not allowed for the client” in the response for https://***.auth0.com/delegation request in the Dev console.

Which changes are required now to get working signing in with customToken to Firebase?

heiker.araujo · June 22, 2017, 3:31am

Please see the following post for a similar resolved issue:

http://community.auth0.com/questions/3944/error-grant-type-password-not-allowed-for-the-clie

It includes details on why this happens and how you can work around it

andreev.artem · June 22, 2017, 1:44pm

In docs I noticed:

http://auth0.com/oauth/legacy/grant-type/delegation/id_token This feature is disabled by default. If you would like this feature enabled, please contact support to discuss your use case and prevent the possibility of introducing security vulnerabilities.

and thought I can’t enable this specific grant type through the patch. But after support’s answer I’ve tried and it works atm.

frankb · July 28, 2017, 12:30am

We tried to patch our new client to work with the Firebase addon like this and it DIDN’T WORK (ADMIN is an “all-allowed” token)

curl -X PATCH \
 -H 'Content-Type: application/json' \
 -H "Authorization: Bearer $ADMIN" \
 https://****.eu.auth0.com/api/v2/clients/D*** -d\
 '{ "grant_types": "authorization_code","implicit","refresh_token", "http://auth0.com/oauth/legacy/grant-type/delegation/id_token"] }'

--> {"statusCode":400,"error":"Bad Request","message":"Invalid grant types: http://auth0.com/oauth/legacy/grant-type/delegation/id_token"}

frankb · July 28, 2017, 12:30am

We tried to patch our new client to work with the Firebase addon like this and it DIDN’T WORK (ADMIN is an “all-allowed” token)

curl -X PATCH \
 -H 'Content-Type: application/json' \
 -H "Authorization: Bearer $ADMIN" \
 https://****.eu.auth0.com/api/v2/clients/D*** -d\
 '{ "grant_types": "authorization_code","implicit","refresh_token", "http://auth0.com/oauth/legacy/grant-type/delegation/id_token"] }'

--> {"statusCode":400,"error":"Bad Request","message":"Invalid grant types: http://auth0.com/oauth/legacy/grant-type/delegation/id_token"}

craig1 · August 30, 2017, 9:16pm

I am in the same position, I need to allow my Auth0 users delegated access to Firebase, but delegation does not possible in new Auth0 apps. It even says it clearly here, that the legacy method (still in their docs) is disabled. See Application Grant Types

What is the alternative to perform delegation now? Is there any documentation?!