We are in the process of rolling out changes aimed at improving the default configuration that gets assigned for new clients that are created. This is in progress right now so you may not see the same behavior in totally independent accounts; this is the likely explanation for why you saw the different behavior when you created a new account.
As a measure to not break existing client applications and as mentioned before, these changes only affect new client applications.
In relation to the root cause of the actual error, the explanation is that, by default, the resource owner password grant is not included in the allowed grant types for new client applications. Given this grant implies the capability for an application to directly exchange user credentials for tokens, we did not include it by default, as this should be a conscious decision on the part of the developer and should only be enabled for highly trusted clients…
You can use the Management API to patch a client that you recently created to include these additional grant types; in particular, for the resource owner password grant, you would be interested in adding the following grants:
password
http://auth0.com/oauth/grant-type/password-realm
For your convenience a sample body request for the PATCH client call:
{
  "grant_types": [
    /* add your other required grants here or the grants that the client already has */,
    "password",
    "http://auth0.com/oauth/grant-type/password-realm"
  ]
}
UPDATE:
See additional information about these changes at:
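
Added example, not part of the original post and not Auth0's own code: a Python sketch that builds the PATCH client request described above, merging the two password grants into the grants the client already has so that none of the existing ones are dropped. The tenant domain, client ID, token and current grant list are constructed placeholders, and the `/api/v2/clients/{id}` path is assumed to be the Management API's client endpoint.

```python
import json
import urllib.request

# Grant types named in the post for the resource owner password grant.
ROPG_GRANTS = ["password", "http://auth0.com/oauth/grant-type/password-realm"]


def merged_grant_types(current):
    """Return the current grants plus the password grants, order kept, no duplicates."""
    merged = []
    for grant in list(current) + ROPG_GRANTS:
        if grant not in merged:
            merged.append(grant)
    return merged


def build_patch_request(domain, client_id, token, current_grants):
    """Build (but do not send) the PATCH client request for the Management API."""
    body = json.dumps({"grant_types": merged_grant_types(current_grants)})
    return urllib.request.Request(
        url=f"https://{domain}/api/v2/clients/{client_id}",
        data=body.encode("utf-8"),
        method="PATCH",
        headers={
            "Authorization": f"Bearer {token}",
            "Content-Type": "application/json",
        },
    )


if __name__ == "__main__":
    # Constructed sample values; replace with your tenant, client and token.
    req = build_patch_request(
        domain="example-tenant.auth0.com",
        client_id="EXAMPLE_CLIENT_ID",
        token="EXAMPLE_MGMT_API_TOKEN",
        current_grants=["authorization_code", "refresh_token"],
    )
    print(req.get_method(), req.full_url)
    print(req.data.decode())
    # To apply the change, send it: urllib.request.urlopen(req)
```

Read the client's existing `grant_types` first and pass them as `current_grants`, and only run this against clients you consider highly trusted.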