The application itself has the “accessed by team members of organizations” setting set, so on the Grants page it says “Only the Implicit, Authorization Code and Refresh Token grant types are currently allowed for applications that are accessed by team members of organizations”.
Use-case:
The QA team needs the ability to use an API to generate a valid access token for a user, password and organization combination so that they can automatically test our APIs.
The said feature request is already in Auth0’s pipeline and is targeted for next year release. We request you to use the existing supported grant types for organizations and resource owner password flow API endpoint for regular testing.
Am I right in understanding that what we want is not possible currently until the feature request progresses? You say “We request you to use the existing supported grant types for organizations and resource owner password flow API endpoint for regular testing.” But the supported grant types for organizations are incompatible with the resource owner password flow API endpoint (if wanting to supply a username and password for an organization member on the payload), so I’m unsure what is meant by that, unless by “regular testing” you mean for testing with users who are not members of organizations (and therefore don’t encounter this issue)?
Yes, your understanding is correct. Until the feature is GA, the said flow is not supported. By regular testing, I meant the users that won't come under organizations.
In the context of performing automated tests in the context of organizations, it can be a difficult task since the usual ROPG grant flow cannot be enabled.
However, this can be resolved by using a Custom Token Exchange Trigger in which you will be able to set the organization as seen in this example:
```javascript
exports.onExecuteCustomTokenExchange = async (event, api) => {
  // validateToken, authorizeAccess and jwksUri are placeholders left to the reader:
  // validateToken must verify the subject_token's signature against the JWKS at
  // jwksUri and return its verified claims; authorizeAccess applies your own policy.
  // 1. Validate subject_token
  const subject_token = await validateToken(event.transaction.subject_token, jwksUri);
  // 2. Apply your authorization policy on the user
  const isAuthorized = await authorizeAccess(subject_token.sub);
  if (!isAuthorized) {
    api.access.deny('Unauthorized_login', 'User cannot login due to reason: X');
    return; // deny() does not stop execution, so return before setting the user
  }
  // 3. Set the organization for the transaction (method name corrected from a typo)
  api.authentication.setOrganization('org_xS525r979AS33MSf');
  // 4. Set the user for the transaction. You may also use setUserByConnection()
  api.authentication.setUserById(subject_token.sub);
  return;
};
```
Hope this helps anybody who stumbles across the same issue!