Hey, @mathiasconradt, the additional clarity from the logs was exactly what I was looking for.
The root cause of my issue was that the username/email were not being properly URL encoded in my code which caused issues when I attempted to fetch a token via the
http://auth0.com/oauth/grant-type/password-realm grant type. Problem solved!
My follow up questions regard my actual use of Auth0. I’m using Auth0 in conjuction with Dgraph specifically for use with their authorization and @auth directive features which require custom claims to be added to the received token.
In my tenant I have a Hook configured for “programmatic” access (my internal services) and a Rule configured for “user” access (external users of my project) which perform the required updates (e.g. setting the “isApp” flag to true/false to indicate programmatic/user).
Also in the tenant I have an M2M App configured for issuing the former token via a
client_credentials flow (when this flow is triggered the “isApp” claim is set to “true”).
The other App configured in the tenant is the SPA App for the latter token. This is currently retrieved by the Vue frontend but I would also like to expose an SDK that allows users to set up programmatic access to my project. I have a small script that I use for the
http://auth0.com/oauth/grant-type/password-realm grant type flow (mentioned above) but would like that (or whatever more appropriate Auth0 App/API/grant flow recommended) to be exposed more robustly to third-parties.
First question is:
- Is this configuration generally in-line with best practices?
- What is the best way to configure Auth0 and my project to support an SDK that utilizes the ID tokens for “programmatic” access by a third-party?
Thanks again for your help - totally unblocked my progress!