Hidden grant types and config management

My team has been experimenting with the Terraform provider. We recently ran into an issue regarding a missing grant type.

By dumping out our tenant config with the a0deploy tool, we saw that there was a seemingly hidden value grant_types: - http://auth0.com/oauth/grant-type/password-realm.

When checking the Application in the Tenant Dashboard, there is no option for that particular Grant Type in the Advanced Settings.

Since this grant type is hidden from the UI, should we actually be specifying it in our Terraform or a0deploy configuration?
If so, are there any other hidden grant types we may need to know about?

Hi @cmcgowan,

password-realm is an extension grant of the Resource Owner Password Flow.

You can find more info on it here:

Does that help?

Hi @dan.woda,

I appreciate the link. I had read that documentation, but it does not quite help. Actually what I am asking about is specifically what is not covered in that doc.

From that doc, the Configure realm support section only mentions how you must specify the HTTP request params. Meanwhile, in the Prerequisites section it says to “Make sure your Application’s Grant Types include Password.”

Based on that info, I would believe that it is sufficient to set the grant_types: password config value in my tenant then send the --data grant_type=http://auth0.com/oauth/grant-type/password-realm and --data realm=my-connection request params in my API call.

But that did not work for us. We encountered a “missing grant type” error after doing that.

We were able to solve this by setting our grant_types tenant config to include both password and http://auth0.com/oauth/grant-type/password-realm as values.

However, I am hesitant to take our fix to production when it relies on setting an undocumented config value on the tenant. This value is not mentioned in the doc, nor available to set using the Dashboard UI. It feels like we may be doing the wrong thing here, like this value may be intentionally hidden and we should not be messing with it.

Can you provide us some clarity here?

The password-realm grant type is a supported grant type, and you are free to use it. It is mentioned in a bit more detail here, although not as much as the more common grant types.

As for the why, I’m not sure exactly. It may be because it is a fairly niche grant that isn’t as common as others, or because we generally discourage the use of the ROPG/Password flow entirely due to the added risks.
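
Added example (not part of any post in this thread, and not Auth0's code): a pre-deployment check over an exported client list that reports which applications have the password-based grants enabled and whether a planned token request's grant_type is actually listed on the client. The export shape, client names, and function names are assumptions; the exact-match rule mirrors what the thread observed.

```python
import json

# Grant type strings taken from the thread above.
PASSWORD = "password"
PASSWORD_REALM = "http://auth0.com/oauth/grant-type/password-realm"
ROPG_FAMILY = {PASSWORD, PASSWORD_REALM}

# Constructed sample: client entries in an assumed export shape
# (hypothetical names; only "name" and "grant_types" are read).
SAMPLE_EXPORT = json.loads("""
{"clients": [
  {"name": "spa-frontend", "grant_types": ["authorization_code", "refresh_token"]},
  {"name": "legacy-cli", "grant_types": ["password"]},
  {"name": "realm-login", "grant_types": ["password",
      "http://auth0.com/oauth/grant-type/password-realm"]}
]}
""")

def audit_clients(export):
    """Return {client name: sorted password-based grants it has enabled}."""
    findings = {}
    for client in export.get("clients", []):
        enabled = ROPG_FAMILY & set(client.get("grant_types") or [])
        if enabled:
            findings[client["name"]] = sorted(enabled)
    return findings

def request_allowed(client, requested_grant_type):
    """Exact-match check modelled on the thread: enabling "password" alone
    did not permit a request sent with the password-realm grant_type."""
    return requested_grant_type in (client.get("grant_types") or [])

def preflight(export, planned):
    """planned maps client name -> grant_type the caller will send.
    Return the names whose planned grant_type is not enabled on the client."""
    by_name = {c["name"]: c for c in export.get("clients", [])}
    return sorted(name for name, grant in planned.items()
                  if name not in by_name
                  or not request_allowed(by_name[name], grant))

if __name__ == "__main__":
    for name, grants in audit_clients(SAMPLE_EXPORT).items():
        print(f"{name}: password-based grants enabled -> {grants}")
    planned = {"legacy-cli": PASSWORD_REALM, "realm-login": PASSWORD_REALM}
    print("requests that would be rejected:", preflight(SAMPLE_EXPORT, planned))
```

Running a check like this in CI keeps a grant type that the Dashboard does not display visible in code review, since it then lives only in the Terraform or a0deploy configuration.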

Thanks Dan! That link is basically what I was looking for, I had not found that one.
It also answers my other question, as it seems to provide a full accounting of the supported grant type options.

Perfect! Let us know if you have any other questions.