How can I specify a database connection while using "/oauth/token" API for authentication

Hi folks, I have two database connections (one is the default ‘Username-Password-Authentication’ and the other is ‘admin-database’) for two sets of users. I have created two different applications “A1” and “A2” (both are of the type “Regular Web Application”) to authenticate them. This is all under one tenant.

“A1” has access to “Username-Password-Authentication” only and “A2” has access to “admin-database” only.

When I use the “signup” API from A2 and create a user in “admin-database”, the user is created.

But when I use the “/oauth/token” API to get an access token, it gives the following error –

{"error":"invalid_grant","error_description":"Wrong email or password."}

Can someone help me understand why?

Hi @junaid ,

Welcome to the Auth0 Community!

Users created by the “signup” API are in the pending status. Could you please verify the user and then try again?

BTW, I tested with POST /oauth/token endpoint for the “Regular Web Application” and received the access token.

If the error persists, please share the body scripts with me and I will look into this further. Thanks.

Hi, thanks for the reply. I am using “grant_type” as “password”. Below is my request body –

{
  "username": "*email goes here as it's the username*",
  "password": "*password goes here*",
  "grant_type":"password",
  "audience":"*audience goes here*",
  "scope" : "openid",
  "client_id": "*client ID goes here*",
  "client_secret":"*client secret goes here*"
}

I marked the email as verified from the Auth0 dashboard. Still getting the below response –

{
    "error": "invalid_grant",
    "error_description": "Wrong email or password."
}

I have also attached the snapshot of the database connections which have been enabled.

If I disable the “Username-Password-Authentication” connection, the API throws an error that it has been disabled.

If I enable it, then I get the “invalid_grant” error as shown above.

Please advise.

Hi Lihua! I was able to solve this issue on my own.

All I had to do was add Realm support to the API call.

The grant_type should be http://auth0.com/oauth/grant-type/password-realm and the realm value should be set to the respective database connection, which is admin-database.

Below is the complete body for the /oauth/token

{
    "username": "fill in the username value here.  In my case, it is the email",
    "password": "fill in the password here",
    "grant_type": "http://auth0.com/oauth/grant-type/password-realm",
    "audience": "fill in the `audience` value here",
    "scope": "openid",
    "client_id": "fill in the `client_id` value here",
    "client_secret": "fill in the `client_secret` value here",
    "realm": "admin-database"
}

The response gave me the access_token and id_token correctly.

No need to verify the email of the newly-created user.

Thanks for taking the time and replying to my query!

2 Likes
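
The password-realm request from the post above, as an added Python example that is not part of the original thread: it builds the POST /oauth/token call with the connection named explicitly in realm and masks the credentials before the body is logged. The tenant domain, the helper names and all sample values are assumptions constructed for illustration.

```python
import json
import urllib.error
import urllib.request

REALM_GRANT = "http://auth0.com/oauth/grant-type/password-realm"
SENSITIVE_FIELDS = {"password", "client_secret"}


def build_token_request(domain, realm, username, password,
                        client_id, client_secret, audience, scope="openid"):
    """Build (without sending) a /oauth/token request pinned to one connection."""
    if not realm:
        # Refuse to send without an explicit connection name.
        raise ValueError("realm (database connection name) is required")
    body = {
        "grant_type": REALM_GRANT,
        "realm": realm,
        "username": username,
        "password": password,
        "audience": audience,
        "scope": scope,
        "client_id": client_id,
        "client_secret": client_secret,
    }
    return urllib.request.Request(
        f"https://{domain}/oauth/token",
        data=json.dumps(body).encode("utf-8"),
        headers={"Content-Type": "application/json"},
        method="POST",
    )


def redacted_body(req):
    """Return the request body with credentials masked, safe to write to logs."""
    body = json.loads(req.data)
    return {k: "***" if k in SENSITIVE_FIELDS else v for k, v in body.items()}


def request_token(req):
    """Send the request; return (ok, parsed JSON) for success and error replies."""
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return True, json.load(resp)
    except urllib.error.HTTPError as err:
        return False, json.load(err)  # e.g. {"error": "invalid_grant", ...}


if __name__ == "__main__":
    # Constructed sample values; example.auth0.com is a placeholder tenant.
    demo = build_token_request("example.auth0.com", "admin-database",
                               "admin@example.com", "constructed-password",
                               "CLIENT_ID", "CLIENT_SECRET", "https://api.example.com")
    print(demo.full_url, redacted_body(demo))
```

Because client_secret is in the body, this call belongs in server-side code, with the secret loaded from the environment or a secret store rather than the source file.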

@junaid ,

Thank you for sharing your solution with our Community! :pray: :clap:
