How to bypass the login page and directly proceed to the required page using access_token

Hi,

I am using the puppeteer package to convert web pages to PDF format, but since I have implemented Auth0 login functionality on my web pages, I am not able to access the web pages directly and by default I am getting redirected to the login page. I have found a solution for that by using the below code:

```javascript
const page = await browser.newPage();
// Start at the tenant's /authorize endpoint, which redirects to the login form.
await page.goto(
  `https://${env.domain}/authorize?client_id=${env.clientId}&response_type=token&redirect_uri=${env.redirectUri}`,
  { waitUntil: "networkidle2" }
);
await page.waitForSelector('input[name="email"]', {
  visible: true,
  timeout: 5000
});
// Fill in the login form.
await page.type('input[name="email"]', env.email, { delay: 50 });
await page.type('input[name="password"]', env.password, { delay: 50 });
// Start waiting for the navigation before clicking, so a fast redirect is not missed.
await Promise.all([
  page.waitForNavigation({ waitUntil: "networkidle2" }),
  page.click('button[type="submit"]')
]);
```

But to be more specific, I don't want a session to be used to enter my email and password and submit the request. Instead of this, can I directly go to the required page? Is there any way I can modify the URL to bypass the login page?

Hi @vignesh.ramesh,

Similar to this topic, you can use the Resource Owner Flow to gain a token. As mentioned in the topic, this setting should only be enabled for test applications in a dev environment.

Here is some more information about working with Auth0 locally which describes other options you might want to use:

Hi Stephanie,

Thanks for the reply. I will try this out and will come back to you if I face any issue. But I have one question: why should this be used only in a Dev -> test environment, and why should this setting not be enabled in a Production environment?

The Resource Owner Flow is not recommended for production applications because it requires the app to handle user credentials directly instead of using delegated redirect flows such as the Authorization Code Flow. There are several things that the app must do to stay secure. As the docs mention, there are ways to mitigate common problems, but the best option is to use a different flow.

The OAuth2 protocol essentially describes the Resource Owner Password Flow as a last resort to be used only if other flows are not possible to implement:

The resource owner password credentials grant type is suitable in
cases where the resource owner has a trust relationship with the
client, such as the device operating system or a highly privileged
application. The authorization server should take special care when
enabling this grant type and only allow it when other flows are not
viable.

That’s why this flow should only be used in dev environments or locally for testing purposes.
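The token request described in the reply above, as an added example that is not part of the original thread and is not Auth0's own code. It assumes the tenant's `/oauth/token` endpoint with the OAuth 2.0 password grant; the function names and the `clientSecret`, `audience` and `scope` fields are assumptions, and it refuses to build the request when `NODE_ENV` is `production`.

```javascript
// Added example, not from the thread. Field names follow the OAuth 2.0
// password grant (RFC 6749 section 4.3); all cfg values are placeholders.

// Build the POST for the tenant's /oauth/token endpoint. Refuses to run
// for production, since the thread limits this grant to dev/test use.
function buildPasswordGrantRequest(cfg, nodeEnv = process.env.NODE_ENV) {
  if (nodeEnv === "production") {
    throw new Error("password grant is for dev/test tenants only");
  }
  const body = new URLSearchParams({
    grant_type: "password",
    username: cfg.email,
    password: cfg.password,
    client_id: cfg.clientId,
  });
  // Optional fields (assumed names): only sent when configured.
  if (cfg.clientSecret) body.set("client_secret", cfg.clientSecret);
  if (cfg.audience) body.set("audience", cfg.audience);
  if (cfg.scope) body.set("scope", cfg.scope);
  return {
    url: `https://${cfg.domain}/oauth/token`,
    options: {
      method: "POST",
      headers: { "content-type": "application/x-www-form-urlencoded" },
      body: body.toString(), // URLSearchParams percent-encodes the password
    },
  };
}

// Turn the token endpoint's JSON into a token, or into an Error that keeps
// the OAuth "error" / "error_description" fields (RFC 6749 section 5.2).
function parseTokenResponse(status, json) {
  if (status !== 200 || json.error || !json.access_token) {
    const code = json.error || "token_error";
    const err = new Error(`${code}: ${json.error_description || "no description"}`);
    err.code = code;
    throw err;
  }
  return { accessToken: json.access_token, expiresIn: json.expires_in };
}

// Glue: fetchImpl is injectable so the flow can be exercised offline.
async function getTestToken(cfg, fetchImpl = fetch) {
  const { url, options } = buildPasswordGrantRequest(cfg);
  const res = await fetchImpl(url, options);
  return parseTokenResponse(res.status, await res.json());
}
```

Surfacing `error` and `error_description` from a failed response shows why the token endpoint rejected the request, rather than only that it did.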

Hi @stephanie.chamblee,

Thanks for your reply. I tried the password resource owner flow to gain a token, but I am getting the access denied error. I have done the exact steps provided in the document. Can you help me with this?