How to get an access token to automate tests of a SPA

We are using Azure Active Directory with Auth0. We also configured a SPA with the password grant enabled only in the test env. I also configured the default directory to Username-Password-Authentication. I followed this tutorial to get an access token in order to use it in end-to-end tests using Python.

Here is what I sent:

curl --request POST \
  --url 'https://my_tenant.auth0.com/oauth/token' \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data 'grant_type=password' \
  --data 'username=superuser@test.com' \
  --data 'password=<password>' \
  --data 'audience=https://my_tenant.auth0.com/api/v2/' \
  --data 'scope=openid profile email' \
  --data 'client_id=<from my spa>' \
  --data 'client_secret=<from my spa>'

The response is a token:

{
  "iss": "https://my_tenant.auth0.com/",
  "sub": "auth0|672bc...9d8c",
  "aud": [
    "https://my_tenant.auth0.com/api/v2/",
    "https://my_tenant.auth0.com/userinfo"
  ],
  "iat": 1731006868,
  "exp": 1731093268,
  "scope": "email openid profile read:current_user update:current_user_metadata delete:current_user_metadata create:current_user_metadata create:current_user_device_credentials delete:current_user_device_credentials update:current_user_identities",
  "gty": "password",
  "azp": "fwpC.....1LJRA"
}

But this one is missing some claims we need for automated tests, like email and custom_roles. If I send this token to https://my_tenant.auth0.com/userinfo I am able to get a JSON containing the expected claims: email, custom_roles, etc.

So, just out of curiosity, I created a fake application API and used its audience as in:

curl --request POST \
  --url 'https://my_tenant.auth0.com/oauth/token' \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data 'grant_type=password' \
  --data 'username=superuser@test.com' \
  --data 'password=<password>' \
  --data 'audience=https://fakeapi' \
  --data 'scope=openid profile email' \
  --data 'client_id=<from my spa>' \
  --data 'client_secret=<from my spa>'

which returns the same token, but now at least the custom_roles claim is included. The email claim is still missing, though.

What I need is the access token to contain those expected claims: email and custom_roles. Is this possible?

Btw, the authentication/authorization is working well when a user interacts with the SPA, which is using the authorization_code grant.

Hi @david200,

Welcome to the Auth0 Community!

It looks like you are using the Management API as your audience. Could you try this with an API you create in the Auth0 Dashboard? Steps here: Call Your API Using Resource Owner Password Flow

Let me know if I can help further!

Thanks,

Mary Beth
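
Added example (not part of the original posts and not Auth0's code): a Python check that an end-to-end test fixture could run on the access token returned by /oauth/token, reporting which of the claims named in the question are missing and whether the token was issued for the expected audience. The function names and the sample token are constructed for illustration, and the signature is deliberately not verified, which is acceptable only for test assertions.

```python
import base64
import json

REQUIRED_CLAIMS = ("email", "custom_roles")  # claims the question says the tests need


def b64url_decode(segment: str) -> bytes:
    """Decode base64url text whose '=' padding was stripped, as in JWT segments."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def access_token_claims(token: str) -> dict:
    """Return the payload of a JWT access token WITHOUT verifying its signature.

    Fine for asserting on claims in a test fixture; an API must verify the
    signature, issuer and audience before trusting any of these values.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("access token is not a three-part JWT (opaque token?)")
    try:
        claims = json.loads(b64url_decode(parts[1]))
    except ValueError as exc:  # covers bad base64, bad UTF-8 and bad JSON
        raise ValueError("access token payload is not base64url JSON") from exc
    if not isinstance(claims, dict):
        raise ValueError("access token payload is not a JSON object")
    return claims


def missing_claims(token: str, required=REQUIRED_CLAIMS, audience=None) -> list:
    """List what a test run would lack: absent claims and an unexpected audience."""
    claims = access_token_claims(token)
    problems = [name for name in required if name not in claims]
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud  # "aud" may be a string or a list
    if audience is not None and audience not in aud:
        problems.append("aud!=" + audience)
    return problems


def constructed_token(payload: dict) -> str:
    """Build a sample token with a placeholder signature (constructed, not from Auth0)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(payload), "sig"])


if __name__ == "__main__":
    sample = constructed_token({"aud": ["https://fakeapi"], "custom_roles": ["admin"]})
    print(missing_claims(sample, audience="https://fakeapi"))  # ['email']
```

In a test suite, call missing_claims() on the access_token field of the /oauth/token response and fail the setup step if the returned list is not empty.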