I am an Auth0 noob, and am able to create a new user with the Management API after I get a token for using the Management API for my specific Auth0 application. My question is, how do I procure an authentication JWT for a specific user using username and password, but using the API, not a browser-based method like Lock? Please provide examples with links to the correct URLs within Auth0. I have been looking for this for a while now with no success. If I may provide general advice on your tutorials and documentation: I find you folks overuse several terms that are horribly confusing. These terms are API, application, client and token. It would be a lot easier with pictures. Thanks.
The Resource Owner Password endpoint can obtain an id_token through the API (non browser-based). Please ensure to read the Remarks about setting the grant_types for your client to support this endpoint: https://auth0.com/docs/api/authentication#resource-owner-password
Thanks for your feedback, I have passed on your suggestions to our documentation team.
Well, I tried the resource owner password endpoint, and I keep getting the following error:
{"error":"unauthorized_client","error_description":"Grant type 'password' not allowed for the client.","error_uri":"https://auth0.com/docs/clients/client-grant-types"}
I think we could benefit from a simple workflow for non-interactive clients to create a user and then get a token for that user.
The following document outlines using the new grant types with Realm support: Call Your API Using Resource Owner Password Flow
You will need to PATCH your client to allow the http://auth0.com/oauth/grant-type/password-realm grant_type, outlined here: Application Grant Types
Thanks, Prashant. I was able to get this working. So, I have the Management API working for creating users etc. and then the Authentication API working for getting an access_token for a user. How does one validate a user for that access_token using your API (I assume use the Authentication API, but what REST API)?
You’ll need to elaborate on what you mean by “validate a user for that access_token using your API”. Are you talking about API Authentication and Authorization, or just validating the token in your application? Access_tokens are meant to be used to make API calls to your protected API. For your application, the id_token should serve the purpose.
Here’s what I want, in steps:
- Get a user registered using Mgmt API (OK)
- Get an access_token based on username and password (OK)
- For any user-specific REST API in my application (not the Auth0 application, my application server, for which I am using your service), I need the token access_token which I will validate with some API endpoint https://silly.auth0.com/myvalidationendpoint in Auth0 that helps me go “Oh, OK, this is a legit user asking for this REST API, and their account username is x.”
What is the Auth0 API for 3? Are you saying my app should store the result of 2?
The Authentication API is to use in your applications to authenticate a user. The Management API is for you to use as an administrator of your account, to control account/user/client settings.
Your scenario would use API Authorization flows. Please review the following documentation:
If you require further help with this, please create another question post.
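The three steps discussed in this thread, as an added example that is neither Auth0's code nor any poster's: the Management API PATCH body that enables the password-realm grant type on the client, the /oauth/token request body for exchanging username and password for an access_token, and the claim checks your own API server should run on that token (step 3). Tenant domain, API identifier, connection name and the shared secret are constructed placeholders; the HS256 check is shown because it needs only the standard library, while Auth0 signs API access tokens with RS256 by default, for which you would apply the same claim checks with a JWT library and the tenant JWKS at https://{domain}/.well-known/jwks.json.

```python
import base64, hashlib, hmac, json, time, urllib.request

# Grant type named in the thread; /oauth/token rejects it (unauthorized_client) until it is enabled.
PASSWORD_REALM = "http://auth0.com/oauth/grant-type/password-realm"

def client_grant_patch(current_grant_types):
    """Body for PATCH https://{domain}/api/v2/clients/{client_id} (Management API, bearer = mgmt token)."""
    return {"grant_types": sorted(set(current_grant_types) | {PASSWORD_REALM})}

def token_request(username, password, client_id, client_secret, realm, audience):
    """Body for POST https://{domain}/oauth/token; realm = database connection name, audience = API identifier."""
    return {"grant_type": PASSWORD_REALM, "username": username, "password": password, "realm": realm,
            "audience": audience, "scope": "openid", "client_id": client_id, "client_secret": client_secret}

def send_json(url, body, method="POST", bearer=None):
    """Send one of the bodies above and return the parsed JSON reply (network call, not used in the sample)."""
    headers = {"Content-Type": "application/json"}
    if bearer:
        headers["Authorization"] = "Bearer " + bearer
    with urllib.request.urlopen(urllib.request.Request(url, json.dumps(body).encode(), headers, method=method)) as r:
        return json.load(r)

def _b64url(data): return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _unb64url(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_hs256(claims, secret):
    """Used only to build the constructed sample token below (your API never signs tokens, Auth0 does)."""
    head, body = _b64url(b'{"alg":"HS256","typ":"JWT"}'), _b64url(json.dumps(claims).encode())
    return f"{head}.{body}." + _b64url(hmac.new(secret.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest())

def verify_hs256(token, secret, issuer, audience, now=None):
    """Step 3: validate the access_token locally. Returns claims, or None on any signature/iss/aud/exp failure."""
    try:
        head, body, sig = token.split(".")
        if json.loads(_unb64url(head)).get("alg") != "HS256":  # pin the algorithm; never let the token choose it
            return None
        expected = hmac.new(secret.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(sig)):
            return None
        claims = json.loads(_unb64url(body))
    except (ValueError, UnicodeDecodeError, AttributeError):
        return None
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if claims.get("iss") != issuer or audience not in aud or claims.get("exp", 0) <= (now or time.time()):
        return None
    return claims  # claims["sub"] is the Auth0 user id, e.g. "auth0|..." for a database connection user

# Constructed sample values (placeholder tenant, not real credentials).
DOMAIN, API_AUD, SECRET = "example.auth0.com", "https://api.example.com", "constructed-shared-secret"
SAMPLE_TOKEN = sign_hs256({"iss": f"https://{DOMAIN}/", "sub": "auth0|12345", "aud": API_AUD, "exp": 2000000000}, SECRET)
```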
My feeling is that Auth0 has become a really confusing, messy and over complicated solution. Also, this change was a major change to the workflow and it has not been communicated properly.
I agree. Auth0 looks and feels painfully over-architected, without simple solutions to common workflows.
Solved here: Simply getting a JWT in exchange for a user/pass