How to retrieve access_token for user with only email, client id and client secret?

Hello Auth0,

My company is currently working on integrating Auth0 but we have run into an issue with being able to retrieve a user’s access_token from just their email.
We currently have a paradigm that authenticates a user via a sign-in code on our end. Once this user is authenticate on our end, we need to pass their email to retrieve Auth0’s information for that user (access_token, JWT token, etc).

We have tried simply omitting the password field but this gives us an error. Is there a different endpoint or method we can use to achieve the goal of getting an access_token for a user without specifying their password?

Here is the current code we are using for authenticating with a password:

def authenticate_user(self, login, password):
        """
        Authenticates a user in Auth0 using their login credentials. This function constructs a payload with 
        the necessary details (including client credentials and user login information) and sends a request to 
        Auth0's OAuth token endpoint to authenticate the user.

        Args:
            login (str): The username or email of the user attempting to log in.
            password (str): The password of the user.

        Returns:
            dict: A dictionary containing the authentication token and other information if the login is successful, 
                or an empty dictionary if the login fails. The response includes information such as the access token, 
                id token, and scope.
        """
        url = f"https://{self.auth0_domain}/oauth/token"
        headers = {'content-type': "application/json"}
        payload = {
            "client_id": self.client_id,
            "client_secret": self.client_secret,
            "grant_type": "http://auth0.com/oauth/grant-type/password-realm",
            "username": str(login).lower(),
            "password": password,
            "audience": f"https://{self.auth0_domain}/api/v2/",
            "scope": "openid profile email",
            "realm": self.auth0_env
        }

        response = requests.post(url, json=payload, headers=headers)
        print(f"Response Text: {response.text}")

        if response.status_code != 200:
            print(f"Unsuccessful login for {login} {response.status_code}")
            return {}
        else:
            return response.json()

Hey there @devans welcome to the community!

Unfortunately, there really isn’t a solution within the supported OAuth and OIDC flows that allows for obtaining a user’s tokens with just an email in the way you’ve described. It seems like your best bet may utilizing the Resource Owner Password Flow (what you’re doing in the code shared) if it is being carried out by a highly trusted application.

1 Like

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.