Invalid_grant error while using Password Flow

Hi,

I need some help figuring out what it is that I am doing wrong here.

TL;DR:

I am trying to implement Cypress.io tests on my existing codebase.
Unfortunately, I keep getting this as a response when executing the code from that Cypress.io guide:

{
  "error": "invalid_grant",
  "error_description": "Wrong email or password."
}

I am trying to follow their docs: Auth0 Authentication | Cypress Documentation

The setup:

Executing the code from the Cypress guide:

I can see that the request (among other data) looks like this:

Method: POST
URL: <my auth0 domain>/oauth/token
Body: {
    "grant_type": "password",
    "username": "*******", // <-- triple checked this is correct
    "password": "*******", // <-- triple checked this is correct
    "audience": "*******",
    "scope": "openid profile email",
    "client_id": "*******",
    "client_secret": "*******"
}

The code:

// cypress/support/commands.js
// jwt.decode below comes from the jsonwebtoken package
import * as jwt from 'jsonwebtoken'

Cypress.Commands.add(
  'loginByAuth0Api',
  (username: string, password: string) => {
    cy.log(`Logging in as ${username}`)

    /**
       The following constants are being properly picked up.
        All the values are printed in the request from before.
        
        They also match my tenant/app settings.
    **/
    const client_id = Cypress.env('auth0_client_id')
    const client_secret = Cypress.env('auth0_client_secret')
    const audience = Cypress.env('auth0_audience')
    const scope = Cypress.env('auth0_scope')

    cy.request({
      method: 'POST',
      url: `https://${Cypress.env('auth0_domain')}/oauth/token`,
      body: {
        grant_type: 'password',
        username,
        password,
        audience,
        scope,
        client_id,
        client_secret,
      },
    }).then(({ body }) => {
      const claims = jwt.decode(body.id_token)
      const {
        nickname,
        name,
        picture,
        updated_at,
        email,
        email_verified,
        sub,
        exp,
      } = claims

      const item = {
        body: {
          ...body,
          decodedToken: {
            claims,
            user: {
              nickname,
              name,
              picture,
              updated_at,
              email,
              email_verified,
              sub,
            },
            audience,
            client_id,
          },
        },
        expiresAt: exp,
      }

      window.localStorage.setItem('auth0Cypress', JSON.stringify(item))

      cy.visit('/')
    })
  }
)

Hi @axel1,

Welcome to the Auth0 Community!

You should not be passing the client_secret param when the app is registered as a Single Page Application.

Can you try the request without that param and see if that fixes it?
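
The following is an added example, not part of the original posts or of the Cypress guide: it builds the same `/oauth/token` password-grant request but omits `client_secret` when the application is a Single Page Application, and produces a redacted copy for logging. The names `buildPasswordGrantRequest`, `redactForLog` and the `appType` setting are hypothetical, and the sample values are constructed.

```javascript
// Added example; function names and the appType setting are hypothetical.
const REQUIRED = ['domain', 'username', 'password', 'audience', 'scope', 'client_id']

function buildPasswordGrantRequest(cfg) {
  // Fail early on an unset value instead of sending "undefined" to the token endpoint.
  const missing = REQUIRED.filter((key) => !cfg[key])
  if (missing.length) throw new Error(`missing settings: ${missing.join(', ')}`)

  const body = {
    grant_type: 'password',
    username: cfg.username,
    password: cfg.password,
    audience: cfg.audience,
    scope: cfg.scope,
    client_id: cfg.client_id,
  }
  // A Single Page Application must not send client_secret, even if one is configured.
  // Other app types keep whatever secret the caller supplied.
  if (cfg.appType !== 'spa' && cfg.client_secret) {
    body.client_secret = cfg.client_secret
  }
  return { method: 'POST', url: `https://${cfg.domain}/oauth/token`, body }
}

// Copy of the request that is safe to print or pass to cy.log while debugging.
function redactForLog(request) {
  const body = { ...request.body }
  for (const key of ['password', 'client_secret']) {
    if (key in body) body[key] = '[redacted]'
  }
  return { ...request, body }
}

// Constructed sample settings (not real values).
const sample = {
  appType: 'spa',
  domain: 'tenant.example.com',
  username: 'user@example.com',
  password: 'constructed-password',
  audience: 'https://api.example.com',
  scope: 'openid profile email',
  client_id: 'constructed-client-id',
  client_secret: 'constructed-secret',
}
console.log(JSON.stringify(redactForLog(buildPasswordGrantRequest(sample)), null, 2))
```

The returned object has the same shape as the options passed to `cy.request` in the command above, so it can be handed to `cy.request` directly.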