
Javascript login


#1

Hi all,

What I want should be fairly simple, I guess. But I can’t find how to do it.

I want to authenticate a user against the Auth0 database with javascript. I want to send the email/password and receive back the idToken of that user.
I don’t want to see a popup where the user has to enter his email/password. I don’t want a redirect after authenticating. Just sending the request from javascript and getting back the idToken.

How can I do this?

Thanks for helping me,
Peter


#2

What you describe is the “Resource Owner Password Grant” in OAuth2 parlance. It means that the application collects the credentials and sends them to the authorization server in exchange for a token.
Nowadays it’s considered an anti-pattern that’s reserved for legacy applications that can’t use browser-based authentication, because of security risks.

  • The application handles the credentials (username/password) instead of the actual authorization server.
  • By getting the user credentials, you can’t restrict what the application can access (you are giving the application full access to the user’s resources).

This blog post by Scott Brady should steer you away from doing this: https://www.scottbrady91.com/OAuth/Why-the-Resource-Owner-Password-Credentials-Grant-Type-is-not-Authentication-nor-Suitable-for-Modern-Applications

If you still want to use it, Auth0 gives you the possibility. You’ll need to enable this grant type for a specific application (it’s not enabled by default).
You can see the API used for this grant type at https://auth0.com/docs/api/authentication#resource-owner-password, and look at https://auth0.com/docs/api-auth/tutorials/password-grant for a general description.
If you want to use Auth0.js to make the request, you can use the Authentication.login() function (https://github.com/auth0/auth0.js#api-1).
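
The request described in post #2, written out as an added example that is not part of the thread and is not Auth0's own code: it builds the password-grant call to the `/oauth/token` endpoint and handles the reply. `TENANT`, `CLIENT_ID` and all function names are placeholders or hypothetical; it assumes the grant is enabled for a public client (no client secret) with a default directory configured.

```javascript
// Added example; TENANT and CLIENT_ID are placeholders, not values from the thread.
const TENANT = "https://YOUR_TENANT.auth0.com";
const CLIENT_ID = "YOUR_CLIENT_ID";

// Build the POST /oauth/token request for the password grant.
// The raw password passes through this code, which is the risk post #2
// describes: never log, cache or persist these arguments.
function buildPasswordGrantRequest(email, password) {
  const body = new URLSearchParams({
    grant_type: "password",
    username: email,
    password: password,
    client_id: CLIENT_ID,
    scope: "openid", // "openid" is what makes the reply include an id_token
  });
  return {
    url: `${TENANT}/oauth/token`,
    init: {
      method: "POST",
      headers: { "Content-Type": "application/x-www-form-urlencoded" },
      body: body.toString(),
    },
  };
}

// Turn the token endpoint's reply into an ID token or a thrown error.
// OAuth 2.0 error replies carry "error" and "error_description".
function extractIdToken(httpStatus, json) {
  if (httpStatus !== 200 || json.error) {
    const err = new Error(json.error_description || "token request failed");
    err.code = json.error || `http_${httpStatus}`;
    throw err;
  }
  if (typeof json.id_token !== "string") {
    throw new Error("no id_token in response; was the openid scope requested?");
  }
  return json.id_token;
}

// No popup, no redirect: one request from the page's own JavaScript.
// fetchImpl is injectable so the flow can be exercised without a network.
async function loginWithPassword(email, password, fetchImpl = fetch) {
  const { url, init } = buildPasswordGrantRequest(email, password);
  const res = await fetchImpl(url, init);
  return extractIdToken(res.status, await res.json());
}
```

The returned ID token is a signed JWT; validate its signature and claims with a JWT library before trusting its contents.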