Oauth/token not working

My oauth/token flow does not work. When I try to authenticate with a valid user and password, I get a strange response from the server via Lumen's dd():

object(stdClass)#60 (2) { ["error"]=> string(13) "invalid_grant" ["error_description"]=> string(24) "Wrong email or password." }

What am I missing here?

```php
// Resource Owner Password grant against the tenant's /oauth/token endpoint.
// $username and $password come from the incoming request.
$curl = curl_init();

$postfields = json_encode( array(
	"grant_type"    => "password",
	"username"      => $username,
	"password"      => $password,
	"audience"      => "https://tenant-url/api/v2/",
	"scope"         => "openid profile",
	"client_id"     => "My Client ID",
	"client_secret" => "My Client Secret"
) );

curl_setopt_array( $curl, array(
	// Give the scheme explicitly; without it cURL falls back to plain HTTP
	// and the user's password would be sent in the clear.
	CURLOPT_URL            => "https://tenant-url/oauth/token",
	CURLOPT_RETURNTRANSFER => true,
	// Never turn certificate verification off on a request that carries credentials.
	CURLOPT_SSL_VERIFYPEER => true,
	CURLOPT_ENCODING       => "",
	CURLOPT_MAXREDIRS      => 10,
	CURLOPT_TIMEOUT        => 30,
	CURLOPT_HTTP_VERSION   => CURL_HTTP_VERSION_1_1,
	CURLOPT_CUSTOMREQUEST  => "POST",
	CURLOPT_POSTFIELDS     => $postfields,
	CURLOPT_HTTPHEADER     => array( "content-type: application/json" )
) );

$response = curl_exec( $curl );
$err      = curl_error( $curl );

curl_close( $curl );

if ( $err ) {
	dd( $err );
} else {
	$userData = json_decode( $response );
	dd( $userData );
}
```

:wave: @wloske If we are interacting with the Management API we should be using the client_credentials grant type. So, we will need a machine-to-machine communication, and for this we will need to set the grant_type to client_credentials? Otherwise what you have looks to be set up properly.

For reference, grant types can be explored here for folks interested:

More related content that may be useful:

Hi @kimcodes No, it is not the Management API. I've found the solution though.

  1. If you are using grant type password, then you must have set a default directory in the tenant settings, which must be written correctly (why no pull-down here?) and must be the one your username/password combination works with. Test this beforehand if unsure.
  2. If you can't set the default directory to the one your username/password combo is in, you must use a different grant type, which curiously is not a single word like all the others but this URL: http://auth0.com/oauth/grant-type/password-realm. Your CURLOPT_POSTFIELDS then must contain another key/value pair, which is "realm": "your_realm". The 'Before you start' prerequisites of the documentation regarding the normal grant type must still be met (Call Your API Using Resource Owner Password Flow).

A directory in this context means one of your username/password stores in the "Connections" part of the management dashboard. Also make sure the name given for audience is correct. Unfortunately the error messages of the API are the same in any case, which is good and not good at the same time :wink:

Complete example:

```php
// Password-realm grant: same call as above, but the grant type is the URL
// and the request names the connection (realm) that holds the user.
$curl = curl_init();

$postfields = json_encode( array(
	"grant_type"    => "http://auth0.com/oauth/grant-type/password-realm",
	"username"      => $username,
	"password"      => $password,
	"audience"      => "https://tenant-url/api/v2/",
	"scope"         => "openid profile",
	// Name of the database connection (password store) under "Connections".
	"realm"         => "name of your password store here",
	"client_id"     => "My Client ID",
	"client_secret" => "My Client Secret"
) );

curl_setopt_array( $curl, array(
	// Explicit https scheme so the password is never sent over plain HTTP.
	CURLOPT_URL            => "https://tenant-url/oauth/token",
	CURLOPT_RETURNTRANSFER => true,
	// Keep certificate verification on for a request that carries credentials.
	CURLOPT_SSL_VERIFYPEER => true,
	CURLOPT_ENCODING       => "",
	CURLOPT_MAXREDIRS      => 10,
	CURLOPT_TIMEOUT        => 30,
	CURLOPT_HTTP_VERSION   => CURL_HTTP_VERSION_1_1,
	CURLOPT_CUSTOMREQUEST  => "POST",
	CURLOPT_POSTFIELDS     => $postfields,
	CURLOPT_HTTPHEADER     => array( "content-type: application/json" )
) );

$response = curl_exec( $curl );
$err      = curl_error( $curl );

curl_close( $curl );

if ( $err ) {
	dd( $err );
} else {
	$userData = json_decode( $response );
	dd( $userData );
}
```
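As an added example, not code from this thread or from Auth0, here is how the two grants from the answer above can be handled by one Lumen-side helper: the request body is built by a function that switches between the plain password grant (default directory) and the password-realm grant (explicit connection), the transport keeps TLS verification on, and the reply is inspected by HTTP status and `error` field instead of being dumped with dd(). The function names, the tenant domain placeholder, the realm name and the status code in the offline check are assumptions.

```php
<?php
// Added example, not from the original thread. Names are illustrative.

const PASSWORD_REALM_GRANT = 'http://auth0.com/oauth/grant-type/password-realm';

// Builds the JSON body for the token request. With $realm === null the plain
// "password" grant is used, which only authenticates against the tenant's
// default directory; with a realm the password-realm grant targets that
// connection directly, so no default directory is needed.
function build_ropg_body(string $clientId, string $clientSecret, string $audience,
                         string $username, string $password, ?string $realm = null): array {
    $body = [
        'grant_type'    => $realm === null ? 'password' : PASSWORD_REALM_GRANT,
        'username'      => $username,
        'password'      => $password,
        'audience'      => $audience,
        'scope'         => 'openid profile',
        'client_id'     => $clientId,
        'client_secret' => $clientSecret,
    ];
    if ($realm !== null) {
        $body['realm'] = $realm;   // name of the connection under "Connections"
    }
    return $body;
}

// Classifies the reply. The token endpoint answers "Wrong email or password."
// both for a bad credential and for a user who lives in a connection other than
// the one being queried, so the body alone cannot tell those apart; surface the
// error code and check the realm / default directory separately.
function parse_token_response(int $status, string $body): array {
    $json = json_decode($body, true);
    if (!is_array($json)) {
        return ['ok' => false, 'status' => $status, 'error' => 'non_json_response'];
    }
    if ($status === 200 && isset($json['access_token'])) {
        return [
            'ok'           => true,
            'access_token' => $json['access_token'],
            'expires_in'   => $json['expires_in'] ?? null,
            'id_token'     => $json['id_token'] ?? null,
        ];
    }
    return [
        'ok'                => false,
        'status'            => $status,
        'error'             => $json['error'] ?? 'unknown',
        'error_description' => $json['error_description'] ?? '',
    ];
}

// Sends the request. The https scheme is explicit and certificate verification
// stays on, so the user's password never travels over plain HTTP.
function request_token(string $domain, array $body): array {
    $curl = curl_init("https://{$domain}/oauth/token");
    curl_setopt_array($curl, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => json_encode($body),
        CURLOPT_HTTPHEADER     => ['Content-Type: application/json'],
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_TIMEOUT        => 30,
    ]);
    $response = curl_exec($curl);
    if ($response === false) {
        $err = curl_error($curl);
        curl_close($curl);
        return ['ok' => false, 'status' => 0, 'error' => 'transport', 'error_description' => $err];
    }
    $status = (int) curl_getinfo($curl, CURLINFO_HTTP_CODE);
    curl_close($curl);
    return parse_token_response($status, $response);
}

// Usage from a Lumen controller (assumed env names and realm):
// $result = request_token('tenant-url', build_ropg_body(
//     getenv('AUTH0_CLIENT_ID'), getenv('AUTH0_CLIENT_SECRET'),
//     'https://tenant-url/api/v2/',
//     $request->input('username'), $request->input('password'),
//     'name of your password store here'));
// if (!$result['ok']) { abort(401, $result['error']); }

// Offline check against the exact body quoted in the question. The 403 status
// is constructed for the check, not taken from a real response.
$sample = '{"error":"invalid_grant","error_description":"Wrong email or password."}';
$parsed = parse_token_response(403, $sample);
assert($parsed['ok'] === false && $parsed['error'] === 'invalid_grant');
```

The split into `build_ropg_body()` and `parse_token_response()` keeps the two parts that actually vary between the answer's cases (which grant, and how to read the reply) free of cURL, so they can be unit-tested without a tenant; the transport function is the only place that touches the network, and it never hands the caller an unchecked body.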