Password-realm grant type - 'Passwordless authentication is not allowed on this endpoint.'

Hello everyone,

I am trying to use the ‘http://auth0.com/oauth/grant-type/password-realm’ grant type in order to get an access token for the different connections that I have. I have two connections (sms, email) which I am using on one application.

I want to allow passwordless authentication for users so they receive a one-time code on email or mobile and use that code to later obtain an access token. I have managed to do that (sending one-time codes), but now I need to use the Authentication API to obtain an access token (/oauth/token). Because, as I mentioned, I am using two connections (email, sms), I can’t use the password grant, because in that case I must set ‘Default Directory’ to exactly one. I have tried that and it works, but as I said, it then only checks one connection (email or mobile), and I want to use both of them. As I read in other posts on the forums, that should be possible by using the ‘password-realm’ grant type.

When I try to send the request

POST /oauth/token HTTP/1.1
Host: xxx.eu.auth0.com
cache-control: no-cache
Postman-Token: 6add44d8-1780-484d-9b8b-50dec0f1f6bc

grant_type=http%3A%2F%2Fauth0.com%2Foauth%2Fgrant-type%2Fpassword-realm&username=%2B38163000000&password=349076&client_id=orXs11111111111jno4&client_secret=xxxxxxxxxIQvRw&realm=sms

using this type of grant, I get the following error:

{
    "error": "invalid_request",
    "error_description": "Passwordless authentication is not allowed on this endpoint."
}

I read that this grant type needs to be activated using the Management API, which I did, but I am still getting this response. From the Management API I get the following for this client:

{
    "tenant": "xxxxx",
    "global": false,
    "is_token_endpoint_ip_header_trusted": false,
    "name": "AuthServiceWebApp",
    "is_first_party": true,
    "oidc_conformant": false,
    "sso_disabled": false,
    "cross_origin_auth": false,
    "description": "",
    "logo_uri": "",
    "sso": false,
    "callbacks": [
        "http://localhost:3000/callback",
        "http://localhost:3000/login/callback"
    ],
    "allowed_logout_urls": [
        "http://localhost:3000"
    ],
    "allowed_clients": [
        "https://xxxxx.eu.auth0.com/api/v2/"
    ],
    "signing_keys": [
        {
            ...
        }
    ],
    "allowed_origins": [],
    "client_id": "oxxxx",
    "callback_url_template": false,
    "client_secret": "xxxx",
    "jwt_configuration": {
        "alg": "RS256",
        "lifetime_in_seconds": 36000,
        "secret_encoded": false
    },
    "token_endpoint_auth_method": "client_secret_post",
    "app_type": "regular_web",
    "grant_types": [
        "authorization_code",
        "client_credentials",
        "http://auth0.com/oauth/grant-type/password-realm",
        "implicit",
        "password",
        "refresh_token"
    ],
    "web_origins": [
        "http://localhost:3000"
    ],
    "custom_login_page_on": true
}

Do you have any idea what I am missing here?

Thanks in advance!

Hey there!

Sorry for such a huge delay in response! We’re doing our best to provide you with the best developer support experience out there, but sometimes our bandwidth is not enough compared to the number of incoming questions.

Wanted to reach out to know if you still require further assistance?