Hello everyone,
I am trying to use the ‘http://auth0.com/oauth/grant-type/password-realm’ grant type in order to get an access token for the different connections that I have. I have two connections (sms, email) which I am using in one application.
I want to allow passwordless authentication for users, so they receive a one-time code by email or mobile and later use that code to obtain an access token. I have managed to do that (sending one-time codes), but now I need to use the Authentication API to obtain an access token (/oauth/token). Because, as I mentioned, I am using two connections (email, sms), I can’t use the password grant, because in that case I must set ‘Default Directory’ to exactly one of them. I have tried that and it works, but as I said it then only checks one connection (email or mobile), while I want to use both of them. As I read in other posts on the forums, that should be possible by using the ‘password-realm’ grant type.
When I try to send the following request
POST /oauth/token HTTP/1.1
Host: xxx.eu.auth0.com
cache-control: no-cache
Postman-Token: 6add44d8-1780-484d-9b8b-50dec0f1f6bc

grant_type=http%3A%2F%2Fauth0.com%2Foauth%2Fgrant-type%2Fpassword-realm&username=%2B38163000000&password=349076&client_id=orXs11111111111jno4&client_secret=xxxxxxxxxIQvRw&realm=sms
using this type of grant, I get the following error:
{
"error": "invalid_request",
"error_description": "Passwordless authentication is not allowed on this endpoint."
}
I read that this grant type needs to be activated using the Management API, which I did, but I am still getting this response. From the Management API I get the following for this client:
{
"tenant": "xxxxx",
"global": false,
"is_token_endpoint_ip_header_trusted": false,
"name": "AuthServiceWebApp",
"is_first_party": true,
"oidc_conformant": false,
"sso_disabled": false,
"cross_origin_auth": false,
"description": "",
"logo_uri": "",
"sso": false,
"callbacks": [
"http://localhost:3000/callback",
"http://localhost:3000/login/callback"
],
"allowed_logout_urls": [
"http://localhost:3000"
],
"allowed_clients": [
"https://xxxxx.eu.auth0.com/api/v2/"
],
"signing_keys": [
{
...
}
],
"allowed_origins": [],
"client_id": "oxxxx",
"callback_url_template": false,
"client_secret": "xxxx",
"jwt_configuration": {
"alg": "RS256",
"lifetime_in_seconds": 36000,
"secret_encoded": false
},
"token_endpoint_auth_method": "client_secret_post",
"app_type": "regular_web",
"grant_types": [
"authorization_code",
"client_credentials",
"http://auth0.com/oauth/grant-type/password-realm",
"implicit",
"password",
"refresh_token"
],
"web_origins": [
"http://localhost:3000"
],
"custom_login_page_on": true
}
Do you have any idea what I am missing here?
Thanks in advance!
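As an added example (not part of the original post and not Auth0's own code), the following Python script builds the /oauth/token request with a correctly form-encoded body, which is where a hand-assembled request can go wrong: the parameters must be separated by `&`, the body needs a `Content-Type: application/x-www-form-urlencoded` header, and the `+` in an E.164 phone number must be sent as `%2B`, because a bare `+` in a form body decodes to a space. It also shows how the exact 400 response quoted above can be recognised and turned into an actionable hint. The tenant, client_id, client_secret, username and codes are placeholders. The second grant type, `http://auth0.com/oauth/grant-type/passwordless/otp`, is the grant Auth0's public documentation describes for exchanging a passwordless one-time code for tokens; it is an assumption taken from that documentation and is not mentioned in the post.

```python
"""Auth0 /oauth/token helper: correct form encoding, request bodies for the
password-realm and passwordless OTP grants, and error handling.
Added example, not from the original post or from Auth0. Tenant, client_id,
client_secret, username and codes below are placeholders. The passwordless OTP
grant type string is assumed from Auth0's public docs; the post does not mention it."""
import io
import json
import urllib.error
import urllib.parse
import urllib.request
import urllib.response

PASSWORD_REALM_GRANT = "http://auth0.com/oauth/grant-type/password-realm"
PASSWORDLESS_OTP_GRANT = "http://auth0.com/oauth/grant-type/passwordless/otp"  # assumption


def encode_form(params):
    """application/x-www-form-urlencoded body. urlencode joins pairs with '&'
    and percent-encodes '+', so '+38163000000' becomes '%2B38163000000';
    a raw '+' in a form body would decode to a space and break the user lookup."""
    return urllib.parse.urlencode(params).encode("ascii")


def password_realm_body(client_id, client_secret, username, password, realm):
    """Body for the password-realm grant: a password checked against the single
    password-based connection named by 'realm'."""
    return {"grant_type": PASSWORD_REALM_GRANT, "client_id": client_id,
            "client_secret": client_secret, "username": username,
            "password": password, "realm": realm}


def passwordless_otp_body(client_id, client_secret, username, otp, realm):
    """Body for exchanging a passwordless one-time code; realm is 'email' or
    'sms', username is the address or E.164 number the code was sent to."""
    return {"grant_type": PASSWORDLESS_OTP_GRANT, "client_id": client_id,
            "client_secret": client_secret, "username": username,
            "otp": otp, "realm": realm}


def explain_token_error(status, payload):
    """Map an /oauth/token error JSON to an actionable hint."""
    err = payload.get("error", "")
    desc = payload.get("error_description", "")
    if err == "invalid_request" and "Passwordless" in desc:
        return ("password-realm only verifies password-based connections; "
                "send the one-time code with the passwordless OTP grant instead")
    if err == "unauthorized_client":
        return "enable this grant_type on the application (Management API grant_types)"
    return f"HTTP {status}: {err}: {desc}"


def exchange(tenant, body, opener=urllib.request.urlopen):
    """POST the form body to https://<tenant>/oauth/token. 'opener' is
    injectable so the whole flow can be exercised offline."""
    req = urllib.request.Request(
        f"https://{tenant}/oauth/token", data=encode_form(body),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST")
    try:
        with opener(req) as resp:
            return {"ok": True, "status": resp.code, "body": json.load(resp)}
    except urllib.error.HTTPError as e:
        payload = json.loads(e.read().decode("utf-8") or "{}")
        return {"ok": False, "status": e.code, "body": payload,
                "hint": explain_token_error(e.code, payload)}


# Constructed replay of the 400 response quoted in the post, so the error
# path runs without a real tenant.
POST_ERROR = {"error": "invalid_request",
              "error_description": "Passwordless authentication is not allowed on this endpoint."}


def replay_post_error(req):
    raise urllib.error.HTTPError(req.full_url, 400, "Bad Request", {},
                                 io.BytesIO(json.dumps(POST_ERROR).encode("utf-8")))


def replay_success(req):
    # Constructed success response; the token value is a placeholder.
    return urllib.response.addinfourl(
        io.BytesIO(b'{"access_token":"placeholder","token_type":"Bearer"}'),
        {}, req.full_url, 200)


if __name__ == "__main__":
    tenant = "xxx.eu.auth0.com"  # placeholder tenant
    bad = exchange(tenant, password_realm_body("CLIENT_ID", "CLIENT_SECRET",
                   "+38163000000", "349076", "sms"), opener=replay_post_error)
    print(bad["status"], bad["hint"])
    good = exchange(tenant, passwordless_otp_body("CLIENT_ID", "CLIENT_SECRET",
                    "+38163000000", "349076", "sms"), opener=replay_success)
    print(good["status"], good["body"]["token_type"])
```

Against a real tenant, drop the `opener` argument so `urllib.request.urlopen` is used; the two replay functions exist only so the encoding and error handling can be checked without credentials. The client_secret in the body is a confidential-client credential and must stay server-side, which matches the `regular_web` application type and `client_secret_post` auth method shown in the post.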