
Password-realm grant type - 'Passwordless authentication is not allowed on this endpoint.'

Hello everyone,

I am trying to use the ‘http://auth0.com/oauth/grant-type/password-realm’ grant type in order to get an access token for the different connections that I have. I have two connections (sms, email) which I am using in one application.

I want to allow passwordless authentication for users so they receive a one-time code by email or mobile and later use that code to obtain an access token. I have managed to do that (sending one-time codes), but now I need to use the Authentication API to obtain an access token (/oauth/token). Because, as I mentioned, I am using two connections (email, sms), I can’t use the password grant, since in that case I must set ‘Default Directory’ to exactly one connection. I have tried that and it works, but as I said it then only checks one connection (email or mobile), and I want to use both of them. From other posts on the forums I read that this should be possible using the ‘password-realm’ grant type.

When I try to send the following request using this grant type:

POST /oauth/token HTTP/1.1
Host: xxx.eu.auth0.com
cache-control: no-cache
Postman-Token: 6add44d8-1780-484d-9b8b-50dec0f1f6bc
Content-Type: application/x-www-form-urlencoded

grant_type=http%3A%2F%2Fauth0.com%2Foauth%2Fgrant-type%2Fpassword-realm&username=%2B38163000000&password=349076&client_id=orXs11111111111jno4&client_secret=xxxxxxxxxIQvRw&realm=sms

I get the following error:

{
    "error": "invalid_request",
    "error_description": "Passwordless authentication is not allowed on this endpoint."
}

I read that this grant type needs to be enabled using the Management API, which I did, but I am still getting this response. From the Management API I get the following for this client:

{
    "tenant": "xxxxx",
    "global": false,
    "is_token_endpoint_ip_header_trusted": false,
    "name": "AuthServiceWebApp",
    "is_first_party": true,
    "oidc_conformant": false,
    "sso_disabled": false,
    "cross_origin_auth": false,
    "description": "",
    "logo_uri": "",
    "sso": false,
    "callbacks": [
        "http://localhost:3000/callback",
        "http://localhost:3000/login/callback"
    ],
    "allowed_logout_urls": [
        "http://localhost:3000"
    ],
    "allowed_clients": [
        "https://xxxxx.eu.auth0.com/api/v2/"
    ],
    "signing_keys": [
        {
            ...
        }
    ],
    "allowed_origins": [],
    "client_id": "oxxxx",
    "callback_url_template": false,
    "client_secret": "xxxx",
    "jwt_configuration": {
        "alg": "RS256",
        "lifetime_in_seconds": 36000,
        "secret_encoded": false
    },
    "token_endpoint_auth_method": "client_secret_post",
    "app_type": "regular_web",
    "grant_types": [
        "authorization_code",
        "client_credentials",
        "http://auth0.com/oauth/grant-type/password-realm",
        "implicit",
        "password",
        "refresh_token"
    ],
    "web_origins": [
        "http://localhost:3000"
    ],
    "custom_login_page_on": true
}

Do you have any idea what I am missing here?

Thanks in advance!
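A small Python helper, added here and not part of the original post or of Auth0's own SDKs, that builds the same password-realm token request body with correct form encoding (one `&` between fields, the leading `+` of the phone number escaped as `%2B`), checks the Management API client record for the password-realm grant, and classifies the token-endpoint reply so the `invalid_request` error above is recognised instead of being parsed as a token. Client id, secret and the sample responses are constructed placeholders.

```python
import json
from urllib.parse import urlencode

# Grant type URI exactly as it appears in the client's grant_types list.
PASSWORD_REALM = "http://auth0.com/oauth/grant-type/password-realm"


def build_password_realm_body(username, otp, client_id, client_secret, realm):
    """Form-encode the /oauth/token body; urlencode joins fields with '&'
    and percent-encodes reserved characters such as '+', ':' and '/'."""
    return urlencode({
        "grant_type": PASSWORD_REALM,
        "username": username,
        "password": otp,          # the one-time code is sent as 'password'
        "client_id": client_id,
        "client_secret": client_secret,
        "realm": realm,           # name of the connection, e.g. 'sms' or 'email'
    })


def client_allows_password_realm(client_record):
    """True when the Management API client record lists the grant."""
    return PASSWORD_REALM in client_record.get("grant_types", [])


def classify_token_response(body_text):
    """Return ('ok', None) for a token reply, else (error, error_description)."""
    data = json.loads(body_text)
    if "access_token" in data:
        return ("ok", None)
    return (data.get("error", "unknown"), data.get("error_description"))


# Constructed sample data mirroring the post (placeholders, not real values).
SAMPLE_CLIENT = {"client_id": "CLIENT_ID_PLACEHOLDER",
                 "grant_types": ["authorization_code", PASSWORD_REALM, "password"]}
SAMPLE_ERROR = json.dumps({
    "error": "invalid_request",
    "error_description": "Passwordless authentication is not allowed on this endpoint.",
})

if __name__ == "__main__":
    body = build_password_realm_body("+38163000000", "349076",
                                     "CLIENT_ID_PLACEHOLDER", "SECRET_PLACEHOLDER", "sms")
    print(body)
    print("grant enabled on client:", client_allows_password_realm(SAMPLE_CLIENT))
    print("token endpoint said:", classify_token_response(SAMPLE_ERROR))
```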