Dear @ruchi , unfortunately this seems somewhat orthogonal to the issue we encounter, so let me try to better describe the steps we take.
We are using the Resource Owner Password Flow to establish a long-lasting connection, on the back-end, between an identity on our own CMS, and an identity on Auth0.
As such, we try to match user management operations, ie. create an account on Auth0 when one is created on our CMS, update on Auth0 when an account is updated on our CMS, delete an account on Auth0 when an account is deleted on our CMS.
What we are doing, exactly, in php:
On create:
return $this->management_client->users()->create($this->realm, $arg);
With a payload like:
[
'email' => $userdata['email'],
'email_verified' => true,
'app_metadata' => [
...
],
'given_name' => $userdata['first_name'],
'family_name' => $userdata['last_name'],
'name' => $userdata['display_name'],
'nickname' => $userdata['login'],
'password' => $userdata['password'],
'verify_email' => false,
'username' => $userdata['login'],
]
Then, login:
return $this->authentication_client->login(
$arg['username'],
$arg['password'],
$this->realm,
['scope' => 'openid profile email offline_access', 'audience' => $this->audience],
);
Username now is the email address, and the password is the password used upon creation.
If the email address contains dashes, this never goes through. The account isn’t so much as created in Auth0.
In fairness: as part of tests some of these accounts had been created, deleted, then re-created. And for a while this worked fine. But recently it has stopped working.
As far as more recent tests, if I create a brand new account with an email containing dashes, creation fails, and the subsequent login of course fails.
I also got confused when receiving the error message above. There isn’t a matching account in Auth0, it’s not being created anymore. Hence the initial question about “phantom accounts” but I think it’s more than that.
Please advise.