Resource Owner Password authentication failure

abelose90 · August 2, 2021, 10:34am

Current setup: Created a SPA, added a rule to add roles of the logged in user. This role is checked while accessing the apis. Added grant type password.

My usecase: I am trying to run postman tests. For testing apis I need bearer token. By using Resource Owner Password flow I was trying to obtain the bearer token.
Here is my curl command,
curl --location --request POST 'https://my-second-tenant.eu.auth0.com/oauth/token?grant_type=password&username=username&password=password&audience=https://quickstarts/api&client_id=%23%23%23%23%23%23%23%23%23&client_secret=*****'

I am getting
{ "error": "access_denied", "error_description": "Unauthorized" }

I have already checked the password grant type is enabled. I also tried disabling the rule just to check if rule is causing any problem but no luck.
Am I missing anything here?

I also came across Client credentials flow and that could be a good option. But I am using SPA application type.
My second question is, as this is SPA so the client credentials option is disabled.
Is there any way that I could configure my SPA to allow client credential.

dan.woda · August 3, 2021, 7:06pm

Hi again @abelose90,

Can you try omitting the client secret?

If you are using a SPA type application you should omit it from the token request.

abelose90 · August 4, 2021, 5:54am

Hi @dan.woda

Yes I did.
Here is my request

https://my-second-tenant.eu.auth0.com/oauth/token?grant_type=password&username={{username}}&password={{password}}&audience=https://quickstarts/api&scope=openid profile email&client_id={{auth0_clientid}}

Followed all the steps from here

But still getting

{
    "error": "access_denied",
    "error_description": "Unauthorized"
}

abelose90 · August 4, 2021, 9:25am

Hi @dan.woda
I think I got what I was doing wrong. I was sending the parameters as query parameters but I was suppose to send the parameters in the request body using application/x-www-form-urlencoded encoding.
I got my answer from here:

Thank you!

dan.woda · August 4, 2021, 3:42pm

Yes, you must send the data in the body. Glad you found a solution.

system · August 19, 2021, 3:43pm

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Unable to get token using resource owner password via /oauth/token api Help api , oauth , resource-owner-passw	3	5017	August 10, 2019
Error "Grant type 'password' not allowed for the client." for Resource Owner Password flow Help resource-owner-passw	21	40542	December 15, 2022
SPA - authenticate user with password grant type Help auth0 , password , spa , authentication , login	3	2882	September 17, 2021
Error: Grant type 'http://auth0.com/oauth/grant-type/password-realm' not allowed for the client Help password , login , 403 , grant-types , unauthorized_client	3	8536	March 2, 2018
Getting token via Resource Owner Password without client secret Help	8	7932	April 17, 2019

Resource Owner Password authentication failure

Related Topics