Resource Owner Password authentication failure

Current setup: Created a SPA, added a rule to add roles of the logged-in user. This role is checked while accessing the APIs. Added grant type password.

My use case: I am trying to run Postman tests. For testing APIs I need a bearer token. By using the Resource Owner Password flow I was trying to obtain the bearer token.
Here is my curl command:
curl --location --request POST 'https://my-second-tenant.eu.auth0.com/oauth/token?grant_type=password&username=username&password=password&audience=https://quickstarts/api&client_id=%23%23%23%23%23%23%23%23%23&client_secret=*****'

I am getting
{ "error": "access_denied", "error_description": "Unauthorized" }

I have already checked that the password grant type is enabled. I also tried disabling the rule just to check if the rule is causing any problem, but no luck.
Am I missing anything here?

I also came across the Client Credentials flow and that could be a good option. But I am using the SPA application type.
My second question is, as this is a SPA, the client credentials option is disabled.
Is there any way that I could configure my SPA to allow client credentials?

Hi again @abelose90,

Can you try omitting the client secret?

If you are using a SPA type application you should omit it from the token request.

Hi @dan.woda

Yes I did.
Here is my request

https://my-second-tenant.eu.auth0.com/oauth/token?grant_type=password&username={{username}}&password={{password}}&audience=https://quickstarts/api&scope=openid profile email&client_id={{auth0_clientid}}

Followed all the steps from here

But still getting

{
    "error": "access_denied",
    "error_description": "Unauthorized"
}

Hi @dan.woda
I think I got what I was doing wrong. I was sending the parameters as query parameters but I was supposed to send the parameters in the request body using application/x-www-form-urlencoded encoding.
I got my answer from here:

Thank you!

Yes, you must send the data in the body. Glad you found a solution.
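
The fix this thread arrives at, as an added example that is not part of the original posts: the same password-grant request with every parameter in an `application/x-www-form-urlencoded` body, which also keeps the password out of the request URL. The function names, the `CURL` dry-run switch and the environment variable names are assumptions; the tenant, audience and scope are the ones shown in the question.

```shell
# Added example, not from the thread. The tenant and audience below are the
# ones shown in the question; the function and variable names are assumptions.
AUTH0_DOMAIN="${AUTH0_DOMAIN:-my-second-tenant.eu.auth0.com}"
AUTH0_AUDIENCE="${AUTH0_AUDIENCE:-https://quickstarts/api}"
CURL="${CURL:-curl}"   # set CURL=dry_run to print the arguments instead

# Dry-run stand-in for curl: prints each argument on its own line.
dry_run() { printf '%s\n' "$@"; }

# Resource Owner Password grant for a SPA client.
# usage: request_token USERNAME PASSWORD CLIENT_ID
request_token() {
  rt_user=$1 rt_pass=$2 rt_client=$3
  # --data-urlencode puts each field in the POST body and percent-encodes
  # the value, so spaces, '&' or '@' in a password cannot break the request.
  # No client_secret: a SPA is a public client (see the reply above).
  # The URL carries no query string at all.
  "$CURL" --silent --show-error \
    --header 'Content-Type: application/x-www-form-urlencoded' \
    --data-urlencode 'grant_type=password' \
    --data-urlencode "username=$rt_user" \
    --data-urlencode "password=$rt_pass" \
    --data-urlencode "audience=$AUTH0_AUDIENCE" \
    --data-urlencode 'scope=openid profile email' \
    --data-urlencode "client_id=$rt_client" \
    "https://$AUTH0_DOMAIN/oauth/token"
}

# Example call (credentials read from the environment, not typed inline):
#   request_token "$TEST_USER" "$TEST_PASSWORD" "$AUTH0_CLIENT_ID"
```

In Postman the equivalent is the Body tab set to x-www-form-urlencoded with the same keys, leaving the Params tab empty.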
