Resource Owner Password Flow not working when using node/JS while cURL works

We have an app live (https://app.example.com), that knows about a username and password.
The goal is to login as a user with JavaScript.

We were following the docs here resource-owner-password-flow
and here call-your-api-using-resource-owner-password-flow

By posting to the endpoint https://example.eu.auth0.com/oauth/token
with the payload like the one from here migration-oauthro-oauthtoken

{
    "grant_type": "http://auth0.com/oauth/grant-type/password-realm",
    "client_id": "1234567890",
    "client_secret": "1234567890",
    "username": "alice",
    "password": "123456",
    "realm": "Username-Password-Authentication",
    "scope": "openid profile email offline_access",
    "audience": "https://api.example.com"
}

We used the application settings (domain, client_id, client_secret) from the app.
We also made sure to configure Callback URL and Password grant type here:
https://manage.auth0.com/dashboard/eu/example/applications/1234567890/settings
Application URIs → Allowed Callback URLs
Advanced settings → Grant Types

Also we were using the default Realm here:
https://manage.auth0.com/dashboard/eu/example/connections/database
Neither the default Database Connection Username-Password-Authentication provided by auth0
nor it’s Identifier con_1234567890 lead to anything but a 401 response.

Neither http://auth0.com/oauth/grant-type/password-realm nor password as grant_type lead to anything but a 401 response.

The user’s email is verified and it’s Primary Identity Provider is the very Username-Password-Authentication Database.
Of course it’s name and password are correct. The OAuth2/OIDC Flow works without problems.

Testing with the Authentication API Debugger Extension from here:
https://example.eu12.webtask.io/auth0-authentication-api-debugger
also lead to 401 response only

{
  "err": {
    "readyState": 4,
    "responseText": "{\"error\":\"access_denied\",\"error_description\":\"Unauthorized\"}",
    "responseJSON": {
      "error": "access_denied",
      "error_description": "Unauthorized"
    },
    "status": 401,
    "statusText": "error"
  }
}

Could you provide assistance with this?

Thanks for your support

Hi @skew202

What is the entry in the tenant logs? Does it give more information?

John

1 Like

Hi @john.gateley ,
thank you for assisting with this one here!

Raw

{
  "date": "2021-04-14T09:26:41.082Z",
  "type": "fepft",
  "description": "Unauthorized",
  "connection_id": "",
  "client_id": "1234567890",
  "client_name": null,
  "ip": "12.345.678.90",
  "client_ip": "12.345.678.90",
  "user_agent": "1234567890",
  "hostname": "example.eu.auth0.com",
  "user_id": "",
  "user_name": "1234567890@example.com",
  "audience": null,
  "scope": "openid name email nickname",
  "log_id": "1234567890",
  "_id": "1234567890",
  "isMobile": false
}

To my surprise, the cURL returns the access_token just fine, while the js request errors with unathorized access.

curl --request POST \
  --url https://TENANT.eu.auth0.com/oauth/token \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data grant_type=password \
  --data username=USERNAME \
  --data password=PASSWORD \
  --data audience=AUDIENCE \
  --data scope='openid profile email' \
  --data client_id=CLIENT_ID \
  --data client_secret=CLIENT_SECRET
var axios = require("axios").default;

var options = {
  method: 'POST',
  url: 'https://TENANT.eu.auth0.com/oauth/token',
  headers: {
    'content-type': 'application/x-www-form-urlencoded',
    'mode': 'no-cors'
  },
  data: {
    grant_type: 'password',
    username: 'USERNAME',
    password: 'PASSWORD',
    audience: 'AUDIENCE',
    scope: 'openid profile email',
    client_id: 'CLIENT_ID',
    client_secret: 'CLIENT_SECRET'
  }
};

axios.request(options).then(function (response) {
  console.log(response.data);
}).catch(function (error) {
  console.error(error);
});

Hi @skew202

I don’t see anything obvious. The next step is to sniff the packets for the curl command and the javascript and see what is different.

John