Resource Owner Password Flow not working when using node/JS while cURL works

skew202 · April 13, 2021, 9:01am

We have an app live (https://app.example.com), that knows about a username and password.
The goal is to login as a user with JavaScript.

We were following the docs here resource-owner-password-flow
and here call-your-api-using-resource-owner-password-flow

By posting to the endpoint https://example.eu.auth0.com/oauth/token
with the payload like the one from here migration-oauthro-oauthtoken

{
    "grant_type": "http://auth0.com/oauth/grant-type/password-realm",
    "client_id": "1234567890",
    "client_secret": "1234567890",
    "username": "alice",
    "password": "123456",
    "realm": "Username-Password-Authentication",
    "scope": "openid profile email offline_access",
    "audience": "https://api.example.com"
}

We used the application settings (domain, client_id, client_secret) from the app.
We also made sure to configure Callback URL and Password grant type here:
https://manage.auth0.com/dashboard/eu/example/applications/1234567890/settings
Application URIs → Allowed Callback URLs
Advanced settings → Grant Types

Also we were using the default Realm here:
https://manage.auth0.com/dashboard/eu/example/connections/database
Neither the default Database Connection Username-Password-Authentication provided by auth0
nor it’s Identifier con_1234567890 lead to anything but a 401 response.

Neither http://auth0.com/oauth/grant-type/password-realm nor password as grant_type lead to anything but a 401 response.

The user’s email is verified and it’s Primary Identity Provider is the very Username-Password-Authentication Database.
Of course it’s name and password are correct. The OAuth2/OIDC Flow works without problems.

Testing with the Authentication API Debugger Extension from here:
https://example.eu12.webtask.io/auth0-authentication-api-debugger
also lead to 401 response only

{
  "err": {
    "readyState": 4,
    "responseText": "{\"error\":\"access_denied\",\"error_description\":\"Unauthorized\"}",
    "responseJSON": {
      "error": "access_denied",
      "error_description": "Unauthorized"
    },
    "status": 401,
    "statusText": "error"
  }
}

Could you provide assistance with this?

Thanks for your support

john.gateley · April 13, 2021, 1:15pm

Hi @skew202

What is the entry in the tenant logs? Does it give more information?

John

skew202 · April 14, 2021, 9:14am

Hi @john.gateley ,
thank you for assisting with this one here!

Raw

{
  "date": "2021-04-14T09:26:41.082Z",
  "type": "fepft",
  "description": "Unauthorized",
  "connection_id": "",
  "client_id": "1234567890",
  "client_name": null,
  "ip": "12.345.678.90",
  "client_ip": "12.345.678.90",
  "user_agent": "1234567890",
  "hostname": "example.eu.auth0.com",
  "user_id": "",
  "user_name": "1234567890@example.com",
  "audience": null,
  "scope": "openid name email nickname",
  "log_id": "1234567890",
  "_id": "1234567890",
  "isMobile": false
}

skew202 · April 14, 2021, 12:49pm

To my surprise, the cURL returns the access_token just fine, while the js request errors with unathorized access.

curl --request POST \
  --url https://TENANT.eu.auth0.com/oauth/token \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data grant_type=password \
  --data username=USERNAME \
  --data password=PASSWORD \
  --data audience=AUDIENCE \
  --data scope='openid profile email' \
  --data client_id=CLIENT_ID \
  --data client_secret=CLIENT_SECRET

var axios = require("axios").default;

var options = {
  method: 'POST',
  url: 'https://TENANT.eu.auth0.com/oauth/token',
  headers: {
    'content-type': 'application/x-www-form-urlencoded',
    'mode': 'no-cors'
  },
  data: {
    grant_type: 'password',
    username: 'USERNAME',
    password: 'PASSWORD',
    audience: 'AUDIENCE',
    scope: 'openid profile email',
    client_id: 'CLIENT_ID',
    client_secret: 'CLIENT_SECRET'
  }
};

axios.request(options).then(function (response) {
  console.log(response.data);
}).catch(function (error) {
  console.error(error);
});

john.gateley · April 14, 2021, 1:45pm

Hi @skew202

I don’t see anything obvious. The next step is to sniff the packets for the curl command and the javascript and see what is different.

John

fernando.torres · May 31, 2022, 3:24am

Exact same problem here, cURL works just fine, returning an useful access token for the user while nodejs does not, please help!

Topic		Replies	Views
About setup authentication with grant-type/password-realm Help	3	9339	April 16, 2021
Resource Owner Password flow only works with headers removed Help auth0 , access_token , login	2	2037	December 22, 2022
Call API Using Resource Owner Password Flow Help	11	1830	May 25, 2022
Resource Owner Password Flow works fine with Postman but throws 401 Unauthorised with Axios Node.js Help auth0 , management-api , login	12	4858	August 30, 2021
Unable to get token using resource owner password via /oauth/token api Help api , oauth , resource-owner-passw	3	5016	August 10, 2019

Resource Owner Password Flow not working when using node/JS while cURL works

Related Topics