Resource Owner Password Flow not working when using node/JS while cURL works

We have an app live (https://app.example.com), that knows about a username and password.
The goal is to login as a user with JavaScript.

We were following the docs here resource-owner-password-flow
and here call-your-api-using-resource-owner-password-flow

By posting to the endpoint https://example.eu.auth0.com/oauth/token
with the payload like the one from here migration-oauthro-oauthtoken

{
    "grant_type": "http://auth0.com/oauth/grant-type/password-realm",
    "client_id": "1234567890",
    "client_secret": "1234567890",
    "username": "alice",
    "password": "123456",
    "realm": "Username-Password-Authentication",
    "scope": "openid profile email offline_access",
    "audience": "https://api.example.com"
}

We used the application settings (domain, client_id, client_secret) from the app.
We also made sure to configure Callback URL and Password grant type here:
https://manage.auth0.com/dashboard/eu/example/applications/1234567890/settings
Application URIs → Allowed Callback URLs
Advanced settings → Grant Types

Also we were using the default Realm here:
https://manage.auth0.com/dashboard/eu/example/connections/database
Neither the default Database Connection Username-Password-Authentication provided by auth0
nor it’s Identifier con_1234567890 lead to anything but a 401 response.

Neither http://auth0.com/oauth/grant-type/password-realm nor password as grant_type lead to anything but a 401 response.

The user’s email is verified and it’s Primary Identity Provider is the very Username-Password-Authentication Database.
Of course it’s name and password are correct. The OAuth2/OIDC Flow works without problems.

Testing with the Authentication API Debugger Extension from here:
https://example.eu12.webtask.io/auth0-authentication-api-debugger
also lead to 401 response only

{
  "err": {
    "readyState": 4,
    "responseText": "{\"error\":\"access_denied\",\"error_description\":\"Unauthorized\"}",
    "responseJSON": {
      "error": "access_denied",
      "error_description": "Unauthorized"
    },
    "status": 401,
    "statusText": "error"
  }
}

Could you provide assistance with this?

Thanks for your support

Hi @skew202

What is the entry in the tenant logs? Does it give more information?

John

1 Like

Hi @john.gateley ,
thank you for assisting with this one here!

Raw

{
  "date": "2021-04-14T09:26:41.082Z",
  "type": "fepft",
  "description": "Unauthorized",
  "connection_id": "",
  "client_id": "1234567890",
  "client_name": null,
  "ip": "12.345.678.90",
  "client_ip": "12.345.678.90",
  "user_agent": "1234567890",
  "hostname": "example.eu.auth0.com",
  "user_id": "",
  "user_name": "1234567890@example.com",
  "audience": null,
  "scope": "openid name email nickname",
  "log_id": "1234567890",
  "_id": "1234567890",
  "isMobile": false
}

To my surprise, the cURL returns the access_token just fine, while the js request errors with unathorized access.

curl --request POST \
  --url https://TENANT.eu.auth0.com/oauth/token \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data grant_type=password \
  --data username=USERNAME \
  --data password=PASSWORD \
  --data audience=AUDIENCE \
  --data scope='openid profile email' \
  --data client_id=CLIENT_ID \
  --data client_secret=CLIENT_SECRET
var axios = require("axios").default;

var options = {
  method: 'POST',
  url: 'https://TENANT.eu.auth0.com/oauth/token',
  headers: {
    'content-type': 'application/x-www-form-urlencoded',
    'mode': 'no-cors'
  },
  data: {
    grant_type: 'password',
    username: 'USERNAME',
    password: 'PASSWORD',
    audience: 'AUDIENCE',
    scope: 'openid profile email',
    client_id: 'CLIENT_ID',
    client_secret: 'CLIENT_SECRET'
  }
};

axios.request(options).then(function (response) {
  console.log(response.data);
}).catch(function (error) {
  console.error(error);
});

Hi @skew202

I don’t see anything obvious. The next step is to sniff the packets for the curl command and the javascript and see what is different.

John

Exact same problem here, cURL works just fine, returning an useful access token for the user while nodejs does not, please help!