I’m currently trying to implement the Resource Owner Password Flow for an application that cannot be redirected to the Auth0 login page. What I’m doing is: taking the username and password and calling the oauth/token endpoint as described in the documentation. I am able to retrieve an access_token, but it doesn’t contain the same information as the tokens of our other applications (which use redirect).
In the documentation it says:
Rules will run for the Resource Owner Password Flow (including the Realm extension grant).
We have a set of rules, which do things like adding user_metadata, permissions or roles to the token. To me it seems that those rules are not executed when I’m calling the /oauth/token endpoint. Am I missing something? I’d appreciate any kind of input.
They should be executed. Are you using the realtime webtask logs extension? If not, enable that, put some console.logs in and figure out what is going on.
Make sure you are looking at the proper Auth0 tenant. When this happens to me, it usually means I am authenticating against a different tenant than I think I am.
It looks like I have fixed that issue by accident today. I noticed that the access_token I received was an opaque token and only the id_token was a JWT. Then I came across this FAQ page: Why is my access token not a JWT? (Opaque Token)
After calling the endpoint with the audience parameter, both tokens were returned as JWTs and the access_token includes all the information I would expect.
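One way to reproduce the fix described in the reply above, as an added example that is not part of this thread: it builds the password-grant request body with and without `audience`, and inspects the returned access_token to tell an opaque token from a JWT whose claims (e.g. those added by rules) can be read. The tenant URL, client credentials and the sample tokens are placeholders or constructed for the example.

```python
import base64
import json
import urllib.parse
import urllib.request

TOKEN_URL = "https://YOUR_TENANT.auth0.com/oauth/token"  # placeholder tenant


def build_password_grant(username, password, client_id, client_secret,
                         audience=None, scope="openid profile"):
    """Form body for the Resource Owner Password grant. Without `audience`
    Auth0 issues an opaque access_token; with it, a JWT for that API."""
    body = {"grant_type": "password", "username": username, "password": password,
            "client_id": client_id, "client_secret": client_secret, "scope": scope}
    if audience:
        body["audience"] = audience
    return body


def request_tokens(body):
    """POST the form to /oauth/token and return the parsed JSON (network call)."""
    req = urllib.request.Request(TOKEN_URL, data=urllib.parse.urlencode(body).encode(),
                                 method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def inspect_token(token):
    """Classify a token as 'jwt' or 'opaque' and, for a JWT, return its payload.
    This only parses; it does NOT verify the signature. Use it to debug what the
    rules put in the token, never as an authorization check on the API side."""
    parts = token.split(".")
    if len(parts) != 3:
        return {"kind": "opaque", "claims": None}
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # not base64url / not JSON: treat as opaque
        return {"kind": "opaque", "claims": None}
    if not isinstance(header, dict) or "alg" not in header:
        return {"kind": "opaque", "claims": None}
    return {"kind": "jwt", "claims": claims}


def _make_sample_jwt(claims):
    """Constructed sample (fake signature), not real Auth0 output."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.fakesig"


SAMPLE_OPAQUE = "8Wk3s9Lq2ZxPvT0fG1HcYbN4"  # constructed opaque-style token
SAMPLE_JWT = _make_sample_jwt({"sub": "auth0|123", "aud": "https://api.example.com",
                               "https://example.com/roles": ["admin"]})
```

Custom claims added by rules must be namespaced (the `https://example.com/roles` key above is a placeholder namespace), otherwise Auth0 drops them from the access token.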