Resource Owner Password Flow works fine with Postman but throws 401 Unauthorised with Axios Node.js

assadullahch · August 25, 2021, 2:08pm

Hi,

I browsed similar questions but no luck.

We are building a SPA (Single Page App) which uses React.js on frontend and Node.js on backend and we want to authenticate our users upon successful registration.

For the registration, we are creating user accounts through our backend using Auth0 management API and that works perfectly fine but we are struggling with Resource Owner Password Flow.

When making API call from Postman, we successfully get the access_token , refresh_token , id_token , token_type , and expires_in.

Please see the screenshot of the API call using Postman.

I just wrote a function to share here. Here’s my code:

require("dotenv").config();
const express = require("express");
const axios = require("axios").default;
const cors = require("cors");
const app = express();

const port = process.env.PORT || 4000;

app.use(cors());
app.use(express.json());
app.use(express.urlencoded({ extended: true }));

app.post("/login", (req, res) => {
  var options = {
    method: "POST",
    url: `https://${process.env.AUTH0_DOMAIN}/oauth/token`,
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    data: {
      grant_type: "password",
      username: req.body.username,
      password: req.body.password,
      audience: process.env.AUTH0_AUDIENCE,
      scope: "openid profile email",
      client_id: process.env.AUTH0_CLIENT_ID,
      client_secret: process.env.AUTH0_CLIENT_SECRET,
    },
  };


  axios(options)
    .then(function (response) {
      console.log(response.data);

      return res.status(200).json({
        status: "success",
        response: response.data,
      });
    })
    .catch(function (error) {
      console.error(error);
      return res.status(error.response.status).json({
        status: "error",
        response: error.response.data,
      });
    });
});

app.listen(port, () =>
  console.log(`Listing to server: http://localhost/${port}`)
);

Our Requirement

Ability to authenticate the users without redirecting the users to Auth0 hosted login page.
Ability to create user accounts through our backend using Management API and then using Resource Owner Password Flow to authenticate the users upon successful account creation through our backend.

Please help me out.

Thank you.

assadullahch · August 26, 2021, 5:27pm

Is it possible for someone to help me out with this?

dan.woda · August 26, 2021, 5:36pm

Hi @assadullahch,

Friendly tip: If you respond to your own post it removes it from the unanswered queue and it is likely to go unanswered.

As for you question, let’s see if we can figure it out

Are you using the same client ID and secret for your postman app and your node app?

assadullahch · August 26, 2021, 5:38pm

Hi @dan.woda ,

Sorry about responding to my question. We are on a tight deadline so.

I would appreciate your help.

I copied the client_id straight from my text editor. Matched it many times and I can assure you that is correct. I am also not seeing logs related to this 401 response in Auth0 dashboard.

dan.woda · August 26, 2021, 8:37pm

Can you confirm the domain you are sending to is being input properly? I have seen cases where the domain env variable is causing issues, for instance:

https://${process.env.AUTH0_DOMAIN}/oauth/token

resolves as

https://https://your_domain/oauth/token

Also, you should ensure the application is authorized to access the audience you are passing.

assadullahch · August 27, 2021, 8:07am

@dan.woda I removed the env variables and pasted the values directly in my code. Still there’s no luck.

Client id, domain and audience are the same exact I am using with Postman.

The strange thing is, there are no logs in Auth0 related to 401.

assadullahch · August 27, 2021, 8:35am

In my Node.js Axios call, I commented out audience and headers and it’s working now.

You can see my Axios options here

const options = {
    method: "POST",
    url: `https://${process.env.AUTH0_DOMAIN}/oauth/token`,
    //headers: { "Content-Type": "application/x-www-form-urlencoded" },
    data: {
      grant_type: "password",
      username: req.body.username,
      password: req.body.password,
      //audience: process.env.AUTH0_AUDIENCE,
      scope: "openid profile email",
      client_id: process.env.AUTH0_CLIENT_ID,
      client_secret: process.env.AUTH0_CLIENT_SECRET,
    },
  };

dan.woda · August 30, 2021, 7:38pm

If the audience param was causing the issue it is likely because the application (client ID) you are making the request with is not authorized to access that API (audience).

You can update this in settings of your API in the dashboard.

assadullahch · August 30, 2021, 7:47pm

There was no issue with audience. I just commented out headers in my Axios call options and it all just started working as expected.

dan.woda · August 30, 2021, 7:54pm

Great let us know if you have any other questions.

assadullahch · August 30, 2021, 8:02pm

I got another question. Please see this here

dan.woda · August 30, 2021, 8:41pm

I responded in that thread.

system · September 14, 2021, 8:42pm

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
401 Unauthorized Post /oauth/token using Resource Owner Flow Help api , password , login	6	6532	July 28, 2022
Resource Owner Password flow only works with headers removed Help auth0 , access_token , login	2	2037	December 22, 2022
Resource Owner Password Flow not working when using node/JS while cURL works Help bug , password , login	5	3894	May 31, 2022
Using the Auth0-spa-js SDK after logging in via the Resource Owner Password Flow Help	2	1571	February 14, 2023
Get Management API Token in actions (SPA) Help management-api	2	2606	June 28, 2021

Resource Owner Password Flow works fine with Postman but throws 401 Unauthorised with Axios Node.js

Related Topics