Resource Owner Password Flow works fine with Postman but throws 401 Unauthorised with Axios Node.js

Hi,

I browsed similar questions but no luck.

We are building a SPA (Single Page App) which uses React.js on the frontend and Node.js on the backend, and we want to authenticate our users upon successful registration.

For the registration, we are creating user accounts through our backend using Auth0 management API and that works perfectly fine but we are struggling with Resource Owner Password Flow.

When making the API call from Postman, we successfully get the access_token, refresh_token, id_token, token_type, and expires_in.

Please see the screenshot of the API call using Postman.

I just wrote a function to share here. Here’s my code:

require("dotenv").config();
const express = require("express");
const axios = require("axios").default;
const cors = require("cors");
const app = express();

const port = process.env.PORT || 4000;

app.use(cors());
app.use(express.json());
app.use(express.urlencoded({ extended: true }));

app.post("/login", (req, res) => {
  var options = {
    method: "POST",
    url: `https://${process.env.AUTH0_DOMAIN}/oauth/token`,
    // Note: `data` is a plain object, which axios 0.x JSON-encodes regardless of
    // this header, so the declared Content-Type does not match the body on the wire.
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    data: {
      grant_type: "password",
      username: req.body.username,
      password: req.body.password,
      audience: process.env.AUTH0_AUDIENCE,
      scope: "openid profile email",
      client_id: process.env.AUTH0_CLIENT_ID,
      client_secret: process.env.AUTH0_CLIENT_SECRET,
    },
  };

  axios(options)
    .then(function (response) {
      // Debugging only: this writes access, refresh and ID tokens to the server log.
      console.log(response.data);

      return res.status(200).json({
        status: "success",
        response: response.data,
      });
    })
    .catch(function (error) {
      console.error(error);
      // error.response is undefined on network/DNS failures; fall back to 500
      // instead of throwing inside the handler.
      const status = error.response ? error.response.status : 500;
      const body = error.response ? error.response.data : { message: error.message };
      return res.status(status).json({
        status: "error",
        response: body,
      });
    });
});

app.listen(port, () =>
  console.log(`Listening on http://localhost:${port}`)
);

Our Requirement

  1. Ability to authenticate the users without redirecting the users to Auth0 hosted login page.
  2. Ability to create user accounts through our backend using Management API and then using Resource Owner Password Flow to authenticate the users upon successful account creation through our backend.

Please help me out.

Thank you.

Is it possible for someone to help me out with this?

Hi @assadullahch,

Friendly tip: If you respond to your own post it removes it from the unanswered queue and it is likely to go unanswered.

As for your question, let’s see if we can figure it out.

Are you using the same client ID and secret for your postman app and your node app?

Hi @dan.woda ,

Sorry about responding to my question. We are on a tight deadline so.

I would appreciate your help.

I copied the client_id straight from my text editor. Matched it many times and I can assure you that is correct. I am also not seeing logs related to this 401 response in Auth0 dashboard.

Can you confirm the domain you are sending to is being input properly? I have seen cases where the domain env variable is causing issues, for instance:

https://${process.env.AUTH0_DOMAIN}/oauth/token

resolves as

https://https://your_domain/oauth/token

Also, you should ensure the application is authorized to access the audience you are passing.

@dan.woda I removed the env variables and pasted the values directly in my code. Still there’s no luck.

Client id, domain and audience are the same exact I am using with Postman.

The strange thing is, there are no logs in Auth0 related to 401.

In my Node.js Axios call, I commented out audience and headers and it’s working now.

You can see my Axios options here

const options = {
  method: "POST",
  url: `https://${process.env.AUTH0_DOMAIN}/oauth/token`,
  // Header removed: axios now sends the object as application/json, which the
  // token endpoint accepts, so the declared and actual body format agree.
  //headers: { "Content-Type": "application/x-www-form-urlencoded" },
  data: {
    grant_type: "password",
    username: req.body.username,
    password: req.body.password,
    //audience: process.env.AUTH0_AUDIENCE,
    scope: "openid profile email",
    client_id: process.env.AUTH0_CLIENT_ID,
    client_secret: process.env.AUTH0_CLIENT_SECRET,
  },
};

If the audience param was causing the issue it is likely because the application (client ID) you are making the request with is not authorized to access that API (audience).

You can update this in settings of your API in the dashboard.

There was no issue with audience. I just commented out headers in my Axios call options and it all just started working as expected.


Great let us know if you have any other questions.

I got another question. Please see this here

I responded in that thread.

