SPA - authenticate user with password grant type

I have an SPA registered in auth0 and connection enabled for username/password DB.

I have the scenario when users wish to update their passwords, they first have to enter their current password and that is validated in the backend. I know that there is no way to get the hashed passwords from Auth0, so I decided to authenticate the user by posting to the oauth/token endpoint. I am using the password grant type and my SPA has this grant type enabled. I am testing this with curl:

curl --request POST \
  --url https://MY_DOMAIN/oauth/token \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data '{"username":"username","password":"pass",client_id":"SPA_CLIENT_ID","client_secret":"SPA_CLIENT_SECRET","audience":"https://MY-DOMAIN/api/v2/","grant_type":"password","connection":"Username-Password-Authentication"}'

I am getting {"error":"access_denied","error_description":"Unauthorized"}.
What am I doing wrong? I noticed that the Token Endpoint Authentication Method for my SPA is set to NONE and that cannot be changed.


A SPA should not contain client secrets, that is why the Token Endpoint Authentication Method is set to None on a SPA in the Auth0 dashboard.

With this in mind, the resource owner password grant should not be called from a SPA.

You can initiate a password reset flow (via email) from your SPA using the Change Password endpoint

Hope this helps!

1 Like

Thanks for helping on this one Marcus!

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.