I have an SPA registered in auth0 and connection enabled for username/password DB.
I have the scenario when users wish to update their passwords, they first have to enter their current password and that is validated in the backend. I know that there is no way to get the hashed passwords from Auth0, so I decided to authenticate the user by posting to the oauth/token
endpoint. I am using the password
grant type and my SPA has this grant type enabled. I am testing this with curl:
curl --request POST \
--url https://MY_DOMAIN/oauth/token \
--header 'content-type: application/x-www-form-urlencoded' \
--data '{"username":"username","password":"pass",client_id":"SPA_CLIENT_ID","client_secret":"SPA_CLIENT_SECRET","audience":"https://MY-DOMAIN/api/v2/","grant_type":"password","connection":"Username-Password-Authentication"}'
I am getting {"error":"access_denied","error_description":"Unauthorized"}
.
What am I doing wrong? I noticed that the Token Endpoint Authentication Method
for my SPA is set to NONE
and that cannot be changed.