SPA - authenticate user with password grant type

I have an SPA registered in auth0 and connection enabled for username/password DB.

I have the scenario when users wish to update their passwords, they first have to enter their current password and that is validated in the backend. I know that there is no way to get the hashed passwords from Auth0, so I decided to authenticate the user by posting to the oauth/token endpoint. I am using the password grant type and my SPA has this grant type enabled. I am testing this with curl:

curl --request POST \
  --url https://MY_DOMAIN/oauth/token \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data '{"username":"username","password":"pass",client_id":"SPA_CLIENT_ID","client_secret":"SPA_CLIENT_SECRET","audience":"https://MY-DOMAIN/api/v2/","grant_type":"password","connection":"Username-Password-Authentication"}'

I am getting {"error":"access_denied","error_description":"Unauthorized"}.
What am I doing wrong? I noticed that the Token Endpoint Authentication Method for my SPA is set to NONE and that cannot be changed.

Hi!

A SPA should not contain client secrets, that is why the Token Endpoint Authentication Method is set to None on a SPA in the Auth0 dashboard.

With this in mind, the resource owner password grant should not be called from a SPA.

You can initiate a password reset flow (via email) from your SPA using the Change Password endpoint

Hope this helps!

Thanks for helping on this one Marcus!

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.