Testing Auth0 programatically when Passwordless (email) is the default directory?

I previously had my tenant set up with the Database directory only. I was successfully generating auth tokens for testing my APIs using the following .NET code:

private static async Task<string> CreateValidAccessTokenAsync(bool subscribed = true)
    {
        var authSettings = GetOidcSettings();

        var username = subscribed ? authSettings["SubscribedUsername"] : authSettings["UnsubscribedUsername"];
        var password = subscribed ? authSettings["SubscribedPassword"] : authSettings["UnsubscribedPassword"];

        var authClient = new AuthenticationApiClient(authSettings["Domain"]);
        var tokenRequest = new ResourceOwnerTokenRequest
        {
            ClientId = authSettings["ClientId"],
            ClientSecret = authSettings["ClientSecret"],
            Audience = authSettings["Audience"],
            Scope = "openid profile",
            Username = username,
            Password = password
        };

        var tokenResponse = await authClient.GetTokenAsync(tokenRequest);

        return tokenResponse.AccessToken;
    }

I want to change to using Passwordless (email) as my authentication method going forward. So made the following changes to my Auth0 tenant:

  • disabled registration in the database directory
  • enabled passwordless (email) directory
  • set passwordless (email) as the default directory
  • set Authentication profile to Identifier First

Now when I run the above code I get the following error:

Auth0.Core.Exceptions.ErrorApiException: Wrong email or verification code.

My assumption here is that it is looking in the passwordless directory and expecting a verification code sent via email. From my understanding, direct the request to the database directory I need to use the Realm property of ResourceOwnerTokenRequest so I adapted my code to include that:

rivate static async Task<string> CreateValidAccessTokenAsync(bool subscribed = true)
    {
        var authSettings = GetOidcSettings();

        var username = subscribed ? authSettings["SubscribedUsername"] : authSettings["UnsubscribedUsername"];
        var password = subscribed ? authSettings["SubscribedPassword"] : authSettings["UnsubscribedPassword"];

        var authClient = new AuthenticationApiClient(authSettings["Domain"]);
        var tokenRequest = new ResourceOwnerTokenRequest
        {
            ClientId = authSettings["ClientId"],
            ClientSecret = authSettings["ClientSecret"],
            Audience = authSettings["Audience"],
            Scope = "openid profile",
            Username = username,
            Password = password,
            Realm = "Username-Password-Authentication"
        };

        var tokenResponse = await authClient.GetTokenAsync(tokenRequest);

        return tokenResponse.AccessToken;
    }

This changes the error to Auth0.Core.Exceptions.ErrorApiException: Grant type 'http://auth0.com/oauth/grant-type/password-realm' not allowed for the client. which led me to this article. Which says you need to use the management API to add the https://auth0.com/oauth/grant-type/password-realm, but that responds with a 400 Bad Request: Invalid grant types: https://auth0.com/oauth/grant-type/password-realm.

So how can I make a ResourceOwnerTokenRequest that targets the non-default directory?