I previously had my tenant set up with the Database directory only. I was successfully generating auth tokens for testing my APIs using the following .NET code:
using System.Threading.Tasks;
using Auth0.AuthenticationApi;
using Auth0.AuthenticationApi.Models;

private static async Task<string> CreateValidAccessTokenAsync(bool subscribed = true)
{
    // Test users and client settings come from configuration (GetOidcSettings).
    var authSettings = GetOidcSettings();
    var username = subscribed ? authSettings["SubscribedUsername"] : authSettings["UnsubscribedUsername"];
    var password = subscribed ? authSettings["SubscribedPassword"] : authSettings["UnsubscribedPassword"];
    var authClient = new AuthenticationApiClient(authSettings["Domain"]);

    // Resource Owner Password grant; no Realm, so the tenant's default directory is used.
    var tokenRequest = new ResourceOwnerTokenRequest
    {
        ClientId = authSettings["ClientId"],
        ClientSecret = authSettings["ClientSecret"],
        Audience = authSettings["Audience"],
        Scope = "openid profile",
        Username = username,
        Password = password
    };
    var tokenResponse = await authClient.GetTokenAsync(tokenRequest);
    return tokenResponse.AccessToken;
}
I want to change to using Passwordless (email) as my authentication method going forward, so I made the following changes to my Auth0 tenant:
- disabled registration in the database directory
- enabled passwordless (email) directory
- set passwordless (email) as the default directory
- set Authentication profile to Identifier First
Now when I run the above code I get the following error:
Auth0.Core.Exceptions.ErrorApiException: Wrong email or verification code.
My assumption here is that it is looking in the passwordless directory and expecting a verification code sent via email. From my understanding, to direct the request to the database directory I need to use the Realm property of ResourceOwnerTokenRequest, so I adapted my code to include that:
using System.Threading.Tasks;
using Auth0.AuthenticationApi;
using Auth0.AuthenticationApi.Models;

private static async Task<string> CreateValidAccessTokenAsync(bool subscribed = true)
{
    var authSettings = GetOidcSettings();
    var username = subscribed ? authSettings["SubscribedUsername"] : authSettings["UnsubscribedUsername"];
    var password = subscribed ? authSettings["SubscribedPassword"] : authSettings["UnsubscribedPassword"];
    var authClient = new AuthenticationApiClient(authSettings["Domain"]);
    var tokenRequest = new ResourceOwnerTokenRequest
    {
        ClientId = authSettings["ClientId"],
        ClientSecret = authSettings["ClientSecret"],
        Audience = authSettings["Audience"],
        Scope = "openid profile",
        Username = username,
        Password = password,
        // Name the connection explicitly instead of relying on the tenant default.
        Realm = "Username-Password-Authentication"
    };
    var tokenResponse = await authClient.GetTokenAsync(tokenRequest);
    return tokenResponse.AccessToken;
}
This changes the error to Auth0.Core.Exceptions.ErrorApiException: Grant type 'http://auth0.com/oauth/grant-type/password-realm' not allowed for the client., which led me to this article, which says you need to use the Management API to add the https://auth0.com/oauth/grant-type/password-realm grant type, but that responds with a 400 Bad Request: Invalid grant types: https://auth0.com/oauth/grant-type/password-realm.

So how can I make a ResourceOwnerTokenRequest that targets the non-default directory?
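An added example, not the poster's code, of the two steps the post describes: enabling the password-realm grant on the client through the Management API, then requesting a token against a named connection. It assumes the Auth0.ManagementApi and Auth0.AuthenticationApi NuGet packages and a Management API token carrying the update:clients scope, and it spells the grant identifier exactly as it appears in the client's own error message above (http://, not https://).

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Auth0.AuthenticationApi;
using Auth0.AuthenticationApi.Models;
using Auth0.ManagementApi;
using Auth0.ManagementApi.Models;

public static class RealmTokenExample
{
    // Grant identifier as shown in the "not allowed for the client" error above.
    private const string PasswordRealmGrant = "http://auth0.com/oauth/grant-type/password-realm";

    // Step 1: allow the password-realm grant on the client.
    // Assumes mgmtToken has at least the update:clients scope (keep it that narrow).
    // GrantTypes on update replaces the whole list, so read, merge, then write.
    public static async Task EnsurePasswordRealmGrantAsync(string domain, string mgmtToken, string clientId)
    {
        var mgmt = new ManagementApiClient(mgmtToken, domain);
        var client = await mgmt.Clients.GetAsync(clientId);
        var grants = (client.GrantTypes ?? Array.Empty<string>()).ToList();
        if (grants.Contains(PasswordRealmGrant))
            return;                                   // already enabled, no write needed
        grants.Add(PasswordRealmGrant);               // keep existing grants intact
        await mgmt.Clients.UpdateAsync(clientId, new ClientUpdateRequest { GrantTypes = grants.ToArray() });
    }

    // Step 2: request a token against a named connection (realm), not the tenant default.
    public static async Task<string> GetTokenForRealmAsync(string domain, string clientId, string clientSecret,
        string audience, string realm, string username, string password)
    {
        var auth = new AuthenticationApiClient(domain);
        var response = await auth.GetTokenAsync(new ResourceOwnerTokenRequest
        {
            ClientId = clientId,
            ClientSecret = clientSecret,
            Audience = audience,
            Scope = "openid profile",
            Realm = realm,                            // e.g. "Username-Password-Authentication"
            Username = username,
            Password = password
        });
        return response.AccessToken;
    }
}
```

Run EnsurePasswordRealmGrantAsync once per test tenant during setup rather than on every token request, since each call costs a Management API read and the grant list only needs to change once.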