Testing Auth0 programmatically when Passwordless (email) is the default directory?

I previously had my tenant set up with the Database directory only. I was successfully generating auth tokens for testing my APIs using the following .NET code:

private static async Task<string> CreateValidAccessTokenAsync(bool subscribed = true)
{
    var authSettings = GetOidcSettings();

    // Two test identities in the database connection: one subscribed, one not.
    var username = subscribed ? authSettings["SubscribedUsername"] : authSettings["UnsubscribedUsername"];
    var password = subscribed ? authSettings["SubscribedPassword"] : authSettings["UnsubscribedPassword"];

    var authClient = new AuthenticationApiClient(authSettings["Domain"]);

    // Resource Owner Password grant; with no Realm set, Auth0 uses the tenant's default directory.
    var tokenRequest = new ResourceOwnerTokenRequest
    {
        ClientId = authSettings["ClientId"],
        ClientSecret = authSettings["ClientSecret"],
        Audience = authSettings["Audience"],
        Scope = "openid profile",
        Username = username,
        Password = password
    };

    var tokenResponse = await authClient.GetTokenAsync(tokenRequest);

    return tokenResponse.AccessToken;
}

I want to change to using Passwordless (email) as my authentication method going forward, so I made the following changes to my Auth0 tenant:

  • disabled registration in the database directory
  • enabled passwordless (email) directory
  • set passwordless (email) as the default directory
  • set Authentication profile to Identifier First

Now when I run the above code I get the following error:

Auth0.Core.Exceptions.ErrorApiException: Wrong email or verification code.

My assumption here is that it is looking in the passwordless directory and expecting a verification code sent via email. From my understanding, to direct the request to the database directory I need to use the Realm property of ResourceOwnerTokenRequest so I adapted my code to include that:

private static async Task<string> CreateValidAccessTokenAsync(bool subscribed = true)
{
    var authSettings = GetOidcSettings();

    var username = subscribed ? authSettings["SubscribedUsername"] : authSettings["UnsubscribedUsername"];
    var password = subscribed ? authSettings["SubscribedPassword"] : authSettings["UnsubscribedPassword"];

    var authClient = new AuthenticationApiClient(authSettings["Domain"]);
    var tokenRequest = new ResourceOwnerTokenRequest
    {
        ClientId = authSettings["ClientId"],
        ClientSecret = authSettings["ClientSecret"],
        Audience = authSettings["Audience"],
        Scope = "openid profile",
        Username = username,
        Password = password,
        // Name of the database connection; setting Realm switches the grant to password-realm.
        Realm = "Username-Password-Authentication"
    };

    var tokenResponse = await authClient.GetTokenAsync(tokenRequest);

    return tokenResponse.AccessToken;
}

This changes the error to Auth0.Core.Exceptions.ErrorApiException: Grant type 'http://auth0.com/oauth/grant-type/password-realm' not allowed for the client., which led me to this article. It says you need to use the Management API to add https://auth0.com/oauth/grant-type/password-realm, but that responds with 400 Bad Request: Invalid grant types: https://auth0.com/oauth/grant-type/password-realm.

So how can I make a ResourceOwnerTokenRequest that targets the non-default directory?

Hi @baynezy

I will be looking into the inquiry that you are having regarding your passwordless implementation and come back as soon as possible with an update or more information!

Kind Regards,
Nik

Thanks @nik.baleca - much appreciated.

Hi again @baynezy

Regarding your implementation, you can take one of the following approaches. Please keep in mind that your application must be a Regular Web App and must not use Organizations to use your current testing flow. You should also be able to enable these grants by going to Applications → Your Application → Settings → Advanced Settings → Grant Types → Enable Password and Passwordless OTP:

  • Enable the password realm grant for your application using the Management API. The body of the request should look something like this:
{
  "grant_types": [
    "http://auth0.com/oauth/grant-type/password-realm"
  ]
}

Once you have done so, you should be able to do the same requests as before using your current code as long as the database connection is still enabled on the client, regardless of the flow that you are using.

  • Enable the passwordless otp grant for your application using the Management API. The request would look something like this:
{
  "grant_types": [
    "http://auth0.com/oauth/grant-type/passwordless/otp"
  ]
}

For your testing purposes, I believe you would want to have both of these enabled as such:

{
  "grant_types": [
    "http://auth0.com/oauth/grant-type/passwordless/otp",
    "http://auth0.com/oauth/grant-type/password-realm"
  ]
}

I am able to perform both of these flows using Postman once these grants have been enabled for the said application. If you wish to continue testing using passwordless, you would need the following things:

  • POST request to https://{{auth0_domain}}/passwordless/start.
  • Body parameters containing:
  1. Client ID
  2. Client Secret
  3. connection - use email to send a code
  4. User email
  5. send - use code to send a code to the email address
  6. authParams[scope] - use openid email profile read:current_user offline_access
  7. authParams[response_type] - use token id_token
  8. authParams[audience] - use https://{{auth0_domain}}/api/v2/ or the usual audience you are using
  • The next step would be the token request by making a POST to https://{{auth0_domain}}/oauth/token
  • The body parameters should contain:
  1. grant type - use http://auth0.com/oauth/grant-type/passwordless/otp
  2. Client ID
  3. Client Secret
  4. Realm - use email
  5. User email
  6. otp - code received in the email
  7. audience - same as above
  8. scope - use openid email profile read:current_user offline_access

Let me know if you have any other questions or difficulties with the situation at hand.

Kind Regards,
Nik
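The two procedures in Nik's reply (enabling the grants through the Management API, then the passwordless start/redeem exchange) written out against the same Auth0 .NET SDK the question uses. This is an added example, not code from the thread or from Auth0. It assumes the Auth0.AuthenticationApi and Auth0.ManagementApi NuGet packages, a Management API token holding update:clients and read:clients, and that the one-time code is obtained out of band (here typed in by hand) because Auth0 delivers it by e-mail; the environment variable names are hypothetical. Two points worth checking: the grant type identifiers are spelled with http://, not https:// (the 400 in the question came back for the https form), and grant_types is written as a whole list, so the update below merges with what the application already has rather than overwriting it.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Auth0.AuthenticationApi;
using Auth0.AuthenticationApi.Models;
using Auth0.ManagementApi;
using Auth0.ManagementApi.Models;

public static class PasswordlessTestTokens
{
    // Grant type identifiers exactly as Auth0 expects them: http://, not https://.
    public const string PasswordRealmGrant   = "http://auth0.com/oauth/grant-type/password-realm";
    public const string PasswordlessOtpGrant = "http://auth0.com/oauth/grant-type/passwordless/otp";

    // Enable both test grants on the application without dropping the grants it already has.
    // The client update sets grant_types as a whole list, so read, merge, then write.
    public static async Task EnsureTestGrantsAsync(string domain, string managementToken, string clientId)
    {
        var mgmt = new ManagementApiClient(managementToken, domain);
        var existing = await mgmt.Clients.GetAsync(clientId);
        var current = existing.GrantTypes ?? Array.Empty<string>();

        var merged = current.Union(new[] { PasswordRealmGrant, PasswordlessOtpGrant }).ToArray();
        if (merged.Length == current.Length)
            return; // both grants already enabled

        await mgmt.Clients.UpdateAsync(clientId, new ClientUpdateRequest { GrantTypes = merged });
    }

    // Step 1: POST /passwordless/start with connection=email and send=code.
    public static async Task StartEmailCodeAsync(string domain, string clientId, string clientSecret,
                                                 string email, string audience)
    {
        var auth = new AuthenticationApiClient(domain);
        await auth.StartPasswordlessEmailFlowAsync(new PasswordlessEmailRequest
        {
            ClientId = clientId,
            ClientSecret = clientSecret,
            Email = email,
            Type = PasswordlessEmailRequestType.Code,
            AuthenticationParameters = new Dictionary<string, object>
            {
                ["scope"] = "openid profile",
                ["audience"] = audience
            }
        });
    }

    // Step 2: POST /oauth/token with grant_type=passwordless/otp; the SDK sends realm=email.
    public static async Task<string> RedeemEmailCodeAsync(string domain, string clientId, string clientSecret,
                                                          string email, string oneTimeCode, string audience)
    {
        var auth = new AuthenticationApiClient(domain);
        var tokens = await auth.GetTokenAsync(new PasswordlessEmailTokenRequest
        {
            ClientId = clientId,
            ClientSecret = clientSecret,
            Email = email,
            Code = oneTimeCode,
            Audience = audience,
            Scope = "openid profile"
        });
        return tokens.AccessToken;
    }

    public static async Task Main()
    {
        // Hypothetical settings; in the question these come from GetOidcSettings(). Keep the
        // client secret and the Management API token out of source control.
        string domain       = Environment.GetEnvironmentVariable("AUTH0_DOMAIN");
        string clientId     = Environment.GetEnvironmentVariable("AUTH0_CLIENT_ID");
        string clientSecret = Environment.GetEnvironmentVariable("AUTH0_CLIENT_SECRET");
        string audience     = Environment.GetEnvironmentVariable("AUTH0_AUDIENCE");
        string mgmtToken    = Environment.GetEnvironmentVariable("AUTH0_MGMT_TOKEN");
        string testEmail    = Environment.GetEnvironmentVariable("AUTH0_TEST_EMAIL");

        await EnsureTestGrantsAsync(domain, mgmtToken, clientId);
        await StartEmailCodeAsync(domain, clientId, clientSecret, testEmail, audience);

        // The code arrives by e-mail; a CI job would read it from a test mailbox instead.
        Console.Write("Enter the code from the e-mail: ");
        string otp = Console.ReadLine();

        string accessToken = await RedeemEmailCodeAsync(domain, clientId, clientSecret, testEmail, otp, audience);
        Console.WriteLine(accessToken);
    }
}
```

With both grants enabled, the original ResourceOwnerTokenRequest with Realm = "Username-Password-Authentication" keeps working against the database connection, and this flow covers the passwordless directory; the pre-check in EnsureTestGrantsAsync makes the setup idempotent so it is safe to run before every test session.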
