Token Endpoint Authentication Method Post vs None

When I make a POST request to https://my.auth0.domain/oauth/token, it returns a 401 response with the body:


{
    "error": "access_denied",
    "error_description": "Unauthorized"
}

My request body is:

{
    "grant_type": "password",
    "username": "user@emal.com",
    "password": "user password",
    "client_id": "client id for my app",
    "client secret": "client secret for my app",
    "audience": "my api identifier"
}

After changing the Token Endpoint Authentication Method from Post to None, it works as expected, returning a 200 response with an access token in the body. But after making this change in settings, Client Credentials is disabled in the grant types of the application. As a result, I cannot get an access token for the client:

Client is not authorized to access “my identifier”. You need to create a “client-grant” associated to this API. See: Auth0 Management API v2

So, these two are mutually exclusive to achieve. Should I create two different applications to be able to get both client and user access tokens?

Hi @elgin.cahangirov,

Welcome to the Auth0 Community and sorry for the delayed response!

Can you tell us a bit about your use case? What type of application are you using?

Additionally, you should be able to set the token authentication type to POST, and enable the client credentials grant in the Advanced Settings → Grant Types options. Have you tried this?
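
An added example, not part of the thread and not Auth0's code: a pre-flight check that compares a token request body with the application's Token Endpoint Authentication Method, run on the body posted in the question with placeholder values. The function name is hypothetical; `client_secret_post` and `none` are the RFC 7591 names for the Post and None settings.

```python
# Added example: check an OAuth token request body against the client's
# token endpoint auth method. Parameter names follow RFC 6749.
import re

def _norm(key):
    """Collapse spaces, hyphens and case so near-miss keys can be matched."""
    return re.sub(r"[\s\-]+", "_", key.strip().lower())

def check_token_request(body, auth_method):
    """Return a list of findings; an empty list means the body is consistent."""
    findings = []
    grant = body.get("grant_type")
    if not grant:
        findings.append("grant_type is missing")
    if "client_id" not in body:
        findings.append("client_id is missing")
    if auth_method == "client_secret_post":      # "Post" in the dashboard
        if "client_secret" not in body:
            near = [k for k in body if _norm(k) == "client_secret"]
            if near:
                findings.append(f"key {near[0]!r} is not 'client_secret'; the secret is not being sent")
            else:
                findings.append("client_secret is missing for method 'client_secret_post'")
    elif auth_method == "none":                  # "None": public client
        if "client_secret" in body:
            findings.append("client_secret sent by a client configured as public (method 'none')")
        if grant == "client_credentials":
            findings.append("client_credentials grant is unavailable with method 'none'")
    else:
        findings.append(f"auth method {auth_method!r} is not covered by this check")
    if grant == "password":
        for field in ("username", "password"):
            if field not in body:
                findings.append(f"{field} is missing for the password grant")
    return findings

# Request body with the keys as posted in the question (values are constructed).
POSTED_BODY = {
    "grant_type": "password",
    "username": "user@example.com",
    "password": "placeholder",
    "client_id": "placeholder-client-id",
    "client secret": "placeholder-secret",
    "audience": "placeholder-api-identifier",
}

if __name__ == "__main__":
    for method in ("client_secret_post", "none"):
        print(method, check_token_request(POSTED_BODY, method))
```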