Troubleshooting /oauth/token endpoint

I am attempting to use Postman to get an access token on behalf of a test user, so I can run automation against APIs secured by OIDC/Auth0.

My applications are all configured correctly and I can use OIDC with Auth0 to AuthN/AuthZ with my front end, and the tokens get passed correctly to my APIs and are validated fine.

My goal is to be able to generate the token on behalf of a user so that I can call protected API resources.

I am using the following code in my pre-request script in Postman.

setAuth0JWT();

function setAuth0JWT() {
  // fill local vars from Postman environment
  var domain = pm.environment.get("oauth-domain");
  var client_id = pm.environment.get("oauth-client_id");
  var client_secret = pm.environment.get("oauth-client_secret");
  var audience = pm.environment.get("oauth-audience");
  var username = pm.environment.get("oauth-username");
  var password = pm.environment.get("oauth-password");

  // load request object (resource owner password grant against /oauth/token)
  var req = {
    url: "https://" + domain + "/oauth/token",
    method: "POST",
    header: {
      "accept": "application/json",
      "content-type": "application/x-www-form-urlencoded"
    },
    body: {
      mode: 'formdata',
      formdata: [
        {key: "grant_type", value: "password"},
        {key: "username", value: username},
        {key: "password", value: password},
        {key: "audience", value: audience},
        {key: "scope", value: "profile"},
        {key: "client_id", value: client_id},
        {key: "client_secret", value: client_secret}
      ]
    }
  };

  // execute request for JWT, store token, set header
  pm.sendRequest(req, function (err, res) {
    // surface transport errors instead of storing an undefined token
    if (err) {
      console.log("token request failed", err);
      return;
    }
    pm.environment.set("bearer-token", res.json().access_token);
  });
}

All I get back is {"error":"access_denied","error_description":"Unauthorized"} so I have no idea what the issue is.

How do I even begin to debug this?

Hey there @baynezy!

Were you able to resolve this? Your code looks fine to me, so my guess is this is a configuration error somewhere. I would check that the client (client_id) has the password grant enabled to start. You can check if you navigate to the application in your dashboard → settings → advanced settings → grant types.

Thanks @tyf !

I have password as a grant type. However, I still get {"error":"access_denied","error_description":"Unauthorized"}

I don’t see any failed entries in Monitoring > Logs either which I would have expected.

What should my next step be?

Thanks for confirming!

What type of application is this in Auth0 (SPA, Web, etc.)?

@tyf - I worked it out.

The problem was that I was using the incorrect mode.

So instead of:

body: {
  mode: 'formdata',
  formdata: [
    {key: "grant_type", value: "password"},
    {key: "username", value: username},
    {key: "password", value: password},
    {key: "audience", value: audience},
    {key: "scope", value: "profile"},
    {key: "client_id", value: client_id},
    {key: "client_secret", value: client_secret}
  ]
}

I needed to use

body: {
  mode: 'urlencoded',
  urlencoded: [
    {key: "grant_type", value: "password"},
    {key: "username", value: username},
    {key: "password", value: password},
    {key: "audience", value: audience},
    {key: "scope", value: "openid profile"},
    {key: "client_id", value: client_id},
    {key: "client_secret", value: client_secret}
  ]
}

Ahh good catch! Thanks for sharing here :slight_smile:
