Unauthorized request to /oauth/token

I’m trying to use Auth0 as the auth provider for an Apple Business Chat, but it looks like the way Apple Business Chat issues the token request isn’t compatible with Auth0’s expectations.

I discovered that Apple’s software issues a request to /oauth/token which looks like this:

POST https://super-awesome-domain.auth0.com/oauth/token?client_id=foo_bar_baz&code=some_code&grant_type=authorization_code&redirect_uri=https://auth.businesschat.apple.com&client_secret=super_secret

And the response from auth0 looks like:

{"error":"access_denied","error_description":"Unauthorized"}

Apparently Auth0 requires the request parameters to be in the body in JSON format, but I have no control over how Apple issues the request.

Is there a way to allow my Auth0 tenant to accept token requests with query parameters?

Hi, @ajgkhoros,

You are correct that it requires a body, because it’s a POST request.

This is actually to comply with the OAuth2 specification, specifically section 3.2: RFC 6749: The OAuth 2.0 Authorization Framework

The client MUST use the HTTP "POST" method when making access token requests.

Unfortunately, no - there is no way for us to accept token requests with query parameters. Have you attempted to contact Apple to check on what protocols they support, or if they can be OIDC compliant?

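The two request shapes discussed in the thread, as an added example that is not code from the thread, from Auth0 or from Apple: a small check in the spirit of RFC 6749 section 3.2 (POST required, parameters in the body, no client secret in the URL) applied first to the query-string request quoted in the question and then to the same parameters moved into a JSON body. The endpoint host and the client_id, code and client_secret values are placeholders constructed here; the function names are this example's own.

```python
"""Added example: why a query-string token request fails an RFC 6749
section 3.2 style check, and how the same parameters look once moved
into the request body. Not Auth0's or Apple's code."""
import json
from urllib.parse import parse_qs, urlsplit, urlunsplit

# Request shape quoted in the question, with placeholder values (constructed).
APPLE_STYLE_URL = (
    "https://super-awesome-domain.auth0.com/oauth/token"
    "?client_id=foo_bar_baz&code=some_code&grant_type=authorization_code"
    "&redirect_uri=https://auth.businesschat.apple.com&client_secret=super_secret"
)

# Parameters an authorization_code grant carries (RFC 6749 section 4.1.3);
# treated as required for this example.
REQUIRED = {"grant_type", "code", "redirect_uri", "client_id"}
# Values that should never travel in a URL: query strings end up in proxy,
# CDN, browser and server logs, so a secret placed there is effectively leaked.
SECRET_PARAMS = {"client_secret", "code"}


def check_token_request(method, url, body_params):
    """Apply the checks a token endpoint enforces per RFC 6749 section 3.2.

    `body_params` is the parsed request body as a dict (JSON or form-encoded).
    Returns a list of problems; an empty list means the request is acceptable.
    """
    problems = []
    if method.upper() != "POST":
        problems.append("method must be POST")
    query = parse_qs(urlsplit(url).query)
    leaked = sorted(SECRET_PARAMS & query.keys())
    if leaked:
        problems.append("sensitive parameters in query string: " + ", ".join(leaked))
    if query:
        problems.append("token request parameters must be sent in the body, not the query string")
    missing = sorted(REQUIRED - body_params.keys())
    if missing:
        problems.append("missing body parameters: " + ", ".join(missing))
    return problems


def move_query_to_body(url):
    """Rebuild an Apple-style request: strip the query string and return the
    bare endpoint, the Content-Type header and the parameters as a dict that
    will become the body (the form the thread says Auth0 expects).
    Hypothetical helper written for this example."""
    parts = urlsplit(url)
    params = {key: values[0] for key, values in parse_qs(parts.query).items()}
    endpoint = urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))
    headers = {"Content-Type": "application/json"}
    return endpoint, headers, params


def as_json_body(params):
    """Encode the parameters as the JSON body the token endpoint would receive."""
    return json.dumps(params)


if __name__ == "__main__":
    # The request as Apple sends it: every parameter, including the secret, in the URL.
    print(check_token_request("POST", APPLE_STYLE_URL, {}))
    # The same parameters in the body: the check passes.
    endpoint, headers, params = move_query_to_body(APPLE_STYLE_URL)
    print(endpoint, headers, as_json_body(params))
    print(check_token_request("POST", endpoint, params))
```

Running the block prints three problems for the query-string form (secrets in the URL, parameters outside the body, an empty body) and an empty list once the parameters are moved into the body, which is the outcome the original poster reports in the follow-up.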

Thanks for the response, @joseantonio.rey! I’m communicating with Apple directly now.

PS. I have additionally proven that the parameters as provided to Auth0 from Apple would actually work if they put them in the request body instead of as query parameters. So I guess that’s good news.