Auth0 Home Blog Docs

Using the Request Owner Password Endpoint on a new dev account

flow

#1

Hi I wanted to use Auth0 to test a native desktop Java Swing app designed to uses the “Request Owner Password” flow. The Auth0 implementation seems to be the “/oauth/ro” endpoint.

Unfortunately, according to the API doc’s “This feature is disabled by default for new tenants as of 8 June 2017.”

Is it possible to “enable” this endpoint in order to be able to test the workflow?

Thanks,

Kind regards,
Aitzol


#2

It should not be necessary to use the /oauth/ro endpoint.

There are two alternatives.

  1. we highly recommend not using the Resource Owner Password Grant flow for Native applications. It goes against the IETF standard for a variety of reasons. I highly recommend you read through the concerns before implementing this flow (including following the links below and reading the concerns laid out in the standard).

In the RFC 8252 OAuth 2.0 for Native Apps from the Internet Engineering Task Force (IETF) it is recommended that “OAuth 2.0 authorization request from native apps should ONLY be made through external user-agents, primarily the user’s browser”. It clearly lays this out here. There is also more information on this in OAuth 2.0 Best Practices for Native Apps.

  1. If you truly must use ROPG in your native app instead of PKCE as is recommended, then you can use our OIDC compliant ROPG endpoint. Instead of /oauth/ro.
  2. If there is some reason you can’t use that endpoint, then you can create a support ticket to get /oauth/ro enabled on your tenant, but you will have to justify why the above two options won’t work for you in the support ticket.

#3

Thanks @Carlos_Mostek,

Unfortunate we are talking about a legacy application. Whilst adding login via a browser (probably by bundling in a webkit browser) is planned, this is will not happen for a while and is out of my control. In the mean-time we need to add 0Auth2/OpenIDC so ROPG seems like the way to go right now.

I’ve tried using the endpoint you indicated, but I am getting the following 500 Internal Server Error response:

{
    "error": "server_error",
    "error_description": "Authorization server not configured with default connection."
}
POST https://{URL}.eu.auth0.com/oauth/token
{
    "client_id": "***",
    "connection": "email",
    "grant_type": "password",
    "username": "***",
    "password": "***",
    "scope": "openid"
}

Reading around the forum, it looks like I need to set the Default Directory in (my) the test user’s account settings. Could you clarify what I need to set this value too?

Thanks.

kind regards,
Aitzol


#4

You have two options:

  1. Use the password-realm grant type. Just pass the different grant_type and then you can add an additional “realm” property to the call which should be set to the database connection name you want to use
  2. Go to your tenant settings (drop-down in the upper right side of the manage dashboard). I believe it is on the general page, you can set the default connection for ROPG there.

#5

Thanks @Carlos_Mostek,

So finally got the /token endpoint working. I indicate below the exact config in case anyone else has the same issue in the future:

URL endpoint: https://{AUTH0_DOMAIN}/oauth/token

Post body:

{
    "client_id": "***",
    "grant_type": "password",
    "username": "email@provider.com",
    "password": "***"
}

Client Application settings:
The Client application who’s client ID you are using must be of type native and password must be checked within the Applications -> Settings -> Advanced Settings -> Grant Types pannel

Tenant Settings:
(Under tenant user account -> settings)
Set General -> API Authorization Settings ->Default Directory to Username-Password-Authentication

Hope this helps someone.

Kind regards
Aitzol


#6

I tried your solution because I have the same problem, but when I try to set Client Application settings and Tenant Settings both are forbidden so I am not able to set them.

Did somebody else had this problem?