I am trying to retrieve an access token for my API through Auth0. My application and API are set up in Auth0. If I send a request through Postman all is good. However, when I request through my angular app, I get a 401 error "access_denied".
The raw http request generated from angular (that doesn't work) is:
```http
POST https://ACCOUNT.auth0.com/oauth/token HTTP/1.1
Host: gacattak.auth0.com
Connection: keep-alive
Content-Length: 210
Pragma: no-cache
Cache-Control: no-cache
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36
content-type: text/plain
Origin: http://localhost:4200
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost:4200/callback
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9

{ "client_id":"CLIENT_ID", "client_secret":"CLIENT_SECRET", "audience":"API_URL", "grant_type":"client_credentials" }
```
The response from this request is:
```http
HTTP/1.1 401 Unauthorized
Date: Sun, 10 May 2020 21:38:54 GMT
Content-Type: application/json
Content-Length: 60
Connection: keep-alive
Server: nginx
ot-tracer-spanid: 0b9da465429fa2b6
ot-tracer-traceid: 3f4f92ca634996df
ot-tracer-sampled: true
ot-baggage-auth0-request-id: c183f69c93c7973cb432dc78
X-Auth0-RequestId: 802fba1aa3437e9b24c4
Set-Cookie: did=s%3Av0%3Aa55fb060-9306-11ea-bfd6-312783a9f474.U2HrQl3KVe%2FwgK4fL74FqFddwYH4iagTH24GHPvII2Q; Max-Age=31557600; Path=/; Expires=Tue, 11 May 2021 03:38:54 GMT; HttpOnly; Secure; SameSite=None
Set-Cookie: did_compat=s%3Av0%3Aa55fb060-9306-11ea-bfd6-312783a9f474.U2HrQl3KVe%2FwgK4fL74FqFddwYH4iagTH24GHPvII2Q; Max-Age=31557600; Path=/; Expires=Tue, 11 May 2021 03:38:54 GMT; HttpOnly; Secure
Access-Control-Allow-Origin: http://localhost:4200
X-RateLimit-Limit: 30
X-RateLimit-Remaining: 29
X-RateLimit-Reset: 1589146735
cache-control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0, no-transform

{"error":"access_denied","error_description":"Unauthorized"}
```
The raw http request generated from Postman is:
```http
POST https://ACCOUNT.auth0.com/oauth/token HTTP/1.1
Content-Type: application/json
Postman-Token: d14b0c57-554b-4dba-b68f-05971da85ecb
Host: ACCOUNT.auth0.com
Content-Length: 221
Cookie: did=s%3Av0%3A7ae18350-9314-11ea-87eb-d7ba4a7f045b.w9PKfAKMOzjGUi6Kb4ZU4D0PN6u42pHGtZFWn1abvoM; did_compat=s%3Av0%3A7ae18350-9314-11ea-87eb-d7ba4a7f045b.w9PKfAKMOzjGUi6Kb4ZU4D0PN6u42pHGtZFWn1abvoM

{
  "client_id":"CLIENT_ID",
  "client_secret":"CLIENT_SECRET",
  "audience":"API_URL",
  "grant_type":"client_credentials"
}
```
And the response is:
```http
HTTP/1.1 200 OK
Date: Mon, 11 May 2020 00:33:12 GMT
Content-Type: application/json
Content-Length: 822
Connection: keep-alive
Server: nginx
ot-tracer-spanid: 4805513e35ed8153
ot-tracer-traceid: 42c6383f201f080b
ot-tracer-sampled: true
ot-baggage-auth0-request-id: a5d16ad0458cc1d04765f4e0
X-Auth0-RequestId: 1c5f74c3e5b99f41ed83
X-RateLimit-Limit: 30
X-RateLimit-Remaining: 29
X-RateLimit-Reset: 1589157193
Cache-Control: no-store
Pragma: no-cache
Strict-Transport-Security: max-age=15724800
X-Robots-Tag: noindex, nofollow, nosnippet, noarchive

{"access_token":"ACCESS_TOKEN","expires_in":86400,"token_type":"Bearer"}
```
I can't figure out what is materially different between the Postman generated request and the one coming from my Angular SPA.
Appreciate any help.
The `content-type` of your Angular request is `text/plain`. It should be `application/json`.