oauthoauth-2.0postmanauth0auth0-delegated-admin

"Missing grant-type parameter" in Auth0 Delegation endpoint call

I'm trying to call (POST) the Auth0 delegation endpoint from Postman with the following request, as suggested by Auth0:

Content-Type: 'application/json'

{
  "client_id":   "{CLIENT_ID}",
  "grant_type":  "urn:ietf:params:oauth:grant-type:jwt-bearer",
  "id_token":    "{YOUR_ID_TOKEN}",
  "target":      "lwTL1rYVfC0KsBUFPeKWY3HvGjbIgdDM",
  "api_type":    "salesforce_api",
  "scope":       "openid"
}

I'm getting this error, even though the grant_type parameter is included in the above request:

{
    "error": "invalid_request",
    "error_description": "Missing grant_type parameter"
}

What am I doing wrong here?

Solution

  • From Auth0's new OIDC Conformant Authentication docs:

    Delegation

    Given that ID tokens should no longer be used as API tokens and that refresh tokens should be used only at the token endpoint, this endpoint is now considered deprecated.

    At the moment there is no OIDC-compliant mechanism to obtain third-party API tokens. In order to facilitate a gradual migration to the new authentication pipeline, delegation can still be used to obtain third-party API tokens. This will be deprecated in future releases.

    Also, from Auth0's Using AWS with Tokens docs:

    Legacy Grant Types

    As of 8 June 2017, new Auth0 customers cannot add any of the legacy grant types to their clients, which are required for use with the Delegation endpoint. Legacy grant types are only available for previous customers while they migrate to new flows, to avoid breaking changes. To find the secure alternative for your case refer to Secure Alternatives to the Legacy Grant Types.

    Reading further from the Secure Alternatives to the Legacy Grant Types link:

    Legacy Grant Type

    http://auth0.com/oauth/legacy/grant-type/ro/jwt-bearer


    Alternative

    This feature is disabled by default. If you would like this feature enabled, please contact support to discuss your use case and prevent the possibility of introducing security vulnerabilities.

    More info on legacy grant types can also be found here.

    So, the problem you are having is that Delegation has been deprecated. That means the /delegation endpoint and more importantly the jwt-bearer grant type, have been deprecated. If you are a new customer, you are out of luck. If you are an existing customer you need to contact support to get it enabled.

    As to why Postman returns the cryptic "Missing grant_type parameter" error as opposed to the much better "Grant type 'http://auth0.com/oauth/legacy/grant-type/delegation/id_token not allowed for the client." error you get with other browser extension based REST Clients, your guess is as good as mine.