I'm trying to call (POST) the Auth0 delegation endpoint from Postman with the following request, as suggested by Auth0:

Content-Type: 'application/json'

{
  "client_id":   "{CLIENT_ID}",
  "grant_type":  "urn:ietf:params:oauth:grant-type:jwt-bearer",
  "id_token":    "{YOUR_ID_TOKEN}",
  "target":      "lwTL1rYVfC0KsBUFPeKWY3HvGjbIgdDM",
  "api_type":    "salesforce_api",
  "scope":       "openid"
}

I'm getting this error, even though the grant_type parameter is included in the above request:

{
    "error": "invalid_request",
    "error_description": "Missing grant_type parameter"
}

What am I doing wrong here?

asked by Nat (edited by robinCTS)
  • Please include the code for the request you are sending. Please remove the Google-oauth tag; it doesn't appear you are using Google's OAuth servers. – Linda Lawton - DaImTo Oct 30 '17 at 11:38
  • @DaImTo: Thanks for the reply. I'm trying this from Postman Client. So there is no code. Just added the header and pasted the above request body in the body and making a POST. – Nat Oct 30 '17 at 11:41
  • 1
    This error can be caused by not properly setting the content-type Beyond that i cant help without being able to test your code. please include https://stackoverflow.com/help/mcve. – Linda Lawton - DaImTo Oct 30 '17 at 12:06
  • 1
    The [Auth0 docs](https://auth0.com/docs/api/authentication#database-ad-ldap-active-) indicate you've got it right, but [another page implementing OAuth2](https://developer.atlassian.com/cloud/jira/platform/oauth-2-jwt-bearer-token-authorization-grant-type/) suggests the grant_type might need to be URL-encoded, i.e. replacing `:` with `%3A` in each case. Is that any help? – bouteillebleu Oct 30 '17 at 12:07
  • @DaImTo: At present there is no code, I am only trying it from the POSTMAN Client. Can you please suggest how I can include stackoverflow.com/help/mcve? Should I add it to the tag? – Nat Oct 30 '17 at 12:14
  • @bouteillebleu: Thanks for your reply. I tried replacing all : with %3A but still facing the same issue. – Nat Oct 30 '17 at 12:15
  • 1
    Postman has specific instructions and "helpers" for OAuth 2.0 as described here: https://www.getpostman.com/docs/postman/sending_api_requests/authorization – jwilleke Oct 30 '17 at 12:37
  • @jwilleke: Thanks for your comment. I checked that out. When I tried to check the Postman Console, I 'm not sure why there are no entries for my POSTs :( – Nat Oct 30 '17 at 13:12
  • 1
    Nat: What DalmTo means is to click the link, read about MCVE, and then to include one in your answer. Nat & @DaImTo: However, the MCVE comment ***is not applicable is this case***. The post request supplied in the question is as close to a working MCVE as you can get, as it is not appropriate to supply a working client ID or token ID. – robinCTS Nov 01 '17 at 03:03

1 Answer

From Auth0's new OIDC Conformant Authentication docs:

Delegation

Given that ID tokens should no longer be used as API tokens and that refresh tokens should be used only at the token endpoint, this endpoint is now considered deprecated.

At the moment there is no OIDC-compliant mechanism to obtain third-party API tokens. In order to facilitate a gradual migration to the new authentication pipeline, delegation can still be used to obtain third-party API tokens. This will be deprecated in future releases.

Also, from Auth0's Using AWS with Tokens docs:

Legacy Grant Types

As of 8 June 2017, new Auth0 customers cannot add any of the legacy grant types to their clients, which are required for use with the Delegation endpoint. Legacy grant types are only available for previous customers while they migrate to new flows, to avoid breaking changes. To find the secure alternative for your case refer to Secure Alternatives to the Legacy Grant Types.

Reading further from the Secure Alternatives to the Legacy Grant Types link:

Legacy Grant Type

http://auth0.com/oauth/legacy/grant-type/ro/jwt-bearer


Alternative

This feature is disabled by default. If you would like this feature enabled, please contact support to discuss your use case and prevent the possibility of introducing security vulnerabilities.

More info on legacy grant types can also be found here.


So, the problem you are having is that Delegation has been deprecated. That means the /delegation endpoint, and more importantly the jwt-bearer grant type, have been deprecated. If you are a new customer, you are out of luck. If you are an existing customer you need to contact support to get it enabled.

As to why Postman returns the cryptic "Missing grant_type parameter" error as opposed to the much better "Grant type 'http://auth0.com/oauth/legacy/grant-type/delegation/id_token not allowed for the client." error you get with other browser extension based REST Clients, your guess is as good as mine.

answered by robinCTS
  • 1
    @Nat If you are interested you could take the [Tour]. Another useful, and hard to find, link, is the [community moderated FAQ](https://meta.stackexchange.com/questions/7931/faq-for-stack-exchange-sites). – robinCTS Nov 01 '17 at 07:13
  • Sure, Thanks Robin! – Nat Nov 01 '17 at 07:25
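The following is an added example, not code from the question, the answer, or Auth0. It builds the exact /delegation request body from the question as a Python script (standard library only), so the encoding can be checked offline before anything is sent: the body must be raw JSON under Content-Type: application/json with the grant_type kept as a literal URN (JSON has no percent-encoding, so the %3A substitution tried in the comments only produces a value Auth0 will not recognise), the id_token must be an actual JWT rather than the placeholder, and the two error bodies quoted in the thread are mapped back to their likely cause. The tenant domain, client id and token are placeholders; the target and api_type values are the ones from the question; the sample token is constructed locally and unsigned. `send_delegation` is the only part that touches the network.

```python
"""Added example: prepare and sanity-check an Auth0 /delegation request
(jwt-bearer grant) offline, then classify the error payloads from the thread.
Not part of the original post; tenant, client id and token are placeholders."""
import base64
import json
import time
import urllib.error
import urllib.parse
import urllib.request

JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"


def build_delegation_request(domain, client_id, id_token, target, api_type, scope="openid"):
    """Return url, headers and raw body for POST https://<domain>/delegation.

    The body is the JSON object from the question and must go out under
    Content-Type: application/json. grant_type stays a literal URN: JSON is
    not form-encoded, so ':' must NOT be turned into '%3A' here.
    """
    body = {
        "client_id": client_id,
        "grant_type": JWT_BEARER,
        "id_token": id_token,
        "target": target,
        "api_type": api_type,
        "scope": scope,
    }
    return {
        "url": f"https://{domain}/delegation",
        "headers": {"Content-Type": "application/json"},
        "body": json.dumps(body).encode("utf-8"),
    }


def decode_body(req):
    """Parse the prepared JSON body back into a dict (what the server should see)."""
    return json.loads(req["body"].decode("utf-8"))


def form_encoded_body(fields):
    """The other common encoding, application/x-www-form-urlencoded. urlencode()
    already turns ':' into %3A itself; hand-encoding first would double-encode."""
    return urllib.parse.urlencode(fields).encode("ascii")


def inspect_id_token(id_token):
    """Decode the payload of a JWT WITHOUT verifying it, only to catch an obviously
    wrong value (placeholder left in, expired token) before it is sent.
    Returns the claims dict, or None if the value is not a three-part JWT."""
    parts = id_token.split(".")
    if len(parts) != 3:
        return None
    try:
        payload = parts[1]
        raw = base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4))
        return json.loads(raw.decode("utf-8"))
    except (ValueError, UnicodeDecodeError):
        return None


def is_expired(claims, now=None):
    """True if the (unverified) exp claim is in the past."""
    return "exp" in claims and claims["exp"] < (time.time() if now is None else now)


def classify_error(payload):
    """Map the two error bodies quoted in the thread to their likely cause."""
    err = payload.get("error")
    desc = payload.get("error_description", "")
    if err == "invalid_request" and "grant_type" in desc:
        # What Postman returned: the server never saw a grant_type field, which
        # (per the comments) points at the body not being parsed as JSON.
        return "body_not_parsed"
    if "not allowed for the client" in desc:
        # What other REST clients returned: the legacy delegation grant is
        # deprecated and not enabled for this client (see the answer).
        return "legacy_grant_disabled"
    return "other"


def send_delegation(req, timeout=10):
    """Network call (not exercised offline): POST the request, return (status, JSON)."""
    http_req = urllib.request.Request(req["url"], data=req["body"],
                                      headers=req["headers"], method="POST")
    try:
        with urllib.request.urlopen(http_req, timeout=timeout) as resp:
            return resp.status, json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as exc:
        text = exc.read().decode("utf-8", "replace")
        return exc.code, (json.loads(text) if text else {})


def make_unsigned_jwt(claims):
    """Constructed sample token for the local checks only ("alg":"none", empty
    signature). Never accept such a token anywhere that matters."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'none', 'typ': 'JWT'})}.{seg(claims)}."


if __name__ == "__main__":
    tok = make_unsigned_jwt({"sub": "user", "aud": "CLIENT_ID", "exp": int(time.time()) + 600})
    req = build_delegation_request("YOUR_TENANT.auth0.com", "CLIENT_ID", tok,
                                   "lwTL1rYVfC0KsBUFPeKWY3HvGjbIgdDM", "salesforce_api")
    print(req["headers"], decode_body(req)["grant_type"])
    print(classify_error({"error": "invalid_request",
                          "error_description": "Missing grant_type parameter"}))
```

If the offline checks pass and the tenant still answers with "not allowed for the client", the request is fine and the problem is the one in the answer: the legacy delegation grant is deprecated and has to be enabled per tenant.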