Auth0 authentication method is missing documentation

I'm trying to authenticate with Auth0 so that my API calls will work, and I'm getting a 403 error even though my credentials are correct.
There is no documentation on how to make the integration work.
I expected to be redirected to Auth0 for authentication, but instead, it uses a client grant, which seems unhelpful as I want to authenticate as a specific admin user in my system.
In addition, there's no way to request specific scopes. Is this intended?

This is the error that was logged in Auth0:

{
  "date": "2023-02-08T16:23:13.453Z",
  "type": "feccft",
  "description": "Client is not authorized to access \"https://mydomain.uk.auth0.com/api/v2/\". You need to create a \"client-grant\" associated to this API. See: https://auth0.com/docs/api/v2#!/Client_Grants/post_client_grants",
  "connection_id": "",
  "client_id": "MyClientId",
  "client_name": "MyName",
  "ip": "35.90.103.132",
  "user_agent": "Other 0.0.0 / Other 0.0.0",
  "hostname": "mydomain.uk.auth0.com",
  "user_id": "",
  "user_name": "",
  "audience": "https://mydomain.uk.auth0.com/api/v2/",
  "scope": null,
  "log_id": "90020230208162313461000000000000000007029122477687046144",
  "_id": "90020230208162313461000000000000000007029122477687046144",
  "isMobile": false,
  "id": "90020230208162313461000000000000000007029122477687046144"
}

What am I doing wrong here? Note that the client credentials grant is turned on for my app so this shouldn't be a problem but the error I'm getting indicates otherwise.

Should I be using a different authentication method?

Hey @Omer_Katz!

It might help to see more of your auth configuration both from the Retool side and from your OAuth app. Will reach out in case that's something you'd be willing to share (not necessarily publicly :sweat_smile:)

Has this documentation ever been added? I am trying to do the same thing and don't see anywhere that retool has documented the Auth0 resource configuration.

@JQ105 good question! Looks like for the Auth0 authentication option on our REST API resource, we use “client credentials” grant_type, which is a client <-> server handshake that doesn’t require any user interaction. Specifically, the Auth0 option shown in the screenshot below only supports the Client Credentials use case documented in Auth0 docs: Client Credentials Flow and Call Your API Using the Client Credentials Flow

I've filed a request to our product team to rename the Auth0 option to be clearer that it’s only for the “Auth0 Client Credentials” flow. While I was at it, I requested whether there'd be a way to add a tooltip somewhere (perhaps on each of the fields above like "Auth0 Domain", "Auth0 Client ID", "Auth0 Client Secret") that points to the Auth0 docs containing where to locate this information. Appreciate the feedback that it is currently confusing as to which of Auth0's many authentication types is supported.

As for documentation, given the dozens and dozens of third party platforms that Retool integrates with, including auth providers, our docs team prefers that users reference the docs provided by that third party (in this case Auth0's own docs). This is because things could change on their end, and their docs should be considered the source of truth. Still, in-product we could be clearer with the nomenclature and tooltips.

In terms of the specific use case @Omer_Katz outlined above, it sounds like you're trying to use OAuth2 with Auth0. I believe you could solve the problem by selecting OAuth2.0 as the Authentication option instead of Auth0, and specifying the scopes you need. :thinking: Hope that helps as a possible workaround.
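As an added illustration of the distinction drawn in this answer (example code, not from the thread, Retool or Auth0), the Python below builds the token request Auth0 expects for the Client Credentials flow and inspects an access token's claims to show why such a token never identifies a user and why the audience must be covered by a client grant. The domain, client ID and tokens are constructed placeholders; the `gty` and `sub` claim shapes are the ones Auth0 uses for machine-to-machine tokens.

```python
import base64
import json
from urllib.parse import urlencode

# Constructed placeholders standing in for a tenant; not live credentials.
AUTH0_DOMAIN = "mydomain.uk.auth0.com"
MGMT_API_AUDIENCE = f"https://{AUTH0_DOMAIN}/api/v2/"

def client_credentials_request(client_id, client_secret, audience):
    """Build the POST /oauth/token request used by the Client Credentials flow.
    No user takes part: only the client authenticates, so the token cannot act
    as a specific admin user. Auth0 rejects the exchange (HTTP 403, log type
    feccft) unless a client grant ties client_id to the requested audience.
    """
    form = {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "audience": audience}
    return f"https://{AUTH0_DOMAIN}/oauth/token", urlencode(form)

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def _unb64url(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_sample_token(claims: dict) -> str:
    """Constructed, unsigned JWT for offline inspection (dummy signature segment)."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.dummy"

def describe_access_token(token: str, expected_audience: str) -> dict:
    """Read claims for diagnostics only: no signature check, never authorize on this."""
    claims = json.loads(_unb64url(token.split(".")[1]))
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    return {
        # Auth0 marks machine-to-machine tokens with gty=client-credentials and a
        # subject of the form <client_id>@clients: there is no human user behind it.
        "is_client_credentials": claims.get("gty") == "client-credentials",
        "subject": claims.get("sub"),
        "audience_ok": expected_audience in audiences,
        # scope may be null (as in the log above); treat that as no scopes granted.
        "scopes": (claims.get("scope") or "").split(),
    }

if __name__ == "__main__":
    url, body = client_credentials_request("MyClientId", "<client-secret>", MGMT_API_AUDIENCE)
    print(url, body, sep="\n")
    m2m = make_sample_token({"sub": "MyClientId@clients", "aud": MGMT_API_AUDIENCE,
                             "gty": "client-credentials", "scope": "read:users"})
    print(describe_access_token(m2m, MGMT_API_AUDIENCE))
```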

Thanks for the detailed response and clarification. I was able to get this to work by following your suggestion and using the generic OAuth2.0 option instead of Auth0.

Clarification on the naming/tooltip that you suggest will likely go a long way toward avoiding confusion for other users in the future.


FYI, circling back to confirm that the update to make this clearer in the product was completed about a month ago! Thanks to @JQ105's question and feedback here, we've changed the wording in the Authentication dropdown from the too-generic Auth0 to Auth0 Client Credentials with a notice that points to the relevant docs, and even suggests using the OAuth 2.0 option instead for use cases outside of the client credential flow.

So when you are configuring a resource and select this Authentication type, you will see this more helpful guidance in the product itself:

Thanks again to all of you for sharing these questions and feedback!