auth0 4.4.0 → 5.1.2

data/lib/auth0/mixins/httpproxy.rb

@@ -1,3 +1,5 @@
+require "addressable/uri"
+
 module Auth0
   module Mixins
     # here's the proxy for Rest calls based on rest-client, we're building all request on that gem
@@ -6,25 +8,40 @@ module Auth0
       attr_accessor :headers, :base_uri, :timeout
 
       # proxying requests from instance methods to HTTP class methods
-      %i(get post post_file put patch delete).each do |method|
-        define_method(method) do |path, body = {}|
-          safe_path = URI.escape(path)
+      %i(get post post_file put patch delete delete_with_body).each do |method|
+        define_method(method) do |path, body = {}, extra_headers = {}|
+          safe_path = Addressable::URI.escape(path)
           body = body.delete_if { |_, v| v.nil? }
-          result = if [:get, :delete].include?(method)
-                     call(method, url(safe_path), timeout, add_headers(params: body))
+          result = if method == :get
+                     # Mutate the headers property to add parameters.
+                     add_headers({params: body})
+                     # Merge custom headers into existing ones for this req.
+                     # This prevents future calls from using them.
+                     get_headers = headers.merge extra_headers
+                     # Make the call with extra_headers, if provided.
+                     call(:get, url(safe_path), timeout, get_headers)
+                   elsif method == :delete
+                     call(:delete, url(safe_path), timeout, add_headers({params: body}))
+                   elsif method == :delete_with_body
+                     call(:delete, url(safe_path), timeout, headers, body.to_json)
                    elsif method == :post_file
-                     call(:post, url(safe_path), timeout, headers, body)
+                     body.merge!(multipart: true)
+                     # Ignore the default Content-Type headers and let the HTTP client define them
+                     post_file_headers = headers.slice(*headers.keys - ['Content-Type'])
+                     # Actual call with the altered headers
+                     call(:post, url(safe_path), timeout, post_file_headers, body)
                    else
                      call(method, url(safe_path), timeout, headers, body.to_json)
                    end
           case result.code
           when 200...226 then safe_parse_json(result.body)
-          when 400       then raise Auth0::BadRequest, result.to_s
-          when 401       then raise Auth0::Unauthorized, result.body
-          when 403       then raise Auth0::AccessDenied, result.body
-          when 404       then raise Auth0::NotFound, result.body
-          when 500       then raise Auth0::ServerError, result.body
-          else                raise Auth0::Unsupported, result.body
+          when 400       then raise Auth0::BadRequest.new(result.body, code: result.code, headers: result.headers)
+          when 401       then raise Auth0::Unauthorized.new(result.body, code: result.code, headers: result.headers)
+          when 403       then raise Auth0::AccessDenied.new(result.body, code: result.code, headers: result.headers)
+          when 404       then raise Auth0::NotFound.new(result.body, code: result.code, headers: result.headers)
+          when 429       then raise Auth0::RateLimitEncountered.new(result.body, code: result.code, headers: result.headers)
+          when 500       then raise Auth0::ServerError.new(result.body, code: result.code, headers: result.headers)
+          else                raise Auth0::Unsupported.new(result.body, code: result.code, headers: result.headers)
           end
         end
       end
@@ -46,11 +63,17 @@ module Auth0
       end
 
       def call(method, url, timeout, headers, body = nil)
-        RestClient::Request.execute(method: method, url: url, timeout: timeout, headers: headers, payload: body)
+        RestClient::Request.execute(
+          method: method,
+          url: url,
+          timeout: timeout,
+          headers: headers,
+          payload: body
+        )
       rescue RestClient::Exception => e
         case e
         when RestClient::RequestTimeout
-          raise Auth0::RequestTimeout
+          raise Auth0::RequestTimeout.new(e.message)
         else
           return e.response
         end

data/lib/auth0/mixins/initializer.rb

@@ -1,7 +1,10 @@
+require 'json'
+
 module Auth0
   module Mixins
     # Help class where Auth0::Client initialization described
     module Initializer
+
       # Default initialization mechanism, moved here to keep Auth0::Client clear
       # accepts hash as parameter
       # you can get all required fields from here: https://auth0.com/docs/auth-api
@@ -10,10 +13,12 @@ module Auth0
       def initialize(config)
         options = Hash[config.map { |(k, v)| [k.to_sym, v] }]
         @base_uri = base_url(options)
-        @headers = client_headers(config)
+        @headers = client_headers
         @timeout = options[:timeout] || 10
         extend Auth0::Api::AuthenticationEndpoints
         @client_id = options[:client_id]
+        @client_secret = options[:client_secret]
+        @organization = options[:organization]
         initialize_api(options)
       end
 
@@ -36,7 +41,7 @@ module Auth0
       private
 
       def initialize_api(options)
-        api_v2?(options) ? initialize_v2(options) : initialize_v1(options)
+        initialize_v2(options)
         raise InvalidCredentials, 'Must supply a valid API token' if @token.nil?
         if options.fetch(:authorization, nil) == 'Basic'
           authorization_header_basic(options)
@@ -47,36 +52,15 @@ module Auth0
 
       def base_url(options)
         @domain = options[:domain] || options[:namespace]
-        raise InvalidApiNamespace, 'Api namespace must supply an API domain' if @domain.to_s.empty?
+        raise InvalidApiNamespace, 'API namespace must supply an API domain' if @domain.to_s.empty?
         "https://#{@domain}"
       end
 
-      def client_headers(config)
-        client_info = JSON.dump(name: 'ruby-auth0', version: Auth0::VERSION)
-
-        headers = {
-          'Content-Type' => 'application/json'
-        }
-
-        unless config[:opt_out_sdk_info]
-          headers['User-Agent'] = "Ruby/#{RUBY_VERSION}"
-          headers['Auth0-Client'] = Base64.urlsafe_encode64(client_info)
-        end
-
-        headers
-      end
-
       def initialize_v2(options)
         extend Auth0::Api::V2
-        @client_secret = options[:client_secret]
         @token = options[:access_token] || options[:token]
-      end
-
-      def initialize_v1(options)
-        extend Auth0::Api::V1
-        @client_secret = options[:client_secret]
-        raise InvalidCredentials, 'Invalid API v1 client_id and client_secret' if @client_id.nil? || @client_secret.nil?
-        @token = obtain_access_token
+        api_identifier = options[:api_identifier] || "https://#{@domain}/api/v2/"
+        @token = api_token(audience: api_identifier).token if @token.nil? && @client_id && @client_secret
       end
 
       def api_v2?(options)

data/lib/auth0/mixins/permission_struct.rb

@@ -0,0 +1,3 @@
+Auth0::Permission = Struct.new :permission_name, :resource_server_identifier do
+
+end

data/lib/auth0/mixins/validation.rb

@@ -0,0 +1,346 @@
+require 'zache'
+
+class Zache
+  def last(key)
+    @hash[key][:value] if @hash.key?(key)
+  end
+end
+
+module Auth0
+  module Mixins
+    # Module to provide validation for specific data structures.
+    module Validation
+
+      # Check a roles array
+      def validate_strings_array(strings)
+        raise Auth0::InvalidParameter, 'Must supply an array of strings' unless strings.kind_of?(Array)
+        raise Auth0::MissingParameter, 'Must supply an array of strings' if strings.empty?
+        raise Auth0::InvalidParameter, 'All array elements must be strings' unless strings.all? {|str| str.is_a? String}
+      end
+
+      # Check a permissions array
+      def validate_permissions_array(permissions)
+        raise Auth0::InvalidParameter, 'Must supply an array of Permissions' unless permissions.kind_of?(Array)
+        raise Auth0::MissingParameter, 'Must supply an array of Permissions' if permissions.empty?
+        raise Auth0::InvalidParameter, 'All array elements must be Permissions' unless permissions.all? do |permission|
+          permission.kind_of? ::Auth0::Permission
+        end
+        permissions.map { |permission| permission.to_h }
+      end
+
+      # rubocop:disable Metrics/ClassLength
+      class IdTokenValidator
+        def initialize(context)
+          @context = context
+        end
+
+        def validate(id_token)
+          decoding_error = 'ID token could not be decoded'
+
+          unless !id_token.to_s.empty? && id_token.split('.').count == 3
+            raise Auth0::InvalidIdToken, decoding_error
+          end
+
+          begin
+            header = JWT::JSON.parse(JWT::Base64.url_decode(id_token.split('.').first))
+          rescue
+            raise Auth0::InvalidIdToken, decoding_error
+          end
+
+          claims = decode_and_validate_signature(id_token, header)
+          validate_claims(claims)
+        end
+
+        private
+
+        # rubocop:disable Metrics/MethodLength, Metrics/AbcSize, Metrics/CyclomaticComplexity
+        def decode_and_validate_signature(id_token, header)
+          algorithm = @context[:algorithm]
+
+          unless algorithm.is_a?(Auth0::Mixins::Validation::JWTAlgorithm)
+            raise Auth0::InvalidIdToken, "Signature algorithm of \"#{algorithm}\" is not supported"
+          end
+
+          # The expiration verification will be performed in the validate_claims method
+          options = { algorithms: [algorithm.name], verify_expiration: false, verify_not_before: false }
+          secret = nil
+
+          case algorithm
+          when Auth0::Algorithm::RS256
+            kid = header['kid']
+            jwks = JSON.parse(JSON[algorithm.jwks], symbolize_names: true)
+
+            if !jwks[:keys].find { |key| key[:kid] == kid } && !algorithm.fetched_jwks?
+              jwks = JSON.parse(JSON[algorithm.jwks(force: true)], symbolize_names: true)
+            end
+
+            options[:jwks] = jwks
+          when Auth0::Algorithm::HS256
+            secret = algorithm.secret
+          end
+
+          begin
+            result = JWT.decode(id_token, secret, true, options)
+            result.first
+          rescue JWT::VerificationError
+            raise Auth0::InvalidIdToken, 'Invalid ID token signature'
+          rescue JWT::IncorrectAlgorithm
+            alg = header['alg']
+            raise Auth0::InvalidIdToken, "Signature algorithm of \"#{alg}\" is not supported. Expected the ID token"\
+                                         " to be signed with \"#{algorithm.name}\""
+          rescue JWT::DecodeError
+            raise Auth0::InvalidIdToken, "Could not find a public key for Key ID (kid) \"#{kid}\""
+          end
+        end
+
+        # rubocop:disable Metrics/PerceivedComplexity
+        def validate_claims(claims)
+          leeway = @context[:leeway]
+          nonce = @context[:nonce]
+          issuer = @context[:issuer]
+          audience = @context[:audience]
+          max_age = @context[:max_age]
+          org = @context[:organization]
+
+          raise Auth0::InvalidParameter, 'Must supply a valid leeway' unless leeway.is_a?(Integer) && leeway >= 0
+          raise Auth0::InvalidParameter, 'Must supply a valid nonce' unless nonce.nil? || !nonce.to_s.empty?
+          raise Auth0::InvalidParameter, 'Must supply a valid issuer' unless issuer.nil? || !issuer.to_s.empty?
+          raise Auth0::InvalidParameter, 'Must supply a valid audience' unless audience.nil? || !audience.to_s.empty?
+          raise Auth0::InvalidParameter, 'Must supply a valid organization' unless org.nil? || !org.to_s.empty?
+
+          unless max_age.nil? || (max_age.is_a?(Integer) && max_age >= 0)
+            raise Auth0::InvalidParameter, 'Must supply a valid max_age'
+          end
+
+          validate_iss(claims, issuer)
+          validate_sub(claims)
+          validate_aud(claims, audience)
+          validate_exp(claims, leeway)
+          validate_iat(claims, leeway)
+          validate_nonce(claims, nonce) if nonce
+          validate_azp(claims, audience) if claims['aud'].is_a?(Array) && claims['aud'].count > 1
+          validate_auth_time(claims, max_age, leeway) if max_age
+          validate_org(claims, org) if org
+        end
+        # rubocop:enable Metrics/MethodLength, Metrics/AbcSize, Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity
+
+        def validate_iss(claims, expected)
+          unless claims.key?('iss') && claims['iss'].is_a?(String)
+            raise Auth0::InvalidIdToken, 'Issuer (iss) claim must be a string present in the ID token'
+          end
+
+          unless expected == claims['iss']
+            raise Auth0::InvalidIdToken, "Issuer (iss) claim mismatch in the ID token; expected \"#{expected}\","\
+                                         " found \"#{claims['iss']}\""
+          end
+        end
+
+        def validate_sub(claims)
+          unless claims.key?('sub') && claims['sub'].is_a?(String)
+            raise Auth0::InvalidIdToken, 'Subject (sub) claim must be a string present in the ID token'
+          end
+        end
+
+        def validate_aud(claims, expected)
+          unless claims.key?('aud') && (claims['aud'].is_a?(String) || claims['aud'].is_a?(Array))
+            raise Auth0::InvalidIdToken, 'Audience (aud) claim must be a string or array of strings present'\
+                                         ' in the ID token'
+          end
+
+          if claims['aud'].is_a?(String) && expected != claims['aud']
+            raise Auth0::InvalidIdToken, "Audience (aud) claim mismatch in the ID token; expected \"#{expected}\","\
+                                         " found \"#{claims['aud']}\""
+          elsif claims['aud'].is_a?(Array) && !claims['aud'].include?(expected)
+            raise Auth0::InvalidIdToken, "Audience (aud) claim mismatch in the ID token; expected \"#{expected}\""\
+                                         " but was not one of \"#{claims['aud'].join ', '}\""
+          end
+        end
+
+        def validate_exp(claims, leeway)
+          unless claims.key?('exp') && claims['exp'].is_a?(Integer)
+            raise Auth0::InvalidIdToken, 'Expiration Time (exp) claim must be a number present in the ID token'
+          end
+
+          now = @context[:clock] || Time.now.to_i
+          exp_time = claims['exp'] + leeway
+
+          unless now < exp_time
+            raise Auth0::InvalidIdToken, 'Expiration Time (exp) claim mismatch in the ID token; current time'\
+                                         " \"#{now}\" is after expiration time \"#{exp_time}\""
+          end
+        end
+
+        def validate_iat(claims, leeway)
+          unless claims.key?('iat') && claims['iat'].is_a?(Integer)
+            raise Auth0::InvalidIdToken, 'Issued At (iat) claim must be a number present in the ID token'
+          end
+        end
+
+        def validate_nonce(claims, expected)
+          unless claims.key?('nonce') && claims['nonce'].is_a?(String)
+            raise Auth0::InvalidIdToken, 'Nonce (nonce) claim must be a string present in the ID token'
+          end
+
+          unless expected == claims['nonce']
+            raise Auth0::InvalidIdToken, "Nonce (nonce) claim mismatch in the ID token; expected \"#{expected}\","\
+                                         " found \"#{claims['nonce']}\""
+          end
+        end
+
+        def validate_org(claims, expected)
+          unless claims.key?('org_id') && claims['org_id'].is_a?(String)
+            raise Auth0::InvalidIdToken, 'Organization Id (org_id) claim must be a string present in the ID token'
+          end
+
+          unless expected == claims['org_id']
+            raise Auth0::InvalidIdToken, "Organization Id (org_id) claim value mismatch in the ID token; expected \"#{expected}\","\
+                                         " found \"#{claims['org_id']}\""
+          end
+        end
+
+        def validate_azp(claims, expected)
+          unless claims.key?('azp') && claims['azp'].is_a?(String)
+            raise Auth0::InvalidIdToken, 'Authorized Party (azp) claim must be a string present in the ID token'
+          end
+
+          unless expected == claims['azp']
+            raise Auth0::InvalidIdToken, 'Authorized Party (azp) claim mismatch in the ID token; expected'\
+                                         " \"#{expected}\", found \"#{claims['azp']}\""
+          end
+        end
+
+        def validate_auth_time(claims, max_age, leeway)
+          unless claims.key?('auth_time') && claims['auth_time'].is_a?(Integer)
+            raise Auth0::InvalidIdToken, 'Authentication Time (auth_time) claim must be a number present in the ID'\
+                                         ' token when Max Age (max_age) is specified'
+          end
+
+          now = @context[:clock] || Time.now.to_i
+          auth_valid_until = claims['auth_time'] + max_age + leeway
+
+          unless now < auth_valid_until
+            raise Auth0::InvalidIdToken, 'Authentication Time (auth_time) claim in the ID token indicates that too'\
+                                         ' much time has passed since the last end-user authentication. Current time'\
+                                         " \"#{now}\" is after last auth at \"#{auth_valid_until}\""
+          end
+        end
+      end
+      # rubocop:enable Metrics/ClassLength
+
+      class JWTAlgorithm
+        private_class_method :new
+
+        def name
+          raise RuntimeError, 'Must be overriden by the subclasses'
+        end
+      end
+
+      module Algorithm
+        # Represents the HS256 algorithm, which rely on shared secrets.
+        # @see https://auth0.com/docs/tokens/concepts/signing-algorithms
+        class HS256 < JWTAlgorithm
+          class << self
+            private :new
+
+            # Create a new instance passing the shared secret.
+            # @param secret [string] The HMAC shared secret.
+            # @return [HS256] A new instance.
+            def secret(secret)
+              new secret
+            end
+          end
+
+          attr_accessor :secret
+
+          def initialize(secret)
+            raise Auth0::InvalidParameter, 'Must supply a valid secret' if secret.to_s.empty?
+
+            @secret = secret
+          end
+
+          # Returns the algorithm name.
+          # @return [string] The algorithm name.
+          def name
+            'HS256'
+          end
+        end
+
+        # Represents the RS256 algorithm, which rely on public key certificates.
+        # @see https://auth0.com/docs/tokens/concepts/signing-algorithms
+        class RS256 < JWTAlgorithm
+          include Auth0::Mixins::HTTPProxy
+
+          @@cache = Zache.new.freeze
+
+          class << self
+            private :new
+
+            # Create a new instance passing the JWK set url.
+            # @param url [string] The url where the JWK set is located.
+            # @param lifetime [integer] The lifetime of the JWK set in-memory cache in seconds.
+            #   Must be a non-negative value. Defaults to *600 seconds* (10 minutes).
+            # @return [RS256] A new instance.
+            def jwks_url(url, lifetime: 10 * 60)
+              new url, lifetime
+            end
+
+            # Clear the JWK set cache.
+            def remove_jwks
+              @@cache.remove(:jwks)
+            end
+          end
+
+          def initialize(jwks_url, lifetime)
+            raise Auth0::InvalidParameter, 'Must supply a valid jwks_url' if jwks_url.to_s.empty?
+            raise Auth0::InvalidParameter, 'Must supply a valid lifetime' unless lifetime.is_a?(Integer) && lifetime >= 0
+
+            @lifetime = lifetime
+            @jwks_url = jwks_url
+            @did_fetch_jwks = false
+          end
+
+          # Returns the algorithm name.
+          # @return [string] The algorithm name.
+          def name
+            'RS256'
+          end
+
+          # Fetches the JWK set from the in-memory cache or from the url.
+          # @return [hash] A JWK set.
+          def jwks(force: false)
+            result = fetch_jwks if force
+
+            if result
+              @@cache.put(:jwks, result, lifetime: @lifetime)
+              return result
+            end
+
+            previous_value = @@cache.last(:jwks)
+
+            @@cache.get(:jwks, lifetime: @lifetime, dirty: true) do
+              new_value = fetch_jwks
+
+              raise Auth0::InvalidIdToken, 'Could not fetch the JWK set' unless new_value || previous_value
+
+              new_value || previous_value
+            end
+          end
+
+          # Returns whether or not the JWK set was fetched from the url.
+          # @return [boolean] +true+ if a request to the JWK set url was made, +false+ otherwise.
+          def fetched_jwks?
+            @did_fetch_jwks
+          end
+
+          private
+
+          def fetch_jwks
+            result = get(@jwks_url)
+            @did_fetch_jwks = result.is_a?(Hash) && result.key?('keys')
+            result if @did_fetch_jwks
+          end
+        end
+      end
+    end
+  end
+end

data/lib/auth0/mixins.rb

@@ -1,14 +1,22 @@
 require 'base64'
 require 'rest-client'
 require 'uri'
+
+require 'auth0/mixins/access_token_struct'
+require 'auth0/mixins/api_token_struct'
+require 'auth0/mixins/headers'
 require 'auth0/mixins/httpproxy'
 require 'auth0/mixins/initializer'
+require 'auth0/mixins/permission_struct'
+require 'auth0/mixins/validation'
+
 require 'auth0/api/authentication_endpoints'
-require 'auth0/api/v1'
 require 'auth0/api/v2'
+
 module Auth0
   # Collecting dependencies here
   module Mixins
+    include Auth0::Mixins::Headers
     include Auth0::Mixins::HTTPProxy
     include Auth0::Mixins::Initializer
   end

data/lib/auth0/version.rb

@@ -1,4 +1,4 @@
 # current version of gem
 module Auth0
-  VERSION = '4.4.0'.freeze
+  VERSION = '5.1.2'.freeze
 end

data/lib/auth0.rb

@@ -1,6 +1,7 @@
 require 'auth0/version'
 require 'auth0/mixins'
 require 'auth0/exception'
+require 'auth0/algorithm'
 require 'auth0/client'
 require 'auth0_client'
 # Namespace for ruby-auth0 logic

data/spec/fixtures/vcr_cassettes/Auth0_Api_AuthenticationEndpoints/_change_password/should_trigger_a_password_reset.yml

@@ -0,0 +1,63 @@
+---
+http_interactions:
+- request:
+    method: post
+    uri: https://auth0-sdk-tests.auth0.com/dbconnections/change_password
+    body:
+      encoding: UTF-8
+      string: '{"email":"rubytest-username-1@auth0.com","password":"","connection":"Username-Password-Authentication","client_id":"2cnWuug6zaFX1j0ge1P99jAUn0F4XSuI"}'
+    headers:
+      Accept:
+      - "*/*"
+      Accept-Encoding:
+      - gzip, deflate
+      User-Agent:
+      - Ruby/2.5.1
+      Content-Type:
+      - application/json
+      Auth0-Client:
+      - eyJuYW1lIjoicnVieS1hdXRoMCIsInZlcnNpb24iOiI0LjUuMCJ9
+      Authorization:
+      - Bearer API_TOKEN
+      Content-Length:
+      - '150'
+      Host:
+      - auth0-sdk-tests.auth0.com
+  response:
+    status:
+      code: 200
+      message: OK
+    headers:
+      Date:
+      - Wed, 10 Oct 2018 23:19:59 GMT
+      Content-Type:
+      - text/html; charset=utf-8
+      Transfer-Encoding:
+      - chunked
+      Connection:
+      - keep-alive
+      Vary:
+      - Accept-Encoding
+      X-Auth0-Requestid:
+      - b1edcce5da4346cf4e72
+      X-Ratelimit-Limit:
+      - '10'
+      X-Ratelimit-Remaining:
+      - '9'
+      X-Ratelimit-Reset:
+      - '1539213660'
+      Cache-Control:
+      - private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+      Strict-Transport-Security:
+      - max-age=15724800
+      X-Robots-Tag:
+      - noindex, nofollow, nosnippet, noarchive
+      Content-Encoding:
+      - gzip
+    body:
+      encoding: ASCII-8BIT
+      string: !binary |-
+        H4sIAAAAAAAAAwtPVS9LVcgqLS5RKE7NK1GozC9VSMxTSM1NzMxRKMlXKEotTgWLFikUJBYXl+cXpegBAKHKLwA0AAAA
+    http_version: 
+  recorded_at: Wed, 10 Oct 2018 23:19:59 GMT
+recorded_with: VCR 4.0.0

data/spec/fixtures/vcr_cassettes/Auth0_Api_AuthenticationEndpoints/_login_with_resource_owner/should_fail_with_an_incorrect_email.yml

@@ -0,0 +1,54 @@
+---
+http_interactions:
+- request:
+    method: post
+    uri: https://auth0-sdk-tests.auth0.com/oauth/token
+    body:
+      encoding: UTF-8
+      string: '{"username":"rubytest-username-1@auth0.com_invalid","password":"23kejn2jk3en2jke2jk3be2jk3ber","client_id":"2cnWuug6zaFX1j0ge1P99jAUn0F4XSuI","client_secret":"CLIENT_SECRET","scope":"openid","grant_type":"password"}'
+    headers:
+      Accept:
+      - "*/*"
+      Accept-Encoding:
+      - gzip, deflate
+      User-Agent:
+      - Ruby/2.5.1
+      Content-Type:
+      - application/json
+      Auth0-Client:
+      - eyJuYW1lIjoicnVieS1hdXRoMCIsInZlcnNpb24iOiI0LjUuMCJ9
+      Authorization:
+      - Bearer API_TOKEN
+      Content-Length:
+      - '266'
+      Host:
+      - auth0-sdk-tests.auth0.com
+  response:
+    status:
+      code: 403
+      message: Forbidden
+    headers:
+      Date:
+      - Wed, 17 Oct 2018 17:17:52 GMT
+      Content-Type:
+      - application/json
+      Content-Length:
+      - '72'
+      Connection:
+      - keep-alive
+      X-Auth0-Requestid:
+      - b6bab16857282fef5757
+      X-Ratelimit-Limit:
+      - '100'
+      X-Ratelimit-Remaining:
+      - '94'
+      X-Ratelimit-Reset:
+      - '1539801484'
+      Cache-Control:
+      - private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+    body:
+      encoding: UTF-8
+      string: '{"error":"invalid_grant","error_description":"Wrong email or password."}'
+    http_version: 
+  recorded_at: Wed, 17 Oct 2018 17:17:52 GMT
+recorded_with: VCR 4.0.0