Valid access token still getting a 401

I have a client app in React which authenticates correctly with Auth0; the access token received is valid and contains the proper audience (validated the token in jwt.io with the Auth0 certificate). The server is registering a token validated event, then a message "AuthenticationScheme: Bearer was challenged.", and soon after a 401 is returned. The server is also correctly configured with the proper domain and audience. The HTTP request contains the Authorization header with the Bearer scheme.

Decoded JWT payload (with some replacements):

{
  "iss": "https://work.eu.auth0.com/",
  "sub": "google-oauth2|XXXX",
  "aud": [
    "https://my-api.com",
    "https://work.eu.auth0.com/userinfo"
  ],
  "iat": 1507787600,
  "exp": 1507794800,
  "azp": "iqb4QobWGTA6Xmo3Ys8sIVCK1T5aPsdr",
  "scope": "openid profile my-api"
}

Server logs for the request:

      => RequestId:0HL8GQM6G7E9T:00000001 RequestPath:/api/1.0/things => my-app.things.Controller.Get (Web)
      Authorization failed for user: (null).
Microsoft.AspNetCore.Authorization.DefaultAuthorizationService:Information: Authorization failed for user: (null).
info: Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker[3]
      => RequestId:0HL8GQM6G7E9T:00000001 RequestPath:/api/1.0/things => my-app.things.Controller.Get (Web)
      Authorization failed for the request at filter 'Microsoft.AspNetCore.Mvc.Authorization.AuthorizeFilter'.
Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker:Information: Authorization failed for the request at filter 'Microsoft.AspNetCore.Mvc.Authorization.AuthorizeFilter'.
info: Microsoft.AspNetCore.Mvc.ChallengeResult[1]
      => RequestId:0HL8GQM6G7E9T:00000001 RequestPath:/api/1.0/things => my-app.things.Controller.Get (Web)
      Executing ChallengeResult with authentication schemes ().
Microsoft.AspNetCore.Mvc.ChallengeResult:Information: Executing ChallengeResult with authentication schemes ().
info: Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler[2]
      => RequestId:0HL8GQM6G7E9T:00000001 RequestPath:/api/1.0/things => my-app.things.Controller.Get (Web)
      Successfully validated the token.
Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler:Information: Successfully validated the token.
info: Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler[12]
      => RequestId:0HL8GQM6G7E9T:00000001 RequestPath:/api/1.0/things => my-app.things.Controller.Get (Web)
      AuthenticationScheme: Bearer was challenged.
Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler:Information: AuthenticationScheme: Bearer was challenged.
info: Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker[2]
      => RequestId:0HL8GQM6G7E9T:00000001 RequestPath:/api/1.0/things => my-app.things.Controller.Get (Web)
      Executed action my-app.things.Controller.Get (Web) in 23.2551ms
Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker:Information: Executed action my-app.things.Controller.Get (Web) in 23.2551ms
info: Microsoft.AspNetCore.Hosting.Internal.WebHost[2]
      => RequestId:0HL8GQM6G7E9T:00000001 RequestPath:/api/1.0/things
      Request finished in 31.3853ms 401 
Microsoft.AspNetCore.Hosting.Internal.WebHost:Information: Request finished in 31.3853ms 401 
The thread 4456 has exited with code 0 (0x0).
1 Like

According to the logs you provided (thanks for that) the access token is being validated successfully, but then the identity generated from that access token is not enough to satisfy the requirement of an AuthorizeFilter. For example, I know that it’s possible in ASP .NET Core to use an Authorize attribute to request a certain role present in the current identity.

If your controller methods are decorated with something like that then even if the access token is valid from a signature and audience validation perspective it may still not meet the full requirements which can likely result in the 401 you’re experiencing. I say likely, because I don’t have much experience with using ASP .NET Core so not sure on all the details.

1 Like

Thank you so much for your quick response. Still haven't figured out the problem, but at least I have something to look at. There is indeed an Authorize attribute, and roles can be specified. But in my case I have none yet.

    using Microsoft.AspNetCore.Authorization;
    using Microsoft.AspNetCore.Mvc;

    [Route("api/1.0/things")]
    [Authorize]   // no Roles or Policy given, so any authenticated principal satisfies it
    public class Controller : BaseController
    {
        // More code
    }

I will try to dig deeper into the authorization in the dotnet core app.

Solved it!!
Authentication had no problems. The thing is that ASP.NET in .NET Core is all about pipelines and middleware... So the middleware order matters. The authentication middleware must be set up before the MVC one.

2 Likes

Authentication’s middleware must be set up before MVC’s one.

app.UseAuthentication();

app.UseMvc();
4 Likes
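As an added example (not code from this thread or from the poster's project), here is a minimal ASP.NET Core 2.x Startup that registers the JwtBearer handler with the issuer and audience taken from the decoded token above, and shows the middleware order that fixes the 401 next to the order that produces it. The option and type names are the standard ones from Microsoft.AspNetCore.Authentication.JwtBearer; everything else (class layout, comments) is assumed for illustration.

```csharp
// Added example, not the original poster's code: ASP.NET Core 2.x Startup
// wiring JwtBearer for the Auth0 tenant and API audience seen in the token
// above, with the middleware order that makes [Authorize] see the validated
// identity. Values and names outside the JwtBearer API are assumptions.
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(options =>
        {
            // Without a default scheme, [Authorize] has nothing to authenticate with.
            options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
        })
        .AddJwtBearer(options =>
        {
            // Authority drives discovery of the signing keys from
            // https://work.eu.auth0.com/.well-known/openid-configuration and
            // sets the expected "iss". Audience must match an entry in "aud".
            options.Authority = "https://work.eu.auth0.com/";
            options.Audience = "https://my-api.com";

            // RequireHttpsMetadata defaults to true; leave it so discovery and
            // key material are only ever fetched over TLS.
            options.TokenValidationParameters = new TokenValidationParameters
            {
                ValidateIssuer = true,
                ValidateAudience = true,
                ValidateLifetime = true,          // enforces "exp" (and "nbf" if present)
                ValidateIssuerSigningKey = true
            };
        });

        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app)
    {
        // WRONG order (what produces the log above): MVC runs first, the
        // AuthorizeFilter sees an empty HttpContext.User, fails with
        // "Authorization failed for user: (null)" and issues a challenge;
        // only then does the JwtBearer handler run and validate the token,
        // after which it returns the 401 because the request was already challenged.
        //
        //   app.UseMvc();
        //   app.UseAuthentication();
        //
        // RIGHT order: authenticate the bearer token before MVC's filters run,
        // so HttpContext.User is populated when [Authorize] is evaluated.
        app.UseAuthentication();
        app.UseMvc();
    }
}
```

The log sequence in the first post is the fingerprint of the wrong order: "Authorization failed for user: (null)" is emitted before "Successfully validated the token", because the handler was only invoked by the filter's ChallengeResult. In ASP.NET Core 3.0 and later the same requirement applies to the endpoint pipeline: app.UseRouting(); app.UseAuthentication(); app.UseAuthorization(); app.UseEndpoints(...), in that order.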
