Can't validate token via webapi

I thought I’d set this up correctly, but evidently not.

I have a single page app which is using auth0-lock. I can successfully issue an id_token via auth0-lock, but the token doesn’t validate:

{
  "name": "Microsoft.ApplicationInsights.Dev.Message",
  "time": "2017-05-10T22:25:16.1917749Z",
  "tags": {
    "ai.operation.name": "GET /api/profiles/126",
    "ai.cloud.roleInstance": "AORUS_X7",
    "ai.internal.sdkVersion": "aspnet5c:2.0.0",
    "ai.internal.nodeName": "AORUS_X7",
    "ai.application.ver": "1.0.0.0",
    "ai.operation.id": "0HL4NUCEMBVFM",
    "ai.location.ip": "::1"
  },
  "data": {
    "baseType": "MessageData",
    "baseData": {
      "ver": 2,
      "message": "Bearer was not authenticated. Failure message: IDX10503: Signature validation failed. Keys tried: 'Microsoft.IdentityModel.Tokens.X509SecurityKey , KeyId: MEZFRDdBNDg4RTQ2REQ2RDA1OTRCOUM2NjUxNzgyODdDRkIxMERBMQ\r\nMicrosoft.IdentityModel.Tokens.RsaSecurityKey , KeyId: MEZFRDdBNDg4RTQ2REQ2RDA1OTRCOUM2NjUxNzgyODdDRkIxMERBMQ\r\n'.\nExceptions caught:\n ''.\ntoken: '{\"alg\":\"HS256\",\"typ\":\"JWT\"}.{\"email_verified\":true,\"email\":\"mike@zept.ca\",\"clientID\":\"f4HLfdP9K4TuBEbO8Qs6c9GIlG1N6n4N\",\"updated_at\":\"2017-05-10T22:24:49.942Z\",\"name\":\"mike@zept.ca\",\"picture\":\"https://s.gravatar.com/avatar/c00a377d67469cfb93a2b08f638f830f?s=480&r=pg&d=https%3A%2F%2Fcdn.auth0.com%2Favatars%2Fmi.png\",\"user_id\":\"auth0|58b70f852c2fab67120547e7\",\"nickname\":\"mike\",\"identities\":{\"user_id\":\"58b70f852c2fab67120547e7\",\"provider\":\"auth0\",\"connection\":\"Username-Password-Authentication\",\"isSocial\":false},{\"profileData\":{\"email\":\"mike@zept.ca\",\"email_verified\":true,\"name\":\"Mike Bridge\",\"given_name\":\"Mike\",\"family_name\":\"Bridge\",\"picture\":\"https://lh3.googleusercontent.com/-gEYNKcK1aoc/AAAAAAAAAAI/AAAAAAAAAAA/Lt2hkkNwjXk/photo.jpg\",\"gender\":\"male\",\"locale\":\"en\"},\"provider\":\"google-oauth2\",\"user_id\":\"108943239765691358261\",\"connection\":\"google-oauth2\",\"isSocial\":true}],\"created_at\":\"2017-03-01T18:14:29.997Z\",\"user_metadata\":{},\"app_metadata\":{\"roles\":\"api:admin\"]},\"roles\":\"api:admin\"],\"persistent\":{},\"iss\":\"https://zept.auth0.com/\",\"sub\":\"auth0|58b70f852c2fab67120547e7\",\"aud\":\"f4HLfdP9K4TuBEbO8Qs6c9GIlG1N6n4N\",\"exp\":1494491090,\"iat\":1494455090,\"nonce\":\"H1tNXfbgW\"}'.",
      "severityLevel": "Information",
      "properties": {
        "{OriginalFormat}": "{AuthenticationScheme} was not authenticated. Failure message: {FailureMessage}",
        "CategoryName": "Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerMiddleware",
        "AspNetCoreEnvironment": "Development",
        "AuthenticationScheme": "Bearer",
        "FailureMessage": "IDX10503: Signature validation failed. Keys tried: 'Microsoft.IdentityModel.Tokens.X509SecurityKey , KeyId: MEZFRDdBNDg4RTQ2REQ2RDA1OTRCOUM2NjUxNzgyODdDRkIxMERBMQ\r\nMicrosoft.IdentityModel.Tokens.RsaSecurityKey , KeyId: MEZFRDdBNDg4RTQ2REQ2RDA1OTRCOUM2NjUxNzgyODdDRkIxMERBMQ\r\n'.\nExceptions caught:\n ''.\ntoken: '{\"alg\":\"HS256\",\"typ\":\"JWT\"}.{\"email_verified\":true,\"email\":\"mike@zept.ca\",\"clientID\":\"f4HLfdP9K4TuBEbO8Qs6c9GIlG1N6n4N\",\"updated_at\":\"2017-05-10T22:24:49.942Z\",\"name\":\"mike@zept.ca\",\"picture\":\"https://s.gravatar.com/avatar/c00a377d67469cfb93a2b08f638f830f?s=480&r=pg&d=https%3A%2F%2Fcdn.auth0.com%2Favatars%2Fmi.png\",\"user_id\":\"auth0|58b70f852c2fab67120547e7\",\"nickname\":\"mike\",\"identities\":{\"user_id\":\"58b70f852c2fab67120547e7\",\"provider\":\"auth0\",\"connection\":\"Username-Password-Authentication\",\"isSocial\":false},{\"profileData\":{\"email\":\"mike@zept.ca\",\"email_verified\":true,\"name\":\"Mike Bridge\",\"given_name\":\"Mike\",\"family_name\":\"Bridge\",\"picture\":\"https://lh3.googleusercontent.com/-gEYNKcK1aoc/AAAAAAAAAAI/AAAAAAAAAAA/Lt2hkkNwjXk/photo.jpg\",\"gender\":\"male\",\"locale\":\"en\"},\"provider\":\"google-oauth2\",\"user_id\":\"108943239765691358261\",\"connection\":\"google-oauth2\",\"isSocial\":true}],\"created_at\":\"2017-03-01T18:14:29.997Z\",\"user_metadata\":{},\"app_metadata\":{\"roles\":\"api:admin\"]},\"roles\":\"api:admin\"],\"persistent\":{},\"iss\":\"https://zept.auth0.com/\",\"sub\":\"auth0|58b70f852c2fab67120547e7\",\"aud\":\"f4HLfdP9K4TuBEbO8Qs6c9GIlG1N6n4N\",\"exp\":1494491090,\"iat\":1494455090,\"nonce\":\"H1tNXfbgW\"}'.",
        "DeveloperMode": "true"
      }
    }
  }
}

The token I get back is this:

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.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.xNdNyyjs8wgK6lEOmbzHNG6iETfAjbBDpBjfOLcj-fs

When I look at it in jwt.io, it shows that I’m using HS256, but my API is configured to use RS256.

This seems like it should contain a public key, but none of these seem to work when I paste them into the public key authentication space:

https://zept.auth0.com/.well-known/jwks.json

Any idea what I’m doing wrong? My C# jwt configuration is pasted exactly from the quick start.

You should not send the id_token to your API. The id_token only contains user information and is for using inside your client application.

You should instead send the access_token - which you should also have received back when using Lock - to your API. Our ASP.NET API Quickstarts are written to accept the access_token.

Please see this blog post for more background on id_token vs access_token:

I am confused because the access_token is only 16 characters long… I have used IdentityServer4 for this before and I was able to issue an access_token that was correctly signed by an asymmetric key, but I don’t know what I’ve done wrong with auth0…

I see other people are having the same problem:

http://community.auth0.com/questions/1064/angular-spa-get-access-token-to-call-api

It’s now after midnight, so I’ll take another shot at this all again tomorrow.

Unfortunately I am not very familiar with Angular, but I do know that you will have to pass the API Identifier for your API as the audience when using Lock.

See the Angular sample:
https://github.com/auth0-samples/auth0-angular-samples/tree/master/04-Calling-an-API

and in particular these lines:
https://github.com/auth0-samples/auth0-angular-samples/blob/master/04-Calling-an-API/src/app/auth/auth.service.ts#L10-L17
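The two answers above make one point between them: the HS256 token with `aud` equal to the client ID is the id_token, addressed to the SPA, while the API expects an RS256 access_token whose `aud` is the API Identifier, and Lock only requests that token when it is given `auth.audience`. The following Node script is an added example, not code from this thread or from Auth0's SDKs: it decodes a token's header and claims (without verifying the signature, which remains the API's job against the tenant's JWKS), reports which kind of token it is and why an RS256-only API would reject it, and shows the Lock options object with the audience set. The client ID, issuer and `nonce` are the values visible in the poster's log; the API identifier, the `kid`, the signature segment and the opaque token are placeholders constructed for the example.

```javascript
// Added example (not from the thread or from Auth0's SDKs): tell an id_token apart
// from an access_token before sending it to an API, and build the auth0-lock options
// that request an API access token. Runs under Node; all tokens below are constructed.

function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

function base64UrlEncode(text) {
  return Buffer.from(text, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Decode header and claims only. This does NOT verify the signature; the API must
// still validate the token against the tenant's JWKS (the RS256 public keys).
function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS (expected 3 segments)');
  return {
    header: JSON.parse(base64UrlDecode(parts[0])),
    payload: JSON.parse(base64UrlDecode(parts[1])),
  };
}

// Classify a token along the lines the thread's failure suggests: HS256 + aud == client ID
// + nonce is an id_token; RS256 + aud == API identifier is an access_token; a short
// non-JWT string is the opaque access_token issued when no API audience was requested.
function classifyToken(token, { clientId, apiIdentifier }) {
  if (token.split('.').length !== 3) {
    return { kind: 'opaque', alg: null, aud: [], reasons: ['not a JWT: no API audience was requested, so it is only usable against /userinfo'] };
  }
  const { header, payload } = decodeJwt(token);
  const aud = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
  const reasons = [];
  if (header.alg === 'HS256') reasons.push('alg is HS256 (client secret), so an RS256-only API rejects it with IDX10503');
  if (aud.includes(clientId)) reasons.push('aud is the client ID, i.e. the token is addressed to the SPA, not the API');
  if (payload.nonce !== undefined) reasons.push('carries a nonce, which only id_tokens do');
  const kind = header.alg === 'RS256' && aud.includes(apiIdentifier) ? 'access_token' : 'id_token';
  return { kind, alg: header.alg, aud, reasons };
}

// The Lock option the second answer points at: auth.audience must be the API Identifier
// from the Auth0 dashboard; responseType 'token id_token' returns both tokens.
function lockOptions(apiIdentifier) {
  return {
    auth: {
      audience: apiIdentifier,
      responseType: 'token id_token',
      params: { scope: 'openid profile' },
    },
  };
}

// --- constructed sample data ---
const CLIENT_ID = 'f4HLfdP9K4TuBEbO8Qs6c9GIlG1N6n4N';   // the clientID seen in the thread's log
const API_IDENTIFIER = 'https://api.example.invalid';   // placeholder for the real API Identifier
const ISSUER = 'https://zept.auth0.com/';

// Signature segment is a placeholder: these tokens are for decoding only and verify nowhere.
function makeSampleJwt(header, payload) {
  return `${base64UrlEncode(JSON.stringify(header))}.${base64UrlEncode(JSON.stringify(payload))}.c2lnbmF0dXJlLXBsYWNlaG9sZGVy`;
}

const sampleIdToken = makeSampleJwt(
  { alg: 'HS256', typ: 'JWT' },
  { iss: ISSUER, sub: 'auth0|58b70f852c2fab67120547e7', aud: CLIENT_ID, exp: 1494491090, iat: 1494455090, nonce: 'H1tNXfbgW' },
);

const sampleAccessToken = makeSampleJwt(
  { alg: 'RS256', typ: 'JWT', kid: 'EXAMPLE-KID' },   // kid is a placeholder
  { iss: ISSUER, sub: 'auth0|58b70f852c2fab67120547e7', aud: [API_IDENTIFIER, `${ISSUER}userinfo`], exp: 1494491090, iat: 1494455090, scope: 'openid profile' },
);

const sampleOpaqueToken = 'k9vF2QmXp4L1aZ0b';   // 16 characters, constructed to resemble what the poster saw

for (const t of [sampleIdToken, sampleAccessToken, sampleOpaqueToken]) {
  console.log(classifyToken(t, { clientId: CLIENT_ID, apiIdentifier: API_IDENTIFIER }));
}
console.log(JSON.stringify(lockOptions(API_IDENTIFIER)));
```

Running it prints `id_token` with three reasons for the first token, `access_token` with none for the second, and `opaque` for the 16-character string; the last line is the options object to pass to `new Auth0Lock(clientId, domain, options)`. On the API side the RS256 public keys still come from the tenant's `/.well-known/jwks.json`, which is why pasting them into jwt.io can never make an HS256 id_token verify.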

@jerrie It looks like the “audience” field is indeed what I’m missing, thanks! (I’m actually using auth0-lock and react).

There are still several things which aren’t working but this at least gets me to the next stage.