Cannot figure out how to validate token in .NET Core Web API

account · May 14, 2017, 4:29am

I’m having a terrible time trying to wrap my head around token validation process on the API side.

I created a database connection and a client in Auth0.

In my angular SPA, i’m calling the oauth/token endpoint to authenticate users and get a token

{
    "realm":"Username-Password-Authentication",
    "client_id":"*****",
    "scope":"openid profile",
    "grant_type":"password",
    "username":"some@email",
    "password":"some_password"
}

This is happening via webAuth object and the particular method I’m using is documented here.

This works and returns a token that looks like:

{
“access_token”: “T-WMwABHs5N99z-b”,
“expires_in”: 86400,
“id_token”: “big_long_id_token”,
“token_type”: “Bearer”
}

So this is already concerning because the access token seems very short.

Even more confusing, when I try to configure my .NET Core Web API, i’m instructed to create an “API” in Auth0 dashboard with its own non-interactive client? So am I supposed to use this client to login with instead of the client that i created earlier? When I try to switch the logins to use the non-interactive client i immediately started getting Unauthorized from Auth0 w/o any helpful information in the logs. When I switched back to the old client and tried to send the access_token to my API they were rejected.

What am I doing wrong? I feel like half of the documentation i find on auth0 is old.

prashantT · May 15, 2017, 9:43am

In order to obtain a JWT access_token, you need to provide a valid audience parameter when calling /oauth/token. The audience value is the Identifier of the API you create in Auth0. In short, you need to create an API in Auth0, and provide the Identifier as the audience value.

Securing your WebAPI is outlined in our Quickstart: https://auth0.com/docs/quickstart/backend/aspnet-core-webapi/00-getting-started

account · May 15, 2017, 12:06pm

@prashant, thank you so much. Adding audience parameter which references the API allowed me to get a valid JWT access token, which also validates against the API. One thing I noticed right away is that the access_token doesn’t contain profile and email claims even though i’m explicitly specifying them in the scope parameter. However, they are present in the id_token. Is this the expected behavior or am I missing something else?

prashantT · May 15, 2017, 12:11pm

Glad to hear. Have a read through the following doc which outlines how to add additional claims to your access tokens using Rules: OpenID Connect Scopes.

account · May 19, 2017, 8:54am

Hi @prashant. I have read the guide. I’m not trying to add custom claims. I’m passing “openid profile email” in the scope but i’m not getting name, email, nickname claims in the access_token. However, I am getting them in id_token. I’m assuming this is by design to reduce token size.

matthew.hartz · November 10, 2017, 5:08pm

Hi @prashant,

I followed the WebAPI quick start for Web API .net core 2.0 and added the AddAuthentication/AddJwtBearer functions to ConfigureServices and UseAuthentication in the Configure function.

Yet I get the error
IDX10503: Signature validation failed. Keys tried: 'Microsoft.IdentityModel.Tokens.SymmetricSecurityKey , KeyId:
'.

It shows that the algorithm is HS256, yet my API is configured for RS256.

Any ideas? thanks!