Id_token invalid on jwt.io site

I built the example server code into my server:

    public void ConfigureAuth(IAppBuilder app)
    {
        var domain = $"https://{ConfigurationManager.AppSettings["Auth0Domain"]}/";
        var apiIdentifier = ConfigurationManager.AppSettings["Auth0ApiIdentifier"];

        // First registration: signing keys come from OpenIdConnectSigningKeyResolver
        var keyResolver = new OpenIdConnectSigningKeyResolver(domain);
        app.UseJwtBearerAuthentication(
            new JwtBearerAuthenticationOptions
            {
                AuthenticationMode = AuthenticationMode.Active,
                TokenValidationParameters = new TokenValidationParameters()
                {
                    ValidAudience = apiIdentifier,
                    ValidIssuer = domain,
                    IssuerSigningKeyResolver = (token, securityToken, identifier, parameters) => keyResolver.GetSigningKey(identifier)
                }
            });

        // Configure Web API
        // WebApiConfig.Configure(app);

        var issuer = domain;
        var audience = apiIdentifier;

        // Second registration: tokens signed with a symmetric secret
        byte[] byt = System.Text.Encoding.UTF8.GetBytes("MYCLEARTEXTSECRET");
        var secret = Convert.ToBase64String(byt);

        app.UseJwtBearerAuthentication(
            new JwtBearerAuthenticationOptions
            {
                AuthenticationMode = AuthenticationMode.Active,
                AllowedAudiences = new[] { audience },
                IssuerSecurityTokenProviders = new IIssuerSecurityTokenProvider[]
                {
                    new SymmetricKeyIssuerSecurityTokenProvider(issuer, secret)
                },
            });
    }

In my controller I add:

    [Authorize]
    [HttpGet]
    [Route("ping/secure")]
    public IHttpActionResult PingSecured()
    {
        return Ok(new
        {
            Message = "All good. You only get this message if you are authenticated."
        });
    }

Finally, from Postman I try a GET on server/api/ping/secure with the bearer header set to the id_token.

I get the id_token from another client, which deserializes var url = "https://railcomm.auth0.com/oauth/ro" into a class called Auth0bits, which is simply:

    public class Auth0bits
    {
        [DataMember]
        public string id_token;
        [DataMember]
        public string access_token;
        [DataMember]
        public string token_type;
    }

Anyways, this id_token, when put into https://jwt.io/, returns invalid.
The GET with Postman passing this id_token also fails.

To make secured calls to your API, you should be passing the access_token in the Authorization header, rather than the id_token. Your API also seems to be configured for HS256 tokens - please ensure that your API in Auth0 is configured to generate HS256 tokens. Note: We highly suggest the use of RS256 tokens rather than HS256; the Quickstart outlines how this can be set up in your API:

Update:

In order to call a secured API, you need to use an access_token that has been obtained from OIDC conformant endpoints, with the appropriate audience - /oauth/ro is not an OIDC conformant endpoint. You can use the /oauth/token endpoint instead,
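
The points raised in this answer (which token is sent, its signing algorithm, its issuer and its audience) can be checked offline by decoding the token and comparing it with what the API's `ValidIssuer` and `ValidAudience` expect. This is an added example, not code from the thread or from Auth0; the tenant URL, API identifier and tokens are constructed, and `triage` and `make_token` are hypothetical helper names.

```python
import base64
import json


def b64url_decode(segment):
    """Decode a base64url JWT segment, restoring stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def triage(token, expected_issuer, expected_audience, expected_alg):
    """List reasons the API would reject the token. Signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        return ["not a compact JWT (expected 3 dot-separated segments)"]
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
    except ValueError:
        return ["header or payload is not base64url-encoded JSON"]
    problems = []
    if header.get("alg") != expected_alg:
        problems.append(f"alg is {header.get('alg')!r}, API expects {expected_alg!r}")
    if claims.get("iss") != expected_issuer:  # exact match, trailing slash included
        problems.append(f"iss is {claims.get('iss')!r}, API expects {expected_issuer!r}")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_audience not in audiences:
        problems.append(f"aud is {aud!r}, API expects {expected_audience!r}")
    return problems


def make_token(alg, claims):
    """Build a constructed sample token with a placeholder signature."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.{b64url_encode(b'placeholder-signature')}"


# Constructed values; none come from a real tenant.
ISSUER = "https://example-tenant.example.com/"
API_IDENTIFIER = "https://api.example.com/"
ID_TOKEN = make_token("HS256", {"iss": ISSUER, "aud": "constructed-client-id"})
ACCESS_TOKEN = make_token("RS256", {"iss": ISSUER, "aud": [API_IDENTIFIER, ISSUER + "userinfo"]})
OPAQUE_TOKEN = "c0nstructedOpaqueValue"
```

An empty list from `triage` only means the header and claims line up with the API's settings; the signature still has to be validated by the API itself.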

Prashant,
Thank you. I know I read online that you need to pass id_token. I’ll try to find that reference and forward it.
Thanks again
John

Hi Prashant,
Can you tell me where my API says HS256? I’m following the quickstart from GitHub.
John

Prashant,
My server code is reduced to:

    var domain = $"https://{ConfigurationManager.AppSettings["Auth0Domain"]}/";
    var apiIdentifier = ConfigurationManager.AppSettings["Auth0ApiIdentifier"];

    var keyResolver = new OpenIdConnectSigningKeyResolver(domain);
    app.UseJwtBearerAuthentication(
        new JwtBearerAuthenticationOptions
        {
            AuthenticationMode = AuthenticationMode.Active,
            TokenValidationParameters = new TokenValidationParameters()
            {
                ValidAudience = apiIdentifier,
                ValidIssuer = domain,
                IssuerSigningKeyResolver = (token, securityToken, identifier, parameters) => keyResolver.GetSigningKey(identifier)
            }
        });

My Auth0 client is configured to RS256.

Postman:
https://localhost:44309/api/railroads/ping/secure Authorization header: bearer access_token

Still 401 Unauthorized. I use this access_token in another client to access Auth0 and it works fine.

The code sample shows:

    // Configure Web API
    WebApiConfig.Configure(app);

What does this do … I do not have a Configure method on my WebApiConfig, just a Register.

Our ASP.NET MVC project is newer and seems to have a newer structure. Anyways we are still failing if you have any ideas.

Please see my updated answer above. As a side note, if providing additional information or replying to a comment, please either update the questions, or use the comment feature, rather than posting as an answer.