ASP.Net Web API Tutorial

Hello Everyone,
Given that there were some breaking changes in Auth0, I am trying to follow their tutorial provided in the link:
https://auth0.com/docs/quickstart/backend/webapi-owin

I already have the api running and can see when I make a call to the controller via Postman, where the authorization is not configured, it is properly returning the controller method value.

When I try to invoke the method with the [Authorize] attribute, I need to provide a Bearer token (access token) on the header of the request.

I am trying to obtain that access token via my SPA application, where I invoke the login via:

webAuth.client.login({
    username: username,
    password: password,
    realm: 'Username-Password-Authentication',
    scope: 'openid profile'
  }

With the access token provided by the SPA login, I use that as the header for my api call, but I am still getting:

“Message”: “Authorization has been
denied for this request.”

Is there a step that I still need to take to ensure that the access token obtained from my SPA can be used to access the web api authorized methods?

I read further that I may need to provide Implicit Grant to access the api via the link:
https://auth0.com/docs/api-auth/tutorials/implicit-grant

but I am unsure why I need to have to request permission from the user for them to invoke the API when in the first place, they should already be able to make calls via the api through the login process?

It seems the latest changes that Auth0 did has made some things quite harder to implement.

In essence, what I am trying to achieve is this:
I have a SPA application, where I login and authenticate via Auth0. After authenticating, I want to be able to use the access_token (in the SPA, it is the id_token) so that I can make a call to my web api.

In my web api, I want to ensure that only those access tokens issued by Auth0 authentication will be allowed to invoke any web api calls.

I was doing this before, but something changed in Auth0 that when I updated the libraries in my WebApi application, I am all getting the Authorization denied message.

Thanks.

There are a couple of things you need to do:

  1. Correct, for a SPA, you would use the Implicit Grant flow.
  2. You need to configure the API in Auth0. This is the Auth0 mapping to your API, similar to how you setup a Client in Auth0 for your SPA.
    https://manage.auth0.com/#/apis
  3. The identifier of the API you setup in step 2 needs to be passed as an audience parameter when executing the authentication flow. This will result in an access_token returned, along with the id_token. The access_token is the one you will pass to your API.
  4. Your API middleware will validate the token.