Access Token With .Net Core Api

Hello to all.

I’m working with .net core 2.0 web api and web application.

My web application has been configured to login/logout using oauth. It works ok, I can log in, view my claims, view my access token and token id, but I need to consume some methods from my api.

So we tried to access our api method, for example: http://localhost:21366/api/values
passing in header the KEY=Authorization with Value=Bearer access_token

But we always receive the following error:

IOException: IDX10804: Unable to retrieve document from: 'https:///.well-known/openid-configuration'

In our api we have this config:

    public void ConfigureServices(IServiceCollection services)
    {
        // The authority URL is built from the Auth0:Domain configuration value.
        string domain = $"https://{Configuration["Auth0:Domain"]}/";

        services.AddAuthentication(options =>
        {
            options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
        }).AddJwtBearer(options =>
        {
            // The middleware fetches the discovery document from this authority.
            options.Authority = domain;
            options.Audience = Configuration["Auth0:ApiIdentifier"];
            options.RequireHttpsMetadata = false;

            options.TokenValidationParameters = new TokenValidationParameters
            {
                RoleClaimType = "http://schemas.microsoft.com/ws/2008/06/identity/claims/roles"
            };
        });

        services.AddMvc();
    }

Any idea? What am I doing wrong?

Thank you so much

@jaullo I am not 100% familiar with this middleware so I’ll answer generally first and maybe I can find a more specific answer to follow.

When you send an access_token to your API the middleware is trying to hit a .well-known endpoint. This endpoint is a directory for certain information the API needs to know to validate the token. Particularly it wants to know where Auth0 is hosting the JWKS endpoint, which is used to communicate the appropriate public key necessary to validate the JWT. Given the error message it seems you’ve not configured the auth0 domain.

I see Authority configured, which seems right. By chance, have you piped out the domain string? Is it possible that configuration is returning an empty string?

Basically, it is really strange to see it is trying to find the directory here: https:///.well-known/openid-configuration instead of https://your_tenant.auth0.com/.well-known/openid-configuration
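
The following is an added example, not code from the thread or from Auth0: a startup guard that rejects an empty or malformed `Auth0:Domain` value before it is turned into the authority, so the misconfiguration surfaces at startup rather than as IDX10804 on the first request. The `AuthorityGuard` class, its method names and the `example-tenant.auth0.com` host are hypothetical.

```csharp
using System;

// Added example: validate the configured domain before building the authority URL.
public static class AuthorityGuard
{
    // configuredDomain is the raw value of Configuration["Auth0:Domain"],
    // expected to be a bare host name (no scheme, no path).
    public static string BuildAuthority(string configuredDomain)
    {
        if (string.IsNullOrWhiteSpace(configuredDomain))
            throw new InvalidOperationException(
                "Auth0:Domain is empty; the authority would become 'https:///'.");

        string host = configuredDomain.Trim();
        if (Uri.CheckHostName(host) == UriHostNameType.Unknown)
            throw new InvalidOperationException(
                $"Auth0:Domain '{host}' is not a bare host name (no scheme, path or slashes).");

        return $"https://{host}/";
    }

    // The discovery document the JWT bearer middleware requests for this authority.
    public static string MetadataAddress(string authority) =>
        authority.TrimEnd('/') + "/.well-known/openid-configuration";
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample values: a placeholder tenant, then three bad settings.
        string[] samples = { "example-tenant.auth0.com", "", null, "https://example-tenant.auth0.com" };
        foreach (string value in samples)
        {
            try
            {
                string authority = AuthorityGuard.BuildAuthority(value);
                Console.WriteLine($"OK   {AuthorityGuard.MetadataAddress(authority)}");
            }
            catch (InvalidOperationException ex)
            {
                Console.WriteLine($"FAIL {ex.Message}");
            }
        }
    }
}
```

In an API like the one in the question, the guard would be called as `options.Authority = AuthorityGuard.BuildAuthority(Configuration["Auth0:Domain"]);` so that a missing setting stops the application at startup with a clear message.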