access_token not added as claim on the ClaimsIdentity after login to app

I have a ASP.NET web app that communicates with an ASP.NET API, and the app uses Auth0 to authenticate users. I followed the quickstart for ASP.NET(Owin) Auth0 ASP.NET (OWIN) SDK Quickstarts: Login

I want to pass the access_token to the API so that the API can verify the user, but when using the method suggested in the section “Storing Tokens” the access_token is always null, but I do get the id_token.
How can I get the access token?

If you are following, that’s the correct place to start.
Are you setting SaveAccessToken to true? If so, does this expression returns null?

string accessToken = claimsIdentity?.Claims.FirstOrDefault(c => c.Type == "access_token")?.Value;

Which version of the OWIN package are you using?

So … I think you’re trying to do the same thing that I am.

I think the ID_TOKEN and ACCESS_TOKEN are two different things. If you look in the Claims when you do a request, you can see the ACCESS_TOKEN is super short, and the ID_TOKEN is really long. If you goto the API’s section on your dashboard, and then click “Authorize” on your app, you can find a test token (that you can call your APi with using something like Postman) to test.

I can’t get my API to authorize with either the ID_TOKEN or the ACCESS_TOKEN, unless I specifically request the ID_TOKEN from Auth0 first…

I’m not 100% certain this is the proper way to address this when using WEBAPP and WEBAPI together.

I don’t think the ACCESS_TOKEN is supposed to actually authorize the user, as much as its supposed to authorize your WEBAPP to use your WEBAPI.

Can anyone confirm that^^?

If this is true - it does have the unfortunate problem that its not following standard use of Controllers and MVC patterns. But I can’t find another way to do it.

The access_token is issued to the client application (i.e. the web app, or a mobile app, or an SPA) to access the API on behalf of the user.

Not that it answers the original question, but:
If you specify scope=openid, then the access_token can be used to call the /userinfo endpoint of the identity provider (Auth0), to get profile information about the user. If you specify an audience, then the access_token can be used to call the API specified in audience. You can specify both scope=openid and audience=xxx, and the access token will serve for the two purposes.
access_tokens with an audience are JWT (long format), whereas access_tokens issued without an audience are (currently) short opaque strings.

@nico.sabena1 I added the audience to the scope of the lock, but the access token still fails to let me authorize against my api. I also tried id_token.

In the exact same code though, if I copy and paste the access token from the TEST Dashboard here, authorizes fine. What am I missing?

Maybe I’m not specifying it correctly in the lock?

The embedded lock instructions no longer exist…

   var lock = new Auth0Lock('@Model.ClientId', '@Model.Domain', {
                      container: 'root',
                      socialButtonStyle: 'small',
                    auth: {
                      redirectUrl: '@Model.CallbackUrl',
                      responseType: 'code',
                      params: {
                        scope: 'openid name picture email type roles',  // Learn about scopes:
                        audience: 'http://localhost:1181/',
                        state: '@Model.State' ,
                        nonce: '@Model.Nonce'
                    theme: {
                        backgroundColor: '#ffffff',
                        logo: '@Model.LoginLogoURL',
                        primaryColor: '#34b889'
                    languageDictionary: {
                        emailInputPlaceholder: "",
                        title: ""


I get an error with the above code -

OpenIdConnectProtocolException: Message contains error: 'access_denied', error_description: 'Service not found: http://localhost:1181/', error_uri: 'error_uri is null'.
Unknown location

I looked at this URL

and then here

Basically it doesn’t tell me much about this Audience thing. Is it the URL for my API? The API from here?

The documentation seems really scattered. Although my knowledge of oAuth is limited, I don’t feel like it should be this complicated.

I do feel like I’m getting to understand this - but kind of the point was I didn’t have to understand it and Im gonna pay Auth0 to understand it for me :slight_smile:

This is really really frustrating.

Hey Harry. We are hijacking 4constanzas17’s question a little here :).
You are passing the audience in the correct place. Sorry about the docs, adding the audience from client applications is a new feature and the doc are still work in progress. You can find more information here: Call Your API Using the Authorization Code Flow, although it refers to the /authorize call (that uses Auth0’s hosted Lock) instead of embedding Lock in your app.
The error message you are getting suggests an incorrect API identifier. Are you sure you are using the right one?