I am creating a new Angular 2+ application that has an ASP.Net Core Web API backend.
I have followed the Angular 2+ quickstart documentation, https://auth0.com/docs/quickstart/spa/angular2, and that is working.
Likewise, for the ASP.Net Core Web API, I followed the quickstart https://auth0.com/docs/quickstart/backend/aspnet-core-webapi which uses the new API section in the dashboard. I successfully tested the web API authorization in isolation using Postman and an access token provided by the Test Client in the Dashboard.
The next step is to make a web API call from the Angular app. It seemed that the best approach is to import AuthHttp
, ie:
import { AuthHttp } from 'angular2-jwt/angular2-jwt';
However, AuthHttp
get
uses id_token
in localStorage
and this didn’t work. I then discovered that an access_token
is needed, not an id_token
. I then tried the solution in https://auth0.com/forum/t/lock-not-always-passing-audience/5121/21. I can get an access_token
but not an id_token
token.
I have read the API Authorization documentation, in particular Calling APIs from Client-side Web Apps, https://auth0.com/docs/api-auth/grant/implicit and I understand the high level principle of what needs to be done.
I would like to know the best practice for using Auth0Lock
in an Angular app to authenticate a user but also get an access_token
. It seems than an id_token
is also needed so that the Angular app can still call tokenNotExpired()
. I think that a client app with a Web API would be a common scenario so it would be great if a complete set of instructions for achieving this as I am a bit confused at the moment.
Edit:
Using just responseType: 'token id_token'
does return both tokens. However, the access token is only 16 characters and therefore not suitable as a bearer token for calling the API.
https://auth0.com/forum/t/lock-not-always-passing-audience/5121/23 seems to suggest using the following:
lockOptions = {
oidcConformant: true,
autoClose: true,
auth: {
params: { audience: 'https://myapi.example.com' }
}
};
In this case, a long accessToken is returned and it can be successfully used as a bearer token. However, idToken is undefined. If responseType: 'token id_token'
is added, as in the example below, idToken is still undefined.
lockOptions = {
oidcConformant: true,
autoClose: true,
auth: {
responseType: 'token id_token',
params: { audience: 'https://myapi.example.com' }
}
};
Is there any way to return an idToken as well as a long accessToken?