ASP Core 7: Examples on how to consume opaque access tokens in pair with JWT?

Hi all,

I’m building up a backend with ASP .NET Core 7 with a Blazor WASM front end.
All my authentication flow works fine following the Auth0 documentation (JWT Bearer auth).

Now that I have added Swashbuckle's SwaggerUI to my backend, I want to be able to authenticate so it can add the proper Authorization header to my requests.
However, SwaggerUI only supports bearer tokens copy-pasted manually into the API KEY section, which is tedious, repetitive work that I would like to avoid.

I could successfully achieve automatic filling of the Authorization header by using OAuth endpoints (Implicit, AuthCode, ClientCredentials; all of those flows work), as shown in this example:

    c.AddSecurityDefinition("oidc", new OpenApiSecurityScheme
    {
        Type = SecuritySchemeType.OpenIdConnect,
        OpenIdConnectUrl = new Uri("[REDACTED]/.well-known/openid-configuration", UriKind.Absolute),
        Flows = new OpenApiOAuthFlows
        {
            ClientCredentials = new OpenApiOAuthFlow
            {
                AuthorizationUrl = new Uri("[REDACTED]/authorize", UriKind.Absolute),
                TokenUrl = new Uri("[REDACTED]/oauth/token", UriKind.Absolute),
                Scopes = new Dictionary<string, string>
                {
                    { "readAccess", "Access read operations" },
                    { "writeAccess", "Access write operations" }
                }
            },
            AuthorizationCode = new OpenApiOAuthFlow
            {
                AuthorizationUrl = new Uri("[REDACTED]/authorize"),
                TokenUrl = new Uri("[REDACTED]/oauth/token"),
                Scopes = new Dictionary<string, string>
                {
                    {"api1", "Demo API - full access"}
                }
            }
        }
    });

And this OperationFilter:

    using Microsoft.AspNetCore.Authorization;
    using Microsoft.OpenApi.Models;
    using Swashbuckle.AspNetCore.SwaggerGen;

    public class SecurityRequirementsOperationFilter : IOperationFilter
    {
        /// <summary>
        /// Applies this filter during Swagger documentation generation: operations whose
        /// controller or action carries [Authorize] get 401/403 responses and the "oidc"
        /// security requirement, so SwaggerUI sends the token it obtained.
        /// </summary>
        /// <param name="operation">The OpenAPI operation being documented.</param>
        /// <param name="context">Reflection context for the action method behind the operation.</param>
        public void Apply(OpenApiOperation operation, OperationFilterContext context)
        {
            // [Authorize] may sit on the controller type or on the action itself.
            var hasAuthorize =
              context.MethodInfo.DeclaringType.GetCustomAttributes(true).OfType<AuthorizeAttribute>().Any()
              || context.MethodInfo.GetCustomAttributes(true).OfType<AuthorizeAttribute>().Any();

            if (hasAuthorize)
            {
                operation.Responses.TryAdd("401", new OpenApiResponse { Description = "Unauthorized" });
                operation.Responses.TryAdd("403", new OpenApiResponse { Description = "Forbidden" });

                // Reference the "oidc" security definition registered in AddSecurityDefinition.
                operation.Security = new List<OpenApiSecurityRequirement>
                {
                    new OpenApiSecurityRequirement
                    {
                        [
                            new OpenApiSecurityScheme {Reference = new OpenApiReference
                            {
                                Type = ReferenceType.SecurityScheme,
                                Id = "oidc"}
                            }
                        ] = new[] {"api1"}
                    }
                };
            }
        }
    }

Doing so gives me an OPAQUE token (not JWT) and adds it to the header successfully.

However, my backend refuses the calls, probably because I need to set up a proper OAuth/OIDC authentication scheme to be able to authenticate with the opaque token.

So there would be:

  • JWT Bearer scheme: for the Blazor WASM frontend to call my backend
  • OAuth / OIDC scheme: only for SwaggerUI to call the backend

However, I can't find any Auth0 documentation on how to consume opaque tokens in my dotnet 7 backend (most of the documentation regarding this is outdated).

Can you help?

Thanks a lot!
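The two-scheme setup the question describes (one handler for the frontend's JWTs, another for SwaggerUI's opaque tokens) can be built with a policy scheme that looks at the bearer token's shape and forwards to the right handler. The following is an added example, not the poster's code and not Auth0's. It assumes an ASP.NET Core 7 web SDK project with implicit usings, that the authorization server exposes an RFC 7662 token introspection endpoint (check your provider's documentation; not every provider offers one), and that the API holds its own client credentials for calling it. The `Introspection:*` configuration keys, the scheme names and the URLs are placeholders.

```csharp
// Added example, not the poster's code. Assumes an ASP.NET Core 7 web SDK project
// with ImplicitUsings; values marked ASSUMED are placeholders to replace.
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Text;
using System.Text.Encodings.Web;
using System.Text.Json;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.Options;

const string SelectorScheme = "BearerSelector";      // ASSUMED name
const string OpaqueScheme = "OpaqueIntrospection";   // ASSUMED name

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddHttpClient();
builder.Services.AddAuthentication(SelectorScheme)
    .AddPolicyScheme(SelectorScheme, "JWT or opaque bearer", options =>
    {
        // Per request, forward to whichever real handler fits the token's shape.
        options.ForwardDefaultSelector = ctx =>
            TokenShape.LooksLikeJwt(TokenShape.ReadBearer(ctx.Request.Headers.Authorization))
                ? JwtBearerDefaults.AuthenticationScheme : OpaqueScheme;
    })
    .AddJwtBearer(options =>
    {
        options.Authority = "https://YOUR_TENANT.example/"; // ASSUMED placeholder
        options.Audience = "https://your-api.example";      // ASSUMED placeholder; rejects tokens minted for other APIs
    })
    .AddScheme<AuthenticationSchemeOptions, OpaqueIntrospectionHandler>(OpaqueScheme, _ => { });
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapGet("/whoami", (ClaimsPrincipal u) => u.FindFirst(ClaimTypes.NameIdentifier)?.Value ?? "?").RequireAuthorization();
app.Run();

static class TokenShape
{
    // Returns the token from "Authorization: Bearer <token>", or null when absent.
    public static string? ReadBearer(string? header) =>
        header is not null && header.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase)
            ? header["Bearer ".Length..].Trim() : null;
    // A compact JWS is exactly three non-empty base64url segments; opaque tokens are not.
    public static bool LooksLikeJwt(string? token) =>
        !string.IsNullOrEmpty(token)
        && token.Split('.') is { Length: 3 } parts
        && parts.All(p => p.Length > 0 && p.All(c =>
               c is (>= 'A' and <= 'Z') or (>= 'a' and <= 'z') or (>= '0' and <= '9') or '-' or '_'));
}

// Validates an opaque token by RFC 7662 introspection (assumes the server exposes one).
sealed class OpaqueIntrospectionHandler : AuthenticationHandler<AuthenticationSchemeOptions>
{
    readonly IHttpClientFactory _clients; readonly IConfiguration _config;
    public OpaqueIntrospectionHandler(IOptionsMonitor<AuthenticationSchemeOptions> options,
        ILoggerFactory logger, UrlEncoder encoder, ISystemClock clock,
        IHttpClientFactory clients, IConfiguration config) : base(options, logger, encoder, clock)
    { _clients = clients; _config = config; }

    protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
    {
        var token = TokenShape.ReadBearer(Request.Headers.Authorization);
        if (token is null) return AuthenticateResult.NoResult();
        // Config keys under "Introspection:" (Endpoint, ClientId, ClientSecret, Audience) are ASSUMED names.
        var basic = Convert.ToBase64String(Encoding.UTF8.GetBytes(
            $"{_config["Introspection:ClientId"]}:{_config["Introspection:ClientSecret"]}"));
        using var request = new HttpRequestMessage(HttpMethod.Post, _config["Introspection:Endpoint"])
        { Content = new FormUrlEncodedContent(new Dictionary<string, string> { ["token"] = token }) };
        request.Headers.Authorization = new AuthenticationHeaderValue("Basic", basic);
        using var response = await _clients.CreateClient().SendAsync(request);
        if (!response.IsSuccessStatusCode)
            return AuthenticateResult.Fail($"Introspection returned {(int)response.StatusCode}");
        using var doc = JsonDocument.Parse(await response.Content.ReadAsStringAsync());
        var root = doc.RootElement;
        // RFC 7662: anything other than "active": true is a rejection.
        if (!root.TryGetProperty("active", out var active) || active.ValueKind != JsonValueKind.True)
            return AuthenticateResult.Fail("Token is not active");
        // A valid token is not enough; it must have been issued for this API.
        if (!AudienceMatches(root, _config["Introspection:Audience"]))
            return AuthenticateResult.Fail("Audience mismatch");
        var identity = new ClaimsIdentity(Scheme.Name);
        if (root.TryGetProperty("sub", out var sub))
            identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, sub.GetString() ?? ""));
        if (root.TryGetProperty("scope", out var scope))
            foreach (var s in (scope.GetString() ?? "").Split(' ', StringSplitOptions.RemoveEmptyEntries))
                identity.AddClaim(new Claim("scope", s));
        return AuthenticateResult.Success(new AuthenticationTicket(new ClaimsPrincipal(identity), Scheme.Name));
    }

    // "aud" may be a single string or an array of strings.
    static bool AudienceMatches(JsonElement root, string? expected) =>
        !string.IsNullOrEmpty(expected) && root.TryGetProperty("aud", out var aud) && aud.ValueKind switch
        {
            JsonValueKind.String => aud.GetString() == expected,
            JsonValueKind.Array => aud.EnumerateArray().Any(a => a.GetString() == expected),
            _ => false
        };
}
```

Because the selector scheme is the default, plain `[Authorize]` and `RequireAuthorization()` use it without naming a scheme. The shape check only chooses a handler; the JWT handler still verifies signature, issuer and audience, and the opaque handler rejects anything the introspection endpoint does not report as active for this API. Every opaque request costs a round trip to the authorization server, so for a frontend-scale workload the JWT path is the cheaper one.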

Hi @gogetenk1,

Welcome to the Auth0 Community!

Are you sure you want an opaque token? I’m not very familiar with some of the tools you are using, but it sounds like your backend may be expecting a JWT. You might just be missing registering your API, and requesting a JWT instead of an opaque token.
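The reply's suggestion in code, as an added example that is neither the replier's nor the poster's: Auth0 issues an opaque access token when the request names no audience, and a JWT access token when it names a registered API identifier, so the fix is to register the API, have SwaggerUI send that identifier as the `audience` parameter, and let the one JWT bearer scheme serve both Blazor WASM and SwaggerUI. It assumes an ASP.NET Core 7 web SDK project with implicit usings and the Swashbuckle.AspNetCore package; the tenant URL, API identifier and Swagger client id are placeholders, and the `openid` scope is added on top of the page's own `readAccess` and `writeAccess` scopes.

```csharp
// Added example, not the poster's or the replier's code. Placeholders are marked ASSUMED.
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.OpenApi.Models;

const string Authority = "https://YOUR_TENANT.example/"; // ASSUMED placeholder (tenant domain)
const string Audience  = "https://your-api.example";     // ASSUMED placeholder: the API identifier registered in Auth0

var builder = WebApplication.CreateBuilder(args);

// One scheme serves both Blazor WASM and SwaggerUI once both obtain JWTs for this audience.
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.Authority = Authority;   // issuer and signing keys are discovered via OIDC metadata
        options.Audience = Audience;     // tokens minted for any other API are rejected
    });
builder.Services.AddAuthorization();

builder.Services.AddEndpointsApiExplorer();
builder.Services.AddSwaggerGen(c =>
{
    // OAuth2 scheme type: SwaggerUI runs the authorization-code flow against these URLs.
    c.AddSecurityDefinition("oauth2", new OpenApiSecurityScheme
    {
        Type = SecuritySchemeType.OAuth2,
        Flows = new OpenApiOAuthFlows
        {
            AuthorizationCode = new OpenApiOAuthFlow
            {
                AuthorizationUrl = new Uri(Authority + "authorize"),
                TokenUrl = new Uri(Authority + "oauth/token"),
                Scopes = new Dictionary<string, string>
                {
                    ["readAccess"] = "Access read operations",
                    ["writeAccess"] = "Access write operations"
                }
            }
        }
    });
    // Every operation requires the scheme; a per-operation filter like the poster's works too.
    c.AddSecurityRequirement(new OpenApiSecurityRequirement
    {
        [new OpenApiSecurityScheme
        {
            Reference = new OpenApiReference { Type = ReferenceType.SecurityScheme, Id = "oauth2" }
        }] = new[] { "readAccess", "writeAccess" }
    });
});

var app = builder.Build();
app.UseSwagger();
app.UseSwaggerUI(c =>
{
    c.OAuthClientId("SWAGGER_CLIENT_ID");  // ASSUMED placeholder: a public client, so no secret ships to the browser
    c.OAuthUsePkce();                      // authorization code + PKCE instead of implicit or client credentials
    c.OAuthScopes("openid", "readAccess", "writeAccess");
    // Without this parameter Auth0 returns an opaque token; with it, a JWT issued for Audience.
    c.OAuthAdditionalQueryStringParams(new Dictionary<string, string> { ["audience"] = Audience });
});
app.UseAuthentication();
app.UseAuthorization();
app.MapGet("/ping", () => "pong").RequireAuthorization();
app.Run();
```

After authorizing in SwaggerUI, the token shown in the dialog should have three dot-separated segments and an `aud` claim equal to the API identifier; if it is still opaque, the `audience` value does not match an API registered in the tenant. Keeping a single scheme also removes the second validation path the question was about, which is the smaller attack surface.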
