(For context, I am not new to development, but I am new to understanding how to code up authentication / authorization, web calls, etc., so pardon me if I ask stupid questions.)
I am implementing a Xamarin mobile application that connects to a REST API exposed from an ASP.NET Core application hosted in Azure. In the Xamarin application, I have followed the quickstarts and have the login implemented successfully and get back the successful LoginResult, which has the Access and Identity Tokens.
In the Razor Pages in ASP.NET Core that I am using on the admin website I also have Auth0 login implemented. Here I successfully get the User ClaimsPrincipal hooked up with the email address, etc., for the claims I have enabled for that API / application.
The part I am missing is: what tokens do I pass to the server on the REST calls from the Xamarin application? And what Auth0 API do I call to get the claims for that token in order to authorize it? Right now I am passing the access token:
// Sends the Auth0 access token as a Bearer token on the REST request
request.AddHeader("Authorization", "Bearer " + App.Current.AuthenticationResult.AccessToken);
In the ASP.NET Core controller, the User ClaimsPrincipal that comes in doesn't have any of the claims I need (the email address being the most important). I am calling the /userinfo API to get the email address associated with that token, but I realize this is definitely not the correct way to do it, especially since there are call limits of 5/min for this API.
I have too many questions.
Is there a walkthrough that shows / explains how to do this from a mobile application?
Do I call the /authorize API to verify the bearer token?
How do I correctly get the claims for that token?
In the admin website scenario, what automatically hooks up the claims on the User ClaimsPrincipal object?
Thank you for any points / directions you may offer.
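For readers landing on this question, the following is an added example of the server side the question is asking about; it is not code from the original post. It shows how an ASP.NET Core API validates an Auth0-issued access token locally with the JWT bearer handler (signature via the tenant's published JWKS, plus issuer, audience and expiry) and reads claims straight off the ClaimsPrincipal, so no per-request call to Auth0 endpoints such as /userinfo or /authorize is needed. The tenant domain, the API identifier and the namespaced email claim name are placeholders; the example assumes the Auth0 tenant has been configured (for instance through a rule or action) to add the user's email to the access token under that claim name, since an access token issued for a custom API does not carry the email by default.

```csharp
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
using Microsoft.IdentityModel.Tokens;

// Placeholder tenant values (assumptions for this example). Authority must be the
// token issuer exactly as Auth0 emits it, including the trailing slash; Audience is
// the API Identifier registered in the Auth0 dashboard (the access token's "aud").
public static class Auth0Settings
{
    public const string Authority = "https://YOUR_TENANT.auth0.com/";
    public const string ApiAudience = "https://api.example.com/";
    // Hypothetical namespaced custom claim that a rule/action adds to the access token.
    public const string EmailClaim = "https://example.com/email";
}

var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // Setting Authority makes the handler download the OpenID discovery document
        // and JWKS once (and refresh them), so RS256 signatures are checked in-process.
        options.Authority = Auth0Settings.Authority;
        options.Audience = Auth0Settings.ApiAudience;
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidIssuer = Auth0Settings.Authority,
            ValidateAudience = true,
            ValidAudience = Auth0Settings.ApiAudience,
            ValidateLifetime = true,
            ValidateIssuerSigningKey = true,
            ClockSkew = TimeSpan.FromMinutes(1),   // tighter than the 5 minute default
            NameClaimType = ClaimTypes.NameIdentifier,
        };
        options.Events = new JwtBearerEvents
        {
            // Log why a token was rejected (bad signature, wrong aud, expired, ...)
            OnAuthenticationFailed = ctx =>
            {
                ctx.HttpContext.RequestServices
                   .GetRequiredService<ILoggerFactory>()
                   .CreateLogger("Auth0")
                   .LogWarning(ctx.Exception, "Bearer token rejected");
                return Task.CompletedTask;
            }
        };
    });

builder.Services.AddAuthorization();
builder.Services.AddControllers();

var app = builder.Build();
app.UseAuthentication();   // populates HttpContext.User from the validated token
app.UseAuthorization();
app.MapControllers();
app.Run();

[ApiController]
[Route("api/[controller]")]
public class ProfileController : ControllerBase
{
    // [Authorize] means the handler has already verified signature, iss, aud and exp
    // before this action runs; User holds the token's claims, nothing was fetched.
    [HttpGet("me")]
    [Authorize]
    public IActionResult Me()
    {
        // "sub" is mapped to ClaimTypes.NameIdentifier by the handler's default inbound map
        var subject = User.FindFirstValue(ClaimTypes.NameIdentifier);
        var email = User.FindFirstValue(Auth0Settings.EmailClaim);

        if (email is null)
        {
            // The token was valid but the tenant did not put the email in it.
            return Problem(
                detail: "Access token carries no email claim; add it to the access token in Auth0.",
                statusCode: StatusCodes.Status403Forbidden);
        }

        return Ok(new { subject, email });
    }
}
```

The Xamarin side keeps sending `Authorization: Bearer <access token>` as in the question; the ID token is for the client to learn who logged in and should not be sent to the API. Claims you need for authorization decisions (email, roles) must be present in the access token itself, otherwise the API has nothing to check without an extra round trip.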