We are currently using angular-lock (for our angular app) and ASP.NET Web API (OWIN) (in our API app). Currently we are able to generate a user token in the app but when we try to run it through our API we get a deny for the token. We tried generating a token using the client_id and client_secret of the API app and that token verified just fine (as it should).
The audience is set in the angular app to the audience defined in the auth0 dashboard for the API app. Our angular app also has the client Id of the angular app and domain for our authorization namespace configured properly.
We can’t figure out why our tokens aren’t authorizing in the API. If I have left out any information which is pertinent to resolving this issue let me know and I will update the question. Any help is appreciated.
Thanks!
EDIT
We are using angular-lock on our app side and we set the audience to the unique identifier for our API. But when we verify the token on jwt.io it says the audience is the app’s client ID. Is there something wrong here or is that how its supposed to be?
Also after setting the verbose logs on we get the following error:
The string needs to be in compact JSON format, which is of the form: '..'. at System.IdentityModel.Tokens.JwtSecurityTokenHandler.ReadToken(String tokenString) at Microsoft.Owin.Security.Jwt.JwtFormat.Unprotect(String protectedText)
What could be causing this error? We have verified both app and API are using RS256.