Auth0 issues malformed access token

I have my regular web application that is signing in a user. Next, the user may request some data from my API. Unfortunately, Auth0 issues a malformed access token and the WebApi is not able to validate it - it thinks that it is encrypted.

My code is very simple - this is how I configure regular web app:

builder.Services.AddAuth0WebAppAuthentication(o =>
{
    builder.Configuration.GetSection("Auth0").Bind(o);
    o.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    o.CallbackPath = new PathString("/auth-callback");
    o.ResponseType = OpenIdConnectResponseType.Code;
    o.Scope = "openid profile email offline_access";
    o.SkipCookieMiddleware = false;
});

My appsettings are:

"Auth0": {
  "ClientId": "<client id>",
  "ClientSecret": "<client secret>",
  "Domain": "<my domain>.eu.auth0.com"
}

Next, my configuration for WebApi is also simple:

builder.Services.AddAuthentication(o =>
{
    o.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
    o.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
}).AddJwtBearer(o =>
{
    o.Authority = builder.Configuration["Authentication:Authority"];
    o.Audience = builder.Configuration["Authentication:Audience"];
});

And my appsettings:

"Authentication": {
  "Authority": "https://<my domain>.eu.auth0.com/",
  "Audience": "api://weather"
}

After some reading I tried to add “audience” to my regular web app, but there is no way to do it in Auth0 configuration. So I tried like this:

builder.Services.AddAuth0WebAppAuthentication(o =>
{
    builder.Configuration.GetSection("Auth0").Bind(o);
    o.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    o.CallbackPath = new PathString("/auth-callback");
    o.ResponseType = OpenIdConnectResponseType.Code;
    o.Scope = "openid profile email offline_access";
    o.SkipCookieMiddleware = false;
    o.LoginParameters = new Dictionary<string, string>
    {
        { "audience", "api://weather" }
    };
});

But this also does not work.

Issued tokens are malformed. Even jwt.io cannot parse them.

My Auth0 configuration is default.

Especially the token settings for the API application:

As you can see, encryption is turned off.

So what is the problem?

Hi @ajachocki

Welcome to the Auth0 Community!

Thank you for posting your question. Based on your description, it looks like you’re getting the opaque token instead of the intended JWT. In Auth0’s case, opaque tokens can be used only with the /userinfo endpoint to return a user’s profile. → https://auth0.com/docs/secure/tokens/access-tokens#opaque-access-tokens

Here → auth0-aspnetcore-authentication/EXAMPLES.md at main · auth0/auth0-aspnetcore-authentication · GitHub, you can find an example of adding the audience parameter in the ASP.NET Core SDK. This should fix your issue with the wrong token.

services
    .AddAuth0WebAppAuthentication(options =>
    {
        options.Domain = Configuration["Auth0:Domain"];
        options.ClientId = Configuration["Auth0:ClientId"];
        options.ClientSecret = Configuration["Auth0:ClientSecret"];
    })
    .WithAccessToken(options =>
    {
        options.Audience = Configuration["Auth0:Audience"];
    });

Thanks!
Dawid

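A quick way to triage the symptom described in this thread (a token jwt.io cannot parse, an API that rejects it) is to check the token's shape before blaming the validator: a JWS has three base64url segments and a header with `alg`, a JWE has five segments and an `enc` header, and anything else is an opaque token that only `/userinfo` will accept. The script below is an added example, not code from the thread or the Auth0 SDK; the tokens it inspects are constructed locally, and the `api://weather` audience is the one from the question. It does not verify signatures, so it is a diagnostic aid, not a replacement for the JwtBearer validation.

```python
import base64
import json

EXPECTED_AUDIENCE = "api://weather"  # audience the WebApi in the thread expects


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def classify_token(token: str) -> dict:
    """Return {'kind': 'jws'|'jwe'|'opaque', ...} from the token's shape only.
    No signature check is done here; the API's JwtBearer handler does that."""
    parts = token.split(".")
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except (ValueError, IndexError):  # not base64url / not JSON -> opaque
        return {"kind": "opaque"}
    if not isinstance(header, dict) or "alg" not in header:
        return {"kind": "opaque"}
    if len(parts) == 5 and "enc" in header:  # JWE: encrypted, validator cannot read it
        return {"kind": "jwe", "header": header}
    if len(parts) == 3:  # JWS: header.payload.signature
        try:
            claims = json.loads(_b64url_decode(parts[1]))
        except ValueError:
            return {"kind": "opaque"}
        return {"kind": "jws", "header": header, "claims": claims}
    return {"kind": "opaque"}


def audience_matches(token: str, expected: str = EXPECTED_AUDIENCE) -> bool:
    """True only for a JWS whose aud claim (string or list) names the API."""
    info = classify_token(token)
    if info["kind"] != "jws":
        return False
    aud = info["claims"].get("aud", [])
    return expected in ([aud] if isinstance(aud, str) else aud)


def make_unsigned_sample(claims: dict) -> str:
    # Constructed sample with a fake signature segment: exercises the shape
    # check only and would fail real signature validation.
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT", "kid": "constructed"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.{_b64url(b'fake-signature')}"


# Constructed inputs: what a correct audience request yields vs. the opaque case.
SAMPLE_JWT = make_unsigned_sample({"iss": "https://example.eu.auth0.com/", "sub": "auth0|123",
                                   "aud": ["api://weather", "https://example.eu.auth0.com/userinfo"]})
SAMPLE_OPAQUE = "xK9p2v_constructed_opaque_token_Qw3e"
```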

Thanks! That works 🙂