Auth0 + Swagger

Hi

I am having an issue authenticating using the client_credentials flow and SwaggerUI/SwashBuckle in a dotnetcore web API.

It appears that I am unable to pass the audience parameter in the payload using Swashbuckle; however, I found a suggestion here that it works in the querystring.

However this does not appear to be the case, having tried the following examples.

This works with audience in payload

curl --request POST --url http://auth0.com/oauth/token --header 'content-type: application/json' --data '{"client_id":"XXX","client_secret":"XXX","audience":"AUDIENCE","grant_type":"client_credentials"}'

This fails when moving to querystring

curl --request POST --url http://auth0.com/oauth/token?audience=AUDIENCE --header 'content-type: application/json' --data '{"client_id":"XXX","client_secret":"XXX","grant_type":"client_credentials"}'

I also found this article here with a workaround which I'm keen to avoid.

Any ideas why it doesn't work in the querystring when the previous post suggests it should?

Hey there @rookard, can you share the error you are receiving when you try to pass through a query-string? Thanks in advance!

Sure

I get

non global clients are not allowed to access apiv1

And in the raw data in the log audience is null

The /authorize request takes the audience in the query string. I’ve linked our doc below that dives into the Authentication API. This should be able to help you in your quest. Please let me know if you have any questions!

https://auth0.com/docs/api/authentication#regular-web-app-login-flow

Thanks for the reply, I’m talking about the /token endpoint.
When I move it from the body to the querystring it fails every time with error above.

Try the cURL as posted, one with it in the body and one with querystring - client credentials flow.

After digging into this with our Support team, it appears this is a grant call which means that the audience must be declared in the body of the call and cannot be delivered via the querystring. Please let me know if this helps you in your quest. Thanks!

Unfortunately, Swagger for dotnet core does not allow you to specify this in the body, only the querystring.
I have a workaround I will post that basically copies it from the querystring to the body in the swagger ui.

Thank you for being willing to share the workaround, @rookard! I look forward to checking it out 👍

This is a bit of a hack, but basically copies the audience from the URL querystring into the body on each request - providing the request contains 'client_credentials' in the body already - i.e. is an auth token request.

Create a js file, in this case Auth0.js

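// Wrap window.fetch so the token request sent by Swagger UI carries the audience in its body
var f = window.fetch;
window.fetch = function(url, opts) {
    if (opts && typeof opts.body === 'string' && opts.body.indexOf('client_credentials') !== -1) {
        // Copy from query string to body
        const requestUrl = opts.url || String(url);
        const urlParams = new URLSearchParams(requestUrl.split('?')[1]);
        const audience = urlParams.get('audience');
        // Only append when the query string actually carries an audience
        if (audience) {
            opts.body += '&audience=' + encodeURIComponent(audience);
        }
    }
    return f(url, opts);
};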

Register this in Startup.cs

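app.UseSwaggerUI(c =>
{
    // Swagger UI adds these to the query string of its OAuth requests
    c.OAuthAdditionalQueryStringParams(new Dictionary<string, string>()
    {
        {"audience", "MyAudience"}
    });

    // Load the fetch wrapper into the Swagger UI page
    c.InjectJavascript("/Auth0.js");

    //Other setup stuff..
});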
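A narrower variant of the workaround above, as an added example that is not part of the original thread: it rewrites only client_credentials POSTs to the /oauth/token path, handles JSON and form-encoded bodies, and removes audience from the URL so every other request passes through untouched. The names moveAudienceToBody and TOKEN_PATH, and the assumption that request headers arrive as a plain object, belong to this example and are not Swagger UI or Auth0 APIs.

```javascript
// Added example, not the poster's code. TOKEN_PATH and moveAudienceToBody are assumed names.
const TOKEN_PATH = '/oauth/token';

// Returns { url, opts } with `audience` moved from the query string into the
// body, but only for client_credentials POSTs to the token endpoint.
function moveAudienceToBody(url, opts) {
    const untouched = { url: url, opts: opts };
    if (!opts || typeof opts.body !== 'string') return untouched;
    if ((opts.method || 'GET').toUpperCase() !== 'POST') return untouched;
    let parsed;
    try { parsed = new URL(String(url), 'http://placeholder.invalid'); } catch (e) { return untouched; }
    if (parsed.pathname !== TOKEN_PATH) return untouched;
    const audience = parsed.searchParams.get('audience');
    if (!audience) return untouched;

    // Assumption: headers is a plain object, not a Headers instance.
    const headers = opts.headers || {};
    const typeKey = Object.keys(headers).find(k => k.toLowerCase() === 'content-type');
    const isJson = typeKey !== undefined && /json/i.test(headers[typeKey]);

    let body;
    if (isJson) {
        let payload;
        try { payload = JSON.parse(opts.body); } catch (e) { return untouched; }
        if (!payload || payload.grant_type !== 'client_credentials') return untouched;
        if (!payload.audience) payload.audience = audience;
        body = JSON.stringify(payload);
    } else {
        const form = new URLSearchParams(opts.body);
        if (form.get('grant_type') !== 'client_credentials') return untouched;
        if (!form.has('audience')) form.set('audience', audience);
        body = form.toString();
    }

    // Drop the parameter from the URL so it is sent once, in the body only.
    const [base, query = ''] = String(url).split('?');
    const rest = new URLSearchParams(query);
    rest.delete('audience');
    const newUrl = rest.toString() ? base + '?' + rest.toString() : base;
    return { url: newUrl, opts: Object.assign({}, opts, { body: body }) };
}

// Browser wiring: wrap fetch once; requests that do not match are forwarded as-is.
if (typeof window !== 'undefined' && window.fetch) {
    const originalFetch = window.fetch.bind(window);
    window.fetch = (url, opts) => {
        const r = moveAudienceToBody(url, opts);
        return originalFetch(r.url, r.opts);
    };
}
```

Served as the injected script in place of Auth0.js, this keeps the existing OAuthAdditionalQueryStringParams registration unchanged.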

Fantastic! Thank you for sharing @rookard!
