I have downloaded a couple of C#/.NET based GitHub projects, as suggested in the Auth0 client and API setup pages. One is the authentication project and the other is the actual web API.
I have updated the config settings as per the values set up on the Auth0 Client/API interface, such as appDomain, clientID, clientSecret on the authentication project. And I set Audience and domain on the web API configs.
On the callback URL for the client, I am able to get all the info from social login along with the access ID and access Token. But when the web API is called using “bearer ACCESS_TOKEN”, it's not authorizing. Some problem with the access tokens perhaps. I tried with Postman, and it's the same error.
One discrepancy I see in the “token.IdToken” that is generated in the middleware, when decoded using jwt.io, is that the audience value actually shows the clientId value instead of the value I set in the Auth0 API interface for the identifier. I don’t know why it's taking this value.
But the actual bearer token is not the JWT token, but the accessToken, so not sure if it matters.
It would be nice if anyone who has done a .NET/C# authentication flow could share some samples. Thanks.
But the actual bearer token is not the jwt token, but the accessToken, so not sure if it matters.
The access_token should be a JWT as well. If it is not an access_token, then this is your problem. How are you obtaining that access_token? What flow are you using? Please read the Using the API document I linked to above.
What I mean to say is the access_token doesn’t show all the userinfo data when I inspect it on the jwt.io interface. It's the id_token that contains the info such as issuer, issue date, expiry date, audience etc., along with other user info which is obtained from the userinfo endpoint. I read that the sample I am using for the middleware actually sets the clientID as the audience, so what I am seeing in the JWT for the id_token audience value is correct.
I think it's the Web API end that's not reading the access_tokens sent. This value is much shorter in length compared to the id_token value. And when I try to inspect the access_token value through jwt.io, I get nothing.
This is the project I am using… Our authentication-to-the-Web-API scenario will be more or less like this.
This is exactly what I have been telling you: That access_token you have is not a JWT.
It is probably because you did not specify the audience when requesting the access_token. You need to specify the audience as the value of your API identifier when calling the Auth0 authorization endpoint.
The problem is not with the Web API. The problem is with how you obtain the access_token.
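As an added example (not code from this thread or from the Auth0 sample projects), the following Python shows the two checks the reply above is asking for: building the /authorize request with an `audience` parameter set to the API identifier, and inspecting a bearer token the way jwt.io does, to tell an opaque access_token apart from a JWT whose `aud` matches the API. The tenant domain, client ID, API identifier and redirect URI are placeholders, and the sample tokens are constructed locally with HS256 and a made-up secret so the script runs offline; real Auth0 API tokens are RS256-signed, and a production Web API must verify the signature against the tenant's JWKS, which this inspection deliberately does not do.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlencode

# Placeholder tenant settings (constructed for this example, not a real tenant).
AUTH0_DOMAIN = "example-tenant.auth0.com"
CLIENT_ID = "CLIENT_ID_PLACEHOLDER"
API_IDENTIFIER = "https://api.example.com"   # the "Identifier" configured for the API in Auth0
REDIRECT_URI = "https://localhost:5001/callback"
ISSUER = f"https://{AUTH0_DOMAIN}/"          # Auth0 issues tokens with iss = https://<domain>/


def build_authorize_url(domain, client_id, redirect_uri, audience, scope="openid profile email"):
    """Build the authorization-code request. The `audience` parameter is what makes
    Auth0 issue a JWT access_token for that API; leaving it out yields an opaque token."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "audience": audience,
    }
    return f"https://{domain}/authorize?" + urlencode(params)


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def inspect_bearer_token(token, expected_audience, expected_issuer, now=None):
    """Describe whether `token` is a JWT that the Web API would accept on iss/aud/exp.
    Signature is NOT verified here; this only mirrors what pasting into jwt.io shows."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return {"is_jwt": False, "reason": "not header.payload.signature (opaque access_token)"}
    try:
        header = json.loads(_b64url_decode(parts[0]))
        payload = json.loads(_b64url_decode(parts[1]))
    except (ValueError, json.JSONDecodeError):
        return {"is_jwt": False, "reason": "segments are not base64url-encoded JSON"}
    aud = payload.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    result = {
        "is_jwt": True,
        "alg": header.get("alg"),
        "aud": aud,
        "iss_ok": payload.get("iss") == expected_issuer,
        "aud_ok": expected_audience in aud_list,     # id_token has aud = client_id, so it fails here
        "expired": float(payload.get("exp", 0)) < now,
    }
    result["usable_for_api"] = result["iss_ok"] and result["aud_ok"] and not result["expired"]
    return result


def make_sample_jwt(claims, secret=b"constructed-demo-secret"):
    """Constructed HS256 token so the example runs offline. Not how Auth0 signs tokens."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


_NOW = int(time.time())
# A JWT access_token issued for the API (what you get when audience was requested).
SAMPLE_API_TOKEN = make_sample_jwt(
    {"iss": ISSUER, "sub": "auth0|user123", "aud": [API_IDENTIFIER, ISSUER + "userinfo"],
     "iat": _NOW, "exp": _NOW + 3600, "scope": "openid profile email"})
# An id_token: a JWT, but its audience is the client ID, not the API identifier.
SAMPLE_ID_TOKEN = make_sample_jwt(
    {"iss": ISSUER, "sub": "auth0|user123", "aud": CLIENT_ID, "iat": _NOW, "exp": _NOW + 3600})
# An opaque access_token (short, not a JWT): what you get with no audience in the request.
SAMPLE_OPAQUE_TOKEN = "kG7xQ2pL9vN4sT8w"


if __name__ == "__main__":
    print(build_authorize_url(AUTH0_DOMAIN, CLIENT_ID, REDIRECT_URI, API_IDENTIFIER))
    for name, tok in [("api", SAMPLE_API_TOKEN), ("id", SAMPLE_ID_TOKEN), ("opaque", SAMPLE_OPAQUE_TOKEN)]:
        print(name, inspect_bearer_token(tok, API_IDENTIFIER, ISSUER))
```

Running the script shows the three outcomes the thread describes: the opaque token is reported as not a JWT, the id_token decodes but fails the audience check because its `aud` is the client ID, and only the token requested with `audience=<API identifier>` passes.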