Authenticating a WEBAPI using auth0

Hello, can someone give me step by step instructions on authenticating a WEB API. Any help is appreciated. Thanks in advance

I tried all the steps as in the auth0 tutorials:

  • My technology is C#, .NET
  • Setup client and API.
  • downloaded gitshub projects for both authentication and web api samples.
  • I am getting the tokens created in the authentication project fine.
  • but when I use the token as bearer authentication using postman to call my web api, I am getting authentication errors.

I like to know if I am missing any steps.

It would be helpful to get the errors you are getting as well as any sample code (minus any secure, private items)

I have downloaded couple of C#/.net based gitshubs projects as suggested in the auth0 client and API setup pages. One is the authentication project and the other is the actual web API.

I have updated the config settings as per the values setup on the auth0 Client/API interface, such as appDomain, cleintID, clientSecret on the authentication project. And I set Audience, domain on the web API configs.
On the callback URL for the client, I am able to get all the info from social login along with access ID and access Token. But when the webAPI is called using the “bearer ACEESS_TOKEN” , its not authorizing. Some problem with the access tokens perhaps. I tried with Postman, and its the same error.

I have placed the 2 project code files at this location:

Can you let us know the error you’re receiving?

401 Unauthorized error

“Message”: “Authorization has been denied for this request.”

1 Like

Did you work through the troubleshooting guides?

Here are the ones for OWIN and ASP.NET Core (depending in which you are using)

Chances are those will help you sort out your issue…

One discrepancy I see in the “token.IdToken” that is generated in the middleware when decoded using, is the audience value actually shows the clientId value instead of the value I set in the autho API interface for the identifier. I don’t know why its taking this value.
But the actual bearer token is not the jwt token, but the accessToken, so not sure if it matters.

It will be nice if anyone has done a .net/C# flow for authentication and share any samples. thanks

Yes, that is correct. But you should not be sending the id_token to the API. You should be sending the access_token to the API.

Did you read the section on Using the API?

But the actual bearer token is not the jwt token, but the accessToken, so not sure if it matters.

The access_token should be a JWT as well. If it is not an access_token, then this is your problem. How are you obtaining that access_token? What flow are you using? Please read the Using the API document I linked to above.

1 Like

Sorry, meant to say if it is not a JWT then that is your problem

what I mean to say is the access_token doesn’t show all the userinfo data when I inspect it on interface. Its the id_token that contains the info such as issuer, issue date, expiry date, audience etc along with other user info which is obtained from the userinfo end point. I read that sample I am using for the middleware actually sets the clientID as the audience so what I am seeing in the jwt for id_token for audience value is correct.

I think its the WEBAPI end its not reading the access_tokens sent. This value is much shorter in length compared to the token_ID value. And when I try to inspect access_token value through, I get nothing.

This is the project I am using…Our authentication to the WEBAPI scenario will more or less like this.

This is exactly what I have been telling you: That access_token you have is not a JWT.

It is probably because you did not specify the audience when requested the access_token. You need to specify the audience as the value of your API identifier when calling the Auth0 authorization endpoint.

The problem is not with the Web API. The problem is with how you obtain the access_token.

Thank you. My problem is resolved. Thanks for your help.

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.