Hi,
I’m struggling to authorize my front end (Angular 6) against my back end Web API 2 OWIN application. On the backend side, how should the application be configured? I use this example: https://auth0.com/docs/quickstart/backend/webapi-owin/01-authorization but it’s not working.
I passed parameters:
but still when trying login via my Angular 6 app I have error 401.
Just to double check, are these things working properly:
you are passing the access_token JWT when making requests to the backend using the Authorization header
your access_token JWT contains the required information for your backend (from the sample you’ll need custom scopes such as read:messages, you can use jwt.io to view the payload of your JWT)
I forgot to add read:messages, but authorization is still not working. On the front end I have:
auth0 = new auth0.WebAuth({
  clientID: 'xxxxxxx',
  domain: 'xxxxx.eu.auth0.com',
  responseType: 'token id_token',
  // API identifier; without an audience Auth0 issues an opaque access_token instead of a JWT
  audience: 'http://xxxxx.api.com',
  redirectUri: 'http://localhost:4200/callback',
  // scope must be one space-separated string
  scope: 'openid profile read:messages write:messages'
});
And I pass the access_token via the Authorization header to the backend.
On the backend I use:
using System.Configuration;
using Microsoft.IdentityModel.Tokens;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Jwt;
using Owin;

[assembly: OwinStartup(typeof(Startup))]

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        // Issuer must match the token's "iss" claim exactly, including the trailing slash.
        var domain = $"https://{ConfigurationManager.AppSettings["Auth0Domain"]}/";
        // Audience must match the API identifier passed as "audience" by the front end.
        var apiIdentifier = ConfigurationManager.AppSettings["Auth0ApiIdentifier"];

        // Resolves the RS256 public key for the token's "kid" from the tenant's JWKS endpoint.
        var keyResolver = new OpenIdConnectSigningKeyResolver(domain);
        app.UseJwtBearerAuthentication(
            new JwtBearerAuthenticationOptions
            {
                AuthenticationMode = AuthenticationMode.Active,
                TokenValidationParameters = new TokenValidationParameters()
                {
                    ValidAudience = apiIdentifier,
                    ValidIssuer = domain,
                    IssuerSigningKeyResolver = (token, securityToken, kid, parameters) => keyResolver.GetSigningKey(kid)
                }
            });

        // Configure Web API
        WebApiConfig.Configure(app);
    }
}
The Auth0Domain is an API identifier, and for the Auth0ApiIdentifier parameter I use the signing secret of the API. The domain is the same as the audience in the front end.
Yes, I can confirm the settings. I created two additional API services. Is there any special configuration of the App like Application Type and the API for example Signing Algorithm?
There shouldn’t be any special configuration required.
I don’t see anything wrong with the information provided so far.
Can you please post (or DM) the logs from ASP.NET for the request that fails, a .HAR file of the request, and the payload of the JWT used (all with sensitive information obfuscated)?
After taking a look through the .HAR file you sent me through DM I can see a problem with the access_token.
From what I can see the Authorization header contained an opaque token instead of a JWT (relevant docs).
This is usually caused by the web authentication request to Auth0 missing the audience parameter so double check that your requests when logging in have an audience parameter.
Another thing to check is that your API config in Auth0 Management dashboard has the signing algorithm set to RS256.
The last thing of note is that your API returned a 500 error instead of a 401 but this is probably due to the access_token not being a JWT.
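As an added example (not from this thread, and not Auth0's own code), a small Node.js check that decodes an access_token and reports the things the replies above ask about: JWT shape, RS256 header, audience and issuer, expiry, and the read:messages scope. It decodes claims only and does not verify the signature; that stays with the OWIN middleware. The audience and issuer values are the placeholders from the thread, and the tokens built by makeUnsignedToken are constructed samples.

```javascript
// Expected values, taken from the placeholders used in the thread above.
const EXPECTED_AUDIENCE = 'http://xxxxx.api.com';       // API identifier
const EXPECTED_ISSUER = 'https://xxxxx.eu.auth0.com/';  // tenant domain, trailing slash included

// base64url -> utf8 string (re-adds padding, swaps the URL-safe alphabet back).
function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - segment.length % 4) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

// Returns a list of findings; an empty list means the token looks usable for this API.
// Claims are decoded, NOT verified: this is a diagnostic, not a replacement for validation.
function inspectAccessToken(token, requiredScopes, now = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) {
    return ['not a JWT: expected 3 dot-separated segments (opaque token, check the audience parameter)'];
  }
  let header, payload;
  try {
    header = JSON.parse(base64UrlDecode(parts[0]));
    payload = JSON.parse(base64UrlDecode(parts[1]));
  } catch (e) {
    return ['not a JWT: header/payload are not base64url-encoded JSON'];
  }
  const findings = [];
  if (header.alg !== 'RS256') findings.push(`alg is ${header.alg}; the API must be set to RS256`);
  const aud = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
  if (!aud.includes(EXPECTED_AUDIENCE)) findings.push(`aud ${JSON.stringify(payload.aud)} lacks ${EXPECTED_AUDIENCE}`);
  if (payload.iss !== EXPECTED_ISSUER) findings.push(`iss ${payload.iss} != ${EXPECTED_ISSUER}`);
  if (typeof payload.exp === 'number' && payload.exp <= now) findings.push('token expired');
  const granted = (payload.scope || '').split(' ').filter(Boolean);
  for (const s of requiredScopes) if (!granted.includes(s)) findings.push(`missing scope ${s}`);
  return findings;
}

// Builds a constructed, unsigned JWT-shaped token for testing (signature segment is a placeholder).
function makeUnsignedToken(header, payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc(header)}.${enc(payload)}.sig`;
}

module.exports = { inspectAccessToken, makeUnsignedToken, base64UrlDecode };
```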