Authorization Angular 6 and Web Api 2 Owin

Hi,
I'm struggling to configure authorization between my front end (Angular 6) and my back end (Web API 2, OWIN). How should the application be configured on the backend side? I used this example: https://auth0.com/docs/quickstart/backend/webapi-owin/01-authorization but it's not working.
I passed these parameters:

but when I try to log in via my Angular 6 app I still get a 401 error.

I can login to my front end.

Hi @madartsoft

Just to double check, are these things working properly:

  1. you are passing the access_token JWT in the Authorization header when making requests to the backend
  2. your access_token JWT contains the information your backend requires (for the sample you'll need custom scopes such as read:messages; you can use jwt.io to view the payload of your JWT)

Hi, thank you for reply.

I forgot to add read:messages, but authorization is still not working. On the front end I have:

import * as auth0 from 'auth0-js';

// WebAuth client for the Angular app; the audience is the API identifier,
// so that Auth0 issues a JWT access token rather than an opaque one
auth0 = new auth0.WebAuth({
  clientID: 'xxxxxxx',
  domain: 'xxxxx.eu.auth0.com',
  responseType: 'token id_token',
  audience: 'http://xxxxx.api.com',
  redirectUri: 'http://localhost:4200/callback',
  scope: 'openid profile read:messages write:messages'
});

And I pass the access_token in a header to the backend.
On the backend I use:

using System.Configuration;
using System.IdentityModel.Tokens;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Jwt;
using Owin;

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        // Auth0Domain is the tenant domain; the expected issuer is "https://<tenant>/" (trailing slash included)
        var domain = $"https://{ConfigurationManager.AppSettings["Auth0Domain"]}/";
        // Auth0ApiIdentifier is the API identifier, i.e. the audience the front end requests
        var apiIdentifier = ConfigurationManager.AppSettings["Auth0ApiIdentifier"];

        // OpenIdConnectSigningKeyResolver comes from the quickstart sample; it resolves the
        // tenant's RS256 signing keys by key id (kid) from the JWT header
        var keyResolver = new OpenIdConnectSigningKeyResolver(domain);
        app.UseJwtBearerAuthentication(
            new JwtBearerAuthenticationOptions
            {
                AuthenticationMode = AuthenticationMode.Active,
                TokenValidationParameters = new TokenValidationParameters()
                {
                    ValidAudience = apiIdentifier,
                    ValidIssuer = domain,
                    IssuerSigningKeyResolver = (token, securityToken, kid, parameters) => keyResolver.GetSigningKey(kid)
                }
            });

        // Configure Web API
        WebApiConfig.Configure(app);
    }
}

For Auth0Domain I use the API identifier, and for the Auth0ApiIdentifier parameter I use the signing secret of the API. The domain is the same as the audience in the front end.

Just want to clarify this portion of your response.

In appSettings, the values for the following parameters should be:

  • Auth0Domain: this is your auth0 tenant domain (e.g. xxxxx.eu.auth0.com)
  • Auth0ApiIdentifier: this is your api domain / audience (e.g. http://xxxxx.api.com)

Can you confirm this is the case?

Hi,

Yes, I can confirm the settings. I created two additional API services. Is there any special configuration needed for the Application (for example Application Type) or for the API (for example Signing Algorithm)?

There shouldn’t be any special configuration required.

I don’t see anything wrong with the information provided so far.

Can you please post (or DM) the logs from ASP.NET for the request that fails, a .HAR file of the request, and the payload of the JWT used (all with sensitive information obfuscated)?


Hi @madartsoft

After taking a look through the .HAR file you sent me through DM I can see a problem with the access_token.

From what I can see the Authorization header contained an opaque token instead of a JWT (relevant docs).

This is usually caused by the web authentication request to Auth0 missing the audience parameter so double check that your requests when logging in have an audience parameter.

Another thing to check is that your API config in Auth0 Management dashboard has the signing algorithm set to RS256.

The last thing of note is that your API returned a 500 error instead of a 401 but this is probably due to the access_token not being a JWT.
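The two checks above (is the Authorization header carrying a JWT at all, and does that JWT carry the audience, issuer and scope the backend expects) plus the RS256 point can be run offline against a captured token. The following Node script is an added example, not code from this thread, from Auth0 or from the quickstart; it does no signature verification (that remains the OWIN middleware's job) and only reads the header and payload to explain a 401 before the request reaches the API. The sample tokens, the key id, the placeholder signature and the opaque token string are all constructed here for illustration; the issuer and audience values follow the obfuscated ones used earlier in the thread.

```javascript
// Added diagnostic for a bearer token captured from a failing request (e.g. from a .HAR file).
// Nothing here verifies the token; it only decodes it to show why the OWIN middleware would reject it.

// Decode one base64url JWT segment to a UTF-8 string.
function b64urlDecode(seg) {
  const pad = seg.length % 4 === 0 ? '' : '='.repeat(4 - (seg.length % 4));
  return Buffer.from(seg.replace(/-/g, '+').replace(/_/g, '/') + pad, 'base64').toString('utf8');
}

// Encode an object as a base64url JSON segment (used only to build the constructed samples below).
function b64urlEncode(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Inspect an access token against what the backend is configured to accept.
// Returns { format: 'jwt' | 'opaque', problems: string[], header?, payload? }.
function inspectAccessToken(token, expected) {
  const parts = token.split('.');
  let header, payload;
  try {
    if (parts.length !== 3) throw new Error('not three segments');
    header = JSON.parse(b64urlDecode(parts[0]));
    payload = JSON.parse(b64urlDecode(parts[1]));
  } catch (e) {
    // An opaque token is what Auth0 issues when the login request had no `audience`;
    // UseJwtBearerAuthentication cannot validate it, so the API answers 401.
    return { format: 'opaque', problems: ['token is not a JWT: add the `audience` parameter to the login request'] };
  }

  const problems = [];
  // The quickstart's key resolver looks up RS256 keys by kid; an HS256 token can never match.
  if (header.alg !== 'RS256') {
    problems.push(`alg is ${header.alg}; set the API signing algorithm to RS256 in the Auth0 dashboard`);
  }
  // ValidIssuer in the OWIN config is "https://<tenant>/" with the trailing slash.
  if (payload.iss !== expected.issuer) {
    problems.push(`iss is ${payload.iss}, expected ${expected.issuer}`);
  }
  // aud may be a string or an array (an array when openid scope adds the /userinfo audience).
  const aud = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
  if (!aud.includes(expected.audience)) {
    problems.push(`aud ${JSON.stringify(aud)} does not include ${expected.audience}`);
  }
  // Custom scopes are a space-separated string in the `scope` claim.
  const scopes = (payload.scope || '').split(' ').filter(Boolean);
  for (const s of expected.requiredScopes) {
    if (!scopes.includes(s)) problems.push(`missing scope ${s}`);
  }
  return { format: 'jwt', problems, header, payload };
}

// What the backend in this thread expects (values obfuscated as in the thread).
const expected = {
  issuer: 'https://xxxxx.eu.auth0.com/',
  audience: 'http://xxxxx.api.com',
  requiredScopes: ['read:messages'],
};

// Constructed sample tokens: the signature segment is a placeholder and the kid is made up.
function sampleToken(alg, payloadOverrides) {
  const payload = {
    iss: expected.issuer,
    sub: 'auth0|constructed-user',
    aud: [expected.audience, `${expected.issuer}userinfo`],
    scope: 'openid profile read:messages',
    ...payloadOverrides,
  };
  return `${b64urlEncode({ alg, typ: 'JWT', kid: 'constructed-kid' })}.${b64urlEncode(payload)}.c2lnbmF0dXJl`;
}

const OPAQUE_TOKEN = 'x1yQ9rZ3tL0pQ7kVbN2mW5';          // shape of an opaque token (constructed)
const HS256_TOKEN = sampleToken('HS256', {});            // API still configured for HS256
const NO_SCOPE_TOKEN = sampleToken('RS256', { scope: 'openid profile' });
const GOOD_TOKEN = sampleToken('RS256', {});

for (const [name, token] of [['opaque', OPAQUE_TOKEN], ['hs256', HS256_TOKEN], ['no-scope', NO_SCOPE_TOKEN], ['good', GOOD_TOKEN]]) {
  const result = inspectAccessToken(token, expected);
  console.log(name, result.format, result.problems.length ? result.problems : 'ok');
}

module.exports = { inspectAccessToken, sampleToken, expected, OPAQUE_TOKEN, HS256_TOKEN, NO_SCOPE_TOKEN, GOOD_TOKEN };
```

Run it with node against a token pasted in place of the constructed ones. A token that comes back as `opaque` means the login request lacked `audience`; a JWT whose only problem is `alg` is the situation this thread ended on, where the OWIN key resolver can only satisfy RS256 tokens.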

Hi,

I noticed that when I add the audience the token is in JWT format, but I am still getting a 401 error. I will check the algorithm.

Thanks

I found the problem. The algorithm was the problem.


Thanks a lot @madartsoft for sharing that with the rest of community!
