
Building and Securing Web APIs with ASP.NET Core 3.0

Learn how to build a web API with ASP.NET Core 3.0 as well as how to secure this API with Auth0’s robust authentication and authorization features.

Brought to you by @andrea.chiarelli

Hi there, please reach out to me for any comment and/or issue.
Have a good reading!


Excellent explanation, thank you. One question: how does the calling app get the token at runtime? In your walk-through you have the user visit the Auth0 site and get a test token.

Hi @tregan3,
Thanks for appreciating the article :)
The way a client gets the access token depends on the type of the client itself. You have different flows if your client is a Web application, a SPA, a mobile app, and so on.
You can take a look at the Auth0 official documentation for more information.
If you want to see some code and your client is a Single Page Application, you can take a look at the quickstarts here.
Let me know if you need more help.

Hi Andrea, are there any updates to how scope validation would work in .NET Core 3.0 compared to how it was done in the 2.0 quick start at ASP.NET Core Web API v2.0: Authorization?

It would be good to see an example of scoped authorizations in this example as well, such as decorating with [Authorize("read:messages")]. Thanks for all the great info!

Thank you!


Hi Andrea, thanks for the article!

And I agree that we need to get more details, since the quick start ASP .Net Core v 2.0 isn’t applicable for .Net Core 3.0.

I’ve just tried to migrate a workable solution with Auth0 to .Net Core 3.0, and it seems like authorization doesn’t work at all. I use attributes like [Authorize(Auth0Configuration.WRITE_PERMISSION)] with HasScopeRequirement, AuthorizationHandler and IAuthorizationHandler.

It would be great if you created one more comprehensive guide for .Net Core 3.0 Web API + Auth0.



Hi and @reshifa,
Thank you very much for your feedback. I’m going to plan a tutorial on this topic soon.
Stay tuned!


Thanks a lot @andrea.chiarelli for catching that feedback!


I’ve really enjoyed this tutorial! I’m new to auth0 and I’ve hit a roadblock at the very end of your tutorial. I’ve tried this in my code and also after cloning your git. I keep getting a 500 error when I try to post to the api using my token. I’m thinking I’ve messed up the syntax of either my auth0 domain or how I’ve added the token. Here’s a code snippet from my appsettings.json:

    {
      "Logging": {
        "LogLevel": {
          "Default": "Information",
          "Microsoft": "Warning",
          "Microsoft.Hosting.Lifetime": "Information"
        }
      },
      "AllowedHosts": "*",
      "Auth0": {
        "Domain": "",
        "Audience": ""
      }
    }

Does that look alright? Also, is this how I’m supposed to format the post:

    curl --insecure \
      --request POST \
      --url https://localhost:5001/api/glossary \
      --header 'content-type: application/json' \
      --header 'authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IlJEZERNRFpFTXpNek1ERkNORGd4TVRBME9ESXlNVUZGUkRJeE1EQTFORGxFTlVJeVFqTkJNdyJ9.eyJpc3MiOiJodHRwczovL2Rldi01OXRtOWNhaC5hdXRoMC5jb20vIiwic3ViIjoiNlpVaVh5UnpRTzNvejlTYk9lcE1KVVVFc2RCUWtreE1AY2xpZW50cyIsImF1ZCI6Imh0dHBzOi8vZ2xvc3NhcnkuY29tIiwiaWF0IjoxNTczMjY1NzQ5LCJleHAiOjE1NzMzNTIxNDksImF6cCI6IjZaVWlYeVJ6UU8zb3o5U2JPZXBNSlVVRXNkQlFra3hNIiwiZ3R5IjoiY2xpZW50LWNyZWRlbnRpYWxzIn0.PAvK9yOYmeHdlx4Aoidlf83Sh_EXnhJlXn-d1I4TYUdKoLSPmO3N-HEjX_-umAm2S9pYKT9uuNxXaKVk7CKfwT_9-Aq5NDkIfOGGfFJSID_iE6PWBPnqfUw0ja1r9KzTpQas41GVGZ8NSiQX-KgNoQctBP4lhCxjIoyzvghT2XMfn3QeJUr_Y8ZYyVT3aUAuVp0TVRIeQCXH7ZMRbpLMbrq18uFy2dBbn0f2nfpWdJWfnBnAJOkEKZ2FUFpb2Gsm8YWnkza-F4QhMgch6za-Hw9Br1xGWxUHBgQ0RVElfj7QnKm5hMnKXkV5edTMkN4l1ILpR7VSxAuvucd-oCb8CA' \
      --data '{ "term": "MFA", "definition": "An authentication process that considers multiple factors."}'

It would also be helpful if you could explain how I could use Postman in lieu of the terminal for this. Thanks!

Hey, thank you for reading my tutorial.
I’m afraid that you are getting that error because of the value of the Domain key in the appsettings.json file. You provided a URL, but it should be just a domain. In your case, you should just assign, without https://.
Try with this change and let me know.

If you want to use Postman instead of cURL, you should simply map those parameters to the corresponding UI fields. For example, the following picture shows how you should insert the Authorization header:

You should also provide the Content-Type header:

And the body:

I hope this can help you in completing your journey with Auth0.
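
The fix in the answer above (a bare domain in the Domain key, not a URL) can be enforced when the API starts, so a bad value is reported by name instead of surfacing as a 500 on the first authenticated request. The following is an added example, not code from the tutorial or from any poster in this thread; `Auth0SettingsCheck`, its `Validate` method and the sample values are hypothetical.

```csharp
using System;
using System.Collections.Generic;

// Added example: fail-fast check for the "Auth0" section of appsettings.json.
// Auth0SettingsCheck and Validate are hypothetical names, not tutorial code.
public static class Auth0SettingsCheck
{
    public static List<string> Validate(string domain, string audience)
    {
        var problems = new List<string>();

        if (string.IsNullOrWhiteSpace(domain))
            problems.Add("Auth0:Domain is empty.");
        else if (domain.Contains("://"))
            problems.Add("Auth0:Domain contains a scheme; use the bare host name.");
        else if (domain.Contains("/"))
            problems.Add("Auth0:Domain contains a path or trailing slash.");
        else if (Uri.CheckHostName(domain) != UriHostNameType.Dns)
            problems.Add("Auth0:Domain is not a valid DNS host name.");

        if (string.IsNullOrWhiteSpace(audience))
            problems.Add("Auth0:Audience is empty.");

        return problems;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample values; the tenant and audience are placeholders.
        var samples = new[]
        {
            ("https://example.auth0.com/", "https://glossary.example"), // URL: rejected
            ("example.auth0.com/",         "https://glossary.example"), // slash: rejected
            ("example.auth0.com",          ""),                         // no audience: rejected
            ("example.auth0.com",          "https://glossary.example"), // accepted
        };

        foreach (var (domain, audience) in samples)
        {
            var problems = Auth0SettingsCheck.Validate(domain, audience);
            Console.WriteLine(problems.Count == 0
                ? $"OK   {domain}"
                : $"FAIL {domain}: {string.Join(" ", problems)}");
        }
    }
}
```

In a real project the two arguments would come from the `Auth0:Domain` and `Auth0:Audience` configuration keys, and a non-empty result would abort startup.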

Thanks! Worked great


Super glad to hear that @joshisplutar!