
Configure ASP .NET Web API middleware to accept HS256 and RS256

aspnet-core
aspnet
middleware

#1

I am developing a RESTful API using ASP .NET Web API; as you can imagine, there will be many clients using it, developed in many different languages. I see that in the Auth0 samples for .NET Core they set it up to use HS256. So my question is: can I set up my ASP .NET Web API middleware to accept both algorithms?


#2

In general there is no point in doing what you describe because, assuming the client application will obtain the access token to call your API through an OAuth2 flow, the access token being issued is meant to be treated as an opaque value by the client application. The application only has to obtain the token and send it in the requests to the API.

With the above in mind, the only parties that care about the access token format/signing approach are the authorization server (which has to issue it) and possibly the API (which has to validate it, assuming the token is a self-contained one).

In conclusion, you can have/develop as many client applications as you want, implemented in as many different languages as you desire, because the only thing they will have to do is talk OAuth2 (HTTP) to get the token and then call the API.


#3

Hi,
Thanks for your reply. My API application is using the ID Token so that I can get all the required information (the client is passing me the ID Token, not the access token). The client which is connecting to Auth0 and getting the token can be anything, as described in my original question. So how do you deal with this?

Thanks and Regards
Murali


#5

The issue is that you’re sending an ID token to an API as a method of authorization and that is incorrect; as mentioned in the answer you should be sending an access token. See the following for more info on this topic: https://auth0.com/docs/api-auth/why-use-access-tokens-to-secure-apis
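As an added example (not code from the thread or from Auth0's samples), this is how an ASP.NET Core API can do what replies #2 and #5 describe: validate access tokens on the API side with either RS256 (keys fetched from the tenant's JWKS via Authority) or HS256 (a configured symmetric secret), while rejecting ID tokens because their audience is the client ID rather than the API identifier. The JwtBearer and Microsoft.IdentityModel APIs are real; the tenant domain, API identifier and secret are placeholders you would replace.

```csharp
// Program.cs, .NET 6+ minimal hosting. Assumed NuGet package:
// Microsoft.AspNetCore.Authentication.JwtBearer (brings Microsoft.IdentityModel.Tokens).
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

// Placeholders: your Auth0 tenant, the API identifier registered in Auth0 and,
// only if some tokens are HS256, the secret that signs them (keep it out of source).
const string Domain = "https://YOUR_TENANT.auth0.com/";
const string ApiIdentifier = "https://your-api.example";
string hs256Secret = builder.Configuration["Auth0:ClientSecret"] ?? "REPLACE_ME";

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // Authority makes the handler load the tenant's OpenID configuration and
        // JWKS, and it appends those RSA public keys to IssuerSigningKeys at
        // request time; that is what verifies RS256 tokens.
        options.Authority = Domain;
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidIssuer = Domain,
            // An ID token's aud is the client ID, so it fails this check; only
            // access tokens issued for this API pass, as reply #5 intends.
            ValidateAudience = true,
            ValidAudience = ApiIdentifier,
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromMinutes(1),
            ValidateIssuerSigningKey = true,
            // Symmetric key for HS256; it is a separate key from any JWKS material.
            IssuerSigningKeys = new SecurityKey[]
            {
                new SymmetricSecurityKey(Encoding.UTF8.GetBytes(hs256Secret)),
            },
            // Explicit allow-list of algorithms; anything else is rejected.
            ValidAlgorithms = new[] { SecurityAlgorithms.HmacSha256, SecurityAlgorithms.RsaSha256 },
        };
    });
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapGet("/api/ping", () => "pong").RequireAuthorization();
app.Run();
```

If you only ever issue RS256 access tokens, drop the IssuerSigningKeys entry and leave only RsaSha256 in ValidAlgorithms so a leaked client secret cannot be used to mint tokens the API accepts.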


#6