Auth0 Home Blog Docs

How to get API (MVC) authenticated from token generated by an Angular SPA?


Hi I am pretty new to Auth0 and work has asked me to integrate Auth0 to the project. Project is very simple and is classic Angular 2 SPA with C# MVC API.

I have created/download an Angular app from quickstart and it is successfully generates id_token in the local storage after I login with my account.

Second step is I have downloaded sample(preconfigured with my domain and client credentials) C# MVC API. I can access the public methods in controller via postman but when I try to access Private (Authorize) decorators on method I get the message Authorization denied. I am passing the id token appended with “Bearer” in front for Authorization in the header but it keeps denying access.

Could please someone help me or guide me of what should I pass? I have tried both the RS256 and HS256 still it cannot get valid token.
Many thanks in advance


Do you have access to server logs? It’s hard to debug this without knowing why the server denied access in the first place.

Couple of additional questions:

  • Are you using a custom domain?
  • Did you use to verify the contents of the JWT match what the server expects (things like sub, aud and iss?


Thank you so much for your reply.
In the server logs I have a log which says “successful login” which is correct because that is the default SPA that connects to Autho0 to get authenticated and returns token. But then there are no other logs after that.

Are you using custom domain?
I am not sure what is custom domain. I am just using what the Auth0 registration process created. In my case it is []
I did use to verify and it is decoding all the contents correctly and getting following contents:
“typ”: “JWT”,
“alg”: “RS256”,

Payload data is

“iss”: “”,
“sub”: “auth0|5b629b31868fba2c7e6234c3”,
“aud”: “Qg0OzdBgXhQl7gjImXfNi6jHuuVzXu-F”,
“iat”: 1533558700,
“exp”: 1533594700,
“at_hash”: “uuE_ri_c28KvrXBBRVFAsA”,
“nonce”: “4i1zV7gD3Z.D_.IMhKRDNcNo~Aj9Huj4”
Kind regards


In the web api project written in C# with OWIN middleware the startup class is like below: My apologies for copy paste:

using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Jwt;
using Owin;
using System.Configuration;
using Auth0.Owin;
using Microsoft.IdentityModel.Tokens;

[assembly: OwinStartup(typeof(WebApi.Startup))]

namespace WebApi
public class Startup
public void Configuration(IAppBuilder app)
var domain = $“https://{ConfigurationManager.AppSettings[“Auth0Domain”]}/”;
var apiIdentifier = ConfigurationManager.AppSettings[“Auth0ApiIdentifier”];

        var keyResolver = new OpenIdConnectSigningKeyResolver(domain);
            new JwtBearerAuthenticationOptions
                AuthenticationMode = AuthenticationMode.Active,
                TokenValidationParameters = new TokenValidationParameters()
                    ValidAudience = apiIdentifier,
                    ValidIssuer = domain,
                    IssuerSigningKeyResolver = (token, securityToken, kid, parameters) => keyResolver.GetSigningKey(kid)

        // Configure Web API



Sorry, I should’ve been more specific: I meant the logs for the C# API server. Your Auth0 logs make sense: the C# API doesn’t communicate directly with Auth0, it only verifies the signature of the JWT with the Auth0 public token. I’d be curious to know for what reason the C# API is denying access. Any chance you can get it to spit that out? Once we know it’s a mismatch in the signature or a wrong audience or something like that, you could probably fix it within a minute.

So far I don’t see anything wrong with either the JWT or your code (but my C# ain’t great, so that doesn’t say that much).

Usually these errors arise from a misconfiguration on your server (so the API, not the Auth0 server), so can you confirm the domain and apiIdentifier variables are actually set to the right values through the ConfigurationManager?


Thank you again. Unfortunately I do not have access to code environment right now as it is bit late here in Australia(EST). I remember it kept on crashing on invalid signature on the following line in the C# api startup.cs

IssuerSigningKeyResolver = (token, securityToken, kid, parameters) => keyResolver.GetSigningKey(kid)

I will do some more troubleshooting tomorrow and will paste all the output here. If you have some spare time please have a look at it. Once again thank you for your time and effort!


SOLVED: The issue was the default client app from quickstart did not have the same audience key as that of an API. Make sure both the audience are same otherwise API authorization fails. To check the audience is passed correctly in your access token please decode token with anyone stumbles on this issue please feel free to contact me :slight_smile:


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.