HttpClient call to Auth0 always returns "Forbidden" but RestSharp/Postman works

Hi

This is my HttpClient in .NET 5 calling the Auth0 API to return an access token:


// PostAsJsonAsync needs the System.Net.Http.Json extension namespace (.NET 5)
client.DefaultRequestHeaders.Clear();
client.BaseAddress = new Uri("https://");
client.DefaultRequestHeaders.Accept.ParseAdd("application/json");
var payload = new RequestDto();
// the body is sent as application/json here
var result = await client.PostAsJsonAsync("/oauth/token/", payload);

This is the response I am getting back.

{StatusCode: 403, ReasonPhrase: 'Forbidden', Version: 1.1, Content: System.Net.Http.HttpConnectionResponseContent, Headers:
    {
      Date: Wed, 22 Sep 2021 12:31:41 GMT
      Transfer-Encoding: chunked
      Connection: keep-alive
      CF-Ray: 692b8d3a38c649cc-SIN
      Cache-Control: no-store, no-transform, must-revalidate, no-cache, private, post-check=0, pre-check=0
      Set-Cookie: did=s%3Av0%3A0a216c90-1ba1-11ec-862f-7f7d0c0038bd.FfNrxIGNlX8dwlcRnTLb71MJd01Ue9iTugWYvtM1SfM; Max-Age=31557600; Path=/; Expires=Thu, 22 Sep 2022 18:31:41 GMT; HttpOnly; Secure; SameSite=None
      Set-Cookie: did_compat=s%3Av0%3A0a216c90-1ba1-11ec-862f-7f7d0c0038bd.FfNrxIGNlX8dwlcRnTLb71MJd01Ue9iTugWYvtM1SfM; Max-Age=31557600; Path=/; Expires=Thu, 22 Sep 2022 18:31:41 GMT; HttpOnly; Secure
      Set-Cookie: __cf_bm=IANhQTEutD_pHhdSx8v3Cetr8OZDRfyo5gXgmUgzT4o-1632313901-0-AXr7JfwUm61xGTYFBK7h/7tOvYIaMIA/kBY7DhTEw5JdRx3/wELr8mhfIrHi/2Af5kchdQ01ICCA7vqSXlP2BGA=; path=/; expires=Wed, 22-Sep-21 13:01:41 GMT; domain=.eu.auth0.com; HttpOnly; Secure
      Strict-Transport-Security: max-age=31536000
      Vary: Accept-Encoding
      Vary: Origin
      CF-Cache-Status: DYNAMIC
      Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
      ot-baggage-auth0-request-id: e6c47d2660b5db418ce58eda8c0ea29e
      ot-tracer-sampled: true
      ot-tracer-spanid: 2bcc27ab466a78ea
      ot-tracer-traceid: 19bf472018220614
      X-Auth0-RequestId: 7cf64438c76e838edb7b
      X-Content-Type-Options: nosniff
      X-RateLimit-Limit: 30
      X-RateLimit-Remaining: 29
      X-RateLimit-Reset: 1632313902
      Server: cloudflare
      Alt-Svc: h3=":443"
      Alt-Svc: h3-29=":443"
      Alt-Svc: h3-28=":443"
      Alt-Svc: h3-27=":443"
      Content-Type: application/json
    }}

Hi @asif.bhat.

The /oauth/token endpoint expects the payload as application/x-www-form-urlencoded values.
Take a look at our Authentication API SDK source code (auth0.net/AuthenticationApiClient.cs at master · auth0/auth0.net · GitHub) for examples on how to talk to that API (or possibly use the SDK instead).


Hi @nicolas_sabena and @asif.bhat, I just ran into the same issue.

It seems like the quick start docs on the Machine-to-Machine application page refer to using application/json like below. Maybe they need an update?

// does NOT work
var client = new RestClient("https://MY-URL/oauth/token");
var request = new RestRequest(Method.POST);
request.AddHeader("content-type", "application/json");
// etc

I can confirm that a form encoded call works (using RestSharp):

var client = new RestClient("https://MY-URL/oauth/token");
var request = new RestRequest(Method.POST);
request.AddHeader("content-type", "application/x-www-form-urlencoded");
// values are escaped so a secret containing '&', '+' or '=' does not break the form body
request.AddParameter(
  "application/x-www-form-urlencoded",
  "grant_type=client_credentials&" +
    $"client_id={Uri.EscapeDataString(clientId)}&" +
    $"client_secret={Uri.EscapeDataString(clientSecret)}&" +
    $"audience={Uri.EscapeDataString(audience)}",
  ParameterType.RequestBody);
var response = await client.ExecuteAsync(request);
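For readers who want to stay on HttpClient rather than switch to RestSharp, here is the same client-credentials request built the way the two replies above describe (form-encoded body, not JSON). This is an added example, not code from the original thread or from the auth0.net SDK. The AUTH0_DOMAIN environment variable, the TokenResponse class and the field names it maps are assumptions about the tenant and the token JSON, not values taken from the thread.

```csharp
// Added example (not from the original thread): client-credentials token request
// to Auth0's /oauth/token with HttpClient, body sent as application/x-www-form-urlencoded.
// AUTH0_DOMAIN is a placeholder environment variable; TokenResponse is an assumed shape
// of the JSON the endpoint returns on success.
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text.Json;
using System.Text.Json.Serialization;
using System.Threading.Tasks;

public sealed class TokenResponse
{
    [JsonPropertyName("access_token")] public string AccessToken { get; set; }
    [JsonPropertyName("token_type")] public string TokenType { get; set; }
    [JsonPropertyName("expires_in")] public int ExpiresIn { get; set; }
}

public static class Auth0TokenClient
{
    // One HttpClient per process; BaseAddress must be the tenant origin with a trailing
    // slash (e.g. https://TENANT.eu.auth0.com/), not just "https://".
    private static readonly HttpClient Client = new HttpClient
    {
        BaseAddress = new Uri($"https://{Environment.GetEnvironmentVariable("AUTH0_DOMAIN")}/")
    };

    public static async Task<TokenResponse> GetClientCredentialsTokenAsync(
        string clientId, string clientSecret, string audience)
    {
        // FormUrlEncodedContent sets Content-Type: application/x-www-form-urlencoded
        // and percent-encodes each value, so a secret with '&' or '+' is sent intact.
        var form = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["grant_type"] = "client_credentials",
            ["client_id"] = clientId,
            ["client_secret"] = clientSecret,
            ["audience"] = audience,
        });

        // Relative path, no trailing slash: the endpoint is /oauth/token.
        using var request = new HttpRequestMessage(HttpMethod.Post, "oauth/token") { Content = form };
        request.Headers.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));

        using var response = await Client.SendAsync(request);
        var body = await response.Content.ReadAsStringAsync();

        if (!response.IsSuccessStatusCode)
        {
            // The JSON error body is where Auth0 explains a 4xx; the status line alone
            // ("Forbidden" in the question) does not. The secret is never part of the message.
            throw new HttpRequestException(
                $"Token request failed: {(int)response.StatusCode} {response.ReasonPhrase} {body}");
        }

        return JsonSerializer.Deserialize<TokenResponse>(body);
    }
}
```

Two things worth keeping from this even if you use a different HTTP library: read the response body on failure before anything else, because the dump in the question shows an unread HttpConnectionResponseContent and the error_description inside it is the first diagnostic; and load clientId and clientSecret from configuration or environment rather than hard-coding them, since the client secret is what the tenant uses to recognise this machine-to-machine application.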