I am trying to obtain the access token in the frontend, but my code sends the ClientID as Audience?

(I am using .NET 8, and all the packages I use related to .NET/Auth0 are 8.0.)
(I am using the Blazor template.)

I am trying to obtain the access token in the frontend, because ultimately I want to use roles inside the access token to send requests to a REST API which requires certain roles.

In my code I configure the clientID as ClientId, and inside the token validation I use my authority:

builder.Services.AddAuthentication(options =>
{
    options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
})
.AddCookie()
.AddOpenIdConnect(options =>
{
    options.Authority = $"https://{builder.Configuration["Auth0:Domain"]}";
    options.ClientId = builder.Configuration["Auth0:ClientId"];
    options.ClientSecret = builder.Configuration["Auth0:ClientSecret"];
    options.ResponseType = "code";
    options.Scope.Add("openid");
    options.Scope.Add("profile");
    options.Scope.Add("email");

    // Set the audience in the Token Validation Parameters
    options.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters
    {
        ValidAudience = builder.Configuration["Auth0:Audience"] // This should be the API identifier you want to access
    };

    options.SaveTokens = true;
    options.CallbackPath = "/signin-auth0";
});

As the error I get that the value of the clientID is not in the audiences (see error below):

Microsoft.AspNetCore.Authentication.AuthenticationFailureException: An error was encountered while handling the remote login.
 ---> Microsoft.IdentityModel.Tokens.SecurityTokenInvalidAudienceException: IDX10214: Audience validation failed. Audiences: 'lMzCtrFAeBCX8VpFdKDkgvZSRUwb9Mle'. Did not match: validationParameters.ValidAudience: 'https://vvt-en-de-kansen-van-ai.eu.auth0.com/api/v2/' or validationParameters.ValidAudiences: 'null'.
   at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.ValidateTokenUsingHandlerAsync(String idToken, AuthenticationProperties properties, TokenValidationParameters validationParameters)
   at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.HandleRemoteAuthenticateAsync()
   --- End of inner exception stack trace ---
   at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler`1.HandleRequestAsync()
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
   at Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddlewareImpl.Invoke(HttpContext context)

My questions are:

  1. Am I on the right track to authorize endpoints using roles?
  2. How is it even possible that the value of the clientID is being saved in the audiences?

(Yes, I triple-checked my appsettings.json; the variables are configured correctly.)
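An added example (not the poster's code and not an Auth0 sample) showing the distinction the IDX10214 error above is pointing at: the OpenID Connect handler validates the ID token, whose `aud` claim is the client ID, so the audience it checks has to stay the client ID (the handler defaults to `ClientId` only when `TokenValidationParameters` does not set an audience). The API identifier goes on the authorization request as the `audience` parameter instead, which is what makes Auth0 issue an access token for that API. It reuses the `Auth0:Domain`, `Auth0:ClientId`, `Auth0:ClientSecret` and `Auth0:Audience` keys from the post and assumes `Auth0:Audience` holds the REST API's identifier rather than the Management API URL; the `/debug/token-audience` endpoint and the `RolesClaim` name are hypothetical, added only to show where the saved access token is read back and which claim the API will look at.

```csharp
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;
using System.IdentityModel.Tokens.Jwt;

var builder = WebApplication.CreateBuilder(args);

// Same appsettings keys as in the post.
var auth0Domain   = builder.Configuration["Auth0:Domain"];
var auth0ClientId = builder.Configuration["Auth0:ClientId"];
var apiAudience   = builder.Configuration["Auth0:Audience"]; // REST API identifier, not the Management API URL

// Hypothetical claim name: use whatever name the Auth0 Action that adds roles to the
// access token actually writes; the REST API must look for the same name.
const string RolesClaim = "https://example.com/roles";

builder.Services.AddAuthentication(options =>
{
    options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
})
.AddCookie()
.AddOpenIdConnect(options =>
{
    options.Authority = $"https://{auth0Domain}";
    options.ClientId = auth0ClientId;
    options.ClientSecret = builder.Configuration["Auth0:ClientSecret"];
    options.ResponseType = "code";
    options.Scope.Add("openid");
    options.Scope.Add("profile");
    options.Scope.Add("email");
    options.SaveTokens = true;          // keep id_token and access_token in the auth cookie
    options.CallbackPath = "/signin-auth0";

    // These parameters are applied to the ID token. Its "aud" is the client ID, so the
    // valid audience must be the client ID; issuer and signing keys are filled in by the
    // handler from the discovery document and do not need to be set here.
    options.TokenValidationParameters = new TokenValidationParameters
    {
        ValidAudience = auth0ClientId,
        NameClaimType = "name"
    };

    // The API identifier is requested here, as the "audience" query parameter on the
    // redirect to /authorize, so the returned access token is a JWT minted for that API.
    options.Events = new OpenIdConnectEvents
    {
        OnRedirectToIdentityProvider = ctx =>
        {
            if (!string.IsNullOrEmpty(apiAudience))
                ctx.ProtocolMessage.SetParameter("audience", apiAudience);
            return Task.CompletedTask;
        }
    };
});

builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Hypothetical endpoint: reads the saved access token and decodes (without validating)
// its payload to show which audience it was issued for and which roles it carries.
// Validation of signature, issuer and audience belongs in the REST API on every request.
app.MapGet("/debug/token-audience", async (HttpContext http) =>
{
    var accessToken = await http.GetTokenAsync("access_token");
    if (accessToken is null)
        return Results.Unauthorized();

    var jwt = new JwtSecurityTokenHandler().ReadJwtToken(accessToken);
    return Results.Ok(new
    {
        audiences = jwt.Audiences,
        roles = jwt.Claims.Where(c => c.Type == RolesClaim).Select(c => c.Value)
    });
}).RequireAuthorization();

app.Run();
```

With this split, the ID token keeps passing audience validation against the client ID, and the access token stored alongside it is the one to attach as a bearer token when calling the REST API; that API, not the Blazor frontend, is where `ValidAudience` should equal the API identifier.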

Hi,
A thought… Instead of setting the ValidAudience to your Management API URL or any client ID, could you try pointing it towards the audience identifier for your backend application's API as configured under Auth0?