Id_token invalid on jwt.io site

jsheehan · May 21, 2017, 11:42pm

I build into my server The example server code :
public void ConfigureAuth(IAppBuilder app)
{
var domain = $“https://{ConfigurationManager.AppSettings"Auth0Domain”]}/“;
var apiIdentifier = ConfigurationManager.AppSettings"Auth0ApiIdentifier”];

        var keyResolver = new OpenIdConnectSigningKeyResolver(domain);
        app.UseJwtBearerAuthentication(
            new JwtBearerAuthenticationOptions
            {
                AuthenticationMode = AuthenticationMode.Active,
                TokenValidationParameters = new TokenValidationParameters()
                {
                    ValidAudience = apiIdentifier,
                    ValidIssuer = domain,
                    IssuerSigningKeyResolver = (token, securityToken, identifier, parameters) => keyResolver.GetSigningKey(identifier)
                }
            });

        // Configure Web API
        // WebApiConfig.Configure(app);

        var issuer = domain;
        var audience = apiIdentifier;

        byte] byt = System.Text.Encoding.UTF8.GetBytes("MYCLEARTEXTSECRET");
        var secret = Convert.ToBase64String(byt);

        app.UseJwtBearerAuthentication(
           new JwtBearerAuthenticationOptions
           {
               AuthenticationMode = AuthenticationMode.Active,
               AllowedAudiences = new] { audience },
               IssuerSecurityTokenProviders = new IIssuerSecurityTokenProvider]
             {
              new SymmetricKeyIssuerSecurityTokenProvider(issuer, secret)
             },
           });
    }

In my Controller I add
[Authorize]
[HttpGet]
[Route(“ping/secure”)]
public IHttpActionResult PingSecured()
{
return Ok(new
{
Message = “All good. You only get this message if you are authenticated.”
}
);
}
Finally from Postman I try to get on server/api/ping/secure with header beaerer set to id_token
I get id-token from another client which deserializes var url = “https://railcomm.auth0.com/oauth/ro” into a class called AuthoBits0, which is simply public class Auth0bits
{
[DataMember]
public string id_token;
[DataMember]
public string access_token;
[DataMember]
public string token_type;
}

anyways, this id_token , when put into https://jwt.io/ returns invalid.
The GET with postman passing this id_token also fails.

prashantT · May 22, 2017, 10:08am

To make secured calls to your API, you should be passing the access_token in the Authorization header, rather than the id_token. Your API also seems to be configured for HS256 tokens - please ensure that your API in Auth0 is configured to generate HS256 tokens. Note: We highly suggest the use of RS256 tokens rather than HS256; the Quickstart outlines how this can be setup in your API:

Update:

In order to call a secured API, you need to use an access_token that has been obtained from OIDC conformant endpoints, with the appropriate audience - /oauth/ro is not an OIDC conformant endpoint. You can use the /oauth/token endpoint instead,

jsheehan · May 22, 2017, 7:30pm

Prashant,
Thank you. I know I read online that you need to pass id_token. I’ll try to find that reference and forward it.
Thanks again
John

jsheehan · May 22, 2017, 7:48pm

Hi Prashant,
Can you tell me where my API says HS256? I’m following the quickstart from GitHub.
John

jsheehan · May 22, 2017, 9:37pm

Prashant
My server code is reduced to :
var domain = $“https://{ConfigurationManager.AppSettings"Auth0Domain”]}/“;
var apiIdentifier = ConfigurationManager.AppSettings"Auth0ApiIdentifier”];

        var keyResolver = new OpenIdConnectSigningKeyResolver(domain);
        app.UseJwtBearerAuthentication(
            new JwtBearerAuthenticationOptions
            {
                AuthenticationMode = AuthenticationMode.Active,
                TokenValidationParameters = new TokenValidationParameters()
                {
                    ValidAudience = apiIdentifier,
                    ValidIssuer = domain,
                    IssuerSigningKeyResolver = (token, securityToken, identifier, parameters) => keyResolver.GetSigningKey(identifier)
                }
            });

My auth0 client is configured to RS256

Postmand
https://localhost:44309/api/railroads/ping/secure Authorization header : bearer access_token

Sill 401 Unauthorized. I use this accent_token in another client to access Autho0 and it works fine.

The code sample shows :

// Configure Web API
WebApiConfig.Configure(app);

what does this do … I do not have Configure method on my WebApiConfig , just a Register

jsheehan · May 23, 2017, 1:11am

Our ASP.NET MVC project is newer and seems to have a newer structure. Anyways we are still failing if you have any ideas.

jsheehan · May 22, 2017, 7:30pm

Prashant,
Thank you. I know I read online that you need to pass id_token. I’ll try to find that reference and forward it.
Thanks again
John

jsheehan · May 22, 2017, 7:48pm

Hi Prashant,
Can you tell me where my API says HS256? I’m following the quickstart from GitHub.
John

jsheehan · May 23, 2017, 1:11am

Our ASP.NET MVC project is newer and seems to have a newer structure. Anyways we are still failing if you have any ideas.

prashantT · May 23, 2017, 9:21am

Please see my updated answer above. As a side note, if providing additional information or replying to a comment, please either update the questions, or use the comment feature, rather than posting as an answer.

Topic		Replies	Views
Jwt.verify fails although token and key work in the JWT.io debugger JWT.io auth0 , lambda	2	7129	October 14, 2018
Jwt audience invalid - It's client_id instead of the real audience Help	3	15003	August 29, 2019
Can't validate JWT token JWT.io jwt , auth0	10	2708	September 14, 2023
OWIN Web Auth Identifier Bug Help jwt , auth0 , api	9	6732	December 17, 2018
Auth0 Issued JWT has invalid issuer Help jwt , auth0 , api	2	9495	March 5, 2020

Id_token invalid on jwt.io site

Related topics