
Id_token invalid on jwt.io site

jwt

#1

I build into my server the example server code:

    public void ConfigureAuth(IAppBuilder app)
    {
        var domain = $"https://{ConfigurationManager.AppSettings["Auth0Domain"]}/";
        var apiIdentifier = ConfigurationManager.AppSettings["Auth0ApiIdentifier"];

        // First registration: RS256 tokens, signing key fetched from the tenant's OIDC metadata
        var keyResolver = new OpenIdConnectSigningKeyResolver(domain);
        app.UseJwtBearerAuthentication(
            new JwtBearerAuthenticationOptions
            {
                AuthenticationMode = AuthenticationMode.Active,
                TokenValidationParameters = new TokenValidationParameters()
                {
                    ValidAudience = apiIdentifier,
                    ValidIssuer = domain,
                    IssuerSigningKeyResolver = (token, securityToken, identifier, parameters) => keyResolver.GetSigningKey(identifier)
                }
            });

        // Configure Web API
        // WebApiConfig.Configure(app);

        var issuer = domain;
        var audience = apiIdentifier;

        byte[] byt = System.Text.Encoding.UTF8.GetBytes("MYCLEARTEXTSECRET");
        var secret = Convert.ToBase64String(byt);

        // Second registration: HS256 tokens, verified with a shared symmetric secret
        app.UseJwtBearerAuthentication(
            new JwtBearerAuthenticationOptions
            {
                AuthenticationMode = AuthenticationMode.Active,
                AllowedAudiences = new[] { audience },
                IssuerSecurityTokenProviders = new IIssuerSecurityTokenProvider[]
                {
                    new SymmetricKeyIssuerSecurityTokenProvider(issuer, secret)
                },
            });
    }

In my Controller I add:

    [Authorize]
    [HttpGet]
    [Route("ping/secure")]
    public IHttpActionResult PingSecured()
    {
        return Ok(new
        {
            Message = "All good. You only get this message if you are authenticated."
        });
    }
Finally, from Postman I try to GET server/api/ping/secure with the header bearer set to id_token.
I get the id_token from another client which deserializes var url = "https://railcomm.auth0.com/oauth/ro" into a class called AuthoBits0, which is simply:

    public class Auth0bits
    {
        [DataMember]
        public string id_token;
        [DataMember]
        public string access_token;
        [DataMember]
        public string token_type;
    }

Anyways, this id_token, when put into https://jwt.io/, returns invalid.
The GET from Postman passing this id_token also fails.


#2

To make secured calls to your API, you should be passing the access_token in the Authorization header, rather than the id_token. Your API also seems to be configured for HS256 tokens - please ensure that your API in Auth0 is configured to generate HS256 tokens. Note: We highly suggest the use of RS256 tokens rather than HS256; the Quickstart outlines how this can be setup in your API:

Update:

In order to call a secured API, you need to use an access_token that has been obtained from OIDC conformant endpoints, with the appropriate audience - /oauth/ro is not an OIDC conformant endpoint. You can use the /oauth/token endpoint instead,

https://auth0.com/docs/quickstart/backend/webapi-owin/00-getting-started
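The answer above comes down to four checks the OWIN middleware runs on every bearer token: signature (with the algorithm the API is configured for), issuer, audience and expiry. The following is an added example, not code from this thread or from the Auth0 quickstart, written in Python so it runs stand-alone. It mints an id_token-style token (aud = client_id) and an access_token-style token (aud = API identifier) with a constructed HS256 secret, then runs both through a validator that mirrors what TokenValidationParameters / AllowedAudiences enforce. The issuer, API identifier, client id and secret are placeholders; the raw secret bytes are used as the HMAC key, which is what the symmetric OWIN provider ends up with after decoding the base64 string the question's code hands it. RS256 differs only in where the key comes from (the tenant's JWKS instead of a shared secret); the other checks are identical.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholders; the real values come from the Auth0 dashboard.
ISSUER = "https://example-tenant.auth0.com/"   # what the OWIN code puts in ValidIssuer (trailing slash included)
API_IDENTIFIER = "https://api.example.com/"    # what it puts in ValidAudience (Auth0ApiIdentifier)
CLIENT_ID = "ExampleClientId123"               # the audience an id_token is minted for
API_SECRET = b"MYCLEARTEXTSECRET"              # constructed HS256 key, raw bytes


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_hs256(claims: dict, key: bytes) -> str:
    """Issuer side of the demo: build a compact JWT signed with HMAC-SHA256."""
    header = {"alg": "HS256", "typ": "JWT"}
    head = _b64url(json.dumps(header, separators=(",", ":")).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"


def validate(token: str, key: bytes, issuer: str, audience: str, now: float = None) -> list:
    """API side: return [] when the token is acceptable, otherwise the list of failed checks.

    The checks are the ones TokenValidationParameters enforces: signature
    (with the algorithm pinned), iss, aud and exp."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return ["malformed: expected header.payload.signature"]
    head, body, sig = parts
    try:
        header = json.loads(_b64url_decode(head))
        claims = json.loads(_b64url_decode(body))
    except (ValueError, UnicodeDecodeError):
        return ["malformed: header or payload is not base64url-encoded JSON"]

    failures = []
    # 1. Signature, with the algorithm pinned to what this API is configured for.
    #    Trusting the token's own alg header is how algorithm-confusion bugs start.
    if header.get("alg") != "HS256":
        failures.append(f"alg: API expects HS256, token header says {header.get('alg')!r}")
    else:
        expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            failures.append("signature: HMAC does not verify with this API's key")
    # 2. Issuer must equal ValidIssuer exactly, trailing slash included.
    if claims.get("iss") != issuer:
        failures.append(f"iss: expected {issuer!r}, got {claims.get('iss')!r}")
    # 3. Audience: an id_token is minted for the client_id, an access_token for
    #    the API identifier. aud may be a string or a list.
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if audience not in aud_list:
        failures.append(f"aud: expected {audience!r}, got {aud!r}")
    # 4. Expiry.
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        failures.append("exp: token is expired or has no exp claim")
    return failures


def demo(now: int = 1_700_000_000) -> dict:
    """Mint three tokens at a fixed clock and run each through the API's checks."""
    base = {"iss": ISSUER, "sub": "auth0|user1", "iat": now, "exp": now + 3600}
    id_token = mint_hs256({**base, "aud": CLIENT_ID}, API_SECRET)
    access_token = mint_hs256({**base, "aud": API_IDENTIFIER}, API_SECRET)
    foreign_key = mint_hs256({**base, "aud": API_IDENTIFIER}, b"some-other-secret")
    return {
        "id_token": validate(id_token, API_SECRET, ISSUER, API_IDENTIFIER, now),
        "access_token": validate(access_token, API_SECRET, ISSUER, API_IDENTIFIER, now),
        "foreign_key": validate(foreign_key, API_SECRET, ISSUER, API_IDENTIFIER, now),
    }


if __name__ == "__main__":
    for name, failures in demo().items():
        print(f"{name}: {'OK' if not failures else failures}")
```

Running it shows the access_token passing and the id_token failing on the aud check alone: the signature and issuer are fine, it was simply minted for a different audience, which is exactly the 401 the middleware returns. The third token shows the other common cause, a token signed by something other than the key the API trusts. Pasting a token into jwt.io only decodes it and checks the signature against whatever key you supply; it knows nothing about the audience your API expects, so a token can look fine there and still be rejected by the API.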


#3

Prashant,
Thank you. I know I read online that you need to pass id_token. I’ll try to find that reference and forward it.
Thanks again
John


#4

Hi Prashant,
Can you tell me where my API says HS256? I’m following the quickstart from GitHub.
John


#5

Prashant,
My server code is reduced to:

    var domain = $"https://{ConfigurationManager.AppSettings["Auth0Domain"]}/";
    var apiIdentifier = ConfigurationManager.AppSettings["Auth0ApiIdentifier"];

    var keyResolver = new OpenIdConnectSigningKeyResolver(domain);
    app.UseJwtBearerAuthentication(
        new JwtBearerAuthenticationOptions
        {
            AuthenticationMode = AuthenticationMode.Active,
            TokenValidationParameters = new TokenValidationParameters()
            {
                ValidAudience = apiIdentifier,
                ValidIssuer = domain,
                IssuerSigningKeyResolver = (token, securityToken, identifier, parameters) => keyResolver.GetSigningKey(identifier)
            }
        });

My Auth0 client is configured to RS256.

Postman:
https://localhost:44309/api/railroads/ping/secure, Authorization header: bearer access_token

Still 401 Unauthorized. I use this access_token in another client to access Auth0 and it works fine.

The code sample shows:

    // Configure Web API
    WebApiConfig.Configure(app);

What does this do? I do not have a Configure method on my WebApiConfig, just a Register.


#6

Our ASP.NET MVC project is newer and seems to have a newer structure. Anyways we are still failing if you have any ideas.


#10

Please see my updated answer above. As a side note, if providing additional information or replying to a comment, please either update the question or use the comment feature, rather than posting as an answer.