
I'm Receiving An 'Unauthorized' Response When Trying to Access my WebAPI using the IdentityToken as my Bearer token

net
#1

I have the user log in to my WPF application using the Auth0 SDK. I then want the user to be able to access a WebAPI that I have. The WebAPI is set up in Auth0 as well. I can’t find any code examples that illustrate this process. I’ve followed the troubleshooter found here: Troubleshooting. I’ve had no success.

  1. I’ve confirmed my Domains match
  2. I’ve confirmed my ClientID \ Audiences match.
  3. I’ve confirmed I am using the correct decryption.
  4. I’ve configured the JWT middleware correctly using the code examples on the Auth0 website.
  5. My token has not expired.

I don’t receive an error in the Output window in Visual Studio. I simply receive a ‘StatusCode: 401, Unauthorized’ response.

I LOGIN AS FOLLOWS:

        var client = new Auth0Client(new Auth0ClientOptions
        {
            Domain = "DOMAIN.auth0.com",
            ClientId = "ABC123", //<-- ClientID of my application, NOT my WebAPI
            Scope = "openid profile offline_access"
        });           

        LoginResult loginResult = await client.LoginAsync();

I THEN TRY TO ACCESS MY API AS FOLLOWS:

    using (HttpClient httpClient = new HttpClient())
    {
        httpClient.DefaultRequestHeaders.Accept.Add( new MediaTypeWithQualityHeaderValue("application/json"));
        httpClient.BaseAddress = new Uri("https://localhost:12345/");
        httpClient.SetBearerToken(loginResult.IdentityToken);

        HttpRequestMessage request = new HttpRequestMessage(HttpMethod.Get, "api/products");
        // request.SetBearerToken(loginResult.AccessToken);
        
        HttpResponseMessage response = await httpClient.SendAsync(request);
    }

#2

I’ve made some progress. I now realize the reason this does not work is because I am receiving an access token as an opaque string rather than in the JWT format. This is likely because I have not set the ‘audience’ parameter for my API above when I log in. Set the Access Token Format. As far as I can see there is no way to set the audience parameter using the Auth0Client.

Given this, my solution will be to follow this Quick Start Guide: Mobile Login Flow Quick Start Guide

#3

OK. I’m fairly certain I’ve figured this out. This took A LOT of digging to find the only useful code example in C# found here: Web API Authorization Example in C# Using SDK [setting the ‘audience’].

This post was what led me to the answer.

Hope this helps others!

#4

I could not find any documentation on what ‘extraParameters’ Auth0Client.LoginAsync accepts as arguments. However, the Auth0OidcClient library is just a wrapper for the IdentityModel.OidcClient2 library. If you trace the source code it brings you to this AuthorizeClient class. Search for the method ‘CreateAuthorizeParameters’ to see what parameters are accepted. The only thing I do not understand is why this method accepts ‘audience’ as a parameter as it is not listed in this method from what I can see.
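
The diagnosis reached in posts #2 and #3 can be checked on the client before calling the API: an ID token carries the application's client ID in `aud`, an access token requested without `audience` is an opaque string, and only an access token issued for the API carries the API identifier. The following is an added example, not code from this thread or from Auth0; the `TokenCheck` class, its `Diagnose` method, the sample tokens and the API identifier `https://api.example.test/products` are constructed for illustration, and the check reads claims without verifying the signature.

```csharp
using System;
using System.Linq;
using System.Text;
using System.Text.Json;

static class TokenCheck   // hypothetical helper, not part of the Auth0 SDK
{
    // Base64url-decode one JWT segment ('-' and '_' alphabet, padding stripped).
    static byte[] B64Url(string s)
    {
        s = s.Replace('-', '+').Replace('_', '/');
        return Convert.FromBase64String(s.PadRight(s.Length + (4 - s.Length % 4) % 4, '='));
    }

    // Says whether an API expecting apiAudience could accept the token.
    // Claims are read only; signature validation stays in the API's JWT middleware.
    public static string Diagnose(string token, string apiAudience)
    {
        var parts = token.Split('.');
        if (parts.Length != 3)
            return "opaque token: not a JWT, so JWT middleware cannot validate it";
        try
        {
            using var doc = JsonDocument.Parse(Encoding.UTF8.GetString(B64Url(parts[1])));
            if (!doc.RootElement.TryGetProperty("aud", out var aud))
                return "JWT without an aud claim";
            // aud may be a single string or an array of strings.
            var auds = aud.ValueKind == JsonValueKind.Array
                ? aud.EnumerateArray().Select(a => a.GetString()).ToArray()
                : new[] { aud.GetString() };
            return auds.Contains(apiAudience)
                ? "aud matches the API"
                : "aud is [" + string.Join(", ", auds) + "], not the API: expect 401";
        }
        catch (Exception e) when (e is FormatException || e is JsonException || e is InvalidOperationException)
        {
            return "three segments, but the payload is not base64url-encoded JSON claims";
        }
    }

    static string Seg(string json) =>
        Convert.ToBase64String(Encoding.UTF8.GetBytes(json)).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    static void Main()
    {
        const string api = "https://api.example.test/products";   // constructed API identifier
        string hdr = Seg("{\"alg\":\"RS256\",\"typ\":\"JWT\"}");
        // Constructed, unsigned samples: ID token (aud = client ID), opaque string, API access token.
        string idToken = hdr + "." + Seg("{\"aud\":\"ABC123\",\"sub\":\"user1\"}") + ".sig";
        string apiToken = hdr + "." + Seg("{\"aud\":[\"" + api + "\"],\"sub\":\"user1\"}") + ".sig";
        foreach (var t in new[] { idToken, "kJ3xOpaqueSample", apiToken })
            Console.WriteLine(Diagnose(t, api));
    }
}
```

Running `Diagnose` on `loginResult.IdentityToken` and `loginResult.AccessToken` before sending the request shows which of the three cases applies.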