JWT audience invalid when posting to controller with [Authorize]

Platform: C#, Visual Studio ASP.NET 2.1 Core

I am trying to POST a form to a controller, and am using the AuthHttp service to make the post inside of a service:

create(volunteer) {
    return this.authHttp.post(this.volunteerEndpoint + '/CreateVolunteer', volunteer)
        .map(result => result.json());

Inside of my startup.cs file, I have the standard code in ConfigureServices:

        services.AddAuthentication(options =>
            options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;

        }).AddJwtBearer(options =>
            options.Authority = "https://mydomain.auth0.com/";
            options.Audience = "https://api.mydomain.com/";

along with the app.UseAuthentication() call in Configure.

Inside of auth.service.ts, I initialize the authentication.

auth0 = new auth0.WebAuth({
    clientID: AUTH_CONFIG.clientID,
    domain: 'auth.mydomain.tech',
    responseType: 'token id_token',
    audience: `https://${AUTH_CONFIG.domain}/userinfo`,
    redirectUri: AUTH_CONFIG.callbackURL,
    scope: 'openid email profile'

With the following variables

export const AUTH_CONFIG: AuthConfig = {
clientID: ‘xxxClientIDStringxxx’,
domain: ‘mydomain.auth0.com’,
callbackURL: ‘http://localhost:62659/

In the controller, I have post with the authorize tag

    public async Task<IActionResult> CreateVolunteer([FromBody] VolunteerSaveResource volunteerResource)
        if (!ModelState.IsValid) return BadRequest(ModelState);
        ----  code ----
        return Ok(result);

When I call the controller, I get the error from postman : WWW-Authenticate →Bearer error=“invalid_token”, error_description=“The audience is invalid”

I have read documentation, and I think the problem is that my the aut from the token doesn’t match the audience, but I think I have some fundamental misunderstanding of how to make that right. If I grab the HAR of the request, I see the bearer, and decoding it, I get aud equaling the xxxClientIDStringxxx as above.

So, is my problem in the startup.cs file, with the audience that I have specified? What is the relationship between the API and the Application? Do I need to somehow specify an audience there that is the same as the Application?

Matt was nice enough to assist me. Here is what worked.

The key link is here: https://auth0.com/docs/quickstart/spa/angular2/03-calling-an-api

I needed to make sure

  1. that the audience in startup.cs (options.Audience) and auth.service.ts was exactly the same.
  2. make sure that the authority in startup.cs (options.Authority) matches the one stored in “access_token”, which you can verify at http://jwt.io.

The problem then is that I needed to set the “token” field in local storage to the “access_token”. I stored “idToken” then as “id_token”, which contains the user personal information. “access_token” doesn’t contain user information.

My confusion was due to the application Quick Start guide, showed:

auth0 = new auth0.WebAuth({
clientID: 'xxClientIDxx,
domain: ‘mydomain.auth0.com’,
responseType: ‘token id_token’,
audience: ‘https://mydomain.auth0.com/userinfo’,
redirectUri: ‘http://localhost:3000/callback’,
scope: ‘openid’

This is really to grab user info, and I changed it as above, and a proper reading of the first link should have cleared it up for me. I think Matt indicated that I had to change it also because I was using a custom domain, but that was beyond me.

I’m having the same exact problem and keep reading your reply again and again for it to sink in but so far it’s not working.

Are you sending the id_token or access_token to the API when making a call from frontend client?


I’m having the same problem. I’m using the id_token because when I try the access_token it tells me it’s malformed. Have you figured this out?

Hey there!

Sorry for such huge delay in response! We’re doing our best in providing you with best developer support experience out there, but sometimes our bandwidth is not enough comparing to the number of incoming questions.

Wanted to reach out to know if you still require further assistance?

1 Like