I have a web app using Auth0 (configured as a regular web app) calling an API (also authorized with Auth0). I added the openid, profile, and email scopes when requesting an ID token. Following the tutorial here on Auth0, I am also getting an access token on user login by saving the token.
options.SaveTokens = true;
options.Events = new OpenIdConnectEvents
{
    OnRedirectToIdentityProvider = context =>
    {
        // Ask Auth0 for an access token for the API, not just an ID token
        context.ProtocolMessage.SetParameter("audience", "https://myapi/api");
        return Task.FromResult(0);
    }
};
I call my API using a typed httpclient. I initialize the base URI and authorization header by getting the access token from the httpcontext and calling the appropriate URI for the API.
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Http;

public class RepositoryClient
{
    private readonly HttpClient _httpClient;
    private readonly IHttpContextAccessor _httpContextAccessor;

    public RepositoryClient(HttpClient httpClient, IHttpContextAccessor httpContextAccessor)
    {
        _httpContextAccessor = httpContextAccessor;
        _httpClient = httpClient;
        var context = _httpContextAccessor.HttpContext;
        // Token saved in the auth cookie by SaveTokens; .Result blocks synchronously here
        var token = context.GetTokenAsync("access_token").Result;
        if (token != null)
        {
            _httpClient.BaseAddress = new Uri("https://localhost:44335/");
            _httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token);
        }
    }
}
I am able to access my API public and private methods correctly. In my API, the only validation is being done by the built-in JWT middleware:
string domain = $"https://{Configuration["Auth0:Domain"]}/";
services.AddAuthentication(options =>
{
    options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
}).AddJwtBearer(options =>
{
    // Signing keys are fetched from {Authority}.well-known/openid-configuration
    options.Authority = domain;
    // Must match the API identifier sent as "audience" by the web app
    options.Audience = Configuration["Auth0:ApiIdentifier"];
});
Based on this setup, do I need to do any additional validation? I read that the ASP.NET Core built-in JWT middleware will decode, validate, and do all the heavy lifting needed. All that is needed is the configuration above. Is this right, or do I need to do any additional validation?
Does the above configuration use the Authorization Code grant or the Client Credentials grant type? With the Authorization Code grant, you need to get an authorization code to get a new access token. How would I do it in this case where the user is already logged in? The only way I could get a new access token was by using the Client Credentials grant (and I had to also authorize my regular web app in the Auth0 API in order to even request a new access token). How do I go about it without a Client Credentials grant, or is that not possible? Should I instead be getting a refresh token and going that way (by enabling offline_scope)? My web app will only be used when you have internet access, so I wanted to clarify.
Also, in my repository client, I am not checking to verify that the access token has not expired. Should I always be checking this? I.e., is the correct thing to do to extract the access token, store it in a secure cookie, validate expiry, get a new access token, and update the cookie?
If anyone could help me with above questions, that would be really appreciated.
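The expiry check asked about above, as an added example that is not code from the question or from Auth0: a DelegatingHandler that reads the access token and the `expires_at` value the OpenID Connect handler stores alongside it when `SaveTokens` is true, attaches the bearer header per request instead of in the constructor, and refuses to send a token that is expired or about to expire so the caller can re-challenge the user. The class names `BearerTokenHandler` and `AccessTokenExpiredException` and the 30-second skew are assumptions.

```csharp
using System;
using System.Globalization;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Http;

// Hypothetical handler: attaches the saved Auth0 access token to each outgoing API
// call and blocks the call when the token is expired, instead of sending it and
// relying on the API's 401 response.
public class BearerTokenHandler : DelegatingHandler
{
    private readonly IHttpContextAccessor _accessor;
    // Assumed skew: treat a token as expired this long before its real expiry.
    private static readonly TimeSpan Skew = TimeSpan.FromSeconds(30);

    public BearerTokenHandler(IHttpContextAccessor accessor) => _accessor = accessor;

    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken ct)
    {
        var context = _accessor.HttpContext
            ?? throw new InvalidOperationException("No HttpContext for API call.");
        // Both values are stored in the auth cookie by SaveTokens = true.
        var token = await context.GetTokenAsync("access_token");
        var expiresAt = await context.GetTokenAsync("expires_at");  // ISO 8601 string
        if (string.IsNullOrEmpty(token) || IsExpired(expiresAt))
            throw new AccessTokenExpiredException();  // caller re-challenges sign-in
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
        return await base.SendAsync(request, ct);
    }

    // True when expires_at is missing, unparsable, or within Skew of now.
    public static bool IsExpired(string expiresAt, DateTimeOffset? now = null)
    {
        if (!DateTimeOffset.TryParse(expiresAt, CultureInfo.InvariantCulture,
                DateTimeStyles.RoundtripKind, out var exp))
            return true;
        return exp - Skew <= (now ?? DateTimeOffset.UtcNow);
    }
}

public class AccessTokenExpiredException : Exception { }

// Registration in ConfigureServices (replaces setting the header in the constructor):
//   services.AddHttpContextAccessor();
//   services.AddTransient<BearerTokenHandler>();
//   services.AddHttpClient<RepositoryClient>(c => c.BaseAddress = new Uri("https://localhost:44335/"))
//           .AddHttpMessageHandler<BearerTokenHandler>();
```

With this in place the token no longer needs to be copied into a separate cookie; it already lives in the authentication cookie, and the handler re-reads it on every request so a refreshed token is picked up automatically.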