I think the problem is that in my web app controller, when I read the access_token, I should (I think) be reading the authorization code? Which I will in turn exchange for an access token? But if I look at my “User.Claims” object, it has “access_token”, “id_token”, etc. but not “code”. Unless the authorization has already been exchanged for an access token in the background (by some middleware)? That’s the problem with not fully understanding what I’m doing. For example, at which point does User.Claims get populated? Never thought I’d struggle so much with this…
In my Configure() method in Startup.cs, I do tell it to use “authentication code” response:
// Add the OIDC middleware
var options = new OpenIdConnectOptions("Auth0")
{
    // Set the authority to your Auth0 domain
    Authority = $"https://{auth0Settings.Value.Domain}",
    // Configure the Auth0 Client ID and Client Secret
    ClientId = auth0Settings.Value.ClientId,
    ClientSecret = auth0Settings.Value.ClientSecret,
    // Do not automatically authenticate and challenge
    AutomaticAuthenticate = false,
    AutomaticChallenge = false,
    // Set response type to code
    ResponseType = OpenIdConnectResponseType.Code,
    .....
So I guess maybe that is swapping the code for a token in the background? But why is the token so short? Probably like you mentioned, it’s because I’m not specifying an audience (i.e. my API) but I am… unless I’m doing it incorrectly?
// Set up JWT Bearer authentication first
app.UseJwtBearerAuthentication(new JwtBearerOptions
{
    Audience = auth0Settings.Value.ApiIdentifier,
    Authority = $"https://{auth0Settings.Value.Domain}/"
});
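Added example, not the poster's code and not Auth0's own sample: the ASP.NET Core 1.x wiring under which the OIDC middleware performs the code exchange itself, keeps the resulting tokens, asks for an API audience on the authorize request, and reads the token back in a controller. `SaveTokens`, the `OnRedirectToIdentityProvider` event and the `audience` parameter are assumptions not present in the post; the two fragments belong in Startup.Configure() and in a controller respectively.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;             // GetTokenAsync extension
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

// Fragment 1, Startup.Configure(): the same "Auth0" registration as in the post,
// plus the settings that decide what the controller sees later. auth0Settings is
// assumed to be the IOptions<Auth0Settings> from the post.
var options = new OpenIdConnectOptions("Auth0")
{
    Authority = $"https://{auth0Settings.Value.Domain}",
    ClientId = auth0Settings.Value.ClientId,
    ClientSecret = auth0Settings.Value.ClientSecret,
    AutomaticAuthenticate = false,
    AutomaticChallenge = false,
    // With response_type=code the browser only carries a one-time authorization
    // code. The middleware posts that code plus the client secret to the token
    // endpoint, gets id_token/access_token server-side, and signs the user in via
    // the cookie scheme; only from then on is User.Claims populated.
    ResponseType = OpenIdConnectResponseType.Code,
    // Keep the tokens from that exchange in the authentication properties so the
    // app can read them later (they are not claims on the principal).
    SaveTokens = true,
    Events = new OpenIdConnectEvents
    {
        OnRedirectToIdentityProvider = context =>
        {
            // Assumption: Auth0 honours an "audience" parameter on the authorize
            // request. The Audience on UseJwtBearerAuthentication only tells the
            // API what to accept; it does not change which token Auth0 issues.
            context.ProtocolMessage.SetParameter("audience", auth0Settings.Value.ApiIdentifier);
            return Task.CompletedTask;
        }
    }
};
app.UseOpenIdConnectAuthentication(options);

// Fragment 2, inside a controller: read the saved access token and check it is a
// JWT (three dot-separated segments) before forwarding it to the API. An opaque
// token, as issued when no audience was requested, has no such segments.
public async Task<IActionResult> CallApi()
{
    var accessToken = await HttpContext.Authentication.GetTokenAsync("access_token");
    var looksLikeJwt = accessToken != null && accessToken.Split('.').Length == 3;
    if (!looksLikeJwt)
        return BadRequest("No JWT access token was saved; check the audience parameter.");
    return Ok(); // send "Bearer " + accessToken in the Authorization header from here
}
```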