Securing Blazor WebAssembly Apps

As far as I understand, your Action adds the custom claim to the ID token with a statement like the following:

api.idToken.setCustomClaim(`${namespace}/username`,  event.user.username);

You need to add the same custom claim to the access token with a statement like the following:

api.accessToken.setCustomClaim(`${namespace}/username`,  event.user.username);

This way, you will find the custom claim on the server side as well.

Remember: the API receives the access token, not the ID token, which is used to populate the client-side identity.

I hope this clarifies.

1 Like
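A quick check for the situation described above, as an added example that is not part of the original posts: it decodes the payloads of an ID token and an access token and lists the namespaced claims present in the first but missing from the second. The namespace `https://example.com`, the claim values and both tokens are constructed for illustration, and decoding here does not verify signatures.

```javascript
// Added example: tokens below are constructed and carry a dummy signature.
// Decoding a payload is a debugging aid only; the API must still validate
// the access token's signature, issuer and audience.
const NAMESPACE = "https://example.com"; // assumed namespace, not from the thread

function b64url(text) {
  return Buffer.from(text, "utf8").toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Build a constructed, JWT-shaped string (header.payload.signature).
function makeSampleToken(payload) {
  const header = { alg: "RS256", typ: "JWT" };
  return [b64url(JSON.stringify(header)), b64url(JSON.stringify(payload)),
    "constructed-signature"].join(".");
}

// Return the claims object of a compact JWT without verifying it.
function decodePayload(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("token is not a three-part JWT");
  return JSON.parse(Buffer.from(parts[1], "base64").toString("utf8"));
}

// Custom claims are the ones whose name starts with "<namespace>/".
function namespacedClaims(payload, ns) {
  return Object.keys(payload).filter((k) => k.startsWith(ns + "/")).sort();
}

// Claims set on the ID token that the API will not see in the access token.
function claimsMissingFromAccessToken(idToken, accessToken, ns) {
  const inAccess = new Set(namespacedClaims(decodePayload(accessToken), ns));
  return namespacedClaims(decodePayload(idToken), ns).filter((k) => !inAccess.has(k));
}

const claim = `${NAMESPACE}/username`;
const base = { sub: "auth0|constructed-user" };
const idToken = makeSampleToken({ ...base, aud: "constructed-client-id", [claim]: "jdoe" });
// Access token issued when only api.idToken.setCustomClaim(...) is called.
const accessTokenBefore = makeSampleToken({ ...base, aud: "https://api.example.com" });
// Access token issued once api.accessToken.setCustomClaim(...) is added.
const accessTokenAfter = makeSampleToken({ ...base, aud: "https://api.example.com", [claim]: "jdoe" });

console.log("before:", claimsMissingFromAccessToken(idToken, accessTokenBefore, NAMESPACE));
console.log("after: ", claimsMissingFromAccessToken(idToken, accessTokenAfter, NAMESPACE));
```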

That’s exactly what I needed, thank you so much. Such a simple mistake. Sometimes all you need is that extra set of eyes to see. :smile:

1 Like

Hello, I’m having a headache trying to get my WASM application to authenticate through Auth0.

I’ve followed the tutorial.

These are my client’s Program.cs and appsettings.json files:

These are the API’s Program.cs and appsettings.json files:

I’ve set up the SPA and API applications in the Auth0 dashboard. When running the application, I can successfully log in and I see the pages which are attributed as Authorized only when logged in.

However, the calls to my [Authorized] controller endpoints always result in 401, which I’ve noticed is a reoccurring problem here. I’m running .NET 6 and despite that I’ve tried setting up the tenant’s default audience, which did not help.

The request’s header does contain a bearer:

If anyone could help me figure out the mistake I keep making, please, I would highly appreciate it.

Hi @magoc.dan,
Welcome to the Auth0 Community!

I noticed that your API uses the following code to register authentication and authorization middleware:


The middleware registration order is important. You should first register the authentication middleware and then the authorization middleware, as proposed in the tutorial. In other words, your code should be as follows:


Check out this article to learn more about securing an ASP.NET Web API.

That… actually worked. Thank you very much for pointing it out!

1 Like

You are welcome! :slightly_smiling_face:

This was my issue. I missed this line and couldn’t figure out why my access token was invalid! Thanks a bunch. :grinning: