Swagger OpenId Security Scheme on ASPNET Core

I’ve followed the instructions found in this post on setting up a swagger security scheme to authenticate during testing. When I click on “Authorize”, I am prompted to login as expected and am taken through my social login flow as expected. The problem comes after I’ve successfully authenticated.

The issue is that it appears to be using the incorrect token in order to talk to the server. The token seems really short and my server rejects with the following message

content-length: 0
date: Sun,05 Dec 2021 19:09:46 GMT
server: Kestrel
www-authenticate: Bearer error=“invalid_token”

In my Auth0 dashboard, I’ve created a separate application in my environment just for swagger, so it can have all it’s own configuration. It’s created as a SPA, and as I said, it redirects as expected and the auth flow appears to work.

In my Startup.cs, I’ve configured swagger as follows.

services.AddSwaggerGen(c =>
	c.CustomSchemaIds(type => type.ToString());
	c.SwaggerDoc("v1", new OpenApiInfo
		Title = "cannect Bridge",
		Description = "REST API Definition",
		Version = "v1"
	c.AddSecurityDefinition(JwtBearerDefaults.AuthenticationScheme, new OpenApiSecurityScheme
		Name = "Authorization",
		Scheme = JwtBearerDefaults.AuthenticationScheme,
		In = ParameterLocation.Header,
		Type = SecuritySchemeType.OAuth2,
		Flows = new OpenApiOAuthFlows
			Implicit = new OpenApiOAuthFlow
				Scopes = new Dictionary<string, string>
					{"openid", "Open Id"},
					{"email", "User Email"},
					{"sub", "User ID"},
					{"aud", "Audience"},
					{"offline_access", "Offline Access"}
				AuthorizationUrl = new Uri($"{Configuration["Auth0:Authority"]}/authorize")
	c.AddSecurityRequirement(new OpenApiSecurityRequirement
			new OpenApiSecurityScheme
				Reference = new OpenApiReference
					Type = ReferenceType.SecurityScheme,
					Id = JwtBearerDefaults.AuthenticationScheme
				Scheme = "oauth2",
				Name = JwtBearerDefaults.AuthenticationScheme,
				In = ParameterLocation.Header

	.AddJwtBearer(options =>
		options.Authority = Configuration["Auth0:Authority"];
		options.Audience = Configuration["Auth0:Audience"];
		// If the access token does not have a `sub` claim, `User.Identity.Name` will be `null`. Map it to a different claim by setting the NameClaimType below.
		options.TokenValidationParameters = new TokenValidationParameters
			NameClaimType = ClaimTypes.NameIdentifier

And when I configure SwaggerUI

app.UseSwaggerUI(c =>
	c.SwaggerEndpoint("/swagger/v1/swagger.json", "cannect Bridge v1");

Am I missing something obvious here? How come I cannot get a full JWB Bearer Token when authenticating this way? The AuthToken isn’t enough for my system, and ASPNET Core complains.

1 Like