tonven
April 19, 2019, 10:24pm
1
Hi. I am using Auth0 with .NET Core and Swagger UI (Swashbuckle package). Everything works as expected and I am getting the token and scope permissions.
Still, I am not able to get email, openid and profile information from the token, because this data is not included in the token. I am talking only about Swagger UI now.
Is there any specific configuration for Swagger or Auth0 that needs to be done in order to get this information into the token?
I could find any example how to include additional claims to token.
Thank you.
1 Like
Could you post an example response you are receiving? Please make sure to omit sensitive data.
tonven
April 19, 2019, 10:53pm
4
```json
{
  "iss": "https://domain.auth0.com/",
  "sub": "auth0|…",
  "aud": "https://example.api",
  "iat": 1555704973,
  "exp": 1555712173,
  "azp": "…",
  "scope": "read:books write:books"
}
```
tonven
April 19, 2019, 10:56pm
5
```csharp
// Validate incoming bearer tokens as JWTs issued by the Auth0 tenant.
services.AddAuthentication(options =>
{
    options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
    options.DefaultSignInScheme = JwtBearerDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddJwtBearer(options =>
{
    options.Authority = Configuration["Auth0:Authority"];
    options.Audience = Configuration["Auth0:Audience"];
    // Allows metadata retrieval over plain HTTP; intended for development environments only.
    options.RequireHttpsMetadata = false;
});

// One authorization policy per API scope.
services.AddAuthorization(options =>
{
    options.AddPolicy("read:books", policy => policy.Requirements.Add(new HasScopeRequirement("read:books", Configuration["Auth0:Authority"])));
    options.AddPolicy("write:books", policy => policy.Requirements.Add(new HasScopeRequirement("write:books", Configuration["Auth0:Authority"])));
});

services.AddSwaggerGen(c =>
{
    c.SwaggerDoc("v1", new Info { Title = "Predictor API", Version = "v1" });
    var xmlFile = $"{Assembly.GetExecutingAssembly().GetName().Name}.xml";
    var xmlPath = Path.Combine(AppContext.BaseDirectory, xmlFile);
    c.IncludeXmlComments(xmlPath);

    // Swagger UI requests the token through the implicit flow.
    c.AddSecurityDefinition("oauth2", new OAuth2Scheme
    {
        Type = "oauth2",
        Flow = "implicit",
        // The audience parameter asks Auth0 for an access token for this API.
        AuthorizationUrl = $"{Configuration["Auth0:Authority"]}authorize?audience={Configuration["Auth0:Audience"]}",
        // Only the API scopes are offered in the Swagger UI authorize dialog.
        Scopes = new Dictionary<string, string>
        {
            { "read:books", "Access read book operations" },
            { "write:books", "Access write book operations" }
        }
    });
    c.OperationFilter<SecurityRequirementsOperationFilter>();
});
```
This is my code.
1 Like
Do you have any custom rules that limit scopes?
Support clarified what was happening here, maybe this will help others.
The request I posted was doing two things: Asking for authorization for the https://localhost audience, and requesting an id token. The audience parameter appears unnecessary in this case. The id token scopes were being ignored because I had a rule running that restricted access token scopes. It turns out that in order to request e.g. the “email” scope for the id token, rules must allow that scope on access tokens as well.
…
tonven
April 20, 2019, 7:12am
7
No, I don’t. Running the request from the SPA results in returning all required scopes.
tonven
April 23, 2019, 1:31pm
8
@dan.woda any other recommendations?
@tonven Sorry for the delay, taking another look at this.
Take a look at scoping for a profile and email. You may need to add those to your request:
Just to double check, are you looking for an ID token or an access token?
Question: What is the difference between idToken and accessToken and why can’t I just use idToken to call my API?
Answer:
Auth0 uses two types of tokens:
JSON Web Tokens (JWT): Tokens that conform to the JSON Web Token (JWT) standard and contain information about an identity in the form of claims. They are self-contained in that it is not necessary for the recipient to call a server to validate the token.
Opaque tokens: Tokens in a proprietary format that typically contain some identifier …
1 Like
tonven
April 24, 2019, 8:43am
10
I am looking for an ID token. If I understand it correctly, it should include openid and profile information.
For authorizationUrl I am providing the audience in order to get it.
But I guess I am still getting an access token. Do I need to use the access token to get user information from the Auth0 API, or can I directly get an ID token using Swagger?
1 Like
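The access token versus ID token question raised in this thread, as an added example that is not part of any post and is not Auth0's code: a Python sketch that decodes a JWT payload without verifying it, classifies the token, and lists the OIDC scopes it was not granted. The sample token is constructed from the claim layout posted above with placeholder values; the `diagnose` heuristics and the `PROFILE_CLAIMS` list are assumptions for illustration.

```python
import base64
import json

OIDC_SCOPES = ("openid", "profile", "email")
PROFILE_CLAIMS = ("email", "name", "nickname", "picture")  # assumed sample of profile claims

def decode_payload(jwt: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature (inspection only)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    segment = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))

def diagnose(claims: dict) -> dict:
    """Heuristic classification (assumption): a 'scope' claim marks an access token."""
    aud = claims.get("aud", [])
    audiences = [aud] if isinstance(aud, str) else list(aud)
    granted = claims.get("scope", "").split()
    profile = sorted(k for k in PROFILE_CLAIMS if k in claims)
    if "scope" in claims:
        kind = "access_token"
    elif "nonce" in claims or profile:
        kind = "id_token"
    else:
        kind = "unknown"
    is_access = kind == "access_token"
    return {
        "kind": kind,
        "audiences": audiences,
        "profile_claims": profile,
        "missing_oidc_scopes": [s for s in OIDC_SCOPES if is_access and s not in granted],
        # OIDC: the UserInfo endpoint expects an access token granted the openid scope
        "userinfo_usable": is_access and "openid" in granted,
    }

def _b64(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample: claim layout of the payload posted in the thread, placeholders for elided values
SAMPLE_CLAIMS = {
    "iss": "https://domain.auth0.com/", "sub": "auth0|PLACEHOLDER",
    "aud": "https://example.api", "iat": 1555704973, "exp": 1555712173,
    "azp": "PLACEHOLDER_CLIENT_ID", "scope": "read:books write:books",
}
SAMPLE_TOKEN = ".".join([_b64({"alg": "RS256", "typ": "JWT"}), _b64(SAMPLE_CLAIMS), "c2ln"])

if __name__ == "__main__":
    print(json.dumps(diagnose(decode_payload(SAMPLE_TOKEN)), indent=2))
```

For the posted payload the result is an access token addressed to the API with none of the OIDC scopes granted, which matches the absence of email and profile claims reported in the thread.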