Two different token fetched via swagger and python

Hi,
I am building a Webapi .net core 3. I have setup Auth0 with API and the Test Application.
I can use the quick start example code to fetch the token with no issues. The token has the scopes I required.
But when I setup my swagger with code piece as below

 options.AddSecurityDefinition("oauth2", new OpenApiSecurityScheme
                {
                    Type = SecuritySchemeType.OAuth2,
                    In = ParameterLocation.Header,
                    Name = "Authorisation",
                    Scheme = "bearer",
                    Flows = new OpenApiOAuthFlows
                    {
                        Implicit = new OpenApiOAuthFlow
                        {
                            TokenUrl = new Uri($"https://{configuration["Authorization:Domain"]}/oauth/token"),
                            AuthorizationUrl = new Uri($"https://{configuration["Authorization:Domain"]}/authorize?audience={configuration["Authorization:Audience"]}"),
                            Scopes = new Dictionary<string, string>
                            {
                                { "FullAccess",
                                 "FullAccess"
                                },
                            }
                        }
                    }
                });
                options.AddSecurityRequirement(new OpenApiSecurityRequirement
                {
                    {
                        new OpenApiSecurityScheme
                        {
                            Reference = new OpenApiReference { Type = ReferenceType.SecurityScheme, Id = "oauth2" }
                        },
                        new string[]{ }
                    }
                });

The token was different from the one via quickstart example.

The correct one is this.
image
But the one with no scopes returned like this.

Both use the same credentials and audience, looks like they are reaching at different flows?
Any advice and help would be highly appreciated.

Hi @kun.leeing :wave:

Iā€™m no .Net Core 3 expert, so I canā€™t help you with the specifics of your code. But I can see from the tokens you shared a few different things that you might want to investigate further, in no particular order:

  1. The ā€œcorrectā€ token seems to have been issued using Client Credentials Flow, while the one with ā€œno scopesā€ appears to have been issued using Authorization Code Flow. These flows behave very differently: the former typically has the scope of access pre-defined, while the latter typically requires explicit user consent for any desired scopes (though that very much depends on how your API is set up in Auth0). With the latter token generation, might it be the case that the user explicitly denies the required scope(s)? :thinking:

  2. The token with ā€œno scopesā€ seems to have email custom claims added, so this suggests you have some Action(s) or Rule(s) executing. So you may want to double-check that these arenā€™t doing anything untoward :slightly_smiling_face:

2 Likes

Hi @peter.fernandez :wave: :grinning:,

Thanks a million for your reply and this wonderful analysis.
You are absolutely right! Then my focus becomes to how to add that same ā€˜scopeā€™ from ClientCredential flow to Authorization Code flow now.
I guess I probably need to create/edit an Action for adding the scopes to the specific user?

And if I would like to use ClientCredential flow, I see I canā€™t transfer Audience via query string like

new Uri($ā€œhttps://{configuration[ā€œAuthorization:Domainā€]}/authorize?audience={configuration[ā€œAuthorization:Audienceā€]}ā€)

1 Like

Thanks for the update @kun.leeing :slightly_smiling_face: As I say, Iā€™m not a .Net Core 3 expert. However our Auth0 ASP.NET Core Web API SDK Quickstarts: Authorization might be able to provide you what youā€™re looking for :thinking:

I guess I probably need to create/edit an Action for adding the scopes to the specific user?

So one can use an Action to modify the scopes returned if need be. But typically you would use standard operation defined as part of OAuth 2 workflow: namely by adding the required permissions to the the scope parameter typically passed to /Authorize (see here for an example). The Auth0 SDKs typically take care of the format for this, so you should be able to see how this is done by looking at Auth0 ASP.NET Core Web API SDK Quickstarts: Authorization.

And if I would like to use ClientCredential flow, I see I canā€™t transfer Audience via query string like
new Uri($ā€œhttps://{configuration[ā€œAuthorization:Domainā€]}/authorize?audience={configuration[ā€œAuthorization:Audienceā€]}ā€)

Client Credentials flow doesnā€™t use the /Authorize endpoint, but rather uses the /token endpoint directly - see here for details. Because there is no user context associated with Client Credentials, obtaining tokens using the grant does not require any browser based workflow. So the call to the /token endpoint is typically performed via an HTTP post. The audience parameter is definitely supported - so Auth0 know which API (resource sever) is being targeted. But scope is not a supported parameter as there is no need/way to obtain consent.

Hope this helps :sunglasses:

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.