Hi,
I am building a Webapi .net core 3. I have setup Auth0 with API and the Test Application.
I can use the quick start example code to fetch the token with no issues. The token has the scopes I required.
But when I setup my swagger with code piece as below
options.AddSecurityDefinition("oauth2", new OpenApiSecurityScheme
{
Type = SecuritySchemeType.OAuth2,
In = ParameterLocation.Header,
Name = "Authorisation",
Scheme = "bearer",
Flows = new OpenApiOAuthFlows
{
Implicit = new OpenApiOAuthFlow
{
TokenUrl = new Uri($"https://{configuration["Authorization:Domain"]}/oauth/token"),
AuthorizationUrl = new Uri($"https://{configuration["Authorization:Domain"]}/authorize?audience={configuration["Authorization:Audience"]}"),
Scopes = new Dictionary<string, string>
{
{ "FullAccess",
"FullAccess"
},
}
}
}
});
options.AddSecurityRequirement(new OpenApiSecurityRequirement
{
{
new OpenApiSecurityScheme
{
Reference = new OpenApiReference { Type = ReferenceType.SecurityScheme, Id = "oauth2" }
},
new string[]{ }
}
});
The token was different from the one via quickstart example.
Iām no .Net Core 3 expert, so I canāt help you with the specifics of your code. But I can see from the tokens you shared a few different things that you might want to investigate further, in no particular order:
The ācorrectā token seems to have been issued using Client Credentials Flow, while the one with āno scopesā appears to have been issued using Authorization Code Flow. These flows behave very differently: the former typically has the scope of access pre-defined, while the latter typically requires explicit user consent for any desired scopes (though that very much depends on how your API is set up in Auth0). With the latter token generation, might it be the case that the user explicitly denies the required scope(s)?
The token with āno scopesā seems to have email custom claims added, so this suggests you have some Action(s) or Rule(s) executing. So you may want to double-check that these arenāt doing anything untoward
Thanks a million for your reply and this wonderful analysis.
You are absolutely right! Then my focus becomes to how to add that same āscopeā from ClientCredential flow to Authorization Code flow now.
I guess I probably need to create/edit an Action for adding the scopes to the specific user?
And if I would like to use ClientCredential flow, I see I canāt transfer Audience via query string like
new Uri($āhttps://{configuration[āAuthorization:Domainā]}/authorize?audience={configuration[āAuthorization:Audienceā]}ā)
I guess I probably need to create/edit an Action for adding the scopes to the specific user?
So one can use an Action to modify the scopes returned if need be. But typically you would use standard operation defined as part of OAuth 2 workflow: namely by adding the required permissions to the the scope parameter typically passed to /Authorize (see here for an example). The Auth0 SDKs typically take care of the format for this, so you should be able to see how this is done by looking at Auth0 ASP.NET Core Web API SDK Quickstarts: Authorization.
And if I would like to use ClientCredential flow, I see I canāt transfer Audience via query string like
new Uri($āhttps://{configuration[āAuthorization:Domainā]}/authorize?audience={configuration[āAuthorization:Audienceā]}ā)
Client Credentials flow doesnāt use the /Authorize endpoint, but rather uses the /token endpoint directly - see here for details. Because there is no user context associated with Client Credentials, obtaining tokens using the grant does not require any browser based workflow. So the call to the /token endpoint is typically performed via an HTTP post. The audience parameter is definitely supported - so Auth0 know which API (resource sever) is being targeted. But scope is not a supported parameter as there is no need/way to obtain consent.