Valid Auth0 token no longer works after upgrading app to .NET Core 3.0

Hi,

We just upgraded our web API project from .NET Core 2.2 to .NET Core 3.0. After fixing all the breaking changes, I could finally test my API, but found that authentication is broken. The valid token from Auth0 no longer passes authentication. I always get a 401 Unauthorized error.

Has anybody seen the same problem?

Hi there @sally.xu and welcome to the Auth0 Community!

Are you seeing any more details related to the 401 in console or your Auth0 logs? Can you share a HAR file capture of the broken workflow and pass it through a direct message to me please? Be sure to select “Preserve log” to catch redirects and scrub the file of user passwords before passing, thanks!

Hi James,

Thanks for the response.

I’m sure the problem is not with the Auth0 token, but rather with the way .NET 3.0 decodes the token. I’m using Postman to test my API. No browser is involved.

Here are the steps to reproduce this problem:

  1. Download the sample code from the Auth0 quick start for my project (which is based on .NET Core 2.0).

  2. Test the project as is to make sure it works fine. Use Postman to test the private API route with a valid Auth0 token: http://localhost:3010/api/private. Working as expected.

  3. Migrate the project to .NET Core 3.0 (I followed the migration steps given by Microsoft: Migrate from ASP.NET Core 2.2 to 3.0 | Microsoft Learn). After the migration, re-test the API call. The public route works fine. Getting a 401 error on the private call. The token is no longer decoded correctly.

Basically we need a new quick start project which works for .NET 3.0. It seems Microsoft is pushing to move to 3.0. The end of support for v2.2 will be the end of Dec.

Thanks again.

You are correct @sally.xu, we don’t have a quick start focused around 3.0. I will reach out to our team and see what the plan is there.

In the meantime, can this blog article we released at the end of September be of any help, as it dives into the changes of .NET 3.0?

I read that blog a few times; it didn’t help with the issue. I’m guessing there is just one configuration setting we need to set in Startup.cs when calling service.AddJwtBearer(), but I’m not sure which setting.

Great news @sally.xu, @andrea.chiarelli just released his latest, Building and Securing Web APIs with ASP.NET Core 3.0, which touches on the JwtBearer. Take a look and let me know if this helps!

1 Like

Yes, the sample code provided in the blog helped. My project is working now.

The trick is in the following lines in the config function in Startup.cs:

app.UseAuthentication();
app.UseAuthorization(); // new in .Net Core 3.0

Also make sure to add app.UseAuthorization() AFTER app.UseAuthentication(). The order is important!!!

2 Likes
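The middleware ordering from the answer above, shown in a complete ASP.NET Core 3.0 `Startup.cs` as an added example (not code from the thread, the Auth0 quick start, or the blog post). The configuration keys `Auth0:Domain` and `Auth0:Audience` are assumed names, and the project is assumed to reference the `Microsoft.AspNetCore.Authentication.JwtBearer` package.

```csharp
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public Startup(IConfiguration configuration) => Configuration = configuration;

    public IConfiguration Configuration { get; }

    public void ConfigureServices(IServiceCollection services)
    {
        services
            .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                // Assumed configuration keys; set them to your tenant domain
                // and the API identifier the access token was issued for.
                options.Authority = $"https://{Configuration["Auth0:Domain"]}/";
                options.Audience = Configuration["Auth0:Audience"];
            });

        // 3.0 replacement for AddMvc() in an API-only project.
        services.AddControllers();
    }

    public void Configure(IApplicationBuilder app)
    {
        // Endpoint routing selects the endpoint (and its [Authorize]
        // metadata) first, so both auth middlewares go after UseRouting()
        // and before UseEndpoints().
        app.UseRouting();

        // Validates the bearer token and populates HttpContext.User.
        app.UseAuthentication();

        // Evaluates [Authorize] against HttpContext.User. If this runs
        // before UseAuthentication(), the user is still anonymous at this
        // point and a request with a valid token is answered with 401.
        app.UseAuthorization();

        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }
}
```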

Happy to know that my post has been useful! :wave:

1 Like

That’s fantastic news @sally.xu! Thanks @andrea.chiarelli for putting that together!

Please let us know if you have any questions in the future Sally!

1 Like
