
Web api 2, owin, and secret

.net
owin
authnticate-api
web-api

#1

I have followed tutorials on pluralsight (https://app.pluralsight.com/library/courses/authenticating-angular-spa-aspnet-webapi-auth0/table-of-contents), the article you all did, https://auth0.com/blog/authenticating-your-angular-app-with-auth0-and-asp-net-owin/, and I still cannot connect.

using Microsoft.Owin.Security;
using Microsoft.Owin.Security.DataHandler.Encoder;
using Microsoft.Owin.Security.Jwt;
using Owin;

public void ConfigureAuth(IAppBuilder app)
{
    const string domain = "https://MY_DOMAIN.auth0.com/";
    var auth0ClientId = "COPIED_CLIENT_ID";
    var auth0ClientSecret = "COPIED_SECRET";

    // Decode the base64url secret to raw bytes, then re-encode as standard base64,
    // the form the string overload of SymmetricKeyIssuerSecurityTokenProvider takes.
    var base64Key = TextEncodings.Base64.Encode(TextEncodings.Base64Url.Decode(auth0ClientSecret));

    // note: I have also tried base64Key = TextEncodings.Base64Url.Decode(auth0ClientSecret) and this does not work either
    app.UseJwtBearerAuthentication(new JwtBearerAuthenticationOptions
    {
        AuthenticationMode = AuthenticationMode.Active,
        AllowedAudiences = new[] { auth0ClientId },
        IssuerSecurityTokenProviders = new IIssuerSecurityTokenProvider[]
        {
            new SymmetricKeyIssuerSecurityTokenProvider(domain, base64Key)
        }
    });
}

No matter what, I attempt to log in and it fails.

I’ll sign in via Postman by using the following:

URL: https://MY_DOMAIN.auth0.com/oauth/ro
Method: POST
Body: {
  "client_id": "MY_COPIED_CLIENT_ID",
  "connection": "Username-Password-Authentication",
  "username": "THE_USER@gmail.com",
  "password": "*********",
  "scope": "openid user_metadata scope"
}

I’ll try to hit the service by doing the following:

URL: http://localhost:53629/api/me/user
Method: GET
Headers: 
    Authorization: Bearer *received token id*
    Content-Type: application/json
    Accept: application/json

My token id is valid, and does have the proper payload:

{
  "user_metadata": {
    "edit-news": "write",
    "role": "admin"
  },
  "iss": "https://MY_DOMAIN.auth0.com/",
  "sub": "auth0|57d466cd42c0a9fe799ec97a",
  "aud": "AUTH_0_CLIENT_ID",
  "exp": 1493779997,
  "iat": 1493743997
}

My response is always the same:

{
  "message": "Authorization has been denied for this request."
}

Every time I run this, nothing happens and it’s driving me crazy. I love this tool, and we use it at work, but for some reason, I am struggling when it comes to setting this up with a personal project. I’m at the point where I started a new web api project just to see if I could get this working with hopes of transferring it to the actual project. I have even updated the secret to a new key via the dashboard in hopes of that fixing something.

This is the end point I’m hitting:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web;
using System.Web.Http;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.EntityFramework;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin.Security;
using Owin;
using WebApplication3.Models;

namespace WebApplication3.Controllers
{
    [Authorize]
    public class MeController : ApiController
    {

        public MeController()
        {
        }

        [Authorize]
        [HttpGet]
        [Route("user")]
        public async Task<IHttpActionResult> GetUser()
        {
            var claimsIdentity = User.Identity as ClaimsIdentity;

            // Extract tokens
            string accessToken = claimsIdentity?.Claims.FirstOrDefault(c => c.Type == "access_token")?.Value;
            string idToken = claimsIdentity?.Claims.FirstOrDefault(c => c.Type == "id_token")?.Value;
            string refreshToken = claimsIdentity?.Claims.FirstOrDefault(c => c.Type == "refresh_token")?.Value;

            return await Task.FromResult(Ok(new { accessToken, idToken, refreshToken }));
        }
    }
}

In the end, all I want is to be able to see the Bearer token in action.

Also, this is the package config. It’s a default of everything.

<?xml version="1.0" encoding="utf-8"?>
<packages>
  <package id="Antlr" version="3.4.1.9004" targetFramework="net462" />
  <package id="bootstrap" version="3.0.0" targetFramework="net462" />
  <package id="EntityFramework" version="6.1.3" targetFramework="net462" />
  <package id="jQuery" version="1.10.2" targetFramework="net462" />
  <package id="Knockout.Validation" version="1.0.1" targetFramework="net462" />
  <package id="knockoutjs" version="2.3.0" targetFramework="net462" />
  <package id="Microsoft.AspNet.Identity.Core" version="2.2.1" targetFramework="net462" />
  <package id="Microsoft.AspNet.Identity.EntityFramework" version="2.2.1" targetFramework="net462" />
  <package id="Microsoft.AspNet.Identity.Owin" version="2.2.1" targetFramework="net462" />
  <package id="Microsoft.AspNet.Mvc" version="5.2.3" targetFramework="net462" />
  <package id="Microsoft.AspNet.Razor" version="3.2.3" targetFramework="net462" />
  <package id="Microsoft.AspNet.Web.Optimization" version="1.1.3" targetFramework="net462" />
  <package id="Microsoft.AspNet.WebApi" version="5.2.3" targetFramework="net462" />
  <package id="Microsoft.AspNet.WebApi.Client" version="5.2.3" targetFramework="net462" />
  <package id="Microsoft.AspNet.WebApi.Core" version="5.2.3" targetFramework="net462" />
  <package id="Microsoft.AspNet.WebApi.HelpPage" version="5.2.3" targetFramework="net462" />
  <package id="Microsoft.AspNet.WebApi.Owin" version="5.2.3" targetFramework="net462" />
  <package id="Microsoft.AspNet.WebApi.WebHost" version="5.2.3" targetFramework="net462" />
  <package id="Microsoft.AspNet.WebPages" version="3.2.3" targetFramework="net462" />
  <package id="Microsoft.CodeDom.Providers.DotNetCompilerPlatform" version="1.0.0" targetFramework="net462" />
  <package id="Microsoft.Net.Compilers" version="1.0.0" targetFramework="net462" developmentDependency="true" />
  <package id="Microsoft.Owin" version="3.1.0" targetFramework="net462" />
  <package id="Microsoft.Owin.Host.SystemWeb" version="3.0.1" targetFramework="net462" />
  <package id="Microsoft.Owin.Security" version="3.1.0" targetFramework="net462" />
  <package id="Microsoft.Owin.Security.Cookies" version="3.0.1" targetFramework="net462" />
  <package id="Microsoft.Owin.Security.Facebook" version="3.0.1" targetFramework="net462" />
  <package id="Microsoft.Owin.Security.Google" version="3.0.1" targetFramework="net462" />
  <package id="Microsoft.Owin.Security.Jwt" version="3.1.0" targetFramework="net462" />
  <package id="Microsoft.Owin.Security.MicrosoftAccount" version="3.0.1" targetFramework="net462" />
  <package id="Microsoft.Owin.Security.OAuth" version="3.1.0" targetFramework="net462" />
  <package id="Microsoft.Owin.Security.Twitter" version="3.0.1" targetFramework="net462" />
  <package id="Microsoft.Web.Infrastructure" version="1.0.0.0" targetFramework="net462" />
  <package id="Modernizr" version="2.6.2" targetFramework="net462" />
  <package id="Newtonsoft.Json" version="7.0.1" targetFramework="net462" />
  <package id="Owin" version="1.0" targetFramework="net462" />
  <package id="Respond" version="1.2.0" targetFramework="net462" />
  <package id="Sammy.js" version="0.7.4" targetFramework="net462" />
  <package id="System.IdentityModel.Tokens.Jwt" version="4.0.0" targetFramework="net462" />
  <package id="WebGrease" version="1.5.2" targetFramework="net462" />
</packages>

Any help is greatly appreciated.

Thanks,
Kelly
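The "Authorization has been denied" response gives no hint which of the middleware's checks failed. Here is an added Python example (not from this thread, and not Auth0 or OWIN code) that reimplements what the JwtBearer middleware checks on an HS256 token, signature, alg, iss, AllowedAudiences and exp, and runs the signature check with both key derivations: the base64url decode the posted ConfigureAuth uses and the raw UTF-8 secret string. The issuer, client id and secret are constructed placeholders, and the sample token is signed locally so the script runs offline.

```python
import base64, binascii, hashlib, hmac, json
def b64url_decode(s):
    s = s.encode("ascii")
    return base64.urlsafe_b64decode(s + b"=" * (-len(s) % 4))
def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")

def sign_hs256(claims, key):
    # Constructed sample signer: an HS256 JWT shaped like a legacy Auth0 id_token.
    enc = lambda o: b64url_encode(json.dumps(o, separators=(",", ":")).encode())
    h, p = enc({"alg": "HS256", "typ": "JWT"}), enc(claims)
    sig = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"

def key_candidates(client_secret):
    # 'base64url' is what the posted ConfigureAuth does (TextEncodings.Base64Url.Decode);
    # 'utf8' uses the secret string as-is. Only the derivation the signer used verifies.
    cands = {"utf8": client_secret.encode("utf-8")}
    try:
        cands["base64url"] = b64url_decode(client_secret)
    except binascii.Error:
        pass  # not decodable as base64url, so that derivation is ruled out
    return cands

def validate(token, key, issuer, audience, now):
    # Mirror the JwtBearer checks; an empty result means the request would be authorized.
    h, p, s = token.split(".")
    failures = []
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        failures.append("alg is not HS256; a symmetric key provider cannot verify it")
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        failures.append("signature mismatch: key bytes differ from the signer's")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != issuer:
        failures.append(f"iss {claims.get('iss')!r} != {issuer!r}")
    if claims.get("aud") != audience:
        failures.append(f"aud {claims.get('aud')!r} not in AllowedAudiences")
    if claims.get("exp", 0) <= now:
        failures.append("token expired")
    return failures

def diagnose(token, client_secret, issuer, audience, now):
    return {n: validate(token, k, issuer, audience, now)
            for n, k in key_candidates(client_secret).items()}

# Constructed sample: placeholders from the thread; this tenant's secret is a plain string.
ISSUER, CLIENT_ID = "https://MY_DOMAIN.auth0.com/", "AUTH_0_CLIENT_ID"
SECRET = "constructed-plain-text-client-secret"
TOKEN = sign_hs256({"iss": ISSUER, "aud": CLIENT_ID, "exp": 1493779997}, SECRET.encode("utf-8"))
print(diagnose(TOKEN, SECRET, ISSUER, CLIENT_ID, now=1493750000))
```

For a real token, paste it into TOKEN together with the tenant's secret: the derivation whose list comes back empty is the one the middleware's key must match, and a non-empty list names the claim or algorithm check that produces the 401.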


#2

Our recommended approach to securing APIs is to use our new API Authorization features, which use access_token rather than id_token to secure your API. Have a read through the following docs that outline the new features:
https://auth0.com/docs/api-auth

We have a WebAPI (OWIN) quickstart you can follow to get this up and running:
https://auth0.com/docs/quickstart/backend/webapi-owin/00-getting-started


#3

Hi Prashant,

Thanks for the response, and from it, are you implying that the way I’m trying to do this no longer works?

For the stuff you did mention, will you please help clarify this? I actually started going down that path, but I read that was for backend apps that connected without user interaction.

For example,

The server could connect. It found the create:messages role, but I do not understand how a user connects to this. I did not understand how a user could log in and connect to the segregated API.

Thanks,
Kelly


#5

Using id_token can still work; however, it is not our recommended approach to securing APIs, now that we have rolled out our API Authentication/Authorization features. Can you please describe your use case in a bit more detail, e.g. the user flow, who you want to allow/prevent access to your API, etc.

