auth0-samples / auth0-aspnetcore-webapi-samples Goto Github PK

There appears to be no way to make this work. The calls always result in unauthorized 401 errors.

Will support come for this for .NET 6? I was using the tutorial here; https://auth0.com/docs/quickstart/backend/aspnet-core-webapi/01-authorization but it doesn't seem for the recent version, which has no more startup.cs , and it looks like a lot of the project was updated last years ago.

Click on that link results with

in the 01-Authorization example or in the official website there is nothing about the validation issuer signing key,
but in old versions ".net framework", there was an example in validation it,

in this example, is this just fine to validate the token?

var domain = $"https://{Configuration["Auth0:Domain"]}/";
services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
.AddJwtBearer(options =>
{
  options.Authority = domain;
  options.Audience = Configuration["Auth0:Audience"];
});

or I need to write IssuerSigningKeyResolver to get jwks from the ".well-known/jwks.json" path, like this?

var domain = $"https://{Configuration["Auth0:Domain"]}/";
services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
.AddJwtBearer(options =>
{
  options.Authority = domain;
  options.Audience = Configuration["Auth0:Audience"];
  options.TokenValidationParameters = new TokenValidationParameters
     {
         ValidateIssuerSigningKey = true,
         IssuerSigningKeyResolver = (token, securityToken, kid, parameters) =>
         {
             var client = new HttpClient();
             var jwksUri = new Uri($"{domain}.well-known/jwks.json");
             var jwksJson = client.GetStringAsync(jwksUri).GetAwaiter().GetResult();

             var jwks = JsonConvert.DeserializeObject<JsonWebKeySet>(jwksJson);
             return jwks.Keys;
         }
     };

});

Following the same setup,

Here is a fiddler request

Host: localhost:5000
Connection: keep-alive
Authorization: Bearer jXFxGSgB3thqIQ0O
Origin: http://localhost:4200
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36
Access-Control-Allow-Origin: *
Accept: application/json, text/plain, */*
Referer: http://localhost:4200/home/devices
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.8

If I subscribe to the OnChallenge event:

 var options = new JwtBearerOptions
            {
                Audience = Configuration["Auth0:ApiIdentifier"],
                Authority = $"https://{Configuration["Auth0:Domain"]}/",
                Events = new JwtBearerEvents
                {
                    OnChallenge = context =>
                    {
                        var ctx = context;
                        return Task.CompletedTask;
                    }
            };

I am getting the following error:
No SecurityTokenValidator available for token: <access_token>

I've followed this and the handler never finds the claims because their always empty. Either the documentation is incomplete or this is out of date because it doesn't work and there no decent documentation on how to do this. None of the guides on the website work either.

User.Claims is empty in HandleRequirementAsync.

The sample makes use of Fiddler, so it might be nice to find a few words on how to set this tool up to match the experience shown at

The template DotNetCore v1.1 work fine, but this one with DotNetCore v2.0 the ping method return code 401:

info: Microsoft.AspNetCore.Hosting.Internal.WebHost[1]
Request starting HTTP/1.1 OPTIONS http://localhost:5000/api/ping/secure
info: Microsoft.AspNetCore.Cors.Infrastructure.CorsService[4]
Policy execution successful.
info: Microsoft.AspNetCore.Hosting.Internal.WebHost[2]
Request finished in 18.6146ms 204
info: Microsoft.AspNetCore.Hosting.Internal.WebHost[1]
Request starting HTTP/1.1 GET http://localhost:5000/api/ping/secure application/json
info: Microsoft.AspNetCore.Cors.Infrastructure.CorsService[4]
Policy execution successful.
info: Microsoft.AspNetCore.Authorization.DefaultAuthorizationService[2]
Authorization failed for user: (null).
info: Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker[3]
Authorization failed for the request at filter 'Microsoft.AspNetCore.Mvc.Authorization.AuthorizeFilter'.
info: Microsoft.AspNetCore.Mvc.ChallengeResult[1]
Executing ChallengeResult with authentication schemes ().
info: Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler[2]
Successfully validated the token.
info: Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler[12]
AuthenticationScheme: Bearer was challenged.
info: Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker[2]
Executed action WebAPIApplication.Controllers.PingController.PingSecured (WebAPIApplication) in 482.9601ms
info: Microsoft.AspNetCore.Hosting.Internal.WebHost[2]
Request finished in 522.6374ms 401

https://speakerdeck.com/leastprivilege/implementing-authorization-for-applications-and-apis?slide=19

(AUTH-4024)
See: dotnet/announcements#12
Need to updated samples dependencies version to fix vulnerabilities in ASP.NET Core

There's no error message displayed while calling the API without a proper access_token

It should be displayed an error message specifing the error code.

I have used your sample code to retrieve the user information. But the response only includes the 'sub' claim. All the other properties are null.

Also a manuel request with Postman has the same outcome.

I only get a real result if I request the userinfo-endpoint with the POST method and add the access_token to the post data. Is the API outdated or do I something wrong?

auth0-samples/auth0-aspnetcore-mvc-samples#32