While implementing Auth0 authentication/authorization with a normal embedded login, I am able to authenticate the user and get back a valid accessToken/idToken.
Initialization:
// auth0.js v9 client; the tenant domain and client ID identify this application
webAuth = new auth0.WebAuth({
    domain: 'xxx.auth0.com',
    clientID: 'myclientid',
    responseType: 'token id_token'   // ask for both an access token and an ID token
});
Successfully getting the token:
webAuth.client.login({
    realm: _Connection,
    username: '[email protected]',
    password: 'password',
    audience: 'https://xxx.auth0.com/api/v2/',   // Management API identifier
    scope: 'openid profile email'
}, function (err, authResult) {
    if (err) { return; }
    // The access token is what the API receives; the ID token is for this client only.
    var token = authResult.accessToken;
    webAuth.client.userInfo(token, function (err, user) {
        if (err) { return; }
        var ajaxAdapter = breeze.config.getAdapterInstance("ajax");
        // Setting the bearer token at global level so every Breeze request carries it.
        ajaxAdapter.defaultSettings = {
            headers: { "Authorization": "Bearer " + token }
        };
        myAPICall(user.email).then(function () { }).fail(function () { });
    });
});
Server code which validates the RS256-signed JWT with OWIN:
using System.Configuration;
using System.IdentityModel.Tokens;   // System.IdentityModel.Tokens.Jwt 4.x; on 5.x use Microsoft.IdentityModel.Tokens and return IEnumerable<SecurityKey> from the resolver
using System.Security.Cryptography.X509Certificates;
using System.Web.Hosting;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Jwt;
using Owin;

private void ConfigureAuthZero(IAppBuilder app)
{
    var issuer = $"https://{ConfigurationManager.AppSettings["Auth0:Domain"]}/";
    var audience = ConfigurationManager.AppSettings["Auth0:ClientID"];
    var apiIdentifier = ConfigurationManager.AppSettings["Auth0:ApiIdentifier"];
    // AllowAll is the most permissive CORS policy; restrict origins in production.
    app.UseCors(Microsoft.Owin.Cors.CorsOptions.AllowAll);
    // Public signing certificate of the tenant, used to check the RS256 signature.
    string certificatePath = HostingEnvironment.MapPath("~/mycertificate.cer");
    var certificate = new X509Certificate2(certificatePath);
    app.UseJwtBearerAuthentication(
        new JwtBearerAuthenticationOptions
        {
            AuthenticationMode = AuthenticationMode.Active,
            TokenValidationParameters = new TokenValidationParameters()
            {
                ValidAudience = audience,   // the presented token's aud claim must contain exactly this value
                ValidIssuer = issuer,       // and its iss claim must equal this value
                IssuerSigningKeyResolver = (token, securityToken, identifier, parameters) => new X509SecurityKey(certificate)
            }
        });
}
My problem:
The above server code won't authorize the user.
But if I set ValidAudience = "https://xxx.auth0.com/api/v2/",
i.e. to the Auth0 API identifier, then the API method successfully authorizes the user (status 200).
But this time it won't give ClaimsIdentity.Claims with ClaimTypes.Email.
What am I missing here?
My mistakes:
// Read the namespaced claim that the Auth0 rule added to the access token.
(User.Identity as ClaimsIdentity)?.Claims.FirstOrDefault(c => c.Type == "you-have-set-this-rule-in-auth0")?.Value;
Just to add on, the link is worth reading while implementing Auth0. Auth0 has provided a nice NuGet package, Auth0.OpenIdConnectSigningKeyResolver, which is put to good use in the above-provided link.