Tags: asp.net-web-api2, owin, auth0

Auth0 - Authenticating with RS256 using JWT on Owin with bearer-accessToken


While implementing Auth0 authentication/authorization with a normal embedded login, I am able to authenticate the user and get back a valid accessToken/idToken.

  • Initialization

    webAuth = new auth0.WebAuth({
        domain: 'xxx.auth0.com',
        clientID: 'myclientid',
        responseType: 'token id_token'
    });
    
  • Successfully getting token.

    webAuth.client.login({
        realm: _Connection,
        username: '[email protected]',
        password: 'password',
        audience: 'https://xxx.auth0.com/api/v2/',
        scope: 'openid profile email'
    }, function (err, result) {
        if (!err) {
            // The access token returned by login is what the API receives as the bearer token.
            var token = result.accessToken;
            webAuth.client.userInfo(token, function (userInfoErr, user) {
                if (userInfoErr) { return; }
                var ajaxAdapter = breeze.config.getAdapterInstance("ajax");
                // Setting bearer token at global level.
                ajaxAdapter.defaultSettings = {
                    headers: { "Authorization": "Bearer " + token }
                };
                myAPICall(user.email).then({}).fail({});
            });
        }
    });
    
  • Server code which is validating RS256 signed JWT with OWIN.

    private void ConfigureAuthZero(IAppBuilder app)
    {
        var issuer = $"https://{ConfigurationManager.AppSettings["Auth0:Domain"]}/";
        var audience = ConfigurationManager.AppSettings["Auth0:ClientID"];
        // Read here but not used below.
        var apiIdentifier = ConfigurationManager.AppSettings["Auth0:ApiIdentifier"];
        app.UseCors(Microsoft.Owin.Cors.CorsOptions.AllowAll);
        // Auth0 tenant signing certificate, used to verify the RS256 signature.
        string certificatePath = HostingEnvironment.MapPath("~/mycertificate.cer");
        var certificate = new X509Certificate2(certificatePath);
        app.UseJwtBearerAuthentication(
            new JwtBearerAuthenticationOptions
            {
                AuthenticationMode = AuthenticationMode.Active,
                TokenValidationParameters = new TokenValidationParameters()
                {
                    ValidAudience = audience,
                    ValidIssuer = issuer,
                    IssuerSigningKeyResolver = (token, securityToken, identifier, parameters) => new X509SecurityKey(certificate)
                }
            });
    }
    

My Problem:

The above server code won't authorize the user. But if I set ValidAudience = "https://xxx.auth0.com/api/v2/", i.e. to the Auth0 API Identifier, then the API method successfully authorizes the user (status 200).

But then it won't give me ClaimsIdentity.Claims with ClaimTypes.Email.

What am I missing here?


Solution

  • My mistakes:

    1. I should pass ApiIdentifier as the ValidAudience value.
    2. As I was passing the accessToken while authorizing the user, the accessToken claims don't contain ClaimTypes.Email, so I need to set the rules in Auth0 as described in: How to set the rules in Auth0. Later I can check this in my server API logic (code below) to validate the user.
      (User.Identity as ClaimsIdentity)?.Claims.FirstOrDefault(c => c.Type == "you-have-set-this-rule-in-auth0")?.Value;

    Just to add on, the link is worth reading while implementing Auth0. Auth0 has provided a nice NuGet package, Auth0.OpenIdConnectSigningKeyResolver, which is put to good use in the link provided above.