Auth0 - Authenticating with RS256 using JWT on Owin with bearer-accessToken

1
votes

While implementing Auth0 Authentication/Authorization with a normal embedded login, I am able to authenticate the user and gets back the valid accessToken/idToken.

  • Initialization

    webAuth = new auth0.WebAuth({
    domain: 'xxx.auth0.com',
    clientID: 'myclientid',
    responseType: 'token id_token'
});

  • Successfully getting token.

    webAuth.client.login({
    realm: _Connection,
    username: '[email protected]',
    password: 'password',
    audience: 'https://xxx.auth0.com/api/v2/',
    scope: 'openid profile email'
}, function (err, args) {
    if (!err) 
      {
       webAuth.client.userInfo(token, function (args, authUserData) {
        var ajaxAdapter = breeze.config.getAdapterInstance("ajax");
        ***Setting bearer token to Global level.**
        ajaxAdapter.defaultSettings = {
         headers: ({ "Authorization": "Bearer " + token })
        };
        myAPICall(args.email).then({}).fail({});
       });
    }
});

  • Server code which is validating RS256 signed JWT with OWIN.

    private void ConfigureAuthZero(IAppBuilder app)
{
    var issuer = $"https://{ConfigurationManager.AppSettings["Auth0:Domain"]}/";
    var audience = ConfigurationManager.AppSettings["Auth0:ClientID"];
    var apiIdentifier = ConfigurationManager.AppSettings["Auth0:ApiIdentifier"];
    app.UseCors(Microsoft.Owin.Cors.CorsOptions.AllowAll);
    string certificatePath = HostingEnvironment.MapPath("~/mycertificate.cer");
    var certificate = new X509Certificate2(certificatePath);
    app.UseCors(Microsoft.Owin.Cors.CorsOptions.AllowAll);
    app.UseJwtBearerAuthentication(
        new JwtBearerAuthenticationOptions
        {
            AuthenticationMode = AuthenticationMode.Active,
            TokenValidationParameters = new TokenValidationParameters()
            {
                ValidAudience = audience,
                ValidIssuer = issuer,
                IssuerSigningKeyResolver = (token, securityToken, identifier, parameters) => new X509SecurityKey(certificate)
            }
        });
}

My Problem:

The above server code won't authorize the user. But if I set ValidAudience = "https://xxx.auth0.com/api/v2/" i.e to Auth0 API Identifier, then the API method successfully authorizes (status 200) the user.

But this time it won't give ClaimsIdentity.Claims with ClaimTypes.Email

What am I missing here?

1
asp.net-web-api2owinauth0

1 Answers

0
votes

My mistakes:

  1. I should pass ApiIdentifier to ValidAudience value.
  2. As I was passing accessToken while authorizing the user, by the time the accessToken claims doesn't contain the ClaimTypes.Email, so I need to set the rules in Auth0 as:How to set the rules in Auth0. Which later I can check in my server api logic as(below code) to validate the user.
    (User.Identity as ClaimsIdentity)?.Claims.FirstOrDefault(c => c.Type == "you-have-set-this-rule-in-auth0")?.Value;

Just to Add-on, The Link worth reading while implementing the Auth0. Auth0 has provided a nice nuget package Auth0.OpenIdConnectSigningKeyResolver which has a nice use in the above provided link.