Sebastian Iacomuzzi siacomuzzi

  • Buenos Aires - Argentina
@siacomuzzi
siacomuzzi / gist:1832edeb905a9582a7dd
Last active September 19, 2017 09:43
[AUTH0] Using Microsoft.Owin.Security.Jwt authentication middleware with ASP.NET 5.0 (ASP.NET MVC 6)

project.json

{
  // ...
  "dependencies": {
    "Microsoft.AspNet.Server.IIS": "1.0.0-beta1",
    "Microsoft.AspNet.Mvc": "6.0.0-beta1",
    "Microsoft.AspNet.Owin": "1.0.0-beta1",
    "Microsoft.Owin": "3.0.0",
@siacomuzzi
siacomuzzi / gist:a822a7fa835e4d11a399
Last active August 18, 2021 01:04
[AUTH0] ASP.NET OWIN: Working with OpenID Connect

Since Auth0 exposes OIDC discovery documents (https://{YOU}.auth0.com/.well-known/openid-configuration), we can use the OpenID Connect middleware for Katana v3 (OWIN) to read that information and automatically configure our web app, so you don’t have to provide all the configuration values:

How to use it

  1. Install the NuGet package Microsoft.Owin.Security.OpenIdConnect (v3.x.x)
  2. Go to App_Start\Startup.Auth.cs, and replace your implementation with the following:
@siacomuzzi
siacomuzzi / gist:4fa48e32932473348fd2
Last active September 24, 2018 01:20
[AUTH0] ASP.NET Web Api: accept a JWT signed with RS256 algorithm

With Auth0, you can specify the algorithm used to sign your JWT tokens:

So in scenarios where you are signing JWTs with the RS256 algorithm, you need to make some changes to your ASP.NET Web Api in order to validate them properly.

NOTE: You can download your .cer file from https://{YOU}.auth0.com/cer endpoint.

ASP.NET Web Api (OWIN)

In the app.UseJwtBearerAuthentication call, just replace SymmetricKeyIssuerSecurityTokenProvider with X509CertificateSecurityTokenProvider, specifying your public signing key:

@siacomuzzi
siacomuzzi / repro_steps.md
Last active October 11, 2015 20:13
[FIXED] Can't use a generated ZUMO auth token with a Mobile Service .NET Backend

Repro steps

  1. For JS backend, create a table (TodoItem) and set the READ permission to "Authenticated User only".

  2. For .NET backend, set AuthorizationLevel.User in TodoItemController and publish the service:

// GET tables/TodoItem
[AuthorizeLevel(AuthorizationLevel.User)]
public IQueryable GetAllTodoItems()
@siacomuzzi
siacomuzzi / gist:f681cb4703ad3dc1a679
Created June 16, 2014 16:13
Call WAMS hosted APIs authenticated with Auth0
class Program
{
    private const string Auth0Domain = "{YOU}.auth0.com";
    private const string clientId = "{AUTH0_CLIENT_ID}";
    private const string targetClientId = "{THE_WAMS_CLIENT_ID_IN_AUTH0}";
    private const string id_token = "{USER_ID_TOKEN}";
    private const string wamsEndpoint = "https://auth0-tests.azure-mobile.net/tables/people";

    static void Main(string[] args)
    {