Setting up ASP.NET Core Web API - ob1dev/Auth0 GitHub Wiki

Now you need to create the Web API (green box) and wire it up with Auth0 (orange box).

Step 1: Create ASP.NET Core 2.1 Web API

In Visual Studio 2017, create a new ASP.NET Core Web Application project using the API template.

For more information see Web API - Init

Step 2: Add Auth0 credentials into Web API settings

Configure the Web API with the Auth0 API settings Domain (your tenant, which becomes the token issuer) and ApiIdentifier (the API's audience, the value the aud claim of every Access Token must match). Neither value is a secret, so they can live in appsettings.json. You will need both of them in the next step.

  • Domain: olegburov.auth0.com
  • ApiIdentifier: https://onegit-webapi.azurewebsites.net/api/

For more information see Web API - AppSettings

Step 3: Add Authentication middleware

To restrict access to the Web API endpoints, wire it up with Auth0 so that ASP.NET Core checks every incoming HTTP request for valid authorization information. That information is carried in the JSON Web Token (JWT) that Auth0 issues for the user as an Access Token, and the client must send it in the Authorization header as "Authorization: Bearer <token>". To decide whether the token is valid, ASP.NET Core verifies its signature against the JSON Web Key Set (JWKS) published by your Auth0 tenant and checks the issuer, audience and expiry claims.

NOTE

To learn more about validating Access Tokens, read the Verify Access Tokens tutorial.

As I said before, the ASP.NET Core team has done a terrific job. All you need to do is register the Authentication middleware as a service with the JWT bearer handler (the Access Token is a JWT sent as a bearer token) and then enable it in the pipeline. The handler does the heavy lifting for you: it checks that the JWT is well formed, verifies the signature against the tenant's JWKS, and validates the standard claims (issuer, audience, expiry). Checking the API permissions (scopes) is not part of this step; that is what the authorization policies in the next step are for.

For more information see Web API - Middleware

Step 4: Add Policy-based authorization

To make sure that the Access Token contains the required scope, use the Policy-Based Authorization feature of ASP.NET Core: define one policy per scope, backed by a requirement and a handler that reads the space-delimited "scope" claim of the token. Then apply the policies to the Web API endpoints with the attribute [Authorize(Policy = "...")] using the policy name.

For more information see Web API - Authorization
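Steps 2 to 4 put together in a single Startup.cs, as an added example that is not the code of this wiki or of the ob1dev project. It assumes the two settings from Step 2 are stored in appsettings.json under the keys Auth0:Domain and Auth0:ApiIdentifier, that the policy and scope name read:messages exists on the Auth0 API, and that the controller MessagesController is the endpoint being protected; all three are assumptions for illustration.

```csharp
// Startup.cs for an ASP.NET Core 2.1 Web API protected by Auth0 (added example).
// Assumed appsettings.json keys: "Auth0": { "Domain": "...", "ApiIdentifier": "..." }
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public Startup(IConfiguration configuration) => Configuration = configuration;
    public IConfiguration Configuration { get; }

    public void ConfigureServices(IServiceCollection services)
    {
        // The issuer is the tenant URL with a trailing slash; Auth0 writes exactly this into "iss".
        string issuer = $"https://{Configuration["Auth0:Domain"]}/";

        // Step 3: JWT bearer authentication. The handler downloads
        // {Authority}/.well-known/openid-configuration and the JWKS it points to,
        // verifies the signature with those keys and validates iss, aud and exp.
        services.AddAuthentication(options =>
        {
            options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
        })
        .AddJwtBearer(options =>
        {
            options.Authority = issuer;
            // Without Audience, a valid token issued by the same tenant for a
            // different API would be accepted here. Always set it.
            options.Audience = Configuration["Auth0:ApiIdentifier"];
        });

        // Step 4: one policy per scope (scope name is an assumption).
        services.AddAuthorization(options =>
        {
            options.AddPolicy("read:messages", policy =>
                policy.Requirements.Add(new HasScopeRequirement("read:messages", issuer)));
        });
        services.AddSingleton<IAuthorizationHandler, HasScopeHandler>();

        services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_1);
    }

    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
        // Authentication must run before MVC so HttpContext.User is populated
        // when [Authorize] is evaluated.
        app.UseAuthentication();
        app.UseMvc();
    }
}

public class HasScopeRequirement : IAuthorizationRequirement
{
    public string Scope { get; }
    public string Issuer { get; }
    public HasScopeRequirement(string scope, string issuer) { Scope = scope; Issuer = issuer; }
}

public class HasScopeHandler : AuthorizationHandler<HasScopeRequirement>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, HasScopeRequirement requirement)
    {
        // Auth0 puts all granted scopes in one space-delimited "scope" claim.
        // Only consider the claim if it came from our tenant; the bearer handler
        // already verified the signature, so this is a defence-in-depth check.
        var scopeClaim = context.User.FindFirst(c =>
            c.Type == "scope" && c.Issuer == requirement.Issuer);
        if (scopeClaim == null)
            return Task.CompletedTask;          // requirement stays unmet -> 403

        if (scopeClaim.Value.Split(' ').Any(s => s == requirement.Scope))
            context.Succeed(requirement);       // exact match only, no prefix matching

        return Task.CompletedTask;
    }
}

// Assumed controller showing the three access levels.
[Route("api/[controller]")]
[ApiController]
public class MessagesController : ControllerBase
{
    [HttpGet("public")]
    public IActionResult Public() => Ok(new { message = "no token required" });

    [HttpGet("private")]
    [Authorize]                                 // any valid token for this audience
    public IActionResult Private() => Ok(new { message = "valid token required" });

    [HttpGet("private-scoped")]
    [Authorize(Policy = "read:messages")]       // token must also carry the scope
    public IActionResult PrivateScoped() => Ok(new { message = "read:messages scope required" });
}
```

A request without a token, or with a token whose signature, issuer, audience or expiry fails validation, is rejected with 401 by the bearer handler before the controller runs; a valid token that lacks the scope reaches the policy handler and is rejected with 403. Scope matching is on whole, space-separated entries, so a token carrying read:messages-admin does not satisfy read:messages.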

Summary

You now have a complete Web API with protected endpoints and authorization delegated to Auth0. When an endpoint is requested, the Web API checks the Authorization header for a JWT bearer token and validates it against the issuer, Auth0: the signature against the tenant's JWKS, and the issuer, audience and expiry claims. At the end of the flow, the Web API extracts the scopes from the Access Token and grants access to a protected endpoint only when the required scope is present. The next tutorial shows how to obtain an Access Token for a specific Web API when authenticating a user at Auth0.

What's next?

Marrying Web App and Web API
