Setting up ASP.NET Core Web API
Now you need to create the Web API (green box) and wire it up with Auth0 (orange box).

In Visual Studio 2017, create a new ASP.NET Core Web Application project using the API template.
For more information see Web API - Init
Configure the Web API with Auth0 API credentials such as Domain and ApiIdentifier. You will need them for the next step.
- Domain: olegburov.auth0.com
- ApiIdentifier: https://onegit-webapi.azurewebsites.net/api/
For more information see Web API - AppSettings
How to check if the token is valid with the standard ASP.NET Core JWT middleware
To restrict access to the Web API endpoints, wire the API up with Auth0 so that ASP.NET Core checks incoming HTTP requests for valid authorization information. The authorization information is stored in the JSON Web Token (JWT) created for the Auth0 user and must be sent in the Authorization header. To see if the token is valid, ASP.NET Core checks it against the JSON Web Key Set (JWKS) for your Auth0 account.
NOTE
To learn more about validating Access Tokens, read the Verify Access Tokens tutorial.
As I said before, the ASP.NET Core team has done a terrific job. All you need to do is configure the Authentication middleware as a service using the JWT (which wraps a bearer Access Token), and then enable it. It does all the heavy lifting for you: it checks that the JWT is well formed, checks the signature, validates the standard claims, and checks the API permissions (scopes).
For more information see Web API - Middleware
To make sure that the Access Token contains the correct scope, use the Policy-Based Authorization feature in ASP.NET Core. Then apply the policies to Web API endpoints by using the [Authorize] attribute with the policy name.
For more information see Web API - Authorization
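The middleware and policy steps above put together in one Startup class, as an added example that is not this project's own code. It assumes ASP.NET Core 2.x, an "Auth0" section in appsettings.json holding Domain and ApiIdentifier, and a hypothetical read:repos scope and ReposController.

```csharp
using System.Linq;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public Startup(IConfiguration configuration) => Configuration = configuration;
    public IConfiguration Configuration { get; }

    public void ConfigureServices(IServiceCollection services)
    {
        // Assumed appsettings.json layout: { "Auth0": { "Domain": "...", "ApiIdentifier": "..." } }
        string issuer = $"https://{Configuration["Auth0:Domain"]}/";

        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                // The signing keys (JWKS) are discovered from the authority; it is also the expected "iss".
                options.Authority = issuer;
                // Tokens issued for a different API ("aud") are rejected.
                options.Audience = Configuration["Auth0:ApiIdentifier"];
            });

        services.AddAuthorization(options =>
            options.AddPolicy("read:repos", policy => policy.RequireAssertion(context =>
                // Auth0 sends the granted scopes as one space-delimited "scope" claim.
                // Only a claim issued by our own tenant counts.
                context.User.Claims
                    .Where(c => c.Type == "scope" && c.Issuer == issuer)
                    .SelectMany(c => c.Value.Split(' '))
                    .Contains("read:repos"))));

        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseAuthentication(); // must run before MVC so [Authorize] sees the validated principal
        app.UseMvc();
    }
}

[Route("api/[controller]")]
public class ReposController : Controller // hypothetical endpoint
{
    [HttpGet, Authorize("read:repos")]
    public IActionResult Get() => Ok(new[] { "sample" });
}
```

A request without a valid token gets 401 from the bearer challenge; a valid token that lacks the scope gets 403 from the policy.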