diff --git a/articles/quickstart/backend/_includes/_api_create.html b/articles/quickstart/backend/_includes/_api_create.html index 32e85b9c9d..17c725b413 100644 --- a/articles/quickstart/backend/_includes/_api_create.html +++ b/articles/quickstart/backend/_includes/_api_create.html @@ -3,5 +3,5 @@ <% if (account.userName) { %>

In the APIs section in dashboard, click the Create API button. Provide a Name and Identifier for your API. You must choose the RS256 signing algorithm. Once it is created, navigate to the Scopes tab and create the applicable scopes for your API.

<% } else { %> -

Create an Auth0 account (or login) navigate to the APIs section in Dashboard. Click the Create API button and provide a Name and Identifier for your API. You must choose the RS256 signing algorithm. Once it is created, navigate to the Scopes tab and create the applicable scopes for your API.

+

Create an Auth0 account (or log in) navigate to the APIs section in Dashboard. Click the Create API button and provide a Name and Identifier for your API. You must choose the RS256 signing algorithm. Once it is created, navigate to the Scopes tab and create the applicable scopes for your API.

<% } %> \ No newline at end of file diff --git a/articles/quickstart/backend/_includes/_api_troubleshooting.md b/articles/quickstart/backend/_includes/_api_troubleshooting.md index 892df4b22d..d2c956f6bd 100644 --- a/articles/quickstart/backend/_includes/_api_troubleshooting.md +++ b/articles/quickstart/backend/_includes/_api_troubleshooting.md @@ -28,7 +28,7 @@ A quick way to inspect a JWT is by using the [JWT.io](https://jwt.io/) website. ![Debugging a JWT on JWT.io](/media/articles/server-apis/aspnet-core-webapi/jwt-io-debugger-rs256.png) -In the screenshot above you can see that the token was signed using the **RS256** algorithm. The **Issuer** of the token is **https://jerrie.auth0.com/**, and the **Audience** is **https://rs256.test.api**. +In the screenshot above, you can see that the token was signed using the **RS256** algorithm. The **Issuer** of the token is **https://jerrie.auth0.com/**, and the **Audience** is **https://rs256.test.api**. So, in other words, these values in your JWT validation configuration registration must match **exactly** - including the trailing slash for the Issuer, such as @@ -42,5 +42,5 @@ For a token signed using HS256, the debugger view will look a little different: ![Debugging a JWT on JWT.io](/media/articles/server-apis/aspnet-core-webapi/jwt-io-debugger-hs256.png) -In the screenshot above you can see that the token was signed using the **HS256** algorithm. The **Issuer** of the token is **https://jerrie.auth0.com/**, and the **Audience** is **https://hs256.test.api**. +In the screenshot above, you can see that the token was signed using the **HS256** algorithm. The **Issuer** of the token is **https://jerrie.auth0.com/**, and the **Audience** is **https://hs256.test.api**. diff --git a/articles/quickstart/backend/_includes/_api_using.md b/articles/quickstart/backend/_includes/_api_using.md index c85b97671b..9d62d88881 100644 --- a/articles/quickstart/backend/_includes/_api_using.md 
+++ b/articles/quickstart/backend/_includes/_api_using.md 
@@ -16,12 +16,12 @@ You can call the API from your application by passing an Access Token in the `Au ## Obtaining an Access Token -If you are calling the API from a Single-Page Application or a Mobile/Native application, after the authorization flow is completed, you will get an Access Token. How you get the token and how you make the call to the API will be dependent on the type of application you are developing and the framework you are using. For more information refer to the relevant application Quickstarts which contain detailed instructions: +If you are calling the API from a Single-Page Application or a Mobile/Native application, after the authorization flow is completed, you will get an Access Token. How you get the token and how you make the call to the API will be dependent on the type of application you are developing and the framework you are using. For more information, refer to the relevant application Quickstarts which contain detailed instructions: * [Single-Page Applications](/quickstart/spa) * [Mobile / Native Application](/quickstart/native) -If you are calling the API from a command-line tool or another service, where there isn't a user entering their credentials, you need to use the [OAuth Client Credentials flow](/api/authentication#client-credentials). To do that, register a [Machine to Machine Application](${manage_url}/#/applications), and then subsequently use the **Client ID** and **Client Secret** of this application when making the request below and pass those along in the `client_id` and `client_secret` parameters respectively. Also include the Audience for the API you want to call. +If you are calling the API from a command-line tool or another service, where there isn't a user entering their credentials, you need to use the [OAuth Client Credentials flow](/api/authentication#client-credentials). 
To do that, register a [Machine-to-Machine Application](${manage_url}/#/applications), and then subsequently use the **Client ID** and **Client Secret** of this application when making the request below and pass those along in the `client_id` and `client_secret` parameters, respectively. Also include the Audience for the API you want to call. :::note Read [Application Settings](https://auth0.com/docs/get-started/dashboard/application-settings) for more information on getting the Client ID and Client Secret for your machine-to-machine app. @@ -59,7 +59,7 @@ Read [Application Settings](https://auth0.com/docs/get-started/dashboard/applica ``` :::note -Auth0 customers are billed based on the number of Machine to Machine Access Tokens issued by Auth0. Once your application gets an Access Token it should keep using it until it expires, to minimize the number of tokens requested. +Auth0 customers are billed based on the number of Machine-to-Machine Access Tokens issued by Auth0. Once your application gets an Access Token, it should keep using it until it expires, to minimize the number of tokens requested. ::: For testing purposes, you can also get an Access Token from the **Test** tab in your [API settings](${manage_url}/#/apis). diff --git a/articles/quickstart/backend/aspnet-core-webapi/01-authorization.md b/articles/quickstart/backend/aspnet-core-webapi/01-authorization.md index f2fbe4fe37..b588a3b67e 100644 --- a/articles/quickstart/backend/aspnet-core-webapi/01-authorization.md +++ b/articles/quickstart/backend/aspnet-core-webapi/01-authorization.md 
@@ -51,7 +51,7 @@ The ASP.NET Core JWT Bearer authentication handler downloads the JSON Web Key Se In your application, register the authentication services: 1. Make a call to the `AddAuthentication` method. Configure `JwtBearerDefaults.AuthenticationScheme` as the default schemes. -2. Make a call to the `AddJwtBearer` method to register the JWT Bearer authentication scheme. Configure your Auth0 domain as the authority, and your Auth0 API identifier as the audience. In some cases the access token will not have a `sub` claim which will lead to `User.Identity.Name` being `null`. If you want to map a different claim to `User.Identity.Name` then add it to `options.TokenValidationParameters` within the `AddAuthentication()` call. +2. Make a call to the `AddJwtBearer` method to register the JWT Bearer authentication scheme. Configure your Auth0 domain as the authority, and your Auth0 API identifier as the audience. In some cases, the access token will not have a `sub` claim which will lead to `User.Identity.Name` being `null`. If you want to map a different claim to `User.Identity.Name`, then add it to `options.TokenValidationParameters` within the `AddAuthentication()` call. ```csharp // Program.cs diff --git a/articles/quickstart/backend/aspnet-core-webapi/03-troubleshooting.md b/articles/quickstart/backend/aspnet-core-webapi/03-troubleshooting.md index 5b80f0b41e..44acfc07a7 100644 --- a/articles/quickstart/backend/aspnet-core-webapi/03-troubleshooting.md +++ b/articles/quickstart/backend/aspnet-core-webapi/03-troubleshooting.md @@ -19,7 +19,7 @@ This document will help you troubleshoot your JWT middleware configuration. ## Check the Token Validation -There are 5 criteria for validating a JWT token. +There are five criteria for validating a JWT token. 1. **Is the token formed properly?** Check if the structure of the token matches the structure of a JSON Web Token. Read more about the [JSON Web Token structure](/jwt#what-is-the-json-web-token-structure-). 
diff --git a/articles/quickstart/backend/aspnet-core-webapi/download.md b/articles/quickstart/backend/aspnet-core-webapi/download.md index 667eb06da6..287101e24c 100644 --- a/articles/quickstart/backend/aspnet-core-webapi/download.md +++ b/articles/quickstart/backend/aspnet-core-webapi/download.md @@ -1,4 +1,4 @@ -To run the sample you need [.NET Core](https://www.microsoft.com/net/download) installed, and run the following commands: +To run the sample, you need [.NET Core](https://www.microsoft.com/net/download) installed, and run the following commands: ```bash dotnet restore diff --git a/articles/quickstart/backend/django/01-authorization.md b/articles/quickstart/backend/django/01-authorization.md index e4a427cddc..aa67e4978f 100644 --- a/articles/quickstart/backend/django/01-authorization.md +++ b/articles/quickstart/backend/django/01-authorization.md @@ -208,7 +208,7 @@ def requires_scope(required_scope): <%= include('../_includes/_api_endpoints') %> -In the file `views.py` add `public` and `private` endpoints. Add the `@api_view` decorator to all the endpoints to indicate that the method requires authentication. Lastly, add the decorator `@permission_classes([AllowAny])` to the `public` endpoint to accept unauthenticated requests. +In the file `views.py`, add `public` and `private` endpoints. Add the `@api_view` decorator to all the endpoints to indicate that the method requires authentication. Lastly, add the decorator `@permission_classes([AllowAny])` to the `public` endpoint to accept unauthenticated requests. ```python # auth0authorization/views.py diff --git a/articles/quickstart/backend/java-spring-security5/01-authorization.md b/articles/quickstart/backend/java-spring-security5/01-authorization.md index fa3cf07bb4..3461567a5d 100644 --- a/articles/quickstart/backend/java-spring-security5/01-authorization.md +++ b/articles/quickstart/backend/java-spring-security5/01-authorization.md 
@@ -27,7 +27,7 @@ This Quickstart uses Spring MVC. If you are using Spring WebFlux, the steps to s ## Configure the Sample Project -The sample project uses a `/src/main/resources/application.yml` file, which configures it to use the correct Auth0 **Domain** and **API Identifier** for your API. If you download the code from this page it will be automatically configured. If you clone the example from GitHub, you will need to fill it in yourself. +The sample project uses a `/src/main/resources/application.yml` file, which configures it to use the correct Auth0 **Domain** and **API Identifier** for your API. If you download the code from this page, it will be automatically configured. If you clone the example from GitHub, you will need to fill it in yourself. ```yaml okta: @@ -40,7 +40,7 @@ okta: | Attribute | Description| | --- | --- | -| `okta.oauth2.audience` | The unique identifier for your API. If you are following the steps in this tutorial it would be `https://quickstarts/api`. | +| `okta.oauth2.audience` | The unique identifier for your API. If you are following the steps in this tutorial, it would be `https://quickstarts/api`. | | `okta.oauth2.issuer` | The issuer URI of the resource server, which will be the value of the `iss` claim in the JWT issued by Auth0. Spring Security will use this property to discover the authorization server's public keys and validate the JWT signature. The value will be your Auth0 domain with an `https://` prefix and a `/` suffix (the trailing slash is important). | ## Install dependencies diff --git a/articles/quickstart/backend/java-spring-security5/files/security-config.md b/articles/quickstart/backend/java-spring-security5/files/security-config.md index 257bdbaa32..ec3a918770 100644 --- a/articles/quickstart/backend/java-spring-security5/files/security-config.md +++ b/articles/quickstart/backend/java-spring-security5/files/security-config.md 
@@ -22,7 +22,7 @@ public class SecurityConfig { @Bean public SecurityFilterChain filterChain(HttpSecurity http) throws Exception { /* - This is where we configure the security required for our endpoints and setup our app to serve as + This is where we configure the security required for our endpoints and set up our app to serve as an OAuth2 Resource Server, using JWT validation. */ return http diff --git a/articles/quickstart/backend/java-spring-security5/interactive.md b/articles/quickstart/backend/java-spring-security5/interactive.md index 792d04b587..2826e38e53 100644 --- a/articles/quickstart/backend/java-spring-security5/interactive.md +++ b/articles/quickstart/backend/java-spring-security5/interactive.md 
@@ -35,11 +35,11 @@ Each Auth0 API uses the API Identifier, which your application needs to validate ## Configure the sample project {{{ data-action=code data-code="application.yml#1:8" }}} -The sample project uses a `/src/main/resources/application.yml` file, which configures it to use the correct Auth0 **domain** and **API Identifier** for your API. If you download the code from this page it will be automatically configured. If you clone the example from GitHub, you will need to fill it in yourself. +The sample project uses a `/src/main/resources/application.yml` file, which configures it to use the correct Auth0 **domain** and **API Identifier** for your API. If you download the code from this page, it will be automatically configured. If you clone the example from GitHub, you will need to fill it in yourself. | Attribute | Description| | --- | --- | -| `okta.oauth2.audience` | The unique identifier for your API. If you are following the steps in this tutorial it would be `https://quickstarts/api`. | +| `okta.oauth2.audience` | The unique identifier for your API. If you are following the steps in this tutorial, it would be `https://quickstarts/api`. | | `okta.oauth2.issuer` | The issuer URI of the resource server, which will be the value of the `iss` claim in the JWT issued by Auth0. Spring Security will use this property to discover the authorization server's public keys and validate the JWT signature. The value will be your Auth0 domain with an `https://` prefix and a `/` suffix (the trailing slash is important). ## Install dependencies {{{ data-action=code data-code="application.yml#1:8" }}} diff --git a/articles/quickstart/backend/laravel/01-authorization.md b/articles/quickstart/backend/laravel/01-authorization.md index f1611bab94..c9a9bbb4b5 100644 --- a/articles/quickstart/backend/laravel/01-authorization.md +++ b/articles/quickstart/backend/laravel/01-authorization.md 
@@ -95,7 +95,7 @@ You should also create a new API: This produces two files in your project directory that configure the SDK. -As these files contain credentials it's important to treat these as sensitive. You should ensure you do not commit these to version control. If you're using Git, you should add them to your `.gitignore` file: +As these files contain credentials, it's important to treat these as sensitive. You should ensure you do not commit these to version control. If you're using Git, you should add them to your `.gitignore` file: ```bash echo ".auth0.*.json" >> .gitignore diff --git a/articles/quickstart/backend/laravel/interactive.md b/articles/quickstart/backend/laravel/interactive.md index 0efae4e396..787bd6b5c9 100644 --- a/articles/quickstart/backend/laravel/interactive.md +++ b/articles/quickstart/backend/laravel/interactive.md @@ -40,7 +40,7 @@ As their name implies, [access tokens](https://auth0.com/docs/secure/tokens/acce composer create-project --prefer-dist laravel/laravel auth0-laravel-api ^9.0 ``` -All the commands in this guide assume you are running them from the root of your Laravel project, directory so you should `cd` into the new project directory: +All the commands in this guide assume you are running them from the root of your Laravel project directory, so you should `cd` into the new project directory: ```shell cd auth0-laravel-api @@ -54,7 +54,7 @@ Run the following command within your project directory to install the [Auth0 La composer require auth0/login:^7.8 --update-with-all-dependencies ``` -Then generate an SDK configuration file for your application: +Then, generate an SDK configuration file for your application: ```shell php artisan vendor:publish --tag auth0 
@@ -68,7 +68,7 @@ Run the following command from your project directory to download the [Auth0 CLI curl -sSfL https://raw.githubusercontent.com/auth0/auth0-cli/main/install.sh | sh -s -- -b . ``` -Then authenticate the CLI with your Auth0 account, choosing "as a user" when prompted: +Then, authenticate the CLI with your Auth0 account, choosing "as a user" when prompted: ```shell ./auth0 login @@ -101,7 +101,7 @@ You should also create a new API: This produces two files in your project directory that configure the SDK. -As these files contain credentials it's important to treat these as sensitive. You should ensure you do not commit these to version control. If you're using Git, you should add them to your `.gitignore` file: +As these files contain credentials, it's important to treat them as sensitive. You should ensure you do not commit them to version control. If you're using Git, you should add them to your `.gitignore` file: ```bash echo ".auth0.*.json" >> .gitignore 
@@ -163,7 +163,7 @@ Route::get('/', function () { You can retrieve information about the user who created the access token from Auth0 using the [Auth0 Management API](https://github.com/auth0/laravel-auth0/blob/main/docs/Management.md). The SDK provides a convenient wrapper for this API, accessible through the SDK's `management()` method. -**Before making Management API calls you must enable your application to communicate with the Management API.** This can be done from the [Auth0 Dashboard's API page](https://manage.auth0.com/#/apis/), choosing `Auth0 Management API`, and selecting the 'Machine to Machine Applications' tab. Authorize your Laravel application, and then click the down arrow to choose the scopes you wish to grant. +**Before making Management API calls, you must enable your application to communicate with the Management API.** This can be done from the [Auth0 Dashboard's API page](https://manage.auth0.com/#/apis/), choosing `Auth0 Management API`, and selecting the 'Machine to Machine Applications' tab. Authorize your Laravel application, and then click the down arrow to choose the scopes you wish to grant. For the following example, you should grant the `read:users` scope. A list of API endpoints and the required scopes can be found in [the Management API documentation](https://auth0.com/docs/api/management/v2). diff --git a/articles/quickstart/backend/php/01-authorization.md b/articles/quickstart/backend/php/01-authorization.md index 5bf983addd..4a556a8197 100644 --- a/articles/quickstart/backend/php/01-authorization.md +++ b/articles/quickstart/backend/php/01-authorization.md 
@@ -121,7 +121,7 @@ if ($jwt !== null) { define('ENDPOINT_AUTHORIZED', true); } catch (\Auth0\SDK\Exception\InvalidTokenException $exception) { // The token wasn't valid. Let's display the error message from the Auth0 SDK. - // We'd probably want to show a custom error here for a real world application. + // We'd probably want to show a custom error here for a real-world application. die($exception->getMessage()); } } diff --git a/articles/quickstart/backend/python/interactive.md b/articles/quickstart/backend/python/interactive.md index dfbeffb192..f1ac0f4aa1 100644 --- a/articles/quickstart/backend/python/interactive.md +++ b/articles/quickstart/backend/python/interactive.md @@ -48,13 +48,13 @@ The validator will validate the Access Token that we pass to the resource by che We can use AuthLib's `JWTBearerTokenValidator` validator with a few tweaks to make sure it conforms to our requirements on [validating Access Tokens](https://auth0.com/docs/secure/tokens/access-tokens/validate-access-tokens). -To create our `Auth0JWTBearerTokenValidator` we need to pass it our `domain` and `audience` (API Identifier). It will then get the public key required to verify the token's signature and pass it to the `JWTBearerTokenValidator` class. +To create our `Auth0JWTBearerTokenValidator`, we need to pass it our `domain` and `audience` (API Identifier). It will then get the public key required to verify the token's signature and pass it to the `JWTBearerTokenValidator` class. We'll then override the class's `claims_options` to make sure the token's expiry, audience and issue claims are validated according to our requirements. ## Create a Flask application {{{ data-action=code data-code="server.py" }}} -Next we'll create a Flask application with 3 API routes: +Next, we'll create a Flask application with 3 API routes: - `/api/public` A public endpoint that requires no authentication. - `/api/private` A private endpoint that requires a valid Access Token JWT. 
@@ -62,7 +62,7 @@ Next we'll create a Flask application with 3 API routes: The protected routes will have a `require_auth` decorator which is a `ResourceProtector` that uses the `Auth0JWTBearerTokenValidator` we created earlier. -To create the `Auth0JWTBearerTokenValidator` we'll pass it our tenant's domain and the API Identifier of the API we created earlier. +To create the `Auth0JWTBearerTokenValidator`, we'll pass it our tenant's domain and the API Identifier of the API we created earlier. The `require_auth` decorator on the `private_scoped` route accepts an additional argument `"read:messages"`, which checks the Access Token for the Permission (Scope) we created earlier. diff --git a/articles/quickstart/backend/rails/01-authorization.md b/articles/quickstart/backend/rails/01-authorization.md index 2d9d33bad0..243986a5c0 100644 --- a/articles/quickstart/backend/rails/01-authorization.md +++ b/articles/quickstart/backend/rails/01-authorization.md 
@@ -198,7 +198,7 @@ class Auth0Client end ``` -Next, in the `Secured` concern, define a new error constant `INSUFFICIENT_PERMISSIONS` to return a proper error message in case there was a attempt to request a resource without the right permissions. Next, update the return value of the `Auth0Client.validate_token` call and finally create a new method `validate_permissions` where to check if the token has the right permissions, or return a `403 FORBIDDEN` status code with the `INSUFFICIENT_PERMISSIONS` error message otherwise. +Next, in the `Secured` concern, define a new error constant `INSUFFICIENT_PERMISSIONS` to return a proper error message in case there was a attempt to request a resource without the right permissions. Next, update the return value of the `Auth0Client.validate_token` call, and finally, create a new method `validate_permissions` where to check if the token has the right permissions, or return a `403 FORBIDDEN` status code with the `INSUFFICIENT_PERMISSIONS` error message otherwise. Apply these changes in your `Secured` concern by adding the following code: @@ -256,7 +256,7 @@ class ApplicationController < ActionController::API end ``` -You only ned to protect the `PrivateController` as follows: +You only need to protect the `PrivateController` as follows: ```ruby class PrivateController < ApplicationController diff --git a/articles/quickstart/backend/rails/interactive.md b/articles/quickstart/backend/rails/interactive.md index 4a0af13b65..54f9341d88 100644 --- a/articles/quickstart/backend/rails/interactive.md +++ b/articles/quickstart/backend/rails/interactive.md 
@@ -53,7 +53,7 @@ Create a Concern called `Secured` which looks for the access token in the `Autho If the token is present, the `Auth0Client.validate_token` will use the `jwt` Gem to verify the token's signature and validate the token's claims. -In addition to verifying that the access token is valid, the Concern also includes a mechanism for confirming the token has the sufficient **scope** to access the requested resources. In this example we define a `validate_permissions` method that receives a block and checks the permissions by calling the `Token.validate_permissions` method from the `Auth0Client` class. +In addition to verifying that the access token is valid, the Concern also includes a mechanism for confirming the token has the sufficient **scope** to access the requested resources. In this example, we define a `validate_permissions` method that receives a block and checks the permissions by calling the `Token.validate_permissions` method from the `Auth0Client` class. For the `/private-scoped` route, the scopes defined will be intersected with the scopes coming in the payload, to determine if it contains one or more items from the other array. diff --git a/articles/quickstart/backend/webapi-owin/01-authorization.md b/articles/quickstart/backend/webapi-owin/01-authorization.md index 364e547522..2333d23a75 100644 --- a/articles/quickstart/backend/webapi-owin/01-authorization.md +++ b/articles/quickstart/backend/webapi-owin/01-authorization.md 
@@ -20,7 +20,7 @@ useCase: quickstart ## Configure the Sample Project -The sample code has an `appsettings` section in `Web.config` which configures it to use the correct Auth0 **Domain** and **API Identifier** for your API. If you download the code from this page it will be automatically filled. If you use the example from Github, you will need to fill it yourself. +The sample code has an `appsettings` section in `Web.config` which configures it to use the correct Auth0 **Domain** and **API Identifier** for your API. If you download the code from this page, it will be automatically filled. If you use the example from Github, you will need to fill it yourself. ```xml // web.config @@ -35,14 +35,14 @@ The sample code has an `appsettings` section in `Web.config` which configures it ### Install dependencies -To use Auth0 Access Tokens with ASP.NET you will use the OWIN JWT Middleware which is available in the `Microsoft.Owin.Security.Jwt` NuGet package. +To use Auth0 Access Tokens with ASP.NET, you will use the OWIN JWT Middleware which is available in the `Microsoft.Owin.Security.Jwt` NuGet package. ```bash Install-Package Microsoft.Owin.Security.Jwt ``` ### Verifying the token signature -As the OWIN JWT middleware doesn't use Open ID Connect Discovery by default, you will need to provide a custom `IssuerSigningKeyResolver`. To do this, add the following to the `Support/OpenIdConnectSigningKeyResolver.cs` file: +As the OWIN JWT middleware doesn't use OpenID Connect Discovery by default, you will need to provide a custom `IssuerSigningKeyResolver`. To do this, add the following to the `Support/OpenIdConnectSigningKeyResolver.cs` file: :::note Such a custom resolver was previously published as part of the `Auth0.OpenIdConnectSigningKeyResolver` package through Nuget. As [this package is not available anymore](https://github.com/auth0/auth0-aspnet-owin/blob/master/SECURITY-NOTICE.md), you will need to provide this yourself. 
diff --git a/articles/quickstart/backend/webapi-owin/03-troubleshooting.md b/articles/quickstart/backend/webapi-owin/03-troubleshooting.md index 329b9ef37e..8fe0c43d92 100644 --- a/articles/quickstart/backend/webapi-owin/03-troubleshooting.md +++ b/articles/quickstart/backend/webapi-owin/03-troubleshooting.md @@ -39,9 +39,9 @@ A quick way to inspect a JWT is by using the [JWT.io](https://jwt.io/) website. ![Debugging a JWT on JWT.io](/media/articles/server-apis/aspnet-core-webapi/jwt-io-debugger-rs256.png) -In the screenshot above you can see that the token was signed using the **RS256** algorithm. The **Issuer** of the token is **https://jerrie.auth0.com/**, and the **Audience** is **https://quickstarts/api**. +In the screenshot above, you can see that the token was signed using the **RS256** algorithm. The **Issuer** of the token is **https://jerrie.auth0.com/**, and the **Audience** is **https://quickstarts/api**. -So in other words these values in your JWT middleware registration must match **exactly** - including the trailing slash for the Issuer, such as +So, in other words, these values in your JWT middleware registration must match **exactly** - including the trailing slash for the Issuer, such as ```csharp var keyResolver = new OpenIdConnectSigningKeyResolver("https://jerrie.auth0.com/"); 
@@ -62,7 +62,7 @@ For a token signed using HS256, the debugger view will look a little different: ![Debugging a JWT on JWT.io](/media/articles/server-apis/aspnet-core-webapi/jwt-io-debugger-hs256.png) -In the screenshot above you can see that the token was signed using the **HS256** algorithm. The **Issuer** of the token is **https://jerrie.auth0.com/**, and the **Audience** is **https://quickstarts/api/hs256**. +In the screenshot above, you can see that the token was signed using the **HS256** algorithm. The **Issuer** of the token is **https://jerrie.auth0.com/**, and the **Audience** is **https://quickstarts/api/hs256**. In this case, the middleware needs to be configured as follows: @@ -128,7 +128,7 @@ To resolve this issue, be sure that the signature algorithm with which the JWT w ## 3. Has your token expired? -Each JSON Web Token is only valid until the time specified in the `exp` claim. If you and send a token which has expired, the token will be rejected: +Each JSON Web Token is only valid until the time specified in the `exp` claim. If you send a token which has expired, the token will be rejected: ![Token Expired](/media/articles/server-apis/webapi-owin/troubleshoot-token-expired.png) diff --git a/articles/quickstart/backend/webapi-owin/interactive.md b/articles/quickstart/backend/webapi-owin/interactive.md index 956cd2da2d..c9d9e156d6 100644 --- a/articles/quickstart/backend/webapi-owin/interactive.md +++ b/articles/quickstart/backend/webapi-owin/interactive.md 
@@ -72,7 +72,7 @@ Create a class called `ScopeAuthorizeAttribute` which inherits from `System.Web. The JWT middleware integrates with the standard ASP.NET authentication and authorization mechanisms, so you only need to decorate your controller action with the `[Authorize]` attribute to secure an endpoint. -Update the action with the `ScopeAuthorize` attribute and pass the name of the required `scope` in the `scope` parameter. This ensures the correct scope is available to call a specific API endpoing. +Update the action with the `ScopeAuthorize` attribute and pass the name of the required `scope` in the `scope` parameter. This ensures the correct scope is available to call a specific API endpoint. ::::checkpoint
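Review bot: the rewritten `else` branch in `_api_create.html` still runs two clauses together: "Create an Auth0 account (or log in) navigate to the APIs section in Dashboard." Since the line is already being touched for "log in", add the missing conjunction, e.g. "Create an Auth0 account (or log in) and navigate to the APIs section in Dashboard." The unchanged `if` branch just above says "in dashboard" in lowercase where this branch capitalizes "Dashboard"; worth aligning the two while here.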
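Review bot: the first `_api_using.md` hunk hyphenates the link text to "Machine-to-Machine Application", but that link points at the Dashboard application type, and the `laravel/interactive.md` hunk in this same patch deliberately leaves the Dashboard tab label 'Machine to Machine Applications' unhyphenated. Pick one rule: keep UI labels as the Dashboard spells them, and hyphenate only ordinary adjectival use (the billing note's "Machine-to-Machine Access Tokens" in the second hunk is fine as changed).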
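Review bot: the rewritten step 2 in `aspnet-core-webapi/01-authorization.md` tells the reader to add the claim mapping to `options.TokenValidationParameters` "within the `AddAuthentication()` call", yet the same sentence has just said the JWT Bearer scheme is registered by `AddJwtBearer`; `options` there is the `JwtBearerOptions` instance handed to the `AddJwtBearer` configure callback, not something `AddAuthentication()` exposes. Suggest "within the `AddJwtBearer()` call". The clause "which will lead to `User.Identity.Name` being `null`" also wants a comma before "which", and the unchanged step 1 above reads "as the default schemes" for a single scheme.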
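Review bot: the rewritten line in `aspnet-core-webapi/download.md` is still not parallel: "To run the sample, you need [.NET Core](...) installed, and run the following commands:" hangs "run" off "you need". Suggest splitting it: "To run the sample, you need [.NET Core](https://www.microsoft.com/net/download) installed. Then run the following commands:".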
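Review bot: "There are five criteria for validating a JWT token." in `aspnet-core-webapi/03-troubleshooting.md` expands to "JSON Web Token token"; since the line is already being edited, "for validating a JWT" is enough. The same hunk's number style ("five") also differs from the `python/interactive.md` hunk, which keeps "3 API routes"; use one convention across the patch.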
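Review bot: in the first `python/interactive.md` hunk, the unchanged line directly below the rewritten sentence reads "the token's expiry, audience and issue claims are validated"; given the surrounding text about the `iss` claim in the Spring hunks, this is almost certainly "issuer claims", and it is worth fixing while the paragraph is open.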
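Review bot: the rewritten paragraph in `rails/01-authorization.md` still carries "in case there was a attempt" (should be "an attempt"), and "create a new method `validate_permissions` where to check if the token has the right permissions" is not grammatical. Suggest "create a new method `validate_permissions` that checks whether the token has the right permissions, or returns a `403 FORBIDDEN` status code with the `INSUFFICIENT_PERMISSIONS` error message otherwise". The paragraph also opens two consecutive sentences with "Next,"; the second could be "Then,".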
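Review bot: the same shared sentence is edited in both `laravel/01-authorization.md` and `laravel/interactive.md`, but the two hunks land on different wording: the first keeps "treat these as sensitive ... do not commit these to version control", the second changes to "treat them as sensitive ... do not commit them". Apply the `interactive.md` wording to both files so the duplicated text stays identical.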
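Review bot: the rewritten sentence in `webapi-owin/01-authorization.md` keeps "If you use the example from Github", while the `java-spring-security5` hunks in this same patch write "GitHub"; fix the casing here as well. The note a few lines further down in the same file spells "Nuget" where the sentence above it has "NuGet"; same treatment.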
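Review bot: "So, in other words, these values in your JWT middleware registration must match **exactly**" in `webapi-owin/03-troubleshooting.md` stacks two connectives; "In other words, these values ..." reads cleaner, and the equivalent context line in `_api_troubleshooting.md` could be aligned at the same time.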
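Review bot: in the `rails/interactive.md` hunk, "confirming the token has the sufficient **scope** to access the requested resources" should drop the article: "has sufficient **scope**". The comma after "In this example" is the only change made to that line, so this is cheap to fold in.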