Azure App Services Getting 401 when accessing an web api endpoint that requires authentication. But works locally

Question

I'm using angular 7 as frontend and on the backend net core web api in a Azure App Service.

When I call an endpoint that requires authentication it works locally, but when it is deployed on azure through devops, only the public endpoints work but not the ones requiring authentication.

This is the error message i get in the console browser Http failure response for https://mysite.azurewebsites.net/api/test/private: 401 Unauthorized

My Angular web api call to backend in AZure

  public questsRead(quest_Id:string): Observable<IQuest_vmr>{

    const apiUrlPath = this.baseUrlBackend+'api/Quest/QuestRead';

    const obser = this.httpClient.get(apiUrlPath, {
      headers: new HttpHeaders().set('Authorization', `Bearer ${this.auth0IdToken}`),
      params: {
        "quest_Id": quest_Id,
      },
      })
      .map((response: IQuest_vmr) => response);

    return obser;
  }

This is the Startup in my web api app to run auth0 service

    public static void ConfigureServices(IServiceCollection services, IConfiguration Configuration)
    {

        string auth0_Config_Domain = Configuration["Auth0:Domain"];
        services.AddAuthentication(options =>
        {
            options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;


        }).AddJwtBearer(options =>
        {


            options.Authority = auth0_Config_Domain;
            options.Audience = Configuration["Auth0:ApiIdentifier"];

            options.TokenValidationParameters = new TokenValidationParameters()
            {

                ValidAudience = Configuration["Auth0:ValidAudience"], 
                ValidIssuer = auth0_Config_Domain

            };
        });





        services.AddAuthorization(options =>
        {
            options.AddPolicy("read:messages", policy => policy.Requirements.Add(new HasScopeRequirement("read:messages", auth0_Config_Domain)));
        });


        // register the scope authorization handler
        services.AddSingleton<IAuthorizationHandler, HasScopeHandler>();



    }

Log from azure

2019-12-18 20:16:33.702 +00:00 [Information] Microsoft.AspNetCore.Hosting.Internal.WebHost: Request starting HTTP/1.1 GET https://dev-naodca-backend-webapi.azurewebsites.net/api/test/private
2019-12-18 20:16:33.702 +00:00 [Trace] Microsoft.AspNetCore.HostFiltering.HostFilteringMiddleware: All hosts are allowed.
2019-12-18 20:16:33.702 +00:00 [Warning] Microsoft.AspNetCore.Cors.Infrastructure.CorsService: The CORS protocol does not allow specifying a wildcard (any) origin and credentials at the same time. Configure the policy by listing individual origins if credentials needs to be supported.
2019-12-18 20:16:33.702 +00:00 [Debug] Microsoft.AspNetCore.Cors.Infrastructure.CorsService: The request has an origin header: 'https://dev-naodca-ui-angular.azurewebsites.net'.
2019-12-18 20:16:33.702 +00:00 [Information] Microsoft.AspNetCore.Cors.Infrastructure.CorsService: CORS policy execution successful.
2019-12-18 20:16:33.702 +00:00 [Debug] Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler: AuthenticationScheme: Bearer was not authenticated.
2019-12-18 20:16:33.702 +00:00 [Trace] Microsoft.AspNetCore.HttpsPolicy.HstsMiddleware: Adding HSTS header to response.
2019-12-18 20:16:33.702 +00:00 [Debug] Microsoft.AspNetCore.StaticFiles.StaticFileMiddleware: The request path /api/test/private does not match a supported file type
2019-12-18 20:16:33.702 +00:00 [Debug] Microsoft.AspNetCore.StaticFiles.StaticFileMiddleware: The request path  does not match the path filter
2019-12-18 20:16:33.702 +00:00 [Debug] Microsoft.AspNetCore.Routing.Matching.DfaMatcher: 1 candidate(s) found for the request path '/api/test/private'
2019-12-18 20:16:33.702 +00:00 [Debug] Microsoft.AspNetCore.Routing.Matching.DfaMatcher: Endpoint 'WebApiNetCoreBaseProject.Controllers.Api.TestController.Private (WebApiNetCoreBaseProject)' with route pattern 'api/Test/private' is valid for the request path '/api/test/private'
2019-12-18 20:16:33.702 +00:00 [Debug] Microsoft.AspNetCore.Routing.EndpointRoutingMiddleware: Request matched endpoint 'WebApiNetCoreBaseProject.Controllers.Api.TestController.Private (WebApiNetCoreBaseProject)'
2019-12-18 20:16:33.702 +00:00 [Information] Microsoft.AspNetCore.Routing.EndpointMiddleware: Executing endpoint 'WebApiNetCoreBaseProject.Controllers.Api.TestController.Private (WebApiNetCoreBaseProject)'
2019-12-18 20:16:33.702 +00:00 [Information] Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker: Route matched with {action = "Private", controller = "Test"}. Executing controller action with signature Microsoft.AspNetCore.Mvc.IActionResult Private() on controller WebApiNetCoreBaseProject.Controllers.Api.TestController (WebApiNetCoreBaseProject).
2019-12-18 20:16:33.702 +00:00 [Debug] Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker: Execution plan of authorization filters (in the following order): Microsoft.AspNetCore.Mvc.Authorization.AuthorizeFilter
2019-12-18 20:16:33.702 +00:00 [Debug] Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker: Execution plan of resource filters (in the following order): Microsoft.AspNetCore.Mvc.ViewFeatures.Internal.SaveTempDataFilter
2019-12-18 20:16:33.702 +00:00 [Debug] Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker: Execution plan of action filters (in the following order): Microsoft.AspNetCore.Mvc.ModelBinding.UnsupportedContentTypeFilter (Order: -3000), Microsoft.AspNetCore.Mvc.Infrastructure.ModelStateInvalidFilter (Order: -2000), WebApiNetCoreBaseProject.Configuration.Startup.Service_Authentication.CustomFilter_Authentication
2019-12-18 20:16:33.702 +00:00 [Debug] Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker: Execution plan of exception filters (in the following order): WebApiNetCoreBaseProject.Startup+MyExceptionFilter
2019-12-18 20:16:33.702 +00:00 [Debug] Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker: Execution plan of result filters (in the following order): Microsoft.AspNetCore.Mvc.ViewFeatures.Internal.SaveTempDataFilter, Microsoft.AspNetCore.Mvc.Infrastructure.ClientErrorResultFilter (Order: -2000)
2019-12-18 20:16:33.702 +00:00 [Trace] Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker: Authorization Filter: Before executing OnAuthorizationAsync on filter Microsoft.AspNetCore.Mvc.Authorization.AuthorizeFilter.
2019-12-18 20:16:33.702 +00:00 [Information] Microsoft.AspNetCore.Authorization.DefaultAuthorizationService: Authorization failed.
2019-12-18 20:16:33.702 +00:00 [Trace] Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker: Authorization Filter: After executing OnAuthorizationAsync on filter Microsoft.AspNetCore.Mvc.Authorization.AuthorizeFilter.
2019-12-18 20:16:33.702 +00:00 [Information] Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker: Authorization failed for the request at filter 'Microsoft.AspNetCore.Mvc.Authorization.AuthorizeFilter'.
2019-12-18 20:16:33.702 +00:00 [Trace] Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker: Always Run Result Filter: Before executing OnResultExecuting on filter Microsoft.AspNetCore.Mvc.Infrastructure.ClientErrorResultFilter.
2019-12-18 20:16:33.702 +00:00 [Trace] Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker: Always Run Result Filter: After executing OnResultExecuting on filter Microsoft.AspNetCore.Mvc.Infrastructure.ClientErrorResultFilter.
2019-12-18 20:16:33.702 +00:00 [Trace] Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker: Before executing action result Microsoft.AspNetCore.Mvc.ChallengeResult.
2019-12-18 20:16:33.702 +00:00 [Information] Microsoft.AspNetCore.Mvc.ChallengeResult: Executing ChallengeResult with authentication schemes ().
2019-12-18 20:16:33.703 +00:00 [Information] Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler: AuthenticationScheme: Bearer was challenged.
2019-12-18 20:16:33.703 +00:00 [Trace] Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker: After executing action result Microsoft.AspNetCore.Mvc.ChallengeResult.
2019-12-18 20:16:33.703 +00:00 [Trace] Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker: Always Run Result Filter: Before executing OnResultExecuted on filter Microsoft.AspNetCore.Mvc.Infrastructure.ClientErrorResultFilter.
2019-12-18 20:16:33.703 +00:00 [Trace] Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker: Always Run Result Filter: After executing OnResultExecuted on filter Microsoft.AspNetCore.Mvc.Infrastructure.ClientErrorResultFilter.
2019-12-18 20:16:33.703 +00:00 [Information] Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker: Executed action WebApiNetCoreBaseProject.Controllers.Api.TestController.Private (WebApiNetCoreBaseProject) in 0.4337ms
2019-12-18 20:16:33.703 +00:00 [Information] Microsoft.AspNetCore.Routing.EndpointMiddleware: Executed endpoint 'WebApiNetCoreBaseProject.Controllers.Api.TestController.Private (WebApiNetCoreBaseProject)'
2019-12-18 20:16:33.703 +00:00 [Information] Microsoft.AspNetCore.Hosting.Internal.WebHost: Request finished in 1.3235ms 401

Answer 1

From fiddler it turns out the the Auth0 JWT token was was sending from angular to the wepapi a wrong audience.

HTTP/1.1 401 Unauthorized
Date: Fri, 20 Dec 2019 10:28:18 GMT
Server: Kestrel
Content-Length: 0
Vary: Origin
WWW-Authenticate: Bearer error="invalid_token", error_description="The audience is invalid"
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: *

Plus the angular html interceptor was not adding the JWT token for the private request at every call, thus I had to add it manually for that specific request and all the others.