Add Authentication to .NET MAUI Apps with Auth0

@andrea.chiarelli Thank you so much for being available
First is it “myapp://callback” or “myapp”? Since this “myapp” seems to be not allowed in the dashboard
Second, where should I have it registered? I can not find any spot in the manifest file in my application project to add it but I have added it in the Auth0 dashboard.

 <Applications>
   <Application Id="App" Executable="$targetnametoken$.exe" EntryPoint="$targetentrypoint$">
     <uap:VisualElements
       DisplayName="$placeholder$"
       Description="$placeholder$"
       Square150x150Logo="$placeholder$.png"
       Square44x44Logo="$placeholder$.png"
       BackgroundColor="transparent">
       <uap:DefaultTile Square71x71Logo="$placeholder$.png" Wide310x150Logo="$placeholder$.png" Square310x310Logo="$placeholder$.png" />
       <uap:SplashScreen Image="$placeholder$.png" />
     </uap:VisualElements>
	<Extensions>
         <uap:Extension Category="windows.protocol">
         <uap:Protocol Name="myapp">
             <uap:DisplayName>MauiAuth0App</uap:DisplayName>
         </uap:Protocol>
         </uap:Extension>
     </Extensions>
   </Application>
 </Applications>

Is it ok to use
SecureStorage.RemoveAll();
instead ? what are the drawbacks?
finally, how can I close the browser after the user logs in for example the desktop app on Windows?

yeeeeeeeeeeeeeey I managed, thank you so much! However, I still can not get the browser to stop spinning after login!
P.S: I did not use the
SecureStorage.RemoveAll();
I managed to get to work with
await auth0Client.LogoutAsync();
the problem was that I did not have the match URIs. it should be “myapp://callback/” not something like “myapp://callback”

Happy to hear this!

A few notes for completeness:

First is it “myapp://callback” or “myapp”?

myapp is the scheme; myapp://callback is the URI.
You register the scheme in your manifest file in order to make the operating system call your app when an URL with this scheme is called. Your manifest file is correct.

how can I close the browser after the user logs in for example the desktop app on Windows?

You can’t at the moment. Unfortunately, this depends on the WebAuthenticator running on Windows.

it should be “myapp://callback/ ” not something like “myapp://callback ”

Yes. The trailing slash is required. BTW, this is required only on Windows, but if you are building a cross-platform app, you need to stick with it.

Thank you for this guide, it was really helpful!
I am a student and very much a beginner with all this, so pardon me if my question is irrelevant or out of scope for this tutorial…
I was wondering what you were thinking about the security aspect concerning the schemes (I read that there was potential interception and leakage?), and about when/how to use universal links and app links when dealing with iOS and Android?

Thanks in advance!

Hi @yoann.3d, and welcome to the community!

Thank you for the question, and I’m glad you’re enjoying the guide that @andrea.chiarelli has put together. I confess I’m not a MAUI or Android developer, but I might be able to give you some insight from a (native) iOS perspective and perhaps shed some additional light

Our Auth0 Swift SDK - as with all our SDKs - is available open source, and the accompanying documentation does go into some detail with regards to the use of Universal Links and/or (custom) URL Schemes; see here for more details. I also came across a really interesting article on Medium a while back (see here) though I note it was written some time ago.

As you can see from the aforementioned Auth0 Swift SDK doc (i.e. this), for iOS Swift development, at least, platform support can play a major part: depending on the minimum version of the OS you need to support will largely predicate what you can choose to use between Universal Links and custom URI Scheme. However, I’m not sure how that would translate with MAUI though. Additionally, the SDK doc illustrates how the various iOS settings in Auth0 play a role in the construction of the Universal Link/custom URI Scheme in order to mitigate against possible security concerns (such as a namespace clash that could lead to potential interception, etc). Again, though, I’m not sure how that translates in a MAUI context.

Hope this helps

Thank you Peter! Very precious ressources!
I will be trying myself at implementing this in .MAUI in some weeks, and will share my experience .

I could not activate the Authentication from the explanation and through the repository(clone) - only the Windows option works and activation through Android/IOS crashes the emulator after clicking on login.

In addition - I was unable to log out after clicking log-out button I reached the OnLogoutClicked function and executed var logoutResult = await auth0Client.LogoutAsync() and then get:

what seems to be the problems?

Hi @Hay98Abados,
I’m sorry you couldn’t get your application to work. Unfortunately, without any indication of the type of error you encountered, I’m not sure how to help you.
Have you tried scrolling through the posts in this thread? Other users have had similar problems and solved them. Pay attention to the versions of .NET, Android, and iOS you are using, as there may be differences.

As for the screenshot you shared, this type of errors usually happens when there is an incorrect application configuration on the dashboard. For example, make sure that the callback URL configured in the application is written exactly as it is on the dashboard. For Windows, you should also be aware of this issue.
You can take a look at the Auth0 logs for more details about the problem.

O.K let’s focus on the Android Emulator.
Today somehow I ran the app (a new project just with the code for auth0 authentication as in the tutorial). but after putting my Google email and password and agreeing for the terms I got this error:

and then the emulator shut down.

when I try to run the emulator again, it uploads but after it uploads and the program starts to run, the emulator shuts down again, and in the terminal, I have:

I checked to Auth0 logs as you suggested and this is what it have:

and this is the raw data from the log:
{
“date”: “2024-07-16T14:03:36.100Z”,
“type”: “mgmt_api_read”,
“description”: “Get client by ID”,
“client_id”: “7T7fXtWhFJfE2G4s4qGVv3cXu9P6****”,
“client_name”: “”,
“ip”: “2a0d:6fc2:6bd1:1e00:b870:b320:855f:",
“user_agent”: “Chrome 126.0.0 / Windows 10.0.0”,
“details”: {
“accessedSecrets”: [
“client_secret”
],
“request”: {
“method”: “get”,
“path”: "/api/v2/clients/wHPzCm3KMP0WV7uqAecsH5xQLjTf”,
“query”: {},
“userAgent”: “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36”,
“channel”: “https://manage.auth0.com/”,
“ip”: “2a0d:6fc2:6bd1:1e00:b870:b320:855f:",
“auth”: {
“user”: {
“user_id”: "google-oauth2|10824466819936211”,
“name”: “Hay Abados”,
“email”: “abados9891@gmail.com”
},
“strategy”: “jwt”,
“credentials”: {
“jti”: “39467f03303c2399399dde7248f4****”
}
}
},
“response”: {
“statusCode”: 200,
“body”: {
“client_id”: “wHPzCm3KMP0WV7uqAecsH5xQLjTf****”
}
}
},
“user_id”: “google-oauth2|1082446681993621*****”,
“$event_schema”: {
“version”: “1.0.0”
},
“log_id”: “90020240716140336167256000000000000001223372052500******”,
“tenant_name”: “dev-qjf7hgqeu16fymem”,
“_id”: “900202407161403361672560000000000000012233720525005*****”,
“isMobile”: false,
“id”: “900202407161403361672560000000000000012233720525005*****”
}

what can be the problem?

Hey @Hay98Abados,
Thanks for sharing the details of the error.
I’m not a mobile developer, but I would say that it’s unlikely that this error is related to the interaction with Auth0.
Other users have had similar problems with emulators, sometimes due to graphics compatibility issues, sometimes due to problems with the debugger or certain versions of .NET and the Android SDK.
If you take a look at the other messages in this thread or other threads associated to other articles on MAUI, you will see several problems with possible solutions that have worked for some readers.

The closest example I could find to yours is this one, which was solved this way.

If this does not fix your issue, I would suggest investigating the MAUI+Emulator+Debugger side, perhaps opening an issue here.

Hi @andrea.chiarelli , @robertino.calcaterra, @Hay98Abados , @peter.fernandez

Could anyone provide suggestions or ideas on how to disable the popup that appears when using the logout async method in .NET MAUI on iOS devices? Has anyone successfully implemented a solution for this?

we want to logout the user in case the app is reinstalled after user logs in with SSO.

Please see below popup message which I don’t want to show.

Hey @pixelinindia07, not sure if this is an SDK issue or a platform requirement. Let me check this internally

Hi @andrea.chiarelli , Thanks for reply and please update your findings

Hi @andrea.chiarelli , @peter.fernandez and @robertino.calcaterra

I’m facing an issue with my iOS mobile application using Auth0 for authentication. Here’s the scenario:

1. I logged into my app using Auth0.
2. I uninstalled the app without logging out.
3. After reinstalling the app and attempting to log in again, I am able to access the app directly without seeing the login page.

I have identified two potential solutions but have concerns with both:

Solution 1:
Force login after app reinstallation.

Issue: If the user uninstalls the app without logging out and later accesses it on a new device, their Auth0 session data remains in the browser cookies of the old device.

Solution 2:
Use LogoutAsync before calling LoginAsync when the app is reinstalled.

Issue: This triggers a logout popup on iOS, which I would like to suppress for a smoother user experience.

Could you please provide guidance on how to approach this issue, particularly regarding how to handle browser cookies and session persistence on a device after app uninstallation? Also, is there a way to suppress the logout popup in the second solution?

Thanks in advance for your help!

Hello @andrea.chiarelli @robertino.calcaterra , I have followed above article. So as far as I understand I should call
await auth0Client.LoginAsync(); on login click and save same token to secure storage. So whenever user opens app in mobile, user does not need to redirect to login every time. I am not using a token in any further for web api calls. So my app wont get error when token is expired. Therefor I call Loginasync on app start which does not show user login screen if token is not expired but it takes almost 5 seconds for trip to auth0. Is it possible to reduce this time? Is there any other way to check if token is expired and call login only when needed?

Hi @vamsi.k,
Thank you for joining the Auth0 Community!

Regarding your question, Solution 2 seems more appropriate: use LogoutAsync before calling LoginAsync when the app is reinstalled.
Actually, it forces login after reinstallation, which is what you mention as Solution 1

Anyway, the logout popup, is an issue I already submitted to our SDK team (see here). I will update this thread as soon as I get an answer.

Hi @k.oak,
It’s not clear to me if you are reusing the ID token you stored in the secure storage for subsequent user access to your application or if you are restarting the user authentication process with Auth0

If you want to reuse the ID token stored in the secure storage, maybe this article can help.

Not sure what the 5 seconds you mention are related to. If you are using the ID token stored in the secure storage, there is no roundtrip to Auth0 unless you are also using a refresh token to get a new ID token when the current one has expired. Consider that in case of an interaction with Auth0, those 5 seconds include the network latency and possibly the debugging runtime if you are in a development environment.

I hope these hints can help you.