Add Authentication to Your ASP.NET Core MVC Application

Learn how to add authentication to your ASP.NET Core MVC Application by using Auth0.

Brought to you by @andrea.chiarelli

What are your thoughts guys? Share it in the comments! 🧑‍💻🗣

I just have one question, where is the callback URL used in the app? So the callback URL seems to be → https://localhost:7095/callback, where is it used?

Hi @venky76v 👋,
Welcome to the Auth0 Community!

The callback URL is automatically handled by the Auth0 ASP.NET Core Authentication SDK. Well, actually it is handled by the underlying OpenID Connect middleware, which takes care of validating and decoding the tokens received from Auth0 and all the protocol-related stuff.
Usually, you don’t need to change this standard behavior, but the SDK lets you customize it if you really need it.

Thanks Andrea for the response, really like and appreciate your tutorials. In fact I look forward to reading them. Thanks for the explanation about the callback URL. What you say makes sense, but what I don’t understand, maybe you can explain, is the callback URL, is it passed back to the MVC / Razor app as a part of the authentication process? Does the setup need a callback URL to work with and what will happen if I don’t configure a callback URL while setting up the app on the Auth0 dashboard?

Thanks for your kind words, @venky76v 🙂

I really appreciate that you want to learn more about what happens under the hood. I think that developers should have at least a high-level idea of what an SDK, framework, protocol, etc. do. So, your question is welcome! 🙌

The need for the callback URL has to do with the OpenID Connect/OAuth2 flows. In this specific case, we are using the Implicit Flow.
The following image outlines the interaction between the user, the application, and Auth0:

Step 5 is where Auth0 uses the callback URL. In this step, Auth0 redirects your user’s browser to that callback URL and provides the ID token, i.e., the token that proves that the authentication was successful and contains the user’s data.

Registering the callback URL on the Auth0 side is a required security measure to prevent an attacker from getting your ID token by redirecting to another URL. Auth0 will redirect users only to registered URLs.
If you don’t register a callback URL, your users’ authentication attempt will fail.

I hope this helps you better understand the underlying flow.
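
The registered-callback check described in the answer above, as an added C# example that is not part of the original posts and is not Auth0's implementation. It is a simplified model of an authorization server that uses exact string matching; `HandleAuthorizationRequest`, the client ID and the non-registered URLs are constructed for illustration.

```csharp
// Added illustration: a simplified model of the check, not Auth0's code.
using System;
using System.Collections.Generic;

// Constructed sample registration: one client with the callback URL
// from this thread on its allow list.
var registered = new Dictionary<string, HashSet<string>>
{
    ["sample-client-id"] =
        new HashSet<string>(StringComparer.Ordinal) { "https://localhost:7095/callback" }
};

// Decide where the browser is sent once the user has logged in.
string HandleAuthorizationRequest(string clientId, string redirectUri)
{
    // Unknown client or unregistered callback: render an error page on the
    // authorization server itself. Redirecting to the unverified URL, even
    // just to report the error, would hand control to whoever supplied it.
    if (!registered.TryGetValue(clientId, out var allowed) ||
        !allowed.Contains(redirectUri))
    {
        return "error page: callback URL mismatch (no redirect issued)";
    }

    // Exact match only: the ID token goes to the registered callback.
    return $"302 -> {redirectUri} (ID token attached)";
}

// Constructed requests: the first is registered, the rest differ in one detail.
var requests = new[]
{
    "https://localhost:7095/callback",          // registered value
    "https://other-host.example/callback",      // different host
    "https://localhost:7095/callback/../other", // extra path segments
    "https://localhost:7095/Callback",          // different letter case
    "http://localhost:7095/callback",           // different scheme
};

foreach (var uri in requests)
{
    var result = HandleAuthorizationRequest("sample-client-id", uri);
    Console.WriteLine($"{uri,-42} => {result}");
}
```

Only the first request is redirected with a token; every other request ends on the error page, which is the failed authentication attempt the answer mentions for an unregistered callback URL.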