This C# code sample demonstrates how to implement Role-Based Access Control (RBAC) in an ASP.NET Core Web API server using Auth0.
This post is linked in the doco page for ASP.NET Core Code Sample: Web API Role-Based Access Control so I hope I’m posting in the right spot.
I just came across this example whilst exploring Auth0’s new code example site and have some feedback. The current example is a bit unusual in its implementation:
- Instead of using appsettings.json or dotnet-secrets, the default configuration setup has been wiped and replaced with .env files, which is not very common for .NET and does not follow Auth0’s own quickstart.
- CORS is configured but only for GET requests, which might be surprising behavior for a user unfamiliar with CORS.
- The port is being manually assigned via AddUrls, ideally it would be done via appsettings.json or launchSettings.json
- The SecureHeadersMiddleware serves no purpose, HSTS should be enforced via an app.UseHsts() call and the rest of the headers are not useful for an API-only application.
- An error route controller is included but is never used as the error handling has been manually implemented instead.
I specifically reviewed the RBAC branch of the relevant repository, but other branches appear similar in implementation.
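For reference, here is a Program.cs that follows the more idiomatic setup the feedback above describes (configuration from appsettings.json, CORS for all methods, HSTS via the built-in middleware, RBAC as authorization policies). This is an added example, not the Auth0 sample's own code; the `Auth0:Domain`, `Auth0:Audience` and `ClientOrigin` configuration keys and the `read:messages` permission are assumed placeholders.

```csharp
// Added example, not the Auth0 sample's code. Assumes appsettings.json (or user-secrets /
// environment variables) contains Auth0:Domain, Auth0:Audience and ClientOrigin, and that
// access tokens issued by Auth0 carry a "permissions" claim (RBAC enabled on the API).
using Microsoft.AspNetCore.Authentication.JwtBearer;

var builder = WebApplication.CreateBuilder(args);

// The default host already reads appsettings.json, user-secrets and environment
// variables, so no custom .env loader is needed. Ports belong in launchSettings.json
// or the "Kestrel" configuration section rather than a hard-coded AddUrls call.
var domain = builder.Configuration["Auth0:Domain"]
    ?? throw new InvalidOperationException("Auth0:Domain is not configured");
var audience = builder.Configuration["Auth0:Audience"]
    ?? throw new InvalidOperationException("Auth0:Audience is not configured");

builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.Authority = $"https://{domain}/";   // issuer; signing keys are discovered from it
        options.Audience = audience;                  // token must be issued for this API
    });

// RBAC: one policy per permission, checked against the token's "permissions" claim.
builder.Services.AddAuthorization(options =>
{
    options.AddPolicy("read:messages", policy => policy.RequireClaim("permissions", "read:messages"));
});

// CORS for every method the API exposes, restricted to the known client origin.
builder.Services.AddCors(options => options.AddDefaultPolicy(policy =>
    policy.WithOrigins(builder.Configuration["ClientOrigin"] ?? "https://client.example")
          .AllowAnyHeader()
          .AllowAnyMethod()));

var app = builder.Build();

// HSTS through the framework middleware; no custom headers middleware required.
if (!app.Environment.IsDevelopment())
{
    app.UseHsts();
}
app.UseHttpsRedirection();
app.UseCors();
app.UseAuthentication();
app.UseAuthorization();

// Endpoint guarded by the RBAC policy: 401 without a valid token, 403 without the permission.
app.MapGet("/api/messages/admin", () => Results.Ok(new { text = "Admin-only message." }))
   .RequireAuthorization("read:messages");

app.Run();
```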
Thanks for your feedback! This is very helpful.
I’ll share it internally with our .NET advocates and look for a way to make this code sample more idiomatic and reflect practices or usage that .NET developers expect.