Can someone please clarify if Lock can be used for SSO in a traditional full-CLR ASP.NET Web Forms application?
Extensive searches hint that there are no samples available for that platform. Although confusingly, I did find a page that instructs you to use the Auth0-ASPNET NuGet package with an ashx callback method, however that package no longer exists so I presume the page is outdated.
I have spent many hours searching for help on Lock, SSO and Web Forms with no useful results at all, so I’d really appreciate it if someone could clarify this matter.
In the absence of replies I have answered this question myself after some more research. You can use Lock in a traditional ASP.NET Web Forms app by using plain JavaScript as described in the corresponding quick start.
Add the plain JS sample code to a script tag in an aspx page, remove the irrelevant demo code that manipulates elements. You just need the functions for load, some button click to fire the process, and handleAuthentication to receive the results.
A button click launches Lock via JS, the user interacts and the results are returned in the handler function. The token and id can be placed in the values of some text boxes or hidden controls. The client-side interaction places the authentication results into the rendered aspx page where they can become part of postback processing.
In the JS handler function you can call __doPostback passing the token, then in the page load look for the __EVENTARGUMENT and you can store it in session and transfer to another page. This creates a smooth effect where Lock is launched, the results from the client-side are pulled across the bridge to the server-side and you are redirected to a page where your authentication results are available to start working.
If the JS webAuth constructor contains scope: ‘openid profile’ then the returned 3-part base64 encoded token contains really useful information like name, unique id, picture url, etc (note that the base64 parts may need manual end padding with ‘=’).
So by a classical combination of aspx pages and plain JavaScript from the Auth0 sample you can launch Lock, handle the result and push the results through controls into a postback where they become part of your ASP.NET flow.
The authentication processing I’ve described is all I want for now. I have no need for integrating APIs with roles and fine-grained authorisation in this case.