Authorization Code Flow with PKCE utilizing package Auth0.AspNetCore.Authentication

arshad.sarfarz.1979 · February 15, 2022, 4:26pm

Our team would like to use Authorization Code Flow with PKCE for server side applications. Can we use the package Auth0.AspNetCore.Authentication for implementing Authorization Code Flow with PKCE in ASP.NET Core MVC? I explored the SDK and was able to find use of Authorization Code when a ClientSecret is provided. But could not find an option to use PKCE.

rueben.tiow · February 16, 2022, 12:29am

Hi @arshad.sarfarz.1979,

Welcome to the Auth0 Community!

First, I would like to emphasize that the ASP.NET Core MVC SDK is for Regular Web Apps, which are confidential clients. This uses the Authorization Code Flow for authentication and can securely store secrets.

Whereas the Authorization Code Flow with PKCE is used in Single Page Applications and Native Apps for authentication. This is needed because SPAs and Native Apps are public clients and cannot securely store secrets.

With that said, I can confirm that implementing the authorization code flow with PKCE with a Regular Web App will not work.

I have tested this myself and found that it throws a 401 Unauthorized error with a Regular Web App and works when using a SPA or Native App.

Hoped this helps!

Please do not hesitate to reach out if you have additional questions.

Thank you.

arshad.sarfarz.1979 · February 16, 2022, 8:53pm

Thanks @rueben.tiow for the information

Hawxy · February 17, 2022, 2:02am

It’s interesting that you say that, as the underlying OpenIdConnect integration in ASP.NET Core will automatically use PKCE if the response type is set to Code:
OpenIdConnectOptions.UsePkce Property (Microsoft.AspNetCore.Authentication.OpenIdConnect) | Microsoft Learn
That includes the Auth0 SDK.

Is there something different between PKCE in confidential/public clients?

Keanu · February 17, 2022, 11:04am

I faced similar kind of issue last time, I am still searching for some proper solution.

system · March 4, 2022, 11:05am

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.

arshad.sarfarz.1979 · March 24, 2022, 1:39am

Hi @rueben.tiow ,
As mentioned by @Hawxy, since the underlying OpenIdConnect integration supports PKCE, the package Microsoft.AspNetCore.Authentication.OpenIdConnect is actually using PKCE when the response type is set to Code. I checked the code in github for the library GitHub - auth0/auth0-aspnetcore-authentication: SDK for integrating Auth0 in ASPNET Core. This library sets the response type to Code when the method “WithAccessToken” is used. I inspected the authorize URL sent to Auth0 server and it contains the parameters “code_challenge” and “code_challenge_method”.