Authorization for ASP.NET Web APIs

Learn how to secure an ASP.NET Web API by granting access only to authorized users through Auth0 authentication and authorization services.

Brought to you by @andrea.chiarelli

What are your thoughts, guys? Share them in the comments!

Is this article clear enough to help you implement Auth0 in your ASP.NET Web API?
Let me know

Hi,

Just tried out this Auth0 example code on ASP.NET, works a treat!

Thanks,
Tom

Hey @tom.randles, happy to hear this! :tada:
Stay tuned and you’ll learn how to use permissions in the next weeks :wink:

Hi @andrea.chiarelli. Is there a tutorial for .Net framework 4.x (not Core)? All .net documentation I see only targets .Net Core.
Is it possible to add auth0 support for legacy .net applications? The nuget packages seem to target only core.

Hey @cossio.jorge, have you taken a look at the ASP.NET Web API (OWIN) Quickstart?
It should be the starting point for the .NET Framework.

Great docs. Thank you!
Can you please create a new blog post on how to call a secured Minimal API from a secured Blazor Web app in .NET 8? Also, how would it work in cases where the secured Minimal API has multiple instances running (like in a microservices scenario)? Would love an example in this scenario. Thanks!

Hi @ashishk,
Welcome to the Auth0 Community! :wave:
Content for .NET 8 is in the pipeline. Stay tuned! :slightly_smiling_face:

Regarding the microservices scenario, the actual implementation depends on many factors: architecture, purpose, infrastructure, security requirements, etc. Maybe these docs can give you an idea of how you can organize them:

Hello Andrea
Any news on .Net8?
I tried simply upgrading but I get a 403 when I try to post.

I asked a question about trying to get this working on .Net8 on Stack Overflow.
79276731/403-testing-auth0-sample-project-after-upgrade-to-net8

Hi @kirsteng,
As far as I know, there should be no problem with migrating this project to .NET 8. It should work as expected.

Since you get a 403 status code instead of a 401, it suggests that your API is expecting some permissions in the access token, but your access token does not have them.

However, the article you refer to here does not explain how to deal with scopes and permissions. You may want to read this article instead to learn how to do it.

Let me know if I can help in some other way.

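To make the 401-versus-403 distinction from the reply above concrete, here is an added example of an ASP.NET Core minimal API protected with Auth0-issued access tokens (example code written for this thread, not the article's or Auth0's own code). The Auth0 domain, the API identifier and the `write:messages` permission name are placeholder assumptions.

```csharp
// Added example, not the article's code. Placeholders: Auth0 domain, API identifier,
// and the "write:messages" permission name.
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;

var builder = WebApplication.CreateBuilder(args);

// Assumed values; in a real project read them from configuration.
const string Domain = "https://YOUR_DOMAIN.auth0.com/";   // placeholder
const string Audience = "https://api.example.com";         // placeholder (API identifier)

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.Authority = Domain;   // issuer; signing keys are fetched from its JWKS endpoint
        options.Audience = Audience;  // the token's "aud" must match the API identifier
    });

builder.Services.AddAuthorization(options =>
{
    // A valid token that lacks "write:messages" in its "permissions" claim is
    // authenticated but not authorized, so the endpoint answers 403.
    // Auth0 only emits that claim when "Enable RBAC" and
    // "Add Permissions in the Access Token" are switched on for the API.
    options.AddPolicy("write:messages", policy =>
        policy.RequireAuthenticatedUser()
              .RequireClaim("permissions", "write:messages"));
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Missing, expired or badly signed token -> 401 (challenge from the JWT bearer handler).
app.MapGet("/api/messages", () => Results.Ok(new { text = "hello" }))
   .RequireAuthorization();

// Valid token without the required permission -> 403 (forbidden by the policy).
app.MapPost("/api/messages", () => Results.Created("/api/messages/1", null))
   .RequireAuthorization("write:messages");

app.Run();
```

A quick check while debugging: a 401 means the token never passed validation (wrong audience or issuer, or no token), while a 403 means validation succeeded and the policy rejected the claims it found.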

Thank you. I had missed setting up the toggles “Enable RBAC” and “Add Permissions in the Access Token” in the API settings.

Now that it works I am still puzzled why I don’t need to add a user. Is the purpose of these toggles to skip the need for a user?

Hey @kirsteng, when you use a test token generated from the Auth0 dashboard, you simulate a call originating from an authenticated user. This allows you to focus on the API side of the development.
To close the circle and have a real user authenticate and call the API, you need a client application.
Depending on the specific type of client application, you may have different approaches to build and integrate it with Auth0. Here is a list of articles that explain how to call an API from different types of .NET client applications:

If you want to learn more about .NET and Auth0, you may want to download this guide.

By the way, you can call your .NET API with non-.NET clients as well, of course.


Thanks Andrea. Am I correct in understanding that by client application here you mean the one that is outside of Auth0 calling in to it?
I am a bit confused because inside Auth0 we also need an Application which has a “ClientId” and thus might be considered a “Client Application”.

“Client” is a relative term :slightly_smiling_face:

I mean, you have a server application exposing a Web API. Let’s call it S.
The application that calls your API is your API’s client. Let’s call it C.
If your client application C does not need authentication and your API is not protected, you are done. You have your server app S and your client app C.

If you need authentication and authorization and rely on an ID provider such as Auth0, your client application is also a client for the Auth0 authorization server (let’s call it AS).

So, to call your protected API you need an application C that has a twofold role as a client:

  • it’s a client for your API application S
  • it’s a client for the authorization server AS

I don’t know what you mean by “outside of Auth0”, but if you want to call your API protected with Auth0, you need to build a client application for your API that is also registered with Auth0 (a client application for Auth0) (Applications/Applications in the Auth0 dashboard).

I hope this helps clarify.
