C# native app with Authorization Code Grant questions

I’m building a C# application which I want to access the APIs for Openshift. From my investigations I believe I should be using the Authorization Code Grant (PKCE).

I’m confused whether I should be using the Auth0.AuthenticationAPI v3, Auth0.AuthenticationAPI v4, or the Auth0.OidcClient (notifying @jerrie1 as I saw you wrote this :)), or perhaps even just the .NET RestClient.

Auth0.AuthenticationAPI was upgraded from v3 to v4 to make it compatible with OIDC, however Auth0.OidcClient seems to be explictly about building a OIDC client. Which should be preferred for new projects?

Is it even possible to execute an Authorization Code Grant (PKCE) using the Auth0.OidcClient? When using this client the access_token I receive back appears to be a JWT - should this be what is sent to the API?

Thanks, Mark

If you want to use PKCE you can use the Auth0 OIDC Client.

If you’re using UWP, please look at this quickstart:

And for Windows Forms or WPF, you can look at this one:

To obtain an access_token which you can pass as authorization when calling your APIs, you need to pass the audience for your API when calling LoginAsync. See API Authorization

Great, thanks for the info @jerrie1. I still haven’t managed to authenticate correctly with the openshift api, but that might be misconfiguration on the resource server side. Will look into it further this evening. At least I know that the recommended client api is the Auth0.Oidc one now.

Might I suggest that you change the link on the WPF/Winforms quickstart page from Auth0 OIDC Client to
Authentication . With the former you don’t see the document navigation page elements, hence I never saw the link to the advanced page.

Hi, When I call the LoginAsync method with the audience set the login fails with “access_denied”. This is even before I have a chance to provide my credentials.

I’m using a native client type, OIDC conformant.

Any ideas gratefully received. I’m finding the documentation pretty confusing tbh.

Sure. I will change the link to the Documentation section (Auth0 OIDC Client).

Go to the Auth0 Dashboard and click on Logs. Does that give you any more information?

Alternatively, can you perhaps look at the network traffic with Fiddler and see whether the HTTP call that fails give you any more details for the response coming back from Auth0?

Oh dear, what a numpty I am - I had a typo between the name of the service in the management console and my code. It’s odd though, I’m pretty sure I clicked on the Logs tab last night, and it was just a blank page. Perhaps I was just being impatient :wink:

I have hopefully just one more question if you could permit me…

The “Authorization Bearer xxx” token that gets used when logging in with the openshift webconsole looks a bit like this: fdas3JzMf62BizlJdIhrsyJN7q-4h9LmbEFvcjPHKg4

However the JWT that comes back from Auth0 is much longer of course - and fails to authorize with the openshift REST API. The openshift documentation states “Using an OpenID Connect identity provider requires users to get a token using /oauth/token/request to use with command-line tools.”. Do you think this is what I need to do to exchange the JWT for a Bearer xxx token? Thanks agai


Aah OK. Sorry, I though OpenShift was your own application.

The access_token being returned by Auth0 cannot be used against external Identity Providers. That access_token can only be used against your own APIs.

We do however store the Identity Provider tokens, and you can retrieve them to call the OpenShift API.

For more information on how to do that please see this document:

For calling the Auth0 Management API from your C# application, you can use the Auth0.NET SDK (specifically the SDK for the Management API):

Ah, hmm… maybe I’m going about things the wrong way after all. The OpenShift identity provider is controlled and configured by me (it’s my own installation of the opensource project), but the I guess the OpenShift APIs need to receive a token issued by the OpenShift OAuth server. It’s all quite confusing unless you’re building a web client (where the OpenID Connect integration works out of the box with Auth0). More reading and research required…