So I’ve been asked to maintain a web app (ASPNet Core 3.1 mvc, hereafter known as WebApp) for my employer, and after wrestling with their custom-written identity provider for 6 months, and finding out the package they were basing it on has been abandoned, I did some research and got management and the architects to agree to using Auth0 for our IdP. Added the Auth0 universal login to the WebApp in a matter of a few days, all was well, users can log in and access the app.
The next phase of implementation is to add device flow authentication to a product we make, and have the device in question use the access token to call some APIs hosted on the WebApp.
I wrote a WinForms app in C# so I could have proof of concept code for the device team to base their code on. Cue many, many struggles.
Where I’m at now:
I can use my Device Flow Prototype (DFP) to successfully do the User Code challenge, correctly have the user authorize the user code and get the Access Token back from Auth0.
If I use DFP to call the Auth0 WebApi quickstart app with the access token, I can get the protected endpoint content (simple json string), no problem.
If I use DFP to call a similarly protected endpoint on the WebApp, I get back a blob of HTML - when I paste it into a text file and view it in a browser, it’s the Auth0 universal login page.
Question:
Is it possible for me to setup my WebApp to allow users to log in using universal login, AND process JWT bearer tokens from a device that authenticates through Device Flow? Knowing that I had to rip out the custom IdP stuff from WebApp as I was implementing Auth0 IdP, I get the feeling there’s something I missed, but I can’t figure out what. Please help.
Here’s the Authentication-related content in the WebApp startup.cs:ConfigureServices(IServiceCollection services) call:
string domain = $"https://{Configuration["Auth0:Domain"]}/";
services.AddCors(options =>
{
options.AddPolicy("CorsPolicy",
builder => builder.SetIsOriginAllowed(origin => true)
.AllowAnyMethod()
.AllowAnyHeader()
.AllowCredentials());
});
services.AddControllersWithViews(options =>
{
options.EnableEndpointRouting = false;
options.AllowEmptyInputInBodyModelBinding = true;
}).AddRazorRuntimeCompilation();
services.AddSingleton<IConfiguration>(Configuration);
services.AddAuthentication(options =>
{
options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = CookieAuthenticationDefaults.AuthenticationScheme;
})
.AddCookie()
.AddOpenIdConnect("Auth0", options =>
{
// Set the authority to your Auth0 domain
options.Authority = $"https://{Configuration["Auth0:Domain"]}";
// Configure the Auth0 Client ID and Client Secret
options.ClientId = Configuration["Auth0:ClientId"];
options.ClientSecret = Configuration["Auth0:ClientSecret"];
// Set response type to code
options.ResponseType = OpenIdConnectResponseType.Code;
// Configure the scope
options.Scope.Clear();
options.Scope.Add("openid");
options.Scope.Add("email");
options.Scope.Add("profile");
options.CallbackPath = new PathString("/callback");
options.ClaimsIssuer = "Auth0";
options.SaveTokens = true;
options.Events = new OpenIdConnectEvents
{
// handle the logout redirection
OnRedirectToIdentityProviderForSignOut = (context) =>
{
var logoutUri = $"https://{Configuration["Auth0:Domain"]}/v2/logout?client_id={Configuration["Auth0:ClientId"]}";
var postLogoutUri = context.Properties.RedirectUri;
if (!string.IsNullOrEmpty(postLogoutUri))
{
if (postLogoutUri.StartsWith("/"))
{
// transform to absolute
var request = context.Request;
postLogoutUri = request.Scheme + "://" + request.Host + request.PathBase + postLogoutUri;
}
logoutUri += $"&returnTo={ Uri.EscapeDataString(postLogoutUri)}";
}
context.Response.Redirect(logoutUri);
context.HandleResponse();
return Task.CompletedTask;
}
};
})
.AddJwtBearer("Bearer", options =>
{
options.Authority = domain;
options.Audience = Configuration["Auth0:Audience"];
});
services.AddAuthorization(options =>
{
});And here’s the same code from the Auth0 WebApi Quickstart for comparison.
services.AddCors(options =>
{
options.AddPolicy("AllowSpecificOrigin",
builder =>
{
builder
.WithOrigins("http://localhost:8080")
.AllowAnyMethod()
.AllowAnyHeader()
.AllowCredentials();
});
});
var domain = $"https://{Configuration["Auth0:Domain"]}/";
services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
.AddJwtBearer(options =>
{
options.Authority = domain;
options.Audience = Configuration["Auth0:Audience"];
});
services.AddAuthorization(options =>
{
options.AddPolicy("read:messages", policy => policy.Requirements.Add(new HasScopeRequirement("read:messages", domain)));
});
services.AddControllers();