Hey everyone,
I’m attempting to persist some application state across my Auth0 authentication request, but I’m having trouble finding documentation surrounding how to do it.
I’m using the following technologies:
ASP.NET Core 2.2
Open Identity Connect (OIDC) middleware
Web application
So, based on two Auth0 documentation pages, it sounds like I should be able to not only persist state through my Auth0 authentication requests, but I should also be able to validate the state and reject the request if the state is not valid. Here are the doc links:
From reading the documentation, it makes me think that there should be a feature called State or Nonce in the OIDC middleware that I can encode data into. It also seems like the OIDC middleware should have some type of hook/handler where I can validate the response from Auth0 and reject potential CSRF attacks while also being able to retrieve my app state. Unfortunately, I’m at a bit of a loss about if OIDC even has features like this.
This is the closest thing that I’ve found, OpenIdConnectOptions.NonceCookie, but it seems different than what I was expecting based on the Auth0 docs linked above.
If someone has a link to some GitHub code, or Auth0 examples that I may have missed, that would be greatly appreciated. I’ve been sort of stuck at this point for a week now and I'm not sure how to proceed.
Thanks,
Ruben
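
An added example, not part of the original post or of Auth0's documentation: one way to carry application state through the ASP.NET Core OpenID Connect handler, which round-trips `AuthenticationProperties` inside its data-protected `state` parameter and checks a correlation cookie on the callback. The scheme name `Auth0`, the `app:state` key, the `Login` action and the authority/client placeholders are assumptions.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public static class AuthSetup
{
    public const string StateKey = "app:state"; // hypothetical item key

    // Call from Startup.ConfigureServices.
    public static void AddAuth(IServiceCollection services)
    {
        services.AddAuthentication(o =>
        {
            o.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            o.DefaultChallengeScheme = "Auth0"; // assumed scheme name
        })
        .AddCookie()
        .AddOpenIdConnect("Auth0", o =>
        {
            o.Authority = "https://YOUR_DOMAIN/";   // placeholder
            o.ClientId = "YOUR_CLIENT_ID";          // placeholder
            o.ClientSecret = "YOUR_CLIENT_SECRET";  // placeholder
            o.ResponseType = "code";
            o.Events = new OpenIdConnectEvents
            {
                // Runs after the handler has unprotected `state` and validated
                // the correlation cookie; Properties holds the restored items.
                OnTokenValidated = ctx =>
                {
                    if (!ctx.Properties.Items.TryGetValue(StateKey, out var s)
                        || string.IsNullOrEmpty(s))
                        ctx.Fail("Application state missing from callback.");
                    return Task.CompletedTask;
                }
            };
        });
    }
}

public class AccountController : Controller
{
    // Items are serialized into the protected state sent to the provider.
    public IActionResult Login(string appState) =>
        Challenge(new AuthenticationProperties
        { RedirectUri = "/", Items = { { AuthSetup.StateKey, appState } } }, "Auth0");
}
```

Because `appState` arrives from the request here, check it against the values your application expects before acting on it after sign-in.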