Custom State persistence and validation using ASP.NET Core OpenID Connect (OIDC) middleware

Hey everyone,

I’m attempting to persist some application state across my Auth0 authentication request, but I’m having trouble finding documentation surrounding how to do it.

I’m using the following technologies:
ASP.NET Core 2.2
OpenID Connect (OIDC) middleware
Web application

So, based on two Auth0 docs, it sounds like I should be able to not only persist state through my Auth0 authentication requests, but also validate the state and reject the request if the state is not valid. Here are the doc links:

From reading the documentation, it sounds like there should be a feature called State or Nonce in the OIDC middleware that I can encode data into. It also seems like the OIDC middleware should have some type of hook/handler where I can validate the response from Auth0 and reject potential CSRF attacks while also retrieving my app state. Unfortunately, I’m at a bit of a loss as to whether the OIDC middleware even has features like this.

The closest thing I’ve found is OpenIdConnectOptions.NonceCookie, but it seems different from what I was expecting based on the Auth0 docs linked above.

If someone has a link to some GitHub code or Auth0 examples that I may have missed, that would be greatly appreciated. I’ve been stuck at this point for a week now and am not sure how to proceed.

Thanks,
Ruben

I was able to figure out a good place to store the state: the OnRedirectToIdentityProvider event in OpenIdConnectEvents:

OnRedirectToIdentityProvider = (RedirectContext context) =>
{
	// The handler wraps this value in its own data-protected state parameter
	// after the event runs, so it comes back tamper-evident on the callback.
	context.ProtocolMessage.State = "CUSTOM_STATE";
	return Task.CompletedTask;
}

This is available as AuthenticationProperties later on in my app. Now I’m trying to find the proper way to deny access to the app given certain criteria in my state. Any insight is GREATLY appreciated.
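An added example of the round trip the thread is asking about (written for this edit, not code from the poster or from Auth0): the caller passes a per-login value through AuthenticationProperties.Items, OnRedirectToIdentityProvider copies it into ProtocolMessage.State, and OnTokenValidated reads it back and calls Fail() when it does not satisfy a policy. The "app.tenant" key, the allowed-tenant list and IsAllowedTenant are assumptions; OpenIdConnectDefaults.UserstatePropertiesKey is the key under which the handler restores the custom state.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;

public static class OidcStateSetup
{
    // Wire this into AddOpenIdConnect(...) in Startup.ConfigureServices.
    public static void Configure(OpenIdConnectOptions options)
    {
        options.Events = new OpenIdConnectEvents
        {
            // Outbound: the handler wraps ProtocolMessage.State in its own
            // data-protected state blob, so a forged or edited value fails to
            // unprotect on the callback and never reaches the events below.
            OnRedirectToIdentityProvider = context =>
            {
                // Value supplied by the caller via AuthenticationProperties.Items
                // when it invoked ChallengeAsync (see the controller note below).
                if (context.Properties.Items.TryGetValue("app.tenant", out var tenant))
                {
                    context.ProtocolMessage.State = tenant;   // assumed key name
                }
                return Task.CompletedTask;
            },

            // Inbound: state is already unprotected and the custom value has been
            // put back under OpenIdConnectDefaults.UserstatePropertiesKey.
            OnTokenValidated = context =>
            {
                context.Properties.Items.TryGetValue(
                    OpenIdConnectDefaults.UserstatePropertiesKey, out var tenant);

                if (!IsAllowedTenant(tenant))
                {
                    // Fail() aborts sign-in; OnRemoteFailure sees the reason.
                    context.Fail($"Tenant '{tenant}' is not permitted to sign in.");
                }
                return Task.CompletedTask;
            }
        };
    }

    // Assumed policy hook: only these tenants may complete a login.
    private static bool IsAllowedTenant(string tenant) =>
        tenant == "contoso" || tenant == "fabrikam";

    // Controller side (assumed): start the login with the state attached.
    //   var props = new AuthenticationProperties { RedirectUri = "/" };
    //   props.Items["app.tenant"] = "contoso";
    //   return Challenge(props, OpenIdConnectDefaults.AuthenticationScheme);
}
```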