
Help with OIDC upgrade, .Net

impersonation
oidc-conformant
app_metadata
user-metadata

#1

After spending months doing some deep integration with Auth0, I have now come back to it, looking at the new version and trying to work out how to upgrade from version 3 to 4 of the .Net libraries to support OIDC. Some notes say that version 3 will still be supported, but it's all very confusing, not to mention the community forum that is now ridiculously bad compared to what was available before (and does not render properly in Safari).

Questions:

How do AppMetaData, UserMetaData and ProviderAttributes work in the new API?

I have a specific structure in AppMetaData to handle various multi-tenant permissions. This is a JSON structure; is this still supported, or do we need to use name/value pairs in claims? I have seen some very basic info on this; how do we add, update and read these new namespaced claims?

Regarding UserMetaData, I had to add a first_name and last_name as these stopped getting updated via the API and I needed to store them elsewhere. Are these specific fields now supported in the standard claims?

We use User.ProviderAttributes to check if users are impersonated and to get the impersonator; this doesn't seem to be available? Is there any documentation that walks through this?


#2

This results in "Invalid authorization code":

var result = await client.GetTokenAsync(new ResourceOwnerTokenRequest
{
    ClientId = Auth0Settings.ClientId,
    Scope = "openid",
    Realm = Auth0Settings.DatabaseConnection,
    Username = model.EmailAddress,
    Password = model.Password
});

#3

This code does not produce any logs in the Auth0 dashboard, but I get the exception:

Auth0.Core.Exceptions.ApiException: Grant type ‘http://auth0.com/oauth/grant-type/password-realm’ not allowed for the client.

var result = await client.GetTokenAsync(new ResourceOwnerTokenRequest
{
    ClientId = Auth0Settings.ClientId,
    ClientSecret = Auth0Settings.ClientSecret,
    Scope = "openid profile",
    Realm = Auth0Settings.DatabaseConnection,
    Username = model.EmailAddress,
    Password = model.Password
});

#4

Having spent some frustrating hours trying to get this working, working with very disparate documentation/resources and a million popup windows, here is a basic outline of how to update the C# API library from version 3 to version 4 if you use user_metadata and app_metadata.

The critical bits of information you need (assuming you have updated to the latest NuGet packages) are:

Client Setup
In the Advanced settings, OAuth tab, switch on the OIDC Conformant option.

Authenticating
Use GetTokenAsync as per the documentation.

something like:

var accessTokenResponse = await client.GetTokenAsync(new ResourceOwnerTokenRequest
{
    ClientId = Auth0Settings.ClientId,
    ClientSecret = Auth0Settings.ClientSecret,
    Scope = "openid profile",
    Realm = Auth0Settings.DatabaseConnection,
    Username = model.EmailAddress,
    Password = model.Password
});

Then use accessTokenResponse to get the user info (the id token is no longer used):

var user = await client.GetUserInfoAsync(accessTokenResponse.AccessToken);

The result of this is now a UserInfo object, not a User object; however, elsewhere in the API client libraries User is still used.

Additional Client Setup

This did not work until I added the grant_types to the Client account.
(I had created a new client account, which did not work in V3, hence upgrading, but the Client account still doesn't work out of the box; you will need to "patch" the client account and add the grant_types.)
This is done in the Management API tools, via the 'Update a client' form; see the answer and comments here for more info: https://community.auth0.com/questions/3944/error-grant-type-password-not-allowed-for-the-clie

Metadata and Claims:
Everything regarding creating and retrieving users with associated metadata works exactly the same. The only exception is how the metadata is returned when getting user info as above: in this case app_metadata and user_metadata are no longer returned, as they are not standard OIDC claims. In order to have these returned, you need to add them to the "Additional Claims" returned in the user info as custom claims.
To return the metadata you will need to add a rule that adds it; I added this:

// Name: Custom Claims
// Adds user_metadata and app_metadata as namespaced custom claims, serialised as
// JSON strings, so they come back alongside the standard OIDC claims.
function (user, context, callback) {
  // Custom claims must be namespaced with a URL you control; un-namespaced
  // custom claims are silently dropped in OIDC-conformant mode.
  var namespace = 'http://brightertools.com/';
  context.idToken[namespace + 'user_metadata'] = JSON.stringify(user.user_metadata);
  context.idToken[namespace + 'app_metadata'] = JSON.stringify(user.app_metadata);
  callback(null, user, context);
}

Then from the UserInfo you can get the metadata JSON strings, e.g.:

var appMetaDataJsonString = user.AdditionalClaims
    .Where(x => x.Key == $"{Auth0Settings.ClaimsNamespace}app_metadata")
    .Select(x => x.Value.ToString())
    .FirstOrDefault();

Impersonation

To get impersonation working, you will need to get this feature switched on for your tenant account. The impersonation details are no longer in the user info; they will need to be returned within the user's claims via a rule, and you may need to update your Client grant types. See these answers for more info:
https://community.auth0.com/answers/4823/view
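As an added example (not code from this thread or from the Auth0 library), here is how the consuming .NET side can turn the stringified app_metadata claim produced by a rule like the one above back into a typed, deny-by-default permission check. It assumes UserInfo.AdditionalClaims is an IDictionary<string, JToken> (as in the v4 Auth0.NET library), a hypothetical TenantPermissions shape, and the same claim namespace as the rule.

```csharp
using System;
using System.Collections.Generic;
using Newtonsoft.Json;
using Newtonsoft.Json.Linq;
// Hypothetical shape of the multi-tenant permission structure kept in app_metadata.
public class TenantPermissions
{
    public Dictionary<string, List<string>> Tenants { get; set; }
}
public static class MetadataClaims
{
    // Must match the namespace used in the rule exactly, trailing slash included.
    public const string ClaimsNamespace = "http://brightertools.com/";
    // Returns null when the claim is absent or is not the JSON string the rule emits,
    // so a user with no app_metadata simply has no permissions instead of throwing.
    public static TenantPermissions ReadAppMetadata(IDictionary<string, JToken> additionalClaims)
    {
        if (additionalClaims == null) return null;
        if (!additionalClaims.TryGetValue(ClaimsNamespace + "app_metadata", out var token)) return null;
        if (token == null || token.Type != JTokenType.String) return null;
        try
        {
            return JsonConvert.DeserializeObject<TenantPermissions>(token.Value<string>());
        }
        catch (JsonException)
        {
            return null; // malformed JSON in the claim: deny rather than guess
        }
    }
    // Deny by default: a missing tenant or permission list means "not granted".
    public static bool HasPermission(TenantPermissions p, string tenant, string permission)
        => p?.Tenants != null
           && p.Tenants.TryGetValue(tenant, out var perms)
           && perms != null && perms.Contains(permission);
}
public static class Program
{
    public static void Main()
    {
        // Constructed stand-in for userInfo.AdditionalClaims after the rule has run.
        var claims = new Dictionary<string, JToken>
        {
            [MetadataClaims.ClaimsNamespace + "app_metadata"] =
                "{\"tenants\":{\"acme\":[\"read\",\"admin\"],\"globex\":[\"read\"]}}"
        };
        var perms = MetadataClaims.ReadAppMetadata(claims);
        Console.WriteLine(MetadataClaims.HasPermission(perms, "acme", "admin"));
        Console.WriteLine(MetadataClaims.HasPermission(perms, "globex", "admin"));
    }
}
```

Because the claim arrives via /userinfo on an access token Auth0 has already validated, the application only needs to parse it defensively, as above, rather than re-verify it.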


#5