Hi @carlitos.
Let's break it down here.
When integrating an ASP.NET app with Auth0, the ASP.NET (OWIN) SDK follows the standard Authorization Code Flow (this is also when an SSO session cookie is created - see the Auth0 Session Layer documentation), so after a code was exchanged for a token, the session within your application is created by the cookie middleware (as described in the Configuration of the middleware part of the SDK).
Sure! You can integrate all these parts within Auth0.
- Legacy ASP.NET App: A “Regular Web Application” in Auth0.
- Modern .NET Core API: A separate “API” in Auth0.
- Mobile App: A “Native Application” that uses the Authorization Code Flow with PKCE
My guess is that you are referring to the mobile application. Auth0 returns a standard ID token when your users authenticate in the legacy app, but you can make a call using your modern API as an audience identifier so you can retrieve a token for your mobile app as well. If using one of our SDKs, this will check automatically for the Auth0 SSO cookie created earlier and retrieve a new Access Token.
I hope this helps clarify things a bit better, and if you have other questions let me know.
Thanks,
Remus
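
Added example, not part of the reply above and not Auth0 SDK code: a C# sketch of the authorization request a native app would send for the Authorization Code Flow with PKCE, with the API identifier passed as `audience`. The tenant domain, client ID, redirect URI, API identifier and scopes are constructed placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

public static class PkceAuthorizeExample
{
    // Base64url without padding, the encoding RFC 7636 requires.
    static string Base64Url(byte[] data) =>
        Convert.ToBase64String(data).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    // 32 random bytes give a 43-character value (used for verifier and state).
    public static string NewRandomToken()
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        return Base64Url(bytes);
    }

    // S256 challenge: BASE64URL(SHA256(ASCII(verifier))).
    public static string Challenge(string verifier)
    {
        using (var sha = SHA256.Create())
            return Base64Url(sha.ComputeHash(Encoding.ASCII.GetBytes(verifier)));
    }

    public static string BuildAuthorizeUrl(string domain, string clientId,
        string redirectUri, string audience, string challenge, string state)
    {
        var query = new Dictionary<string, string>
        {
            ["response_type"] = "code",
            ["client_id"] = clientId,
            ["redirect_uri"] = redirectUri,
            ["audience"] = audience,            // identifier of the API in Auth0
            ["scope"] = "openid profile",
            ["code_challenge"] = challenge,
            ["code_challenge_method"] = "S256",
            ["state"] = state,                  // compared on the callback
        };
        return $"https://{domain}/authorize?" + string.Join("&",
            query.Select(kv => $"{kv.Key}={Uri.EscapeDataString(kv.Value)}"));
    }

    public static void Main()
    {
        // Constructed placeholder values, not taken from the thread.
        var verifier = NewRandomToken();
        Console.WriteLine(BuildAuthorizeUrl("YOUR_TENANT.auth0.com", "YOUR_CLIENT_ID",
            "com.example.app://callback", "https://api.example.com",
            Challenge(verifier), NewRandomToken()));
    }
}
```

The verifier never appears in the authorization URL; the app keeps it and sends it as `code_verifier` when exchanging the code at `/oauth/token`, which is what binds the returned code to the client that started the flow.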