Login via Postman on a .net core 3 app using Auth0

I have a .net app with login setup via Auth0 (works fine with user interaction) but I want to login with a script with no user interaction, which isn’t working. Basically I want to run a LogicApp or some script with hard coded user/pass at night that access a page inside my app.

I’ve tried Azure LogicApps and Postman with the same results. I try to access a page inside my app by passing user/password as basic auth. I get a few redirects and back to the signin page. Auth0 is no providing any logs, so I assume the authentication is not reaching Auth0.

Obs1: I had this setup that I’m sure was working about 6 months ago, just recently I realized that it had stopped working, could’ve been a change in Auth0 or due to migrating from .net core 2.1 to 3.

Obs2: I also started testing the login with a Bearer token, but there will be too many changes in the code that I want to leave this as plan b.

Snippet of Startup.cs

services.Configure(options =>’’’
options.CheckConsentNeeded = context => true;
options.MinimumSameSitePolicy = SameSiteMode.None;
options.Secure = CookieSecurePolicy.Always;

// Add authentication services
services.AddAuthentication(options =>
options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = CookieAuthenticationDefaults.AuthenticationScheme;
.AddOpenIdConnect(“Auth0”, options =>
// Set the authority to your Auth0 domain
options.Authority = $“https://login.myapp.net”;

// Configure the Auth0 Client ID and Client Secret
options.ClientId = "";
options.ClientSecret = "

//Set response type to code
options.ResponseType = “code”;

// Configure the scope

//Set the correct name claim type
options.TokenValidationParameters = new TokenValidationParameters
NameClaimType = “name”,
RoleClaimType = “https://schemas.myapp.net

// Set the callback path
options.CallbackPath = new PathString("/callback");

// Configure the Claims Issuer
options.ClaimsIssuer = “Auth0”;

Postman result (3 redirects and a found - login page):

GET https://myapp.net/

GET https://myapp.net/Account%2FLogin

GET https://login.myapp.net/authorize?client_id=****************&redirect_uri=https%3A%2F%2Fapp.myapp.net%2Fcallback&response_type=code&scope=openid%20profile%20email&code_challenge=******&code_challenge_method=S256&response_mode=form_post&nonce=&x-client-SKU=ID_NETSTANDARD2_0&x-client-ver=

GET https://login.myapp.net/login?state=&protocol=oauth2&redirect_uri=https%3A%2F%2Fapp.myapp.net%2Fcallback&response_type=code&scope=openid%20profile%20email&code_challenge=&code_challenge_method=S256&response_mode=form_post&nonce=&x-client-SKU=ID_NETSTANDARD2_0&x-client-ver=

Request Headers
Authorization: Basic **********
User-Agent: PostmanRuntime/7.22.0
Accept: /
Cache-Control: no-cache
Postman-Token: **************
Accept-Encoding: gzip, deflate, br
Cookie: did=
; auth0_compat=
Referer: https://login.myapp.net/authorize?client_id=
Connection: keep-alive
Response Headers
Server: nginx
Date: Wed, 11 Mar 2020 04:18:29 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
ot-tracer-spanid: 6ed01af3e
ot-tracer-traceid: 3d5f35a407
ot-tracer-sampled: true
X-Auth0-RequestId: 655374d6432978
X-RateLimit-Limit: 1000
X-RateLimit-Remaining: 999
X-RateLimit-Reset: 1583900310
set-cookie: _csrf=eML8VgsIOn-ONcU0u3TeTx7U; Max-Age=864000; Path=/usernamepassword/login; HttpOnly; Secure
X-Robots-Tag: noindex, nofollow
X-Robots-Tag: noindex, nofollow, nosnippet, noarchive
X-Frame-Options: deny
Content-Security-Policy: frame-ancestors ‘none’
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin
ETag: W/“a6e-Dn+oh0+jgssgYbnM4PE”
cache-control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0, no-transform
Content-Encoding: gzip
Strict-Transport-Security: max-age=15768000

Response Body
[sign in page]

I managed to make it work. Since I’m using cookie authentication I had to enable the interceptor feature in postman to grab the auth cookie from the browser.

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.