Learn the best practices for securing ID, access, and refresh tokens in your .NET MAUI applications and keeping a consistent user experience.
Read more…
Brought to you by @andrea.chiarelli
How did you like this post? Please share any comments or feedback with us on this thread
I’ve noticed that once your Id token has expired that the oidc middleware throws an uncaught validationException when checking the expiry on the jwt.
I’ve caught this in the GetAuthenticatedUser method and called logoutasync. Is this an acceptable workaround, and is there a better way of managing this?
Hi @Aranict,
Welcome to the Auth0 Community! 
This is an acceptable approach if you want to close your user session when the ID token expires.
If you want to keep the session active (i.e., close it only when the user explicitly logs out), you can call the RefreshTokenAsync() method to refresh all the tokens.
The article focuses on refreshing access tokens, but it also applies to ID tokens
2 Likes
Hello,
I have followed this code precisely. Maui app, targeting Android, iOS and Windows. All .Net7, latest OS on each.
This sets the callback:
builder.Services.AddSingleton(new Auth0Client(new()
{
Domain = "mycompany.auth0.com",
ClientId = "xxxxxxxxxxxxxxxxx",
Scope = "openid profile email",
#if WINDOWS
RedirectUri = "http://localhost/callback"
#else
RedirectUri = "com.mycompany.mycompany://callback"
#endif
}));
I keep getting this error:
One or more errors occurred. (You need to declare the windows.protocol usage of the protocol/scheme "http" in your AppxManifest.xml file)'
[External Code]
mycompany.Auth0.WebBrowserAuthenticator.InvokeAsync(IdentityModel.OidcClient.Browser.BrowserOptions, System.Threading.CancellationToken) in WebBrowserAuthenticator.cs
[External Code]
mycompany.Auth0.Auth0Client.LoginAsync() in Auth0Client.cs
mycompany.MainPage..ctor.AnonymousMethod__0() in MainPage.xaml.cs
Cannot find much on editing the AppxManifest.xml file and no access to it in VS either unless I’m missing something.
Wonder if this might be a local Windows issue as I try run this on my local/dev machine.
EDIT: And in Android I get this:
One or more errors occurred. (You must subclass the WebAuthenticatorCallbackActivity and create an IntentFilter for it which matches your callbackUrl.)'
This sample I think needs to be expanded to include some of this info as there are obviously some new/additional steps missing. It is hard to keep up with the pace of change and moving technical targets, I do realize that!
Thanks