This C# code sample demonstrates how to implement Role-Based Access Control (RBAC) in an ASP.NET Core Web API server using Auth0.
This post is linked in the doco page for ASP.NET Core Code Sample: Web API Role-Based Access Control so I hope I’m posting in the right spot.
I just came across this example whilst exploring Auth0’s new code example site and have some feedback. The current example is a bit unusual in its implementation:
- Instead of using appsettings.json or dotnet-secrets, the default configuration setup has been wiped and replaced with .env files, which is not very common for .NET and does not follow Auth0’s own quickstart.
- CORS is configured but only for GET requests, which might be surprising behavior for a user unfamiliar with CORS.
- The port is being manually assigned via `AddUrls`; ideally it would be done via appsettings.json or launchSettings.json.
- The SecureHeadersMiddleware serves no purpose: HSTS should be enforced via the `app.UseHsts()` call, and the rest of the headers are not useful for an API-only application.
- An error route controller is included but is never used, as the error handling has been manually implemented instead.
I specifically reviewed the RBAC branch of the relevant repository, but other branches appear similar in implementation.
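For readers comparing against the sample, here is an added example of a minimal-hosting `Program.cs` that follows the conventions the post above asks for: configuration from appsettings.json and user-secrets rather than a .env loader, the port left to launchSettings.json, CORS with an explicit origin allow-list covering all verbs the API exposes, framework HSTS and exception-handling middleware instead of a custom headers middleware, and RBAC enforced through `permissions` claims. This is not the Auth0 sample's own code. It assumes .NET 6+ with implicit usings, the `Microsoft.AspNetCore.Authentication.JwtBearer` package, and the configuration keys `Auth0:Domain`, `Auth0:Audience` and `Cors:AllowedOrigins` (names chosen for this example); the tenant, audience and origin values are placeholders.

```csharp
// Program.cs: added example, not the Auth0 sample's code. Assumes .NET 6+ minimal hosting
// and the Microsoft.AspNetCore.Authentication.JwtBearer package.
//
// Assumed appsettings.json shape (real values belong in `dotnet user-secrets`, not in git):
// {
//   "Auth0": { "Domain": "YOUR_TENANT.REGION.auth0.com", "Audience": "https://your-api-identifier" },
//   "Cors":  { "AllowedOrigins": [ "https://your-spa.example" ] }
// }
// The listening port comes from launchSettings.json (or the "urls" configuration key),
// so there is no UseUrls/AddUrls call here.

using Microsoft.AspNetCore.Authentication.JwtBearer;

var builder = WebApplication.CreateBuilder(args);

// The default host already layers appsettings.json, environment variables and user-secrets;
// failing fast on missing values avoids a silently unauthenticated API.
var domain = builder.Configuration["Auth0:Domain"]
    ?? throw new InvalidOperationException("Auth0:Domain is not configured");
var audience = builder.Configuration["Auth0:Audience"]
    ?? throw new InvalidOperationException("Auth0:Audience is not configured");
var allowedOrigins = builder.Configuration.GetSection("Cors:AllowedOrigins").Get<string[]>()
    ?? Array.Empty<string>();

// Validate Auth0-issued access tokens: the JwtBearer handler checks issuer, signature
// (signing keys are fetched from the tenant's JWKS endpoint) and audience.
builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.Authority = $"https://{domain}/";
        options.Audience = audience;
    });

// RBAC: with RBAC enabled on the API in Auth0, granted permissions arrive in the
// "permissions" claim, so one policy per permission keeps endpoint rules declarative.
builder.Services.AddAuthorization(options =>
{
    options.AddPolicy("read:messages", policy => policy.RequireClaim("permissions", "read:messages"));
    options.AddPolicy("write:messages", policy => policy.RequireClaim("permissions", "write:messages"));
});

// CORS: explicit origins, every verb the API actually serves (not only GET), and the
// Authorization header so browser clients can send the bearer token.
builder.Services.AddCors(options =>
{
    options.AddDefaultPolicy(policy => policy
        .WithOrigins(allowedOrigins)
        .WithMethods("GET", "POST", "PUT", "DELETE")
        .WithHeaders("Authorization", "Content-Type"));
});

var app = builder.Build();

// Framework middleware replaces the hand-written SecureHeadersMiddleware and manual
// error handling; an ErrorController mapped at /error can return ProblemDetails.
if (!app.Environment.IsDevelopment())
{
    app.UseHsts();
}
app.UseExceptionHandler("/error");
app.UseHttpsRedirection();
app.UseCors();
app.UseAuthentication();
app.UseAuthorization();

// Endpoints: anonymous, any valid token, and permission-gated (example routes).
app.MapGet("/api/messages/public", () => Results.Ok(new { text = "public" }));
app.MapGet("/api/messages/protected", () => Results.Ok(new { text = "protected" }))
    .RequireAuthorization();                   // any valid Auth0 access token
app.MapGet("/api/messages/admin", () => Results.Ok(new { text = "admin" }))
    .RequireAuthorization("read:messages");    // token must carry read:messages
app.MapPost("/api/messages", () => Results.Created("/api/messages/1", null))
    .RequireAuthorization("write:messages");   // token must carry write:messages

app.Run();
```

Keeping `UseHsts()` out of the Development environment matches the ASP.NET Core template default, since browsers cache the HSTS policy for localhost across unrelated projects; everything else runs identically in all environments, so the behaviour a reviewer tests locally is the behaviour deployed.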
Thanks for your feedback! This is very helpful. I’ll share it internally with our .NET advocates and look for a way to make this code sample more idiomatic and reflect practices or usage that .NET developers expect.