Auth0 Home Blog Docs

Properly Setting up .Net WebApi using Owin for Multi Tenants



I’m working on a SaaS product that will need to allow for multiple tenants. This application will have fine-grained access control (think functions vs roles) and a low chance of a user spanning multiple tenants (User A has access to Company A and B’s data – Think a 3rd party consultant, for example)

The main application is an Angular2 SPA, and the back end is a .NET WebApi2 app. I’ve followed the quickstart documentation(this and this but modified for the newer HttpClient) for setting both up, and the access token is being sent properly, and claims are being populated. I then wrote some additional owin middleware to connect to the userinfo endpoint, to populate a second identity with that information. However, I’m running into issues where the middleware is failing somewhere, and never making it to the controller.

I’m assuming there is a better way (built in way?) to either retrieve the user information automatically, or cache it once retrieved for subsequent calls? I assume sending the id_token along with the access_token is frowned upon since it’s not a scenario covered in the OpenId Connect spec?

I’ve seen mention of the custom Auth0 middleware for owin, but these always seem to be used when it’s an MVC + WebApi application (like here). Is this something that is recommended to be used with the sort of setup I have, or is there an alternative?


I was going to try Auth0-ASPNET-Owin-Libs, but it looks like it has disappeared from NuGet. Is this intentional (aka - don’t use it?)


Yes. Previously the Auth0-ASPNET-Owin package took dependencies on Razor and MVC packages, so, therefore, the need for the Auth0-ASPNET-Owin-Libs package which did not take those dependencies, so it could be used in non-web environments.

But the new Auth0-ASPNET-Owin package also does not have the dependency on the Razor and MVC packages anymore, negating the need for Auth0-ASPNET-Owin-Libs

You can just use Auth0-ASPNET-Owin