Silent Authentication Using the Auth0 SDK to Obtain Access Tokens for Multiple APIs

Silent Authentication

Hi there. I am hoping someone can help me further with the thread above which is now closed. I am trying to perform ‘Silent Authentication’ using the Auth0 SDK. This is what I have so far:

    using System.Collections.Generic;
    using System.Threading.Tasks;
    using Auth0.OidcClient;

    // Log in once per API so that each call yields an access token for a different audience.
    public async Task LoginForBothApisAsync()
    {
        var client = new Auth0Client(new Auth0ClientOptions
        {
            Domain = "DOMAIN",
            ClientId = "CLIENTID",
            Scope = "SCOPE",
            LoadProfile = true
        });

        // Passing the audience of the first API.
        var extraParameters = new Dictionary<string, string>()
        {
            { "audience", "API ID ONE" },
            { "scope", "SCOPE" },
        };

        // A window that says 'Authenticating' pops up.
        var loginResult = await client.LoginAsync(extraParameters);

        // Passing the audience of the second API.
        extraParameters = new Dictionary<string, string>()
        {
            { "audience", "API ID TWO" },
            { "scope", "SCOPE" },
            { "prompt", "none" } // <- According to the article, this should prevent the pop up.
        };

        // Again, a window that says 'Authenticating' pops up.
        loginResult = await client.LoginAsync(extraParameters);
    }

How do I prevent the second ‘Authenticating’ window from popping up?

Hi there.
Just want to clarify concepts before arriving at the full answer.

The /authorize request used in any modern application with browsing capabilities is an interactive request: the service will return HTML for any required interaction with the user (login, MFA, consent and so on) until it finally redirects or POSTs the authorization result to the callback URL.

What the prompt=none parameter guarantees is that no interaction with the user will happen, from the perspective of the authorization server. The authorization server will either issue the token directly (because it has all the necessary information to do so) or it will return an error (because some form of user interaction is required). But the application still needs to open a browser (in the case of a native app) or redirect or open a popup (in the case of a web application) and point it to the /authorize endpoint anyway for the authorization request to happen.

A native application could potentially open a hidden browser to do this (because it is known that there will be no user interaction) if the platform supports this. I believe the Windows UWP platform supports this, but I’m not sure that’s the case for Android or iOS.

In any case, the .NET OIDC client currently does not support opening a hidden browser to do LoginAsync with prompt=none. If you pass prompt=none what you should get is a popup browser that shows up briefly and immediately closes (with no user interaction). Is that the behavior you are getting? Or is the popup staying open and/or the user being prompted for something?

Hi Nicolas,

Thank you for your explanation.

As I am building a WPF application, the behavior I am getting is the popup browser shows up briefly and immediately closes.

In my application, I try to obtain a separate access code for each of 2 different APIs. It may be concerning to the user to see this pop up window appear and disappear twice.

I will explore some to see if there is a way to have the pop up window appear smaller and in the lower right-hand corner so it is more obscure.

P.S. I explored using a Gateway API and scopes to control access to my two underlying APIs as I have read in another community post but opted against this.

Thanks!

LoneCoder

If you are in control of both APIs, aggregating them into one and using scopes to differentiate the different capabilities might be worth looking into again. An API gateway can facilitate or automate certain things for you, but it’s a hard requirement. If you have two separate APIs running they can both share the same identifier and use the scope in the token to grant or deny access.
Take Google’s or Microsoft’s APIs as an example. The range covered is incredibly vast (mail, calendar, social, storage, photos and so on), yet there’s only one API for which you request different scopes.

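The suggestion above, one API identifier with capabilities told apart by the `scope` claim, as an added example that is not from the thread or from Auth0: a constructed HS256 token is checked for signature, audience and expiry, and then each route is gated by the scope it needs, so one token obtained with a single login can serve both back ends. The key, audience, scope names and routes are assumptions made up for the demo.

```python
# Added example (not from the thread): one audience, several scopes, stdlib only.
import base64, hashlib, hmac, json

SHARED_KEY = b"constructed-demo-key"       # placeholder, not a real signing secret
API_AUDIENCE = "https://api.example.test"  # the single API identifier both services share

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(scopes: str, exp: int, key: bytes = SHARED_KEY) -> str:
    """Mint an HS256 JWT the way a test authorization server would (demo only)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"aud": API_AUDIENCE, "scope": scopes, "exp": exp}).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def authorize(token: str, required_scope: str, now: int, key: bytes = SHARED_KEY) -> bool:
    """True only if signature, audience, expiry and the required scope all check out."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:                        # malformed token (bad base64, JSON or shape)
        return False
    if header.get("alg") != "HS256":          # refuse "none" and algorithm confusion
        return False
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False
    if claims.get("aud") != API_AUDIENCE:     # minted for some other API
        return False
    if claims.get("exp", 0) <= now:           # expired
        return False
    granted = set(claims.get("scope", "").split())
    return required_scope in granted

# Two services behind the same audience, each gated by its own scope (constructed).
ROUTES = {"/mail": "read:mail", "/calendar": "read:calendar"}

def handle(token: str, path: str, now: int) -> int:
    """HTTP status either service returns for a request carrying this token."""
    if path not in ROUTES:
        return 404
    return 200 if authorize(token, ROUTES[path], now) else 403
```
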
Huh, I had no idea. Thanks! That’s certainly food for thought.