We want to use username-password authentication and protect our APIs using Auth0. Our front end (both mobile and web app) should use Auth0 UI to login users. I have a few questions.
From the UI, if the user is not logged in we want to redirect and use Auth0 UI to login the user using their username and password (no social media stuff). If the user does not have an account we want to use the Auth0 “create user” API to create the user (using a username-password combination).
Once login is completed, the UI should call our backend API with tokens in the HTTP header.
Backend should validate using the tokens.
Backend is ASP.NET Web API. Front end is a pure JavaScript UI application.
How do I do the above simple flow? Since the Auth0 documentation is mixing up a lot of things, it is hard to understand. Some documentation is well written but there are key areas where it is missing the context and difficult to follow through.
then you’ll quickly get up to speed with a system that meets your requirements. By ensuring that the client application created in Auth0 only has a database connection and that connection has public signup enabled, you’ll immediately meet your additional requirements for allowing new users to sign up with username/password.
Thanks for the response. It is an ASP.NET MVC application and we have converted parts of it to JavaScript on the UI side. When the Login button is clicked we expect to call the Account/Login method, which is expected to spawn the authentication challenge, which is what we want. I created an application on the Auth0 portal, I downloaded the sample and it asked me to set localhost:3000/callback as the allowed callback URL. Where is this callback method located in the sample? I had a tough time getting it to work (in VS2017), added a controller for callback (added http://localhost:3000/api/Test/Callback to the application settings on Auth0) and I was able to login. However the Callback method was not called by Auth0. I want to see what values I get in the Callback. Why have you not implemented a sample Callback method? It would be a world of help. We are just spinning on it.
I created another MVC Application type on Auth0 and it had me download another sample. This time it asked me to set http://localhost:56572/signin-auth0 as allowed callback. Where is signin-auth0 method located in the sample app?
I figured out how the callback works and how to receive notifications (AuthorizationCodeReceived) in ASP.NET.
I want to find out how the client receives the token. I think it is in cookies but I am not a UI expert, any idea how the response is received after call to Login method on server side (which initiates the challenge)?
Also when a user logs out and logs back in, we want to make sure the password is asked again. I think this is also stored as cookies (as part of Auth0 session rather than Application session), how do I clear the cookies when Logout button is clicked on client side?
An ASP.NET MVC application will be using the authorization code flow or a hybrid flow, so the tokens will either be returned as part of the invocation of the redirect URL (as query string parameters) or on a subsequent response from the token endpoint (which would be called by the application to exchange the received code for tokens). The exact flow depends on configuration on the application side.
In relation to logout you need to consider that when using Auth0 there will be a session at the application and also at the Auth0 service, so your logout should clear the local application session and then perform a redirect request to the Auth0 service logout endpoint (Logout).
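As an added illustration of the two-session logout described above (example code written for this thread, not from Auth0's samples): an ASP.NET MVC 5 / OWIN action that first drops the local cookie session and then redirects the browser to the Auth0 logout endpoint so the SSO session on the Auth0 domain is cleared too and the next login prompts for the password again. It assumes the OWIN cookie middleware is registered in Startup.cs and that the Auth0 domain and client id are read from `auth0:Domain` / `auth0:ClientId` app settings (placeholder key names); the `returnTo` URL must also be listed under Allowed Logout URLs for the application in the Auth0 dashboard.

```csharp
using System;
using System.Configuration;
using System.Web;
using System.Web.Mvc;
using Microsoft.Owin.Security.Cookies;

public class AccountController : Controller
{
    // Logout is a POST protected by the anti-forgery token so a cross-site
    // link or image tag cannot silently log the user out.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Logout()
    {
        var auth = HttpContext.GetOwinContext().Authentication;

        // 1. Clear the *application* session: the local auth cookie issued
        //    after the callback. Without this the user stays logged in to
        //    our app even though the Auth0 session is gone.
        auth.SignOut(CookieAuthenticationDefaults.AuthenticationType);

        // 2. Clear the *Auth0* session: the SSO cookie on the Auth0 domain.
        //    Without this the next Account/Login challenge is auto-completed
        //    and the password is never asked again.
        //    (Setting keys below are placeholders assumed for this example.)
        var domain = ConfigurationManager.AppSettings["auth0:Domain"];
        var clientId = ConfigurationManager.AppSettings["auth0:ClientId"];

        // Build an absolute returnTo from our own routing rather than from
        // user input, so the post-logout redirect cannot be pointed elsewhere.
        var returnTo = Url.Action("Index", "Home", null, Request.Url.Scheme);

        var logoutUrl = string.Format(
            "https://{0}/v2/logout?client_id={1}&returnTo={2}",
            domain,
            Uri.EscapeDataString(clientId),
            Uri.EscapeDataString(returnTo));

        return Redirect(logoutUrl);
    }
}
```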
Thanks jmanglo. We want to be able to find the last time the password was reset, if it has been more than 90 days we want to force a password reset. How do we go about doing it?
Also we want to enable MFA and at the same time prevent MFA if the same user is logging in from the same device. Are there any Auth0 built in solutions?
When you enable MFA the default option will allow you to set a boolean property that will then dictate if users can choose to remember the current browser from an MFA perspective. This would mean that an immediate second attempt to login from the same machine/browser would not trigger MFA if the end-user decided to remember it. Keep in mind this is specific to the browser and not exactly at the device level.
For password change I believe that we don’t have any built-in feature currently available that would meet those requirements.