Updated to newest Auth0 nuget pacakge

roblin · June 20, 2024, 1:56pm

Im trying to bring an old piece of software into current life cycle… below is the current method followed by my unsuccessful attempt at refactoring it… any help in getting this working would be greatly appreciated. I am fairly new to C# and .Net and to this project.

Additionally, are there any security considerations if we keep our Nuget packages at 3.7.0 for Auth0.AuthenticationApi, Auth0.Core, and Auth0.ManagmentApi using HS256?
It looks like if we update to use the latest 7.26.2 we would need to do a lot of refactoring and updating the Auth0 tenant to be OIDC compliant as well as using RS256.

    public static async Task<string> GetAuthUserForCallback(HttpContext Context)
    {
        AuthenticationApiClient client = new AuthenticationApiClient(
            new Uri($"https://{SecureSettings.GetSecureSettingValue(SecureSettings.AUTH0_DOMAIN_KEY)}"));

        //Exchange the authorization code for a token
        AccessToken token = await client.ExchangeCodeForAccessTokenAsync(new ExchangeCodeRequest
        {
            ClientId = SecureSettings.GetSecureSettingValue(SecureSettings.AUTH0_CLIENTID_KEY),
            ClientSecret = SecureSettings.GetSecureSettingValue(SecureSettings.AUTH0_CLIENTSECRET_KEY),
            AuthorizationCode = Context.Request.QueryString["code"],
            RedirectUri = SecureSettings.GetSecureSettingValue(SecureSettings.AUTH0_REDIRECT_URL_KEY)
        });

        // Cache token information
        //NOTE: For impersonation requests we will have an Access token but no ID token
        Context.Session[SessionKeyConstants.Auth0_IdToken] = token.IdToken;
        Context.Session[SessionKeyConstants.Auth0_AccessToken] = token.AccessToken;

        // Get user information
        var profile = await client.GetUserInfoAsync(token.AccessToken);

        //Cache some of the profile info in session
        Context.Session[SessionKeyConstants.Login_Email] = profile.Email;
        Context.Session[SessionKeyConstants.Auth0_Email] = profile.Email;
        Context.Session[SessionKeyConstants.Auth0_EmailVerified] = profile.EmailVerified;
        Context.Session[SessionKeyConstants.Auth0_UserId] = new Auth0Token(token.IdToken).GetTokenSubject();      
        Context.Session[SessionKeyConstants.Auth0_LastPasswordReset] = new Auth0Token(token.IdToken).GetLastPasswordReset();

        return (profile.UserName).ToUpper(); // Return the username in all caps
    }

non-working refactored method

public static async Task<string> GetAuthUserForCallback(HttpContext Context)
{
    AuthenticationApiClient client = new AuthenticationApiClient(
        new Uri($"https://{SecureSettings.GetSecureSettingValue(SecureSettings.AUTH0_DOMAIN_KEY)}"));


    var symmetricKey = Encoding.UTF8.GetBytes("Where does this key come from?"); // Replace with your actual secret key
    var securityKey = new Microsoft.IdentityModel.Tokens.SymmetricSecurityKey(symmetricKey);

    //Exchange the authorization code for a token
    //AccessTokenResponse token = await client.ExchangeCodeForAccessTokenAsync(new ExchangeCodeRequest
    //AuthorizationCodePkceTokenRequest newAuthorizationCodeTokenRequest = new AuthorizationCodePkceTokenRequest
    AuthorizationCodeTokenRequest newAuthorizationCodeTokenRequest = new AuthorizationCodeTokenRequest
    {
        ClientId = SecureSettings.GetSecureSettingValue(SecureSettings.AUTH0_CLIENTID_KEY),
        ClientSecret = SecureSettings.GetSecureSettingValue(SecureSettings.AUTH0_CLIENTSECRET_KEY),
        Code = Context.Request.QueryString["code"],
        RedirectUri = SecureSettings.GetSecureSettingValue(SecureSettings.AUTH0_REDIRECT_URL_KEY),
        SigningAlgorithm = JwtSignatureAlgorithm.HS256,
        ClientAssertionSecurityKeyAlgorithm = SecurityAlgorithms.HmacSha256,
        ClientAssertionSecurityKey = securityKey,
        Organization = "atsinc.auth0.com",
    };
            
    AccessTokenResponse token = await client.GetTokenAsync(newAuthorizationCodeTokenRequest);
 
    // Cache token information
    //NOTE: For impersonation requests we will have an Access token but no ID token
    Context.Session[SessionKeyConstants.Auth0_IdToken] = token.IdToken;
    Context.Session[SessionKeyConstants.Auth0_AccessToken] = token.AccessToken;

    // Get user information
    UserInfo profile = await client.GetUserInfoAsync(token.AccessToken);

    //Cache some of the profile info in session
    Context.Session[SessionKeyConstants.Login_Email] = profile.Email;
    Context.Session[SessionKeyConstants.Auth0_Email] = profile.Email;
    Context.Session[SessionKeyConstants.Auth0_EmailVerified] = profile.EmailVerified;
    Context.Session[SessionKeyConstants.Auth0_UserId] = new Auth0Token(token.IdToken).GetTokenSubject();      
    Context.Session[SessionKeyConstants.Auth0_LastPasswordReset] = new Auth0Token(token.IdToken).GetLastPasswordReset();

    //return (profile.UserName).ToUpper(); // Return the username in all caps
    return (profile.UserId).ToUpper(); // Return the username in all caps
}

Topic		Replies	Views
Need some help with the ResourceOwnerPassword flow Help apis , application	2	16	October 14, 2024
.NET Blazor App and Auth0 Help identifier-first , login-experience	2	99	July 9, 2024
Integrating Auth0 with a .Net8 C# Azure Isolated Function app Help configuration , application	3	485	September 9, 2024
How to finish securing this existing API? (using Auth0, .NET 8, Angular) Help user-profile , user-management	0	12	October 25, 2024
Configure ASP .NET Web API middleware to accept HS256 and RS256 Help aspnet-core , aspnet , middleware	5	4312	March 2, 2018

Updated to newest Auth0 nuget pacakge

Related Topics