Im trying to bring an old piece of software into current life cycle… below is the current method followed by my unsuccessful attempt at refactoring it… any help in getting this working would be greatly appreciated. I am fairly new to C# and .Net and to this project.
Additionally, are there any security considerations if we keep our Nuget packages at 3.7.0 for Auth0.AuthenticationApi, Auth0.Core, and Auth0.ManagmentApi using HS256?
It looks like if we update to use the latest 7.26.2 we would need to do a lot of refactoring and updating the Auth0 tenant to be OIDC compliant as well as using RS256.
public static async Task<string> GetAuthUserForCallback(HttpContext Context)
{
AuthenticationApiClient client = new AuthenticationApiClient(
new Uri($"https://{SecureSettings.GetSecureSettingValue(SecureSettings.AUTH0_DOMAIN_KEY)}"));
//Exchange the authorization code for a token
AccessToken token = await client.ExchangeCodeForAccessTokenAsync(new ExchangeCodeRequest
{
ClientId = SecureSettings.GetSecureSettingValue(SecureSettings.AUTH0_CLIENTID_KEY),
ClientSecret = SecureSettings.GetSecureSettingValue(SecureSettings.AUTH0_CLIENTSECRET_KEY),
AuthorizationCode = Context.Request.QueryString["code"],
RedirectUri = SecureSettings.GetSecureSettingValue(SecureSettings.AUTH0_REDIRECT_URL_KEY)
});
// Cache token information
//NOTE: For impersonation requests we will have an Access token but no ID token
Context.Session[SessionKeyConstants.Auth0_IdToken] = token.IdToken;
Context.Session[SessionKeyConstants.Auth0_AccessToken] = token.AccessToken;
// Get user information
var profile = await client.GetUserInfoAsync(token.AccessToken);
//Cache some of the profile info in session
Context.Session[SessionKeyConstants.Login_Email] = profile.Email;
Context.Session[SessionKeyConstants.Auth0_Email] = profile.Email;
Context.Session[SessionKeyConstants.Auth0_EmailVerified] = profile.EmailVerified;
Context.Session[SessionKeyConstants.Auth0_UserId] = new Auth0Token(token.IdToken).GetTokenSubject();
Context.Session[SessionKeyConstants.Auth0_LastPasswordReset] = new Auth0Token(token.IdToken).GetLastPasswordReset();
return (profile.UserName).ToUpper(); // Return the username in all caps
}
non-working refactored method
public static async Task<string> GetAuthUserForCallback(HttpContext Context)
{
AuthenticationApiClient client = new AuthenticationApiClient(
new Uri($"https://{SecureSettings.GetSecureSettingValue(SecureSettings.AUTH0_DOMAIN_KEY)}"));
var symmetricKey = Encoding.UTF8.GetBytes("Where does this key come from?"); // Replace with your actual secret key
var securityKey = new Microsoft.IdentityModel.Tokens.SymmetricSecurityKey(symmetricKey);
//Exchange the authorization code for a token
//AccessTokenResponse token = await client.ExchangeCodeForAccessTokenAsync(new ExchangeCodeRequest
//AuthorizationCodePkceTokenRequest newAuthorizationCodeTokenRequest = new AuthorizationCodePkceTokenRequest
AuthorizationCodeTokenRequest newAuthorizationCodeTokenRequest = new AuthorizationCodeTokenRequest
{
ClientId = SecureSettings.GetSecureSettingValue(SecureSettings.AUTH0_CLIENTID_KEY),
ClientSecret = SecureSettings.GetSecureSettingValue(SecureSettings.AUTH0_CLIENTSECRET_KEY),
Code = Context.Request.QueryString["code"],
RedirectUri = SecureSettings.GetSecureSettingValue(SecureSettings.AUTH0_REDIRECT_URL_KEY),
SigningAlgorithm = JwtSignatureAlgorithm.HS256,
ClientAssertionSecurityKeyAlgorithm = SecurityAlgorithms.HmacSha256,
ClientAssertionSecurityKey = securityKey,
Organization = "atsinc.auth0.com",
};
AccessTokenResponse token = await client.GetTokenAsync(newAuthorizationCodeTokenRequest);
// Cache token information
//NOTE: For impersonation requests we will have an Access token but no ID token
Context.Session[SessionKeyConstants.Auth0_IdToken] = token.IdToken;
Context.Session[SessionKeyConstants.Auth0_AccessToken] = token.AccessToken;
// Get user information
UserInfo profile = await client.GetUserInfoAsync(token.AccessToken);
//Cache some of the profile info in session
Context.Session[SessionKeyConstants.Login_Email] = profile.Email;
Context.Session[SessionKeyConstants.Auth0_Email] = profile.Email;
Context.Session[SessionKeyConstants.Auth0_EmailVerified] = profile.EmailVerified;
Context.Session[SessionKeyConstants.Auth0_UserId] = new Auth0Token(token.IdToken).GetTokenSubject();
Context.Session[SessionKeyConstants.Auth0_LastPasswordReset] = new Auth0Token(token.IdToken).GetLastPasswordReset();
//return (profile.UserName).ToUpper(); // Return the username in all caps
return (profile.UserId).ToUpper(); // Return the username in all caps
}