Updated to newest Auth0 nuget pacakge

roblin · June 20, 2024, 1:56pm

Im trying to bring an old piece of software into current life cycle… below is the current method followed by my unsuccessful attempt at refactoring it… any help in getting this working would be greatly appreciated. I am fairly new to C# and .Net and to this project.

Additionally, are there any security considerations if we keep our Nuget packages at 3.7.0 for Auth0.AuthenticationApi, Auth0.Core, and Auth0.ManagmentApi using HS256?
It looks like if we update to use the latest 7.26.2 we would need to do a lot of refactoring and updating the Auth0 tenant to be OIDC compliant as well as using RS256.

    public static async Task<string> GetAuthUserForCallback(HttpContext Context)
    {
        AuthenticationApiClient client = new AuthenticationApiClient(
            new Uri($"https://{SecureSettings.GetSecureSettingValue(SecureSettings.AUTH0_DOMAIN_KEY)}"));

        //Exchange the authorization code for a token
        AccessToken token = await client.ExchangeCodeForAccessTokenAsync(new ExchangeCodeRequest
        {
            ClientId = SecureSettings.GetSecureSettingValue(SecureSettings.AUTH0_CLIENTID_KEY),
            ClientSecret = SecureSettings.GetSecureSettingValue(SecureSettings.AUTH0_CLIENTSECRET_KEY),
            AuthorizationCode = Context.Request.QueryString["code"],
            RedirectUri = SecureSettings.GetSecureSettingValue(SecureSettings.AUTH0_REDIRECT_URL_KEY)
        });

        // Cache token information
        //NOTE: For impersonation requests we will have an Access token but no ID token
        Context.Session[SessionKeyConstants.Auth0_IdToken] = token.IdToken;
        Context.Session[SessionKeyConstants.Auth0_AccessToken] = token.AccessToken;

        // Get user information
        var profile = await client.GetUserInfoAsync(token.AccessToken);

        //Cache some of the profile info in session
        Context.Session[SessionKeyConstants.Login_Email] = profile.Email;
        Context.Session[SessionKeyConstants.Auth0_Email] = profile.Email;
        Context.Session[SessionKeyConstants.Auth0_EmailVerified] = profile.EmailVerified;
        Context.Session[SessionKeyConstants.Auth0_UserId] = new Auth0Token(token.IdToken).GetTokenSubject();      
        Context.Session[SessionKeyConstants.Auth0_LastPasswordReset] = new Auth0Token(token.IdToken).GetLastPasswordReset();

        return (profile.UserName).ToUpper(); // Return the username in all caps
    }

non-working refactored method

public static async Task<string> GetAuthUserForCallback(HttpContext Context)
{
    AuthenticationApiClient client = new AuthenticationApiClient(
        new Uri($"https://{SecureSettings.GetSecureSettingValue(SecureSettings.AUTH0_DOMAIN_KEY)}"));


    var symmetricKey = Encoding.UTF8.GetBytes("Where does this key come from?"); // Replace with your actual secret key
    var securityKey = new Microsoft.IdentityModel.Tokens.SymmetricSecurityKey(symmetricKey);

    //Exchange the authorization code for a token
    //AccessTokenResponse token = await client.ExchangeCodeForAccessTokenAsync(new ExchangeCodeRequest
    //AuthorizationCodePkceTokenRequest newAuthorizationCodeTokenRequest = new AuthorizationCodePkceTokenRequest
    AuthorizationCodeTokenRequest newAuthorizationCodeTokenRequest = new AuthorizationCodeTokenRequest
    {
        ClientId = SecureSettings.GetSecureSettingValue(SecureSettings.AUTH0_CLIENTID_KEY),
        ClientSecret = SecureSettings.GetSecureSettingValue(SecureSettings.AUTH0_CLIENTSECRET_KEY),
        Code = Context.Request.QueryString["code"],
        RedirectUri = SecureSettings.GetSecureSettingValue(SecureSettings.AUTH0_REDIRECT_URL_KEY),
        SigningAlgorithm = JwtSignatureAlgorithm.HS256,
        ClientAssertionSecurityKeyAlgorithm = SecurityAlgorithms.HmacSha256,
        ClientAssertionSecurityKey = securityKey,
        Organization = "atsinc.auth0.com",
    };
            
    AccessTokenResponse token = await client.GetTokenAsync(newAuthorizationCodeTokenRequest);
 
    // Cache token information
    //NOTE: For impersonation requests we will have an Access token but no ID token
    Context.Session[SessionKeyConstants.Auth0_IdToken] = token.IdToken;
    Context.Session[SessionKeyConstants.Auth0_AccessToken] = token.AccessToken;

    // Get user information
    UserInfo profile = await client.GetUserInfoAsync(token.AccessToken);

    //Cache some of the profile info in session
    Context.Session[SessionKeyConstants.Login_Email] = profile.Email;
    Context.Session[SessionKeyConstants.Auth0_Email] = profile.Email;
    Context.Session[SessionKeyConstants.Auth0_EmailVerified] = profile.EmailVerified;
    Context.Session[SessionKeyConstants.Auth0_UserId] = new Auth0Token(token.IdToken).GetTokenSubject();      
    Context.Session[SessionKeyConstants.Auth0_LastPasswordReset] = new Auth0Token(token.IdToken).GetLastPasswordReset();

    //return (profile.UserName).ToUpper(); // Return the username in all caps
    return (profile.UserId).ToUpper(); // Return the username in all caps
}

Topic		Replies	Views
Need help upgrading to newer Auth0 .NET SDK version Help sdk , .net , oidc , webapi	3	4456	March 2, 2018
Auth0.OidCClient Nuget needed for Target Framework 4.5 Help	7	4477	September 3, 2019
Help with OIDC upgrade, .Net Help impersonation , oidc-conformant , app_metadata , user-metadata	4	5199	March 2, 2018
Auth0.AuthenticationApi .NET - Using AuthenticationApiClient to refresh token Help .net , refresh-tokens , authenticationapi	5	6709	March 2, 2018
API Setup documentation for C#, UseJwtBearerAuthentication is obselete Help documentation , c , api-authorization	7	5712	March 2, 2018

Updated to newest Auth0 nuget pacakge

Related Topics