Auth0 Home Blog Docs

What to do since Auth0.OpenIdConnectSigningKeyResolve is now unlisted?

Hi,

I am trying to update an .net framework API layer to using access token (previously was utilized ID token and /ro endpoint and want to use /oauth/token endpoint).

I am trying to follow the listed here https://auth0.com/docs/quickstart/backend/webapi-owin#install-dependencies and am now having issues. I think i must’ve had the dll local at one time because it was able to build locally, but then via CI/CD it started erroring with missing dlls.

After investigation I found that nuget has “Auth0.OpenIdConnectSigningKeyResolver” is unlisted now, which i assume is the issue. The github project https://github.com/auth0/auth0-aspnet-owin mentions using https://auth0.com/docs/quickstart/webapp/aspnet-owin but this appears to be for MVC projects utilizing openid, which i don’t think is my case.

Any recommendations on how to use .net framework with just access token authentication? Thanks!

Edit: Another idea would be to pull down the code locally to the project from github. Is this too risky until I can migrate to .net core?

2 Likes

I was hoping to see an answer to this since I am running into the same problem. My plan, for now, is to create a local version of just this: https://github.com/auth0/auth0-aspnet-owin/tree/master/src/Auth0.Owin.OpenIdConnectSigningKeyResolver and reference that in my projects.
My limited understanding of the security concerns around the project makes me believe that they apply to the other portion of the package as the security notice involves interaction with the client and the OpenIdConnectSigningKeyResolver portion does not interact with the client.

Also looking for direction here. Looking to secure a .net web api project still on .net 4.6

I was wondering why the Auth0.OpenIdConnectSigningKeyResolver package was unlisted if it does not cause any security issue.

The quick start guide for securing an API with ASP.NET WebAPI (OWIN) still recommends to use this package.

The security notice recommends to follow the ASP.NET (OWIN) guide but it does seem to be relating to ASP.NET MVC and not ASP.NET WebAPI and does not seem appropriate for an API.

Should we still use this package even though it is unlisted?

1 Like

Hey everyone!

Let me research that for you! It seems that there’s some misunderstanding around that in our docs

4 Likes

Anyone found a workaround? @Auth0 any best practices to suggest?

1 Like

Hey there I sent the message to tool maintainers. As soon as I have any info from them I will share it here!

1 Like

Any news so far? I need this to be able to build my proof of concept using Auth0. Thanks!

1 Like

Hey there! The internal ticket I opened is now in hands of our security team. I asked them how you should proceed now having all thee context you provided in mind.