What to do since Auth0.OpenIdConnectSigningKeyResolve is now unlisted?


I am trying to update an .net framework API layer to using access token (previously was utilized ID token and /ro endpoint and want to use /oauth/token endpoint).

I am trying to follow the listed here Auth0 ASP.NET Web API (OWIN) SDK Quickstarts: Authorization and am now having issues. I think i must’ve had the dll local at one time because it was able to build locally, but then via CI/CD it started erroring with missing dlls.

After investigation I found that nuget has “Auth0.OpenIdConnectSigningKeyResolver” is unlisted now, which i assume is the issue. The github project GitHub - auth0/auth0-aspnet-owin: Auth0 ASP.NET 4.5 Owin/Katana Authentication Handler mentions using Auth0 ASP.NET (OWIN) SDK Quickstarts: Login but this appears to be for MVC projects utilizing openid, which i don’t think is my case.

Any recommendations on how to use .net framework with just access token authentication? Thanks!

Edit: Another idea would be to pull down the code locally to the project from github. Is this too risky until I can migrate to .net core?


I was hoping to see an answer to this since I am running into the same problem. My plan, for now, is to create a local version of just this: auth0-aspnet-owin/src/Auth0.Owin.OpenIdConnectSigningKeyResolver at master · auth0/auth0-aspnet-owin · GitHub and reference that in my projects.
My limited understanding of the security concerns around the project makes me believe that they apply to the other portion of the package as the security notice involves interaction with the client and the OpenIdConnectSigningKeyResolver portion does not interact with the client.

Also looking for direction here. Looking to secure a .net web api project still on .net 4.6

I was wondering why the Auth0.OpenIdConnectSigningKeyResolver package was unlisted if it does not cause any security issue.

The quick start guide for securing an API with ASP.NET WebAPI (OWIN) still recommends to use this package.

The security notice recommends to follow the ASP.NET (OWIN) guide but it does seem to be relating to ASP.NET MVC and not ASP.NET WebAPI and does not seem appropriate for an API.

Should we still use this package even though it is unlisted?

1 Like

Hey everyone!

Let me research that for you! It seems that there’s some misunderstanding around that in our docs


Anyone found a workaround? @Auth0 any best practices to suggest?

1 Like

Hey there I sent the message to tool maintainers. As soon as I have any info from them I will share it here!

1 Like

Any news so far? I need this to be able to build my proof of concept using Auth0. Thanks!

1 Like

Hey there! The internal ticket I opened is now in hands of our security team. I asked them how you should proceed now having all thee context you provided in mind.

Got the info back from our Security Team.

The SigningKeyResolver class itself is not vulnerable, however, it’s simply a (utility) wrapper class.
It was never intended to be the core reason of using this package. The best approach is to simply customize:

to individual needs if you’d really like using a key resolver.

1 Like

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.