What's New in .NET 7 for Authentication and Authorization

robertino.calcaterra · November 3, 2022, 3:13pm

Let’s explore the new .NET 7 features for improving and simplifying authentication and authorization support in .NET applications.
Read more…

Brought to you by @andrea.chiarelli

neskemiquel · November 10, 2022, 7:46am

I appreciate the information and advice you have shared.

andrea.chiarelli · November 10, 2022, 8:28am

Thank you very much for your kind feedback, @neskemiquel!

HWouters · November 13, 2022, 10:33am

I don’t see the top level Authentication object on the WebApplicationBuilder in .Net 7. Are you sure this made it in the final .net 7 release?

andrea.chiarelli · November 14, 2022, 9:31am

Hey @HWouters,
You are right. The code snippet used the Authentication object that was present in one of the previews but was removed in the final release of .NET.
I updated the code with the correct statement.

Sorry for the inconvenience and thank you for reporting it!

davidhenley · January 6, 2023, 4:04pm

Notice that now you don’t need anymore to call UseAuthentication() and UseAuthorization() .

You definitely still need UseAuthorization() if you still want problem details.

andrea.chiarelli · January 9, 2023, 9:18am

Hi @davidhenley,
Thank you for pointing out this. Actually, you need UseAuthorization() when you need to customize the default behavior of the authorization middleware. I should have specified this more clearly

SCB · May 14, 2023, 5:54pm

This post is 404 or am I missing something?

konrad.sopala · May 15, 2023, 7:06am

I just tested it and it works. Here’s the link: What's New in .NET 7 for Authentication and Authorization

mcshaz · July 18, 2023, 1:04am

Firstly, thank you for an informative and well written article @andrea.chiarelli.

Can I please ask, in regard to the getting started docs:

the code includes:

.AddJwtBearer(options =>
{
    options.TokenValidationParameters = new TokenValidationParameters
    {
        ...
        NameClaimType = ClaimTypes.NameIdentifier
    };
});

whereas your .NET 7 code does not - does this mean the TokenValidationParameters.NameClaimType does not need to be explicitly set in this manner when using .Net 7?

Thanks again

andrea.chiarelli · July 24, 2023, 11:06am

Hello @mcshaz,
Welcome to the Auth0 Community!

As far as I know, the configuration simplification introduced by .NET 7 is just syntactic sugar. You still need to provide the configuration data either in the appsettings.json file or through the code. This includes the NameClaimType mapping.

capcom923 · September 28, 2023, 8:24am

Thank you for this share. And I have a question for the
app.UseAuthentication();
I just created a new project using .net core 7 WebAPI with default controller.
And when I add app.UseAuthentication();
It will always return 401. If I remove this, everything works fine. Token right, get 200, Token wrong, get 401.

So, we must not add it, right?

capcom923 · September 28, 2023, 8:33am

Oh, I got the root cause. The
app.UseAuthentication();
must execute before app.MapControllers();
If you put after app.MapControllers(), it will always 401

andrea.chiarelli · September 28, 2023, 12:51pm

Hey @capcom923,
Welcome to the Auth0 Community!
Glad to hear you found the reason for your problem. Yeah, if you don’t use app.UseAuthentication(), .NET will do it for you. But if you do it yourself, be aware that middleware order matters