What's New in .NET 7 for Authentication and Authorization

Let’s explore the new .NET 7 features for improving and simplifying authentication and authorization support in .NET applications.

:writing_hand:t2: Brought to you by @andrea.chiarelli

I appreciate the information and advice you have shared.

Thank you very much for your kind feedback, @neskemiquel! :pray:

I don’t see the top-level Authentication object on the WebApplicationBuilder in .NET 7. Are you sure this made it into the final .NET 7 release?

Hey @HWouters,
You are right. The code snippet used the Authentication object that was present in one of the previews but was removed in the final release of .NET.
I updated the code with the correct statement.

Sorry for the inconvenience and thank you for reporting it! :pray:

Notice that now you don’t need anymore to call UseAuthentication() and UseAuthorization().

You definitely still need UseAuthorization() if you still want problem details.

Hi @davidhenley,
Thank you for pointing this out. Actually, you need UseAuthorization() when you need to customize the default behavior of the authorization middleware. I should have specified this more clearly.

This post is 404 or am I missing something?

I just tested it and it works. Here’s the link: What's New in .NET 7 for Authentication and Authorization

Firstly, thank you for an informative and well written article @andrea.chiarelli.

Can I please ask, in regard to the getting started docs:

the code includes:

.AddJwtBearer(options =>
{
    options.TokenValidationParameters = new TokenValidationParameters
    {
        ...
        NameClaimType = ClaimTypes.NameIdentifier
    };
});

whereas your .NET 7 code does not. Does this mean that TokenValidationParameters.NameClaimType does not need to be explicitly set in this manner when using .NET 7?

Thanks again

Hello @mcshaz,
Welcome to the Auth0 Community!

As far as I know, the configuration simplification introduced by .NET 7 is just syntactic sugar. You still need to provide the configuration data either in the appsettings.json file or through the code. This includes the NameClaimType mapping.

Thank you for sharing this. I have a question about
app.UseAuthentication();
I just created a new project using .NET Core 7 WebAPI with the default controller.
When I add app.UseAuthentication();
it always returns 401. If I remove it, everything works fine: token right, get 200; token wrong, get 401.

So, we must not add it, right?

Oh, I got the root cause. The
app.UseAuthentication();
must execute before app.MapControllers();
If you put it after app.MapControllers(), it will always return 401.

Hey @capcom923,
Welcome to the Auth0 Community!
Glad to hear you found the reason for your problem. Yeah, if you don’t use app.UseAuthentication(), .NET will do it for you. But if you do it yourself, be aware that middleware order matters :slightly_smiling_face:
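
The points raised in this thread (explicit middleware calls placed before the endpoint mapping, and NameClaimType still set in code), as an added example that is not part of any post above or of the article. The authority and audience values are placeholders and the /whoami endpoint is hypothetical.

```csharp
// Program.cs for a .NET 7 Web API project (added example, not the article's code).
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddControllers();

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // Placeholders: replace with your tenant domain and API identifier.
        options.Authority = "https://YOUR_DOMAIN.example/";
        options.Audience = "https://YOUR_API_IDENTIFIER";

        options.TokenValidationParameters = new TokenValidationParameters
        {
            // The simplified .NET 7 registration does not set this for you;
            // it is provided here in code, as in the getting started docs.
            NameClaimType = ClaimTypes.NameIdentifier
        };
    });

builder.Services.AddAuthorization();

var app = builder.Build();

// If you call these yourself, keep this order and place them
// before the endpoint mappings below: authentication establishes
// the user, authorization then evaluates it for the endpoint.
app.UseAuthentication();
app.UseAuthorization();

app.MapControllers();

// Hypothetical endpoint: Identity.Name is read from the claim type
// configured as NameClaimType above.
app.MapGet("/whoami", (ClaimsPrincipal user) => user.Identity?.Name)
   .RequireAuthorization();

app.Run();
```

A request to /whoami without a bearer token should get 401; with a valid token it returns the value of the name identifier claim.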