Posts

Showing posts from 2021

ASP.NET .NET 6 OIDC Retrieve JWT AccessToken after SaveTokens

I was not able to find the docs for retrieving the JWT AccessToken in ASP.NET .NET 6 after they are saved, so I decided to document it here. You may be familiar with the HttpContext.GetTokenAsync() method. This appears to have worked in previous versions of .NET, but I could not get it to work in .NET 6.

First, make sure you are saving the access tokens in the AddOpenIdConnect configuration:

    builder
        .Services
        .AddAuthentication(options =>
        {
            options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
        })
        .AddCookie()
        .AddOpenIdConnect(options =>
        {
            options.SaveTokens = true;
        });

Then, instead of HttpContext.GetTokenAsync(), call HttpContext.AuthenticateAsync() and get the token out of the AuthenticateResult:

    var authenticateResult = await HttpContext.AuthenticateAsync();
    var accessToken = authenticateResult?.Properties?.GetString(".Token.access_token");

Hope this helps, Aaron
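As an added example (not the post's own code), here is a .NET 6 minimal API that wires up the configuration above and then uses the saved token to call a downstream API. The authority, client id, endpoint path and downstream URL are placeholders, and the expiry check relies on the OIDC handler also storing .Token.expires_at alongside .Token.access_token when SaveTokens is on.

```csharp
using System.Globalization;
using System.Net.Http.Headers;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;

var builder = WebApplication.CreateBuilder(args);
builder.Services
    .AddAuthentication(options =>
    {
        options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
    })
    .AddCookie()
    .AddOpenIdConnect(options =>
    {
        options.Authority = "https://idp.example.invalid"; // placeholder
        options.ClientId = "placeholder-client-id";         // placeholder
        options.SaveTokens = true; // without this the cookie carries no tokens
    });
builder.Services.AddAuthorization();
builder.Services.AddHttpClient("downstream");

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Hypothetical endpoint: reads the saved token and forwards it as a Bearer token.
app.MapGet("/me/orders", async (HttpContext ctx, IHttpClientFactory factory) =>
{
    // AuthenticateAsync runs the default (cookie) scheme and returns its stored properties.
    var result = await ctx.AuthenticateAsync();
    var accessToken = result?.Properties?.GetString(".Token.access_token");
    var expiresAt = result?.Properties?.GetString(".Token.expires_at");
    if (string.IsNullOrEmpty(accessToken))
        return Results.Challenge(); // no saved token: start a new OIDC sign-in
    // The handler also stores expires_at (ISO 8601); refuse an already-expired token.
    if (DateTimeOffset.TryParse(expiresAt, CultureInfo.InvariantCulture,
            DateTimeStyles.RoundtripKind, out var exp) && exp <= DateTimeOffset.UtcNow)
        return Results.Challenge();
    var client = factory.CreateClient("downstream");
    client.DefaultRequestHeaders.Authorization =
        new AuthenticationHeaderValue("Bearer", accessToken);
    // Placeholder downstream URL; the token itself is never logged or sent back to the browser.
    var response = await client.GetAsync("https://api.example.invalid/orders");
    return Results.Content(await response.Content.ReadAsStringAsync(), "application/json");
}).RequireAuthorization();

app.Run();
```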

Auth0: Restrict SPA Application Access to API Audience/Permissions/Scopes

In Auth0 you can restrict the APIs/Permissions a Machine-to-Machine type Application has access to using the "APIs" section in the Application Configuration. However, SPA type Applications do not have an equivalent configuration option: there is no way to restrict the APIs a SPA type Application has access to directly. Instead, you must restrict the APIs/Permissions/Scopes a User has access to. (Most likely you'll want to do this using Roles.)

You must also ensure the "Enable RBAC" setting is turned on for all of your APIs (this setting is off by default). If the "Enable RBAC" setting is NOT turned on, a SPA Application will be able to request a token for any API/Permission/Scope combination and Auth0 will return a valid token! And even with this setting turned on, a SPA Application will be able to request and receive a token for an API the user does NOT have access to! The Audience value in the access token will be valid for the API, however the