
auth0-aspnet-owin-mvc-samples's Issues

Role Authorization not working?

I have downloaded the quick start projects and ran Quickstart/03-Authorization.

I have updated the config to contain the following properties from my dashboard on my Auth0 account:
auth0:Domain
auth0:ClientId
auth0:ClientSecret

There is an override root URL setting that is pointing to the wrong port which I have disabled so that it points to port 3000, as per the config settings

I have updated the return URL etc in my Auth0 dashboard.

I can log in and out of the project fine but if I try and hit the admin page I get caught in a constant redirect as it's looking for a role property that isn't returned in the claims. I have added roles to the user ID and access tokens, as per https://auth0.com/docs/customize/actions/flows-and-triggers/login-flow#add-user-roles-to-id-and-access-tokens
but these don't come back in the claims.
I can get the roles if I use the bearer token mechanism like this:

// Get user info from token
var user = await client.GetUserInfoAsync(result.AccessToken);

// Create claims principal
var claimsIdentity = new ClaimsIdentity(new[]
{
  new Claim(ClaimTypes.NameIdentifier, user.UserId, "http://www.w3.org/2001/XMLSchema#string", $"https://{auth0Domain}/"),
  new Claim(ClaimTypes.Name, user.FullName ?? user.Email, "http://www.w3.org/2001/XMLSchema#string", 
  $"https://{auth0Domain}/")
}, CookieAuthenticationDefaults.AuthenticationType);

foreach (var userAdditionalClaim in user.AdditionalClaims.Values.First().Children())
{
  claimsIdentity.AddClaim(new Claim(ClaimTypes.Role, userAdditionalClaim.ToString()));
}

// Sign user into cookie middleware
AuthenticationManager.SignIn(new AuthenticationProperties { IsPersistent = false }, claimsIdentity);

Should the roles come back in this project example?
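
In MVC 5, `[Authorize(Roles = ...)]` answers a signed-in user who lacks the role with 401, and the authentication middleware turns that 401 into another login redirect, which is one way to end up in the loop described above. The following is an added example, not code from the issue or from the sample repository: it copies a namespaced roles claim into standard role claims and returns 403 to authenticated users. The claim name `https://example.com/roles` and the names `RoleClaims`, `MapToRoles` and `RoleAuthorizeAttribute` are assumptions.

```csharp
using System.Linq;
using System.Net;
using System.Security.Claims;
using System.Web.Mvc;

public static class RoleClaims
{
    // ASSUMPTION: placeholder namespace. Use the exact claim name that your
    // own Auth0 Action writes into the ID token.
    public const string Type = "https://example.com/roles";

    // Copy every value of the namespaced claim into the identity's role claim
    // type so that [Authorize(Roles = ...)] and User.IsInRole() can see it.
    // Intended to be called on the identity of the validated ID token (for
    // example notification.AuthenticationTicket.Identity in the
    // SecurityTokenValidated notification) before the cookie is issued.
    public static void MapToRoles(ClaimsIdentity identity)
    {
        // ToList() because AddClaim modifies the collection being enumerated.
        foreach (var claim in identity.FindAll(Type).ToList())
        {
            if (!identity.HasClaim(identity.RoleClaimType, claim.Value))
            {
                identity.AddClaim(new Claim(identity.RoleClaimType, claim.Value));
            }
        }
    }
}

// Separates "not logged in" (401, login redirect) from
// "logged in but not allowed" (403, no redirect).
public class RoleAuthorizeAttribute : AuthorizeAttribute
{
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        var user = filterContext.HttpContext.User;
        if (user != null && user.Identity != null && user.Identity.IsAuthenticated)
        {
            // The user already has a session; sending them to the login page
            // again cannot grant the missing role, so fail closed with 403.
            filterContext.Result = new HttpStatusCodeResult(HttpStatusCode.Forbidden);
            return;
        }

        // Anonymous user: keep the default 401 so the middleware starts a login.
        base.HandleUnauthorizedRequest(filterContext);
    }
}
```

With this in place, a controller action marked `[RoleAuthorize(Roles = "admin")]` shows a 403 when the role claim is missing, which makes a claims-mapping problem visible instead of hiding it behind a redirect loop.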

Duplicated code in Startup.cs?

There seem to be duplicated lines in /Quickstart/01-Login/MvcApplication/MvcApplication/Startup.cs.

Lines 40 and 66 seem redundant and/or misplaced.

no readme's

Samples have the standard asp.net readme instead of an auth0 readme with instructions on how to run and configure the sample. (AUTH-3753)

outdated dependencies

Samples using outdated dependencies from package.json (for example Auth0-ASPNET-Owin). Also auth0 lock version is outdated. (AUTH-3752)

The session cookie is sometimes not set properly

Microsoft's OWIN implementation (Katana) does some funny business where sometimes the cookies set by an OWIN middleware are lost, not sent in the response (details are at https://github.com/aspnet/AspNetKatana/wiki/System.Web-response-cookie-integration-issues). One of the symptoms is that immediately after a successful callback processing there's no session created, and the user still looks unauthenticated.

One of the suggested workarounds is to use the SystemWebCookieManager, which is already used for the OIDC middleware (together with the SameSiteCookieManager), but it's not configured for the Cookie Authentication middleware.

We'll need to add it here:

  app.UseCookieAuthentication(new CookieAuthenticationOptions
  {
      AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
      LoginPath = new PathString("/Account/Login"),
      CookieSameSite = SameSiteMode.Lax,
      // specify the cookie manager
      CookieManager = new SameSiteCookieManager(new SystemWebCookieManager()),
  });

outdated dependencies

(AUTH-3987)
Samples using outdated version of Auth0-ASPNET-Owin, Newtonsoft.Json and other dependencies.

missing instruction in readme.md

(AUTH-3988)
Readme.md of samples that implement logout should inform the user that he should register http://localhost:56572/ in Allowed Logout URLs.

Logout address generated by notification.ProtocolMessage.PostLogoutRedirectUri has stacked protocols

I’m currently using the quickstart RedirectToIdentityProvider procedure for an OWIN regular web application.
I’ve also added to Allowed Logout URLs the appropriate URL that comes after ReturnTo in my test application. The problem is that this URL (generated by notification.ProtocolMessage.PostLogoutRedirectUri) has a stack of two protocols (“https://https/://”), so when I log out, I get a DNS_PROBE_FINISHED_NXDOMAIN where it claims that the typing of the protocol is probably wrong (because of the stack). I’ve tried to brute force the same address with only one protocol (and change it in Allowed Logout URLs), but it also results in an error. I’d really appreciate any help to get my logout redirecting back to identity correctly!

Running the application

I am trying to run the application. I have created a new client on the auth0 dashboard and added the callback URL http://localhost:56572/signin-auth0 to the client.
When I try to log in with my username and password for auth0, I get an error saying something went wrong.
What credentials do I need to enter to log in?

Add example for obtaining access token

This section of the "Getting Started" (https://auth0.com/docs/quickstart/webapp/aspnet-owin/01-login?download=true#obtain-an-access-token-for-calling-an-api) does not have a full example I could find in this repo.

In my own project, everything works great until I add the

ResponseType = OpenIdConnectResponseType.Code,
RedeemCode = true

options. Then the Account/Login route works great but I get into an infinite loop on the /Account/Claims route as it tries to log in over and over.

I have verified I have the audience, domain, client id and secret populating correctly and I can see that the login event is completing successfully.

The SecurityTokenValidated event executes as expected and contains both an accessToken and idToken, which I am setting to claims as in the code snippet.

Please include a full example of obtaining the access token so I can compare to see what is going wrong in my local application.

Error with default configuration

Hello,
I created a new application and followed the required steps as per "I want to explore a sample app". But when I run it, I get the following error:
"OpenIdConnectMessage.Error was not null, indicating an error. Error: 'access_denied'. Error_Description (may be empty): 'Service not found: YOUR_API_IDENTIFIER'. Error_Uri (may be empty): 'error_uri is null'."

Also, tried hosting in Local IIS with HTTPS. But still no luck.

I encountered "Error occurred during a cryptographic operation" when trying MvcApplication sample

Hi,

I am trying to see how the MvcApplication sample works, so I did the following steps:

  • Created a "regular web application" on my Auth0 account
  • Downloaded the MvcApplication sample.
  • Updated 3 fields domain, clientId and clientSecret as suggested.
  • I am using VS 2019 16.0.3
  • Ran it and tried to click on "Login"
    Then I encountered an error as in the attachment

Could you please help me to figure it out?

Thank you very much,
Phuong

There are no instructions to execute the sample

In project 01-login, the file README.md is missing instructions that indicate how to run the project.

1- The description of the example is missing and what it allows.
2- Missing the Requirements section
3- Missing the steps to run this project

This should contain the following sections:

Login
This example shows how to add Login / SignUp to your application using the hosted version of the Lock widget.

You can read a quickstart for this sample here (https://auth0.com/docs/quickstart/webapp/aspnet-core/01-login).

Requirements
* .NET Core 2.0 SDK (https://www.microsoft.com/net/download/core)

To run this project

  1. Ensure that you have replaced the appsettings.json (SampleMvcApp/appsettings.json) file with the values for your Auth0 account.

  2. Run the application from the command line:

    dotnet run

  3. Go to http://localhost:5000 in your web browser to view the website.

TLS 1.2 Support

See ticket here:
https://support.auth0.com/tickets/48726

See pull request here:
#16

Hi there,

We've got a development team using the .NET OWIN quick start sample code from the auth0 samples github repository. Out of the box, they were having a problem with the sample code due to what looks like a TLS 1.2 secured endpoint that didn't allow downgrade. This was showing as the yellow screen of death.

Problem resolved with:
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;

Would it be possible to update the sample code in the auth0 repo?

Kind Regards,
Darrell

Missing code on Sample

The code highlighted (from the first snippet of the "Storing Tokens" section of the quickstart) for requesting the refresh token is missing from the sample's code.

client.GetTokenAsync returns exception

I'm following this sample and receiving an error in the AccountController when executing client.GetTokenAsync(). An error of "Cannot read property 'type' of undefined" which appears to be thrown by the Auth0.Core dll.

The StackTrace is:

at Auth0.Core.Http.ApiConnection.d__15.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Auth0.Core.Http.ApiConnection.d__191.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Auth0.Core.Http.ApiConnection.<PostAsync>d__171.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult()
at Auth0Owin.Controllers.AccountController.d__3.MoveNext() in C:\Source\Auth0Owin\Auth0Owin\Controllers\AccountController.cs:line 46

Any assistance would be appreciated.

Where is "callback"?

I'm a bit confused...

Where in the code is the Callback URL?

I don't see any code that answers the POST to http://localhost:3000/callback
