SSO for Regular Web Apps: ASP.NET Core Implementation
Full source code for the ASP.NET Core implementation can be found in this GitHub repository.
For the purposes this guide we will be using a simple hosted login. You can use the standard cookie and OIDC middleware which is available with ASP.NET Core, so ensure that you install the NuGet packages.
Then configure the cookie and OIDC middleware inside your application's middleware pipeline.
As you can see in the code above, we have configured two different types of authentication middleware.
The first is the cookie middleware which was registered with the call to
The second is the OIDC middleware which is done with the call to
Once the user has signed in to Auth0 using the OIDC middleware, their information will automatically be stored inside a session cookie. All you need to do is to configure the middleware as above and it will take care of managing the user session.
The OpenID Connect (OIDC) middleware will also extract all the claims from the ID Token, which is sent from Auth0 once the user has authenticated, and add them as claims on the
Implement the Logout
You can control both the application session and the Auth0 session using the
SignOutAsync method of the
AuthenticationManager class, and passing along the authentication scheme from which you want to sign out.
As an example to sign out of the cookie middleware, and thereby clearing the authentication cookie for your application, you can make the following call:
Similarly you can log the user out from Auth0 by making a call to the
SignOutAsync method and passing along
Auth0 as the authentication scheme to sign out of.
For the above to work you will however also need to add extra configuration when registering the OIDC middleware by handling the
OnRedirectToIdentityProviderForSignOut event. Inside the event you will need to redirect to the Auth0 logout endpoint which will clear the Auth0 cookie.
You will also need to ensure that you add your application's URL to the Allowed Logout URLs for your application inside the Auth0 dashboard. For more information refer to Logout.
Implement Admin permissions
The easiest way to integrate the groups into an ASP.NET Core application is to use the built-in Role-based Authorization available in ASP.NET Core. In order to achieve this we will need to add a Claim of type
for each of the groups a user is assigned to.
Once the claims has been added we can easily ensure that a specific action is available only to
Admin users by decorating the claim with the
[Authorize(Roles = "Admin")] attribute. You can also check whether a user is in a specific role from code by making a call to
User.IsInRole("Admin") from inside your controller.
The ASP.NET OIDC middleware will automatically add all claims returned in the JWT as claims to the
ClaimsIdentity. We would therefore need to extract the information from the
authorization claim, deserialize the JSON body of the claim, and for each of the groups add a
http://schemas.microsoft.com/ws/2008/06/identity/claims/role claim to the
And subsequently we can add an action which allows Administrators to approve timesheets: