https://github.com/liteobject/demo.auth0

A .NET Web API demo showcasing Auth0 authentication and authorization.
https://github.com/liteobject/demo.auth0

api auth0 authentication authorization csharp oauth2

Last synced: about 1 month ago
JSON representation

A .NET Web API demo showcasing Auth0 authentication and authorization.

• Host: GitHub
• URL: https://github.com/liteobject/demo.auth0
• Owner: LiteObject
• Created: 2025-03-21T13:40:25.000Z (over 1 year ago)
• Default Branch: main
• Last Pushed: 2025-03-24T15:57:21.000Z (about 1 year ago)
• Last Synced: 2025-04-08T16:19:15.495Z (about 1 year ago)
• Topics: api, auth0, authentication, authorization, csharp, oauth2
• Language: C#
• Homepage:
• Size: 18.6 KB
• Stars: 0
• Watchers: 1
• Forks: 0
• Open Issues: 0
• Metadata Files:
  • Readme: README.md

Awesome Lists containing this project

README

          
# .NET Web API demo showcasing Auth0 authentication and authorization

### Auth0: Applications vs. APIs

| Feature                  | **Applications (Clients)**         | **APIs**                       |

|--------------------------|-------------------------------------|----------------------------------|

| **Purpose**               | Authenticate users                  | Protect and expose backend resources |

| **Entity**                | Front-end/back-end client           | Backend service/API              |

| **Token Handling**         | Requests access/ID tokens           | Validates access tokens          |

| **Authentication**         | Manages user login and identity     | Does not authenticate users      |

| **Authorization**         | Requests tokens with specific scopes | Validates token and checks scopes |

| **Token Type**             | Access/ID tokens                   | Access tokens                    |

| **Examples**               | Web app, mobile app, M2M client    | REST API, GraphQL API            |

| **Common Flows/Grants**     | Authorization Code, PKCE, Implicit, Client Credentials | Validates client and user permissions |

| **Scopes Assignment**      | Requests specific scopes            | Defines allowed scopes           |

| **Audience (audience)**    | Does not define audience            | Defines audience for token requests |

| **Token Usage**            | Uses token to access APIs           | Validates token to allow/deny requests |

| **Allowed Grant Types**     | Configured in Application Settings  | Checked while validating token   |

| **Communication Flow**     | Sends token to API                  | Validates token and responds     |

| **Client Credentials**     | Used for machine-to-machine (M2M)  | Verifies scopes and permissions  |

| **Domain/Endpoint**         | Typically `https://your-app.com`   | Typically `https://your-api.com` |

| **When to Use**            | For web, mobile, or backend apps    | To protect and expose APIs       |

### Scope vs Permission

There is a subtle but important difference between **scopes** and 

**permissions** in Auth0, although they are closely related and often 

used together. Here's a breakdown:

| Feature       | Permissions                              | Scopes                                      |

|---------------|------------------------------------------|---------------------------------------------|

| Definition    | Defined by the API (Resource Server)     | Defined by the Authorization Server (Auth0) |

| Representation| Specific actions (e.g., read:profile)    | Collections of permissions or access levels |

| Requestor     | Granted to users/applications            | Requested by the client application         |

| Purpose       | Authorization (what the user/app can do) | Requesting access (what the app wants)      |

| Token Claim   | permissions                              | scope                                       |

Scopes are what the client asks for, and permissions are what the client is ultimately granted (and what the 

API uses for authorization). The mapping between scopes and permissions is configured in Auth0. Using permissions 

directly in your application is generally considered best practice. Scopes are often used as a more abstract 

way to request access, with the actual permissions being determined by the authorization server.

### Since I can create policies in the `Program.cs` file, why would I need to implement IAuthorizationService?

Creating policies in the `Program.cs` file is a straightforward way to define and apply authorization rules based 

on claims, roles, or custom requirements. However, there are scenarios where using the `IAuthorizationService` 

interface can provide additional flexibility and control over the authorization process.

#### When to Use IAuthorizationService

- Complex Authorization Logic

- Dynamic Authorization

- Custom Authorization Handlers

- Granular Control