Resolving auth in back-end (.NET) with token retrieved from front-end (React)
Hello, I have finished a setup in React, but I need to use the token to authenticate and authorize the user in the back-end. AFAIK there are no documents on Kinde elaborating on this issue, would anyone be able to support?
In .NET authentication is added:
but the access_token is always null
40 Replies
Hi @LIFE,
Do you need the actual access token in your controller action, or do you just need the details of the authenticated user?
Here's how I validate and use the access token (provided in the Authorization header in the request from my React app) -
In startup.cs:
Now in your controller action you should be able to see HttpContext.User populated with properties for the authenticated user - their userId (the sub claim), their Kinde organization (the org_code claim) etc.
Aha, Thanks! No I do not need the actual token, but I do need the identity. I tried to retrieve the token as a way to test whether it was passed or not. Regardless, my setup always gives an HttpContext with null identities. I will test your setup tomorrow at work. But decoding the JWT gives "null" audiences. What should authority be?
Hi @LIFE,
"token to authenticate and authorize the user in the back-end"
Can I confirm that when you refer to "back-end" here, your backend is .NET?
Yes, that is correct
Hey @LIFE,
It seems like you're trying to authenticate and authorize a user in a .NET backend using a token from a React frontend.
In your .NET backend, you're using JWT Bearer authentication which is correct. However, it seems like the access token is not being sent correctly from the frontend or not being retrieved correctly in the backend.
In your React frontend, you should be sending the access token in the Authorization header of your HTTP requests. Here's an example of how you can do this:
In your .NET backend, you should be able to retrieve the access token from the Authorization header of the incoming HTTP request. Here's an example of how you can do this:
Please ensure that the access token is being sent correctly from the frontend and that you're retrieving it correctly in the backend. If you're still having issues, please let me know! I'm here to help.
Thanks! Using the HttpContext.Request.Headers["Authorization"].ToString().Split(' ')[1]; I was able to retrieve the access token.
However, the HttpContext.User is still defaulting to null:
The token should be sent correctly as seen here
Hey @LIFE,
It seems like the user is not being authenticated correctly. The HttpContext.User property will be populated after the user has been authenticated.
Similar to @jacquesy above, in your Startup.cs file, make sure you have the following lines in the ConfigureServices method:
And in the Configure method, make sure you have:
These lines of code will ensure that the user is authenticated before any controller actions are executed. If HttpContext.User is still null after this, it means that the token is not valid or the user does not exist.
If you're still having issues, please let me know! I'm here to help.
Thanks, this is all very helpful! I am still uncertain what values to put for Jwt:Issuer and Jwt:Key
The settings above still give HttpContext.User = null
Hi @LIFE,
I think I need to ask my .NET expert team mate on this issue.
I'll get back to you soon.
Thank you, looking forward to the response. Appreciate the effort!
In the meantime, we did just update the Kinde .NET SDK.
I would suggest updating to the latest .NET SDK version.
I don't use the Kinde .NET SDK as I am using the React SDK for authentication.
The .NET back-end is just an extension of the front-end authentication scheme.
Oh I understand.
Thanks for explaining this.
I will pass this information onto my teammates to look into.
Ah makes more sense, thanks for the diagram.
Hi @LIFE, the issuer for the JWT will be just your Kinde sub-domain, so something like https://yourbusiness.kinde.com, the public keys can be found from the JWKS endpoint on your sub-domain, something like https://yourbusiness.kinde.com/.well-known/jwks
Note, Kinde supports OpenID Connect Discovery, a minimal configuration can be done with:
Using this .NET will look up the configuration (e.g. https://yourbusiness.kinde.com/.well-known/openid-configuration) and retrieve the keys from the JWKS endpoint to verify the token.
Great, thanks!
I tested 2 program.cs configs:
appsettings:
Regardless, HttpContext.User is always null
https://alkolas.kinde.com/.well-known/jwks gives:
@LIFE for your requests can you have a look at the response headers? There should be a header that tells you why authentication failed when developing locally. If not you can enable this by adding options.IncludeErrorDetails = true;
I sent it in an earlier message as well, but here it is:
@leo_kinde
Seems like audience is empty in the token
yeah, audience is empty:
Thought that was handled by Kinde?
By default we don't set an audience, just .NET seems to require one. You can configure one in the Kinde admin UI. If you go to Settings then APIs under Environment.
Then enable that API on the Application under Applications.
When you initiate auth you'll need to specify the audience too. In the React SDK I think this is configured as a prop on the provider.
Now it works. Thank you, really appreciate the good help!
No worries @LIFE, glad it is working. If you happen to want the Name property to map to the Kinde user id, you can add:
That's great! Really appreciate the extra tip there! Now I get both name & email (in claims)
Btw: Do you have any documentation for this specific setup?
Unfortunately we don't have a document public yet @LIFE , but it is something we're working on. Including initiating .NET with Kinde auth on backend without using the SDK as that can also be done with built-in .NET auth and configuration.
Would I have to make changes to my authorization setup in program.cs to allow for the [Authorize(Roles = "admin")] attribute to work?
Would I have to go about it this way: https://stackoverflow.com/a/72472743/3712531
Was able to "solve" it with this, but I'm uncertain if there are better solutions to the problem:
GitHub Copilot: To authorize based on the "name" value in the "roles" claim, you would need to parse the claim value as JSON and check the "name" field. However, the built-in RequireClaim method doesn't support this kind of complex claim value checking.
You will need to create a custom IAuthorizationRequirement and AuthorizationHandler to handle this. Here's an example of how you can do it:
Then, you can add the requirement and handler to your services and use them in your policy:
This will create a policy named "admin" that requires the "roles" claim to have a "name" field with the value "admin".
Thanks for sharing this @LIFE. I'm not super familiar with this part of handling in .NET, but it sounds reasonable.
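Pulling the pieces of this thread together in one minimal .NET 6+ Program.cs (an added example written for this page, not code posted by anyone in the thread or shipped by Kinde): OIDC discovery from the Kinde sub-domain, a required audience so tokens with an empty aud are rejected, IncludeErrorDetails for local diagnosis, and the custom requirement/handler for the JSON-valued roles claim. The sub-domain and audience values, the NameClaimType mapping, the policy name and the two endpoints are assumptions, as is a Web SDK project with implicit usings enabled.

```csharp
using System.Text.Json;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
var builder = WebApplication.CreateBuilder(args);
// Placeholders (assumed values): your Kinde sub-domain and the audience of the API enabled in Kinde.
const string KindeAuthority = "https://yourbusiness.kinde.com";
const string ApiAudience = "https://your-api-audience-placeholder";

builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme).AddJwtBearer(options =>
{
    options.Authority = KindeAuthority; // issuer; discovery document and JWKS are fetched from here
    options.Audience = ApiAudience;     // tokens with an empty or different aud are rejected
    options.MapInboundClaims = false;   // keep claim names as issued: sub, org_code, roles
    options.IncludeErrorDetails = builder.Environment.IsDevelopment(); // reason in WWW-Authenticate header
    options.TokenValidationParameters.NameClaimType = "sub"; // assumption: Identity.Name = Kinde user id
});
builder.Services.AddSingleton<IAuthorizationHandler, KindeRoleHandler>();
builder.Services.AddAuthorization(options => options.AddPolicy("admin", policy =>
    policy.RequireAuthenticatedUser().AddRequirements(new KindeRoleRequirement("admin"))));

var app = builder.Build();
app.UseAuthentication(); // must precede UseAuthorization, otherwise HttpContext.User is never populated
app.UseAuthorization();
app.MapGet("/me", (HttpContext ctx) => ctx.User.Identity?.Name).RequireAuthorization();
app.MapGet("/admin-only", () => "admin ok").RequireAuthorization("admin");
app.Run();

// Each Kinde role arrives as a separate "roles" claim whose value is a JSON object with a "name" field;
// RequireClaim cannot look inside it, so this handler parses the object and compares the name.
sealed record KindeRoleRequirement(string RoleName) : IAuthorizationRequirement;
sealed class KindeRoleHandler : AuthorizationHandler<KindeRoleRequirement>
{
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext ctx, KindeRoleRequirement req)
    {
        if (ctx.User.FindAll("roles").Any(c => RoleName(c.Value) == req.RoleName))
            ctx.Succeed(req);
        return Task.CompletedTask;
    }

    // "name" of a JSON role object, or null for any malformed value (never treated as a match)
    static string? RoleName(string json)
    {
        try
        {
            using var doc = JsonDocument.Parse(json);
            return doc.RootElement.ValueKind == JsonValueKind.Object
                && doc.RootElement.TryGetProperty("name", out var n)
                && n.ValueKind == JsonValueKind.String ? n.GetString() : null;
        }
        catch (JsonException) { return null; }
    }
}
```

With MapInboundClaims left at its default, "roles" would be renamed to the .NET role claim type and "sub" to NameIdentifier, so the lookups above would silently find nothing.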
@LIFE - This is pretty much exactly what I've done in my solution. You can now protect the whole controller or a specific action method using the [Authorize(Policy = "admin")] attribute.
Hey @leo_kinde I've activated both APIs (backend - nuxt and backend - .net) but I am still getting an empty array value for my aud property on my token. What is needed to be done on the frontend to see the audience value come through on the token?
https://discord.com/channels/1070212618549219328/1246729027386085376 I put a more complete question/support request here
@skywalker-kiwi#02131 Here is the code which works for me.
Backend code:
To send audience in token add the following in your React app:
In the .env file:
@leo_kinde With the above setup in my test application, I still can get user details such as Id, Name, Email, etc., property is true but Name is null.
https://discord.com/channels/1070212618549219328/1251154108845527153
Here is what I have tried.... after following everything in this post: no luck, sadly
Okay, I just put in the above settings and my request context still shows unauthorized
Not that it should matter, but I am using .NET 8. Does that make a difference?
The issue has been resolved in this thread: https://discord.com/channels/1070212618549219328/1251154108845527153