Resolving auth in back-end (.NET) with token retrieved from front-end (React)
Hello, i have finished a setup in react, but i need to use the token to authenticate and authorize the user in the back-end. AFAIK there are no documents on Kinde elaborating on this issue, would anyone be able to support?
In .NET authentication is added:
but the
access_token is always null
40 Replies
Hi @LIFE,
Do you need the actual access token in your controller action, or do you just need the details of the authenticated user?
Here's how I validate and use the access token (provided in the
Authorization header in the request from my React app) -
In startup.cs:
Now in your controller action you should be able to see HttpContext.User populated with properties for the authenticated user - their userId (the sub claim), their Kinde organization (the org_code claim) etcAha, Thanks! No I do not need the actual token, but I do need the identity. I tried to retrieve the token as a way to test whether it was passed or not. Regardless, my setup always gives an httpcontext with null identities. I will test your setup tomorrow at work. But decoding the jwt gives "null" audiences. What should authority be?
Hi @LIFE,
token to authenticate and authorize the user in the back-endCan I confirm that you when you refer to "back-end" here, your backend is .NET?
Yes, that is correct
Hey @LIFE,
It seems like you're trying to authenticate and authorize a user in a .NET backend using a token from a React frontend.
In your .NET backend, you're using JWT Bearer authentication which is correct. However, it seems like the access token is not being sent correctly from the frontend or not being retrieved correctly in the backend.
In your React frontend, you should be sending the access token in the Authorization header of your HTTP requests. Here's an example of how you can do this:
In your .NET backend, you should be able to retrieve the access token from the Authorization header of the incoming HTTP request. Here's an example of how you can do this:
Please ensure that the access token is being sent correctly from the frontend and that you're retrieving it correctly in the backend. If you're still having issues, please let me know! I'm here to help.
Thanks! using the
HttpContext.Request.Headers["Authorization"].ToString().Split(' ')[1]; i was able to retrieve the access token.
However, the HttpContext.user is still defaulting to null:
The token should be sent correctly as seen here
Hey @LIFE,
It seems like the user is not being authenticated correctly. The
HttpContext.User property will be populated after the user has been authenticated.
Similar to @jacquesy above, in your Startup.cs file, make sure you have the following lines in the ConfigureServices method:
And in the Configure method, make sure you have:
These lines of code will ensure that the user is authenticated before any controller actions are executed. If HttpContext.User is still null after this, it means that the token is not valid or the user does not exist.
If you're still having issues, please let me know! I'm here to help.Thank's this is all very helpful! I am still uncertain what values to put for
Jwt:Issuer and Jwt:Key
The settings above still gives HttpContext.User = nullHi @LIFE,
I think I need to ask my .NET expert team mate on this issue.
Ill get back to you soon.
Thank you, looking forward to the response. Appreciate the effort!
In the meantime, we did just update the Kinde .NET SDK.
I would suggest updating to the latest .NET SDK version.
I don't use the Kinde .NET SDK as i am using the React SDK for authentication
the .NET back-end is just an extension of the front-end authentication scheme
Oh I understand.
Thanks for explaining this.
I will pass this information onto my teammates to look into.
Ah makes more sense, thanks for the diagram.
Hi @LIFE , the issuer for the JWT will be just your Kinde sub-domain, so something like
https://yourbusiness.kinde.com, the public keys can be found from the JWKS endpoint on your sub-domain, something like https://yourbusiness.kinde.com/.well-known/jwks
Note, Kinde supports OpenID Connect Discovery, a minimal configuration can be done with:
Using this .NET will look up the configuration (e.g. https://yourbusiness.kinde.com/.well-known/openid-configuration) and retrieve the keys from the JWKS endpoint to verify the token.Great, thanks!
I tested 2 program.cs configs:
appsettings:
Regardless, HttpContext.User is always null
https://alkolas.kinde.com/.well-known/jwks
gives:
@LIFE for your requests can you have a look at the response headers? There should be a header that tells you why authentication failed when developing locally. If not you can enable this by adding
options.IncludeErrorDetails = true;I sent it in an earlier message aswell, but here it is:
@leo_kinde
Seems like audience is empty in the token
yeah, audience is empty:
Thought that was handled by kinde?
By default we don't set an audience, just .NET seems to require one. You can configure one in the Kinde admin UI. If you go to
Settings then APIs under Environment.
Then enable that API on the Application under Applications.
When you initiate auth you'll need specify the audience too. In the React SDK I think this is configured as a prop on the provider.Now it works. Thank you, really appreciate the good help!
No worries @LIFE , glad it is working. If you happen to want the
Name property to map to the Kinde user id, you can add:
That's great! Really appreciate the extra tip there! Now i get both name & email (in claims)
Btw: Do you have any documentation for this specific setup?
Unfortunately we don't have a document public yet @LIFE , but it is something we're working on. Including initiating .NET with Kinde auth on backend without using the SDK as that can also be done with built-in .NET auth and configuration.
Unknown User•12mo ago
Message Not Public
Sign In & Join Server To View
would i have to make changes to my authorization setup in program.cs to allow for the
[Authroize(Roles = "admin")] attribute to work?
Would i have to go about it this way:
https://stackoverflow.com/a/72472743/3712531
was able to "solve" it with this, but i'm uncertain if there are better solutions to the problem:
GitHub Copilot: To authorize based on the "name" value in the "roles" claim, you would need to parse the claim value as JSON and check the "name" field. However, the built-in
RequireClaim method doesn't support this kind of complex claim value checking.
You will need to create a custom IAuthorizationRequirement and AuthorizationHandler to handle this. Here's an example of how you can do it:
Then, you can add the requirement and handler to your services and use them in your policy:
This will create a policy named "admin" that requires the "roles" claim to have a "name" field with the value "admin".Thanks for sharing this @LIFE. I'm not super familiar with this part of handling in .NET, but it sounds reasonable.
@LIFE - This is pretty much exactly what I've done in my solution. You can now protect the whole controller or a specific action method using the
[Authorize(Policy = "admin")] attribute.Hey @leo_kinde I've activated both APIs (backend - nuxt and backend - .net) but I am still getting an empty array value for my
aud property on my token. What is needed to be done on the frontend to enable see the audience value come through on the token?
https://discord.com/channels/1070212618549219328/1246729027386085376 I put a more complete question/support request here@skywalker-kiwi#02131 Here is the code which works for me.
Backend code:
To send audience in token add the following in your React app:
In the .env file:
@leo_kinde With the above setup in my test application, I still can get user details such as Id, Name, Email, etc..,
property is true but Name is null.
https://discord.com/channels/1070212618549219328/1251154108845527153
Here is what I have tried.... after following everything in this post: no luck, sadly
Okay, I just put in the above settings and my request context is still show unauthorized
Not that it should matter, but I am using
.NET8. Does that make a difference?
The issue has been resolved in this thread: https://discord.com/channels/1070212618549219328/1251154108845527153