auth0-samples / auth0-aspnetcore-mvc-samples

Auth0 Integration Samples for ASP.NET Core MVC Web Applications
https://auth0.com/docs/quickstart/webapp/aspnet-core
MIT License

Creating a compatible pair that illustrates the Auth0 support full stack example #20

Closed adriatic closed 6 years ago

adriatic commented 7 years ago

As I offered my help with this topic (and did not find a strong resistance to this idea), I would like to start with making sure that ASP.NET Core Web API Authentication can be used in conjunction with a few SPA samples (Aurelia and Javascript would be my first two choices).

Let me begin by presenting a few issues that I would like to resolve before embarking on this "mini" project, so I can focus on a more serious example that I offered to do in our last conversation yesterday.

Issue 1: Completeness of the ASP.NET Core Web API Authentication Quick Start document:

This quick start doc starts from the "middle of the story" - it does not cover any information on how to create the initial application. Instead it starts with the section Configure JSON Web Token Signature Algorithm.

I am not trying to be a stickler here; instead I am giving you the benefit of the perception of the "first time reader". It should be very easy to add a beginning paragraph with the explanation where to really start in order (this would be my guess) to get this quick start going. Without that - it is too quick :-) (this holds true regardless of the fact that one could download this complete example).


Issue 2: remarks on Aurelia SPA

This sample is written without proper care to the standards of writing good Aurelia applications - and there is no reason to do that. Your dotnet core samples, on the other hand, are completely "faithful" to Microsoft's standards, because of using the standard templates. As an example, look at the neat isolation of the Auth0 specific code in the "standard location" (Startup.cs) and compare this with the Aurelia sample, which stuffed nearly everything in the app.js file.

As you may know, there is an official set of Aurelia templates skeleton-navigation which are almost "sacred" to Aurelia developers.

jerriep commented 7 years ago

This quick start doc starts from the "middle of the story"

This is true. There are more complete quickstarts which are not published at the moment, because they are part of the OIDC-conformant work we are releasing. These will be published sometime in the coming weeks hopefully.

remarks on Aurelia SPA

The Aurelia SPA sample is "community maintained". Meaning it is up to the community to update these. I believe there is no commitment from Auth0 to keep these up to date. If you want to make enhancements to these, it would certainly be welcomed.

adriatic commented 7 years ago

The Aurelia SPA sample is "community maintained". Meaning it is up to the community to update these. I believe there is no commitment from Auth0 to keep these up to date. If you want to make enhancements to these, it would certainly be welcomed.

I am aware of this and know the guy who created this sample (Ryan). My point though is more of a policy one than a practical one - as I want to maintain the Auth0 "image", meaning that Auth0 management ought to set some standards for community contribution. This I know really well, as I have been working without pay for the last 26 months on Aurelia community contributions, more than full time, never using this "excuse" to push in anything less than my best.

This is really not your concern I guess - I will talk to Eugenio Pace about this specific problem.

adriatic commented 7 years ago

@chenkie @jerriep - three months ago you wrote:

This is true. There are more complete quickstarts which are not published at the moment, because they are part of the OIDC-conformant work we are releasing. These will be published sometime in the coming weeks hopefully.

I looked around a lot and while I am finding a lot of new OIDC-conformant samples rewrite, I did not find that complete quick start that would describe the complete interaction between this SPA written by Ryan and the aspnet core API backend that the SPA wants to access.

Assuming that such aspnet core backend quick start does not exist, can you point me to something "close enough" that is already recreated as being OIDC conformant?

A bit of progress from my end - as you likely remember, my first project is to introduce Auth0 to Aurelia Community, so I am using the "Auth0 enhanced" Aurelia Navigation Skeletons as samples. Here are the first two, deployed at github pages:

  1. SPA using Lock: https://aurelia-tools.github.io/esnext-auth0
  2. SPA using Hosted Login Page: https://aurelia-tools.github.io/esnext-auth0-hlp

You could see the SPA being restarted as a consequence of "receiving" the authentication response from Auth0 - a behavior that I would really like to avoid if possible (I would like the "callback" to be recognized as a supported route, so the app behaves as if someone clicked on the menu item that corresponds to the protected page).

jerriep commented 7 years ago

@adriatic The newly published SPA + API Architecture document demonstrates how to build an end-to-end application using an Angular frontend with a Nodejs backend.

It shows how to configure the secure using JWTs, as well as how to authenticate the user in Angular, store the tokens, and then pass the access_token when making calls to the API.

This may not be the exact stack you are looking for, but the document discusses the principles, so you can apply that to any technology.

If you feel there are things in that document which are not clear, let me know so we can update. Keep in mind though that the document is meant to be platform/technology stack agnostic. So even though we provided practical implementations in Angular+Node, those are meant as a practical implementation of the theory being discussed in the document.

Over time we can hopefully create implementation samples in other technologies.

jerriep commented 7 years ago

As a side note, I am busy creating a little sample app using Angular+ASP.NET Core as well: https://github.com/jerriep/remote-map

This is however in my personal capacity, as I am - same as you - trying to understand how to put all the pieces together.

Hopefully once the app is done, I will provide some basic implementation docs around this sample. This is however a personal endeavour, so it will likely end up on my own blog and not the Auth0 website.

adriatic commented 7 years ago

@jerriep Thanks for both notes - this is going to be very helpful, very soon. I will stay in touch, of course.

jerriep commented 6 years ago

@adriatic I am closing this, as the purpose of the quickstarts is not to provide end-to-end samples. For that, one has to look at the Architecture Scenarios.

Also, AFAIK there is work which will be done at some point which will allow any front-end quickstart sample (Mobile or SPA) to work out of the box with any backend sample.