Using OAuth2 and Open ID Connect in an ASP.NET Core Application

ASP.NET Core Mar 7, 2019


In this article you will learn to us OAuth2 and Open ID Connect in an ASP.NET Core Application to authenticate your users. OAuth2 is the gold-standard protocol for authorization and used by most of the organization nowadays. Open Id Connect sits on top of the OAuth2 protocol and provides an extra identity layer. You can learn more about those two standards on their official homepage - linked above.

In this tutorial we will use Auth0 as our authentication server, but you can use any other authentication service of your choice. If you have any extra needs or want to host the authentication server by yourself you may want to consider using Identity Server. Identity Server is made  for .NET applications and it is open source - so you can dive deep in the actual implementation.

The source code and a working prototype is available on my Github page. You only have to adapt the appSettings file with your keys. I would also recommend to use OData when providing an API. You can find a guide to achieve this here.

Deciding the Authorization Grant Type

OAuth2 actually has many different ways of granting access. You can find all below.

I would strongly suggest to use the Authorization Code Grant Type whenever it is possible. It is by far the most secure way - since everything is handled in the backend. In this tutorial we'll use exactly this type to get authenticated.

Should you consider to use the Implicit flow read the official statemant from the OAuth2 standard:

"It is generally not recommended to use the implicit flow (and some servers prohibit this flow entirely)." (source)

Adding Authorization to an ASP.NET Core Application

At first we are going to add the Open Id Connect and Cookie handler to our Application. For this purpose we are adding code to the ConfigureServices method within the Startup.cs file.

The next step is to add the Authentication Middleware within the Configure Method in our Startup.cs file.

The ChallengeAsync method has two parameters - the Authentication Provider we have before configured and a AuthenticationProperties object. The first parameter should match the value in .AddOpenIdConnect("Auth0"... and the second is used to pass a return Url to redirect the user after a login when a specfic resource is requested. This resource could be any protected resource or path in your application (e.g.

The Logout should only be accessible to users who are authenticated. For this purpose we are decorating the Logout method with an Authorize attribute. In our case we are redirecting to a specific url when the user got logged out.

The same Authorize attribute should be used when you want to protect your API calls, but don't forget that Authorization says nothing about Authorization.


Using Authorization in any ASP.NET Core Application is simple and should no one hold back to use it. It's also fairly easy to add this functionality later on.

If you have any further questions or additions please use the comment box below.

Happy authenticating :)


Great! You've successfully subscribed.
Great! Next, complete checkout for full access.
Welcome back! You've successfully signed in.
Success! Your account is fully activated, you now have access to all content.