
Integrate Kinde with ASP.NET using OpenID Connect

Kinde supports the OpenID Connect (OIDC) protocol, which allows integration with the authentication services built into ASP.NET, without the need for a separate SDK.

This guide walks through the steps of integrating Kinde auth into an ASP.NET web application using OpenID Connect.

A complete sample project can be found in the .NET starter kit.

Configure your project

  1. Install the OpenID Connect package:

    dotnet add package Microsoft.AspNetCore.Authentication.OpenIdConnect
  2. Add the authentication services (typically in Program.cs). The cookie scheme holds the local session once the user has signed in; the OpenID Connect scheme is used only to challenge, that is, to redirect an unauthenticated user to Kinde:

    using Microsoft.AspNetCore.Authentication.Cookies;
    using Microsoft.AspNetCore.Authentication.OpenIdConnect;

    builder.Services.AddAuthentication(options =>
    {
        // Sign-in state lives in the authentication cookie ...
        options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        // ... and unauthenticated requests are redirected to Kinde.
        options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
    })
    .AddCookie()
    .AddOpenIdConnect();
  3. Add the authentication and authorization middleware. UseAuthentication must come before UseAuthorization, and both must run before the endpoints they protect (MapControllers, MapRazorPages, and so on) are mapped:

    app.UseAuthentication();
    app.UseAuthorization();
  4. Configure authentication in appsettings.json, replacing the placeholders <your_kinde_domain>, <your_client_id> and <your_client_secret> with the application keys found in Kinde. Authority is the full https:// URL of your Kinde domain. "ResponseType": "code" selects the authorization code flow (the handler adds PKCE by default), and "MapInboundClaims": false keeps claim types exactly as Kinde issues them (sub, email, permissions, and so on) instead of renaming them to the long http://schemas.xmlsoap.org/... claim type URIs, so the policies below can match claims by the names Kinde uses.

    "Authentication": {
      "Schemes": {
        "OpenIdConnect": {
          "Authority": "<your_kinde_domain>",
          "ClientId": "<your_client_id>",
          "ClientSecret": "<your_client_secret>",
          "MapInboundClaims": false,
          "ResponseType": "code"
        }
      }
    }

    Treat the client secret as a credential rather than as configuration: do not commit it in appsettings.json. For local development store it with the Secret Manager (dotnet user-secrets), and in deployment supply it through an environment variable or a secret store; both feed the same Authentication:Schemes:OpenIdConnect:ClientSecret configuration key, so the file only needs the non-secret values. Binding the handler's options from this configuration section requires .NET 7 or later.
  5. In Kinde, add an allowed callback URL to your application. The two paths below are the handler's default CallbackPath and SignedOutCallbackPath; Kinde only redirects to URLs on its allow-list, so the entries must match exactly, scheme and port included. For local development the callback looks like the following, where <local_port> is the HTTPS port generated for your project:

    https://localhost:<local_port>/signin-oidc

    Similarly, add an allowed logout URL:

    https://localhost:<local_port>/signout-callback-oidc

    The OpenID Connect middleware handles requests to these routes itself; you do not write controllers or pages for them.
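The five steps above assembled into one Program.cs, as an added example that is not the page's or the .NET starter kit's own code. It assumes .NET 7 or later with implicit usings enabled (so the Authentication:Schemes:OpenIdConnect section is bound to the handler's options automatically), that the client secret arrives through the Secret Manager or the Authentication__Schemes__OpenIdConnect__ClientSecret environment variable rather than appsettings.json, and it adds /login and /me endpoints of its own so the sign-in round trip can be exercised; the cookie lifetime and the userinfo call are this example's choices, not the page's.

```csharp
// Program.cs: the configuration steps above in one file (added example, not the
// starter kit's code). Requires .NET 7+ with implicit usings. Authority, ClientId,
// ClientSecret, ResponseType and MapInboundClaims are bound from the
// Authentication:Schemes:OpenIdConnect configuration section.
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;

var builder = WebApplication.CreateBuilder(args);

// Fail closed at startup: an absent secret would otherwise surface only as a
// confusing token-exchange error on the first sign-in. The secret is expected
// from user-secrets or the environment, never from a committed appsettings.json.
if (string.IsNullOrEmpty(builder.Configuration["Authentication:Schemes:OpenIdConnect:ClientSecret"]))
{
    throw new InvalidOperationException(
        "Authentication:Schemes:OpenIdConnect:ClientSecret is not configured.");
}

builder.Services.AddAuthentication(options =>
{
    // The cookie is the local session; OIDC is only used to challenge (redirect to Kinde).
    options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
})
.AddCookie(options =>
{
    // Session cookie hardening: HttpOnly is already the default; additionally
    // send it over HTTPS only and keep it off cross-site requests.
    options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
    options.Cookie.SameSite = SameSiteMode.Lax;
    // Bounded session (this example's choice): re-authenticate after 8 hours
    // instead of extending the cookie on every request.
    options.ExpireTimeSpan = TimeSpan.FromHours(8);
    options.SlidingExpiration = false;
})
.AddOpenIdConnect(options =>
{
    // Everything else comes from configuration. The handler validates the ID token
    // itself (signature against Kinde's JWKS, issuer from the discovery document,
    // audience == ClientId, expiry, nonce); no extra code is needed for that.
    options.GetClaimsFromUserInfoEndpoint = true; // also pull profile claims into the principal
    options.SaveTokens = false;                   // keep raw tokens out of the cookie unless an API call needs them
});

builder.Services.AddAuthorization();

var app = builder.Build();

app.UseHttpsRedirection();
app.UseAuthentication();
app.UseAuthorization();

// Public landing page.
app.MapGet("/", () => "Public page. Sign in at /login.");

// Explicit sign-in: triggers the OIDC challenge and lands on /me afterwards.
app.MapGet("/login", () => Results.Challenge(new AuthenticationProperties { RedirectUri = "/me" }));

// Protected endpoint: anonymous callers are redirected to Kinde; signed-in
// callers see their subject. With MapInboundClaims=false the claim is still "sub".
app.MapGet("/me", (HttpContext ctx) =>
        $"Signed in as sub={ctx.User.FindFirst("sub")?.Value ?? "(none)"}")
   .RequireAuthorization();

app.Run();
```

Run it with `dotnet user-secrets set "Authentication:Schemes:OpenIdConnect:ClientSecret" "<your_client_secret>"` applied first; starting without the secret stops the process at the check instead of shipping an empty secret to Kinde.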

Manage authorization with policies


Access tokens contain information (claims) about what a user is authorized to do when they sign in. In Kinde, you can create policies to manage authorization. An ASP.NET authorization policy tests the claims on HttpContext.User, which the OpenID Connect handler builds from the ID token (plus the userinfo endpoint when GetClaimsFromUserInfoEndpoint is enabled); it does not parse the access token. A claim that Kinde issues only in the access token therefore has to be added to the ID token or copied into the principal (for example in the handler's OnTokenValidated event, where TokenEndpointResponse.AccessToken is available) before a policy can see it.

Via permission claims

Create a policy that allows only users with a particular permission claim, e.g. read:weather. Kinde issues permissions as an array, and the JWT handler surfaces each element as its own claim of type permissions, so matching a single claim value is sufficient:

builder.Services
    .AddAuthorization(options =>
    {
        // Satisfied only if the signed-in principal carries a permissions claim
        // whose value is exactly read:weather; equivalent to
        // policy.RequireClaim("permissions", "read:weather").
        options.AddPolicy("ReadWeatherPermission",
            policy => policy.RequireAssertion(
                context => context.User.Claims.Any(c => c.Type == "permissions" && c.Value == "read:weather")
            ));
    });

Set up permissions in Kinde.

Via role claims

  1. Set up Roles in Kinde.
  2. Add roles to the access token via custom claims, see the token customization procedure.
  3. Create a policy for a particular role, for example:

builder.Services
    .AddAuthorization(options =>
    {
        // Satisfied only if the principal carries a roles claim with the exact value admin.
        options.AddPolicy("AdminRole",
            policy => policy.RequireAssertion(
                context => context.User.Claims.Any(c => c.Type == "roles" && c.Value == "admin")
            ));
    });

Note that roles defined in Kinde do not map to ASP.NET roles on their own: RequireRole() and [Authorize(Roles = "...")] test the identity's role claim type, which the OpenID Connect handler takes from TokenValidationParameters.RoleClaimType, so they only see Kinde roles if you set that property to "roles" in AddOpenIdConnect. The claim-based policy above works without any such mapping.
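One way to avoid a separate AddPolicy call for every permission and every role, as an added example that is not part of this page or the starter kit: a single requirement and handler that check a Kinde claim for an exact value, plus a policy provider that turns policy names of the form permission:<name> or role:<name> into such requirements on demand. It serves both the permission section and the role section above. The claim types permissions and roles are the ones the page uses; the permission: and role: prefixes, the AddKindeClaimPolicies helper and the WeatherController are this example's own.

```csharp
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Options;

// Requirement: the principal must carry a claim of ClaimType whose value is exactly Value.
public sealed record KindeClaimRequirement(string ClaimType, string Value) : IAuthorizationRequirement;

// Handler: fails closed. It only ever calls Succeed; a requirement that is not
// explicitly met stays unmet, so a missing or mistyped claim denies access.
public sealed class KindeClaimHandler : AuthorizationHandler<KindeClaimRequirement>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, KindeClaimRequirement requirement)
    {
        // Kinde issues permissions as a JSON array; the JWT handler surfaces one
        // Claim per element, so an exact, case-sensitive match per claim is right.
        bool granted = context.User.HasClaim(c =>
            c.Type == requirement.ClaimType &&
            string.Equals(c.Value, requirement.Value, StringComparison.Ordinal));
        if (granted)
        {
            context.Succeed(requirement);
        }
        return Task.CompletedTask;
    }
}

// Policy provider: "permission:read:weather" -> permissions claim read:weather,
// "role:admin" -> roles claim admin. Other names fall through to AddPolicy registrations.
public sealed class KindeClaimPolicyProvider : DefaultAuthorizationPolicyProvider
{
    public KindeClaimPolicyProvider(IOptions<AuthorizationOptions> options) : base(options) { }

    public override async Task<AuthorizationPolicy?> GetPolicyAsync(string policyName)
    {
        string? claimType = null;
        string value = string.Empty;
        if (policyName.StartsWith("permission:", StringComparison.Ordinal))
        {
            claimType = "permissions";
            value = policyName["permission:".Length..];
        }
        else if (policyName.StartsWith("role:", StringComparison.Ordinal))
        {
            claimType = "roles";
            value = policyName["role:".Length..];
        }

        if (claimType is null)
        {
            return await base.GetPolicyAsync(policyName);
        }
        if (value.Length == 0)
        {
            // "permission:" with nothing after it is a programming error. Returning
            // null makes the authorization middleware throw rather than allow.
            return null;
        }

        return new AuthorizationPolicyBuilder()
            .RequireAuthenticatedUser()
            .AddRequirements(new KindeClaimRequirement(claimType, value))
            .Build();
    }
}

public static class KindeAuthorizationExtensions
{
    // Registers the provider and handler; call this in Program.cs after AddAuthentication.
    public static IServiceCollection AddKindeClaimPolicies(this IServiceCollection services)
    {
        services.AddAuthorization();
        services.AddSingleton<IAuthorizationPolicyProvider, KindeClaimPolicyProvider>();
        services.AddSingleton<IAuthorizationHandler, KindeClaimHandler>();
        return services;
    }
}

// Usage: no AddPolicy call is needed for these names.
public sealed class WeatherController : Controller
{
    [Authorize(Policy = "permission:read:weather")]
    public IActionResult Index() => Content("forecast");

    [Authorize(Policy = "role:admin")]
    public IActionResult Admin() => Content("admin tools");
}
```

Register it with builder.Services.AddKindeClaimPolicies() in Program.cs. Because the provider derives from DefaultAuthorizationPolicyProvider, policies you still register by name with AddPolicy (such as ReadWeatherPermission above) keep working alongside the generated ones.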

Secure MVC pages


To protect routes, add the [Authorize] attribute (from the Microsoft.AspNetCore.Authorization namespace) to any controllers or actions that need it. An action without the attribute stays public, so it is safer to put the attribute on the controller class and opt individual actions out with [AllowAnonymous] than to decorate actions one by one.

For example, allow access only to users that satisfy the policy defined in the previous section:

// Anonymous users are redirected to Kinde; signed-in users without the permission are refused.
[Authorize(Policy = "ReadWeatherPermission")]
public ActionResult Weather() => View();

See the ASP.NET Core documentation for more details on authorization.

Secure Razor pages


Razor pages can be secured by specifying the routes in service configuration, for example:

builder.Services.AddRazorPages(options =>
{
    // Any signed-in user may open /Protected ...
    options.Conventions.AuthorizePage("/Protected");
    // ... but /Weather additionally requires the ReadWeatherPermission policy defined above.
    options.Conventions.AuthorizePage("/Weather", "ReadWeatherPermission");
});

See Microsoft documentation for more details about authorizing Razor pages.

Log out

To sign a user out of your application and of Kinde, sign out of both schemes: signing out of the cookie scheme clears the local session, and signing out of the OpenID Connect scheme redirects the browser to Kinde's end-session endpoint, after which Kinde returns it to the allowed logout URL (/signout-callback-oidc) registered earlier. For example:

using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;

// Controller action: clears the local cookie, then redirects to Kinde to end the session there.
public async Task Logout()
{
    await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
    await HttpContext.SignOutAsync(OpenIdConnectDefaults.AuthenticationScheme);
}
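A fuller logout action, added here as an example and not taken from the starter kit. It assumes an MVC controller named AccountController (a hypothetical name) and a logout form rendered with Razor's form tag helper. It accepts only POST requests carrying an antiforgery token, so that a third-party page cannot log the user out by embedding a GET link or image, and it returns a SignOutResult instead of awaiting the two SignOutAsync calls, which lets you pass a RedirectUri for where the browser should land once Kinde has ended the session.

```csharp
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Mvc;

// Hypothetical controller name; not part of the starter kit.
public sealed class AccountController : Controller
{
    // The logout form posts here:
    //   <form method="post" asp-controller="Account" asp-action="Logout">
    //       <button type="submit">Log out</button>
    //   </form>
    // The form tag helper emits the antiforgery token that [ValidateAntiForgeryToken]
    // checks, so a forged cross-site POST (no token) or a GET (wrong verb) is rejected
    // before any sign-out happens.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public IActionResult Logout()
    {
        // Executing the SignOutResult signs out of both schemes in order:
        //   cookie scheme -> the local session cookie is deleted;
        //   OIDC scheme   -> 302 to Kinde's end-session endpoint.
        // Kinde then returns the browser to /signout-callback-oidc (the allowed logout
        // URL registered earlier) and the handler redirects to RedirectUri.
        return SignOut(
            new AuthenticationProperties { RedirectUri = "/" },
            CookieAuthenticationDefaults.AuthenticationScheme,
            OpenIdConnectDefaults.AuthenticationScheme);
    }
}
```

Keep the local cookie sign-out even if the redirect to Kinde fails for some reason (network, mistyped allow-list entry): it runs first, so the application session is gone regardless of what happens at Kinde.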

Additional options


Kinde supports additional authorization request parameters, such as org_code to specify the organization to log into. Set them in the OnRedirectToIdentityProvider event of the OpenID Connect options, which runs just before the browser is redirected to Kinde. For example:

.AddOpenIdConnect(options =>
{
    options.Events.OnRedirectToIdentityProvider = context =>
    {
        // Appends org_code=<your_org_code> to the authorization request sent to Kinde.
        context.ProtocolMessage.SetParameter("org_code", "<your_org_code>");
        return Task.CompletedTask;
    };
});
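The page's example sends one fixed organization code. The following added example (not from the page or the starter kit) generalizes it: the organization is chosen per sign-in request, carried from the Challenge call to the redirect event inside AuthenticationProperties.Items, and checked against an allow-list so that a caller cannot steer the login to an arbitrary organization by editing the URL. The codes in allowedOrgCodes, the /login/{org} route and the "org_code" Items key are this example's own; the rest is the ASP.NET OpenID Connect API as used on this page.

```csharp
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;

var builder = WebApplication.CreateBuilder(args);

// Constructed sample allow-list of the Kinde organizations this app may sign into.
// In practice load it from configuration or a database.
var allowedOrgCodes = new HashSet<string>(StringComparer.Ordinal)
{
    "org_example_a",
    "org_example_b",
};

builder.Services.AddAuthentication(options =>
{
    options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
})
.AddCookie()
.AddOpenIdConnect(options =>
{
    options.Events.OnRedirectToIdentityProvider = context =>
    {
        // The org code is read from the AuthenticationProperties that the Challenge
        // call supplied, not from the request URL, so only the endpoint below can set it.
        if (context.Properties.Items.TryGetValue("org_code", out var orgCode) &&
            !string.IsNullOrEmpty(orgCode))
        {
            context.ProtocolMessage.SetParameter("org_code", orgCode);
        }
        return Task.CompletedTask;
    };
});

var app = builder.Build();

app.UseAuthentication();

// /login/org_example_a starts a sign-in scoped to that organization;
// an unknown code gets 404 before any redirect to Kinde is issued.
app.MapGet("/login/{org}", IResult (string org) =>
{
    if (!allowedOrgCodes.Contains(org))
    {
        return Results.NotFound();
    }
    var properties = new AuthenticationProperties { RedirectUri = "/" };
    properties.Items["org_code"] = org;
    return Results.Challenge(properties);
});

app.MapGet("/", (HttpContext ctx) =>
    ctx.User.Identity?.IsAuthenticated == true
        ? "Signed in."
        : "Anonymous. Try /login/org_example_a.");

app.Run();
```

The same Items mechanism works for any other request parameter you want to vary per sign-in; keep the values server-chosen or allow-listed, since whatever reaches SetParameter is sent to Kinde verbatim.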