Using Kinde without an SDK
SDKs and APIs
This article walks through configuring an ASP.NET application to accept and validate an access token from Kinde.
Where users are logged into a front end or mobile application, the access token can be passed in a bearer authorization header to secure requests to back end APIs.
A complete sample project can be found in the .NET starter kit.
Install the packages that handle tokens.
Configure application services (typically Program.cs
) to use the package.
Configure appsettings.json
for your Kinde application. Replace <your-domain>
with your Kinde domain and <your-audience>
with the audience associated with your API in Kinde.
.NET authentication requires an audience. If you don’t already have an audience defined, you will need to do this by registering your API.
Access tokens contain information (claims) about what a user is authorized to do when they sign in. You can create policies to manage authorization.
Create a policy that allows only users with certain permission claims, e.g. read:weather
:
Set up permissions in Kinde.
Note roles defined in Kinde do not map to roles as defined in ASP.NET, so the related functionality, such as RequireRole()
, cannot be used.
To protect routes, add the [Authorize]
attribute (from the Microsoft.AspNetCore.Authorization
package) to any controllers or actions required.
For example, allow access only to users that satisfy the policy defined in the previous section:
See the ASP.NET Core documentation for more details on authorization.
To protect routes for minimal APIs, the RequireAuthorization()
method can be called, and optionally pass in a policy, for example:
See the ASP.NET Core documentation for more details about securing minimal APIs.
Swagger UI provides an easy way to test APIs while in development.
For secured APIs, an access token is sent from your front end application with each request. Swagger UI can be configured to initiate auth and populate the token for you.
Configure Swagger with the details of Kinde’s OpenID Connect configuration:
Configure Swagger UI to pre-populate the relevant parameters:
Swap <frontend-app-client-id>
with your front end application’s client ID shown in Kinde.
Add the callback URL to your front end application’s allowed callbacks so that the Swagger UI initiates auth and returns to Swagger UI after auth.
For local development, the callback will look like the following, though the port may differ:
Once this is set up, use the Authorize
button to initiate auth. On return, API requests should be automatically populated with the access token. Note for front end applications, implicit flow is not supported, only PKCE is supported.
When mismatched versions of dependent libraries are resolved, requests to the API may fail with HTTP 401 and a token validation error. It will look something like this:
For example, if version 7.4.0 or later of System.IdentityModel.Tokens.Jwt
is installed with a version of Microsoft.AspNetCore.Authentication.JwtBearer
that is dependent on an earlier version of Microsoft.IdentityModel.Protocols.OpenIdConnect
.
To fix, you would update the version of Microsoft.IdentityModel.Protocols.OpenIdConnect
to match your version of System.IdentityModel.Tokens.Jwt
. E.g. ensure they are both 7.4.0.