
Authentication, do it yourself?

A big part of many new development projects is, of course, user authentication and user authorization. It sounds simple enough: create a table in a database, store a username and/or email address and a hashed password, and you’re already halfway there.

However, with the rise of Single Sign-On (SSO for short), should you still want to manage the authentication yourself?

Everything is in the cloud, so why do the hardest part yourself?

I ran into these questions when I started work on an application for a volunteer organization local to me. The answer I got to? No, I shouldn’t do it myself anymore.

In the last few years, services that do authentication for you, either through OAuth or through OpenID Connect, an extra layer on top of it, have begun appearing more and more. Even the big parties have their own service.

Microsoft has Microsoft Identity Platform and Azure Active Directory, Amazon’s AWS has Amazon Cognito and Google has Google Identity. If you rely on any of their services already or are experienced with one of them, it’s probably best to go for the one of your preference.

Since I rely on none of them I decided to go for a different service, called Auth0. Which, when I started looking for a service, had the easiest to understand documentation and guides helping me get set up.

Lots of guides for different platforms.

Currently, I’ve been using Auth0 in combination with .NET MAUI and a .NET API, for both of which easy-to-follow guides are available: .NET MAUI and .NET MAUI API calls. These have helped me get set up easily and understand the basics of both Auth0 and OpenID Connect based services.

No more manual registration and login.

And no need to think about how you’re safely going to store your user’s information. As long as you have no need to store the user’s information on your server, you don’t have to. The available information can always be accessed using a simple API call to Auth0’s API.

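using System.Net.Http;
using System.Net.Http.Headers;

using (var client = new HttpClient())
{
    // Send the access token as a bearer credential.
    client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", "Your auth0 access token");

    // yourauth0Domain is the URL of your Auth0 tenant.
    var response = await client.GetAsync($"{yourauth0Domain}/userinfo");

    // The response body is a JSON document containing the user's claims.
    var userInfo = await response.Content.ReadAsStringAsync();
}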

The above snippet shows how to retrieve the user’s info (claims) with an access token obtained during login through Auth0.
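A fuller version of the same call, as an added example that is not code from this post or from Auth0: it refuses to send the token over plain HTTP, treats a 401 as "log in again", and parses the claims instead of keeping a raw string. The names `UserInfoClient` and `UserInfo` and the sample values are assumptions; `sub`, `email` and `email_verified` are standard OpenID Connect claims.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text.Json;
using System.Threading.Tasks;

// Subset of the OpenID Connect standard claims returned by /userinfo.
public sealed record UserInfo(string Sub, string? Email, bool EmailVerified);
public static class UserInfoClient
{
    // One shared HttpClient; creating one per call can exhaust sockets.
    private static readonly HttpClient Http = new();

    // domain is your tenant URL, e.g. "https://your-tenant.example" (placeholder).
    public static async Task<UserInfo?> GetAsync(string domain, string accessToken)
    {
        var endpoint = new Uri(new Uri(domain), "/userinfo");
        if (endpoint.Scheme != Uri.UriSchemeHttps)
            throw new ArgumentException("Bearer tokens must only be sent over HTTPS.", nameof(domain));
        using var request = new HttpRequestMessage(HttpMethod.Get, endpoint);
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
        using var response = await Http.SendAsync(request);
        if (response.StatusCode == HttpStatusCode.Unauthorized)
            return null; // token expired, revoked or malformed: send the user back to login
        response.EnsureSuccessStatusCode();
        return Parse(await response.Content.ReadAsStringAsync());
    }

    public static UserInfo Parse(string json)
    {
        using var doc = JsonDocument.Parse(json);
        var root = doc.RootElement;
        // "sub" is the stable user identifier; key local records on it, not on email.
        var sub = root.GetProperty("sub").GetString()
                  ?? throw new InvalidOperationException("userinfo response has a null sub claim");
        string? email = root.TryGetProperty("email", out var e) ? e.GetString() : null;
        // Treat the email as unverified unless the provider explicitly says otherwise.
        bool verified = root.TryGetProperty("email_verified", out var v)
                        && v.ValueKind == JsonValueKind.True;
        return new UserInfo(sub, email, verified);
    }

    public static void Main()
    {
        // Constructed sample response (not real data); email_verified is false here.
        var u = Parse("{\"sub\":\"auth0|example\",\"email\":\"a@example.org\",\"email_verified\":false}");
        Console.WriteLine($"{u.Sub}: email trusted = {u.EmailVerified}");
    }
}
```

Avoid writing the access token to logs or crash reports, and gate anything that depends on the email address (invitations, role assignment) on `EmailVerified`.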

Not having to deal with the authentication part yourself allows you to focus on the important things, your application!

So in my opinion, unless you have a good reason to do it all yourself, you probably shouldn’t anymore.

This post is licensed under CC BY 4.0 by the author.