auth0-maui
Compare original and translation side by side
🇺🇸
Original
English🇨🇳
Translation
Chineseauth0-maui Integration
auth0-maui 集成
Add Auth0 authentication to .NET MAUI applications targeting iOS, Android, macOS, and Windows. This skill integrates the NuGet package which uses the system browser via MAUI's for secure OIDC-based login and logout flows with PKCE.
Auth0.OidcClient.MAUIWebAuthenticatorAgent instruction: Before providing SDK setup instructions, fetch the latest MAUI release version by running:bashgh api repos/auth0/auth0-oidc-client-net/releases --jq '[.[] | select(.tag_name | startswith("maui-")) | .tag_name | ltrimstr("maui-")] | .[0]'Use the returned version in all dependency lines instead of any hardcoded version below.
为面向iOS、Android、macOS和Windows的.NET MAUI应用添加Auth0身份认证功能。本技能集成了 NuGet包,该包通过MAUI的调用系统浏览器,实现基于OIDC的安全登录和登出流程,并支持PKCE。
Auth0.OidcClient.MAUIWebAuthenticatorAgent 指令: 在提供SDK设置说明前,运行以下命令获取最新MAUI版本:bashgh api repos/auth0/auth0-oidc-client-net/releases --jq '[.[] | select(.tag_name | startswith("maui-")) | .tag_name | ltrimstr("maui-")] | .[0]'将返回的版本号用于所有依赖项配置,替代下方所有硬编码版本。
Prerequisites
前提条件
- .NET 8.0 SDK or later
- Visual Studio 2022 (17.8+) with MAUI workload, or JetBrains Rider with MAUI support
- For iOS: macOS with Xcode 15+
- For Android: Android SDK API 33+ (net8.0) or API 34+ (net9.0)
- For Windows: Windows 10 (10.0.19041.0)+
- Auth0 account with a Native application configured
- Node.js 20+ (for Auth0 CLI automated setup)
- .NET 8.0 SDK或更高版本
- 安装了MAUI工作负载的Visual Studio 2022(17.8+),或支持MAUI的JetBrains Rider
- iOS开发:安装Xcode 15+的macOS系统
- Android开发:Android SDK API 33+(net8.0)或API 34+(net9.0)
- Windows开发:Windows 10(10.0.19041.0)及以上版本
- 已配置Native应用的Auth0账户
- Node.js 20+(用于Auth0 CLI自动化设置)
When NOT to Use
不适用于以下场景
| Use Case | Recommended Skill |
|---|---|
| ASP.NET Core server-side web app | |
| ASP.NET Core Web API (JWT validation) | |
| React Native mobile app | |
| iOS-only Swift app | |
| Android-only Kotlin app | |
| Expo React Native app | |
| 使用场景 | 推荐技能 |
|---|---|
| ASP.NET Core服务器端Web应用 | |
| ASP.NET Core Web API(JWT验证) | |
| React Native移动应用 | |
| 仅iOS的Swift应用 | |
| 仅Android的Kotlin应用 | |
| Expo React Native应用 | |
Quick Start Workflow
快速开始流程
Agent instruction: Before starting, examine the user's project:
- Identify the .NET version from the
file (.csproj)TargetFrameworks- Check for existing authentication implementations — search for existing login/logout handlers and hook into them if found
- Note the project's namespace and directory conventions
- Look for existing
orAuth0Clientusage to avoid duplicate configurationAuth0ClientOptions
- Install SDK:
dotnet add package Auth0.OidcClient.MAUI - Configure Auth0: See Setup Guide for automatic or manual configuration.
- Integrate authentication: Add instantiation and wire login/logout to UI actions.
Auth0Client- IMPORTANT: Always set — the
Scope = "openid profile email offline_access"scope is required to receive a refresh token for silent token renewal.offline_access
- IMPORTANT: Always set
- Persist tokens with SecureStorage: After login, store the refresh token using . On app startup, restore the session with
await SecureStorage.Default.SetAsync("refresh_token", loginResult.RefreshToken). Clear on logout withRefreshTokenAsync.SecureStorage.Default.Remove("refresh_token") - Register URL scheme: Configure platform-specific callback handling:
- Android: Create with IntentFilter for your custom scheme (e.g.,
WebAuthenticatorActivity)myapp - Windows (two steps required): (1) Add to
<uap:Extension Category="windows.protocol"><uap:Protocol Name="myapp"/></uap:Extension>, AND (2) callPlatforms/Windows/Package.appxmanifestinActivator.Default.CheckRedirectionActivation()Platforms/Windows/App.xaml.cs - iOS/macOS: No extra configuration needed
- Android: Create
- Build and verify:
dotnet build
Agent instruction: When writing the Auth0Client configuration:
- ALWAYS include
in the Scope string — without it, no refresh token is returned and the user must re-authenticate every time the access token expires.offline_access- ALWAYS implement token persistence using
after login andSecureStorage.Default.SetAsync("refresh_token", ...)on app startup to restore sessions silently.SecureStorage.Default.GetAsync("refresh_token")- Clear stored tokens on logout with
.SecureStorage.Default.Remove("refresh_token")- ALWAYS create/update
to register the custom URL scheme protocol. Without this, Windows will not intercept the callback URL after authentication. Add aPlatforms/Windows/Package.appxmanifestinside the<uap:Extension Category="windows.protocol"><uap:Protocol Name="myapp"/></uap:Extension>element of the<Extensions>node.<Application>- ALWAYS add
inCheckRedirectionActivation()as the first line in the constructor, beforePlatforms/Windows/App.xaml.cs.InitializeComponent()After writing configuration and code, verify the build succeeds:bashdotnet buildIf the build fails, attempt to fix the issue. After 5-6 failed attempts, ask the user for help.
Agent 指令: 开始前先检查用户项目:
- 从
文件的.csproj字段识别.NET版本TargetFrameworks- 检查是否已有身份认证实现——搜索现有的登录/登出处理程序,若存在则对接现有逻辑
- 记录项目的命名空间和目录规范
- 查找是否已有
或Auth0Client的使用,避免重复配置Auth0ClientOptions
- 安装SDK:
dotnet add package Auth0.OidcClient.MAUI - 配置Auth0:参考设置指南进行自动或手动配置。
- 集成身份认证:实例化并将登录/登出功能关联到UI操作。
Auth0Client- 重要提示: 务必设置——
Scope = "openid profile email offline_access"权限是获取刷新令牌以实现静默令牌续期的必要条件。offline_access
- 重要提示: 务必设置
- 使用SecureStorage持久化令牌:登录成功后,通过存储刷新令牌。应用启动时,调用
await SecureStorage.Default.SetAsync("refresh_token", loginResult.RefreshToken)恢复会话。登出时通过RefreshTokenAsync清除令牌。SecureStorage.Default.Remove("refresh_token") - 注册URL协议:配置平台特定的回调处理:
- Android:创建带有IntentFilter的,匹配自定义协议(如
WebAuthenticatorActivity)myapp - Windows(需两步):(1) 在中添加
Platforms/Windows/Package.appxmanifest;(2) 在<uap:Extension Category="windows.protocol"><uap:Protocol Name="myapp"/></uap:Extension>中调用Platforms/Windows/App.xaml.csActivator.Default.CheckRedirectionActivation() - iOS/macOS:无需额外配置
- Android:创建带有IntentFilter的
- 构建并验证:
dotnet build
Agent 指令: 编写Auth0Client配置时:
- 务必在Scope字符串中包含
——缺少该权限将无法获取刷新令牌,用户需在访问令牌过期后重新认证。offline_access- 务必在登录后使用
持久化令牌,并在应用启动时通过SecureStorage.Default.SetAsync("refresh_token", ...)+SecureStorage.Default.GetAsync("refresh_token")实现会话静默恢复。RefreshTokenAsync- 登出时通过
清除存储的令牌。SecureStorage.Default.Remove("refresh_token")- 务必创建/更新
以注册自定义URL协议。否则Windows将无法拦截认证后的回调URL。在Platforms/Windows/Package.appxmanifest节点的<Application>元素内添加<Extensions>。<uap:Extension Category="windows.protocol"><uap:Protocol Name="myapp"/></uap:Extension>- 务必在Windows的
构造函数的第一行(App.xaml.cs之前)添加InitializeComponent()。CheckRedirectionActivation()完成配置和代码编写后,验证构建是否成功:bashdotnet build若构建失败,尝试修复问题。经过5-6次失败尝试后,向用户求助。
Callback URL Configuration
回调URL配置
The MAUI SDK uses a custom URL scheme for callbacks. The default pattern is:
text
myapp://callbackUnlike other Auth0 native SDKs that use or
patterns, MAUI uses a simpler custom scheme
approach. You can customize the scheme (e.g., ). Whatever scheme you choose must be:
https://{domain}/{platform}/{bundleId}/callback{bundleId}.auth0://{domain}/ios/{bundleId}/callbackcom.mycompany.myapp://callback- Registered in Auth0 Dashboard under Allowed Callback URLs and Allowed Logout URLs
- Configured in the platform-specific callback handler (Android , Windows
IntentFilter)Package.appxmanifest - Set in and
Auth0ClientOptions.RedirectUriAuth0ClientOptions.PostLogoutRedirectUri
Note: For production apps, use a reverse-domain scheme (e.g.,) to reduce the risk of URL scheme hijacking.com.yourcompany.yourapp://callback
MAUI SDK使用自定义URL协议处理回调。默认格式为:
text
myapp://callback与其他Auth0原生SDK使用或格式不同,MAUI采用更简洁的自定义协议方式。你可以自定义协议(如)。无论选择哪种协议,都必须满足:
https://{domain}/{platform}/{bundleId}/callback{bundleId}.auth0://{domain}/ios/{bundleId}/callbackcom.mycompany.myapp://callback- 在Auth0控制台的允许回调URL和允许登出URL中注册
- 在平台特定的回调处理程序中配置(Android的、Windows的
IntentFilter)Package.appxmanifest - 在和
Auth0ClientOptions.RedirectUri中设置Auth0ClientOptions.PostLogoutRedirectUri
注意: 生产应用建议使用反向域名格式的协议(如),以降低URL协议劫持风险。com.yourcompany.yourapp://callback
Done When
完成标准
- package installed
Auth0.OidcClient.MAUI - configured with Domain, ClientId, and
Auth0ClientincludingScopeoffline_access - URL scheme registered on Android (WebAuthenticatorCallbackActivity) and Windows (Package.appxmanifest)
- Callback URL () added to Auth0 Dashboard Allowed Callback URLs and Allowed Logout URLs
myapp://callback - Login/logout flow working
- Refresh token persisted via after login
SecureStorage.Default.SetAsync - Session restoration implemented via +
SecureStorage.Default.GetAsyncon app startupRefreshTokenAsync - Build succeeds with no errors
- Tested on physical device or emulator/simulator
- 已安装包
Auth0.OidcClient.MAUI - 已配置Domain、ClientId,且
Auth0Client包含Scopeoffline_access - 已在Android(WebAuthenticatorCallbackActivity)和Windows(Package.appxmanifest)中注册URL协议
- 回调URL()已添加到Auth0控制台的允许回调URL和允许登出URL
myapp://callback - 登录/登出流程正常工作
- 登录后已通过持久化刷新令牌
SecureStorage.Default.SetAsync - 应用启动时已通过+
SecureStorage.Default.GetAsync实现会话恢复RefreshTokenAsync - 构建无错误
- 已在物理设备或模拟器/仿真器上测试
Detailed Documentation
详细文档
- Setup Guide — Auth0 tenant configuration, SDK installation, platform-specific callback setup
- Integration Patterns — Login/logout flows, token refresh, user profile, error handling, MVVM patterns
- API Reference & Testing — Full reference, claims, testing checklist, troubleshooting
Auth0ClientOptions
- 设置指南 — Auth0租户配置、SDK安装、平台特定回调设置
- 集成模式 — 登录/登出流程、令牌刷新、用户信息、错误处理、MVVM模式
- API参考与测试 — 完整参考、声明、测试清单、故障排除
Auth0ClientOptions
Common Mistakes
常见错误
| Mistake | Fix |
|---|---|
| App type not set to Native in Auth0 Dashboard | Change application type to "Native" in Dashboard settings |
| Missing callback URL in Auth0 Dashboard | Add |
Android: Missing | Create activity class with |
Windows: Not calling | Add |
Using | Domain should be hostname only (e.g., |
Not requesting | Add |
| RedirectUri/PostLogoutRedirectUri not matching Dashboard | Ensure the exact URI (scheme + path) matches what's configured in Auth0 Dashboard |
| Not registering URL scheme on Android/Windows | Register the custom URL scheme in platform-specific config (see Platform setup step) |
| Storing tokens in plain text | Use |
| 错误 | 修复方案 |
|---|---|
| Auth0控制台中应用类型未设置为Native | 在控制台设置中将应用类型改为“Native” |
| Auth0控制台中缺少回调URL | 将 |
Android:缺少 | 创建带有 |
Windows:未调用 | 在Windows的 |
Domain使用 | Domain应仅为主机名(如 |
未请求 | 在 |
| RedirectUri/PostLogoutRedirectUri与控制台配置不匹配 | 确保URI(协议+路径)与Auth0控制台中的配置完全一致 |
| Android/Windows未注册URL协议 | 在平台特定配置中注册自定义URL协议(见平台设置步骤) |
| 明文存储令牌 | 使用MAUI Essentials的 |
Testing Notes
测试注意事项
Agent instruction: Remind the user to test on a physical device in addition to emulators/simulators. Some WebAuthenticator behaviors (system browser integration, URL scheme interception) may differ on physical devices vs. emulators. Test the full login → callback → token flow on real hardware before shipping.
Testing Checklist:
- Login flow: System browser opens → authenticate → returns to app
- Logout flow: Browser opens → session cleared → returns to app
- Token refresh: with stored refresh token works
RefreshTokenAsync - Cancel: User cancels login → app handles gracefully
UserCancel - Physical device: Test on real iOS/Android device (not just simulator)
- Offline: Verify token refresh works when the app is restarted
- Multi-platform: Test on at least one mobile platform (iOS or Android) and Windows
Agent 指令: 提醒用户除了模拟器/仿真器外,还要在物理设备上测试。部分WebAuthenticator行为(系统浏览器集成、URL协议拦截)在物理设备和模拟器上可能存在差异。发布前务必在真实硬件上测试完整的登录→回调→令牌流程。
测试清单:
- 登录流程:系统浏览器打开→完成认证→返回应用
- 登出流程:浏览器打开→会话清除→返回应用
- 令牌刷新:使用存储的刷新令牌调用成功
RefreshTokenAsync - 取消操作:用户取消登录→应用优雅处理错误
UserCancel - 物理设备:在真实iOS/Android设备上测试(而非仅模拟器)
- 离线测试:验证应用重启后令牌刷新功能正常
- 多平台测试:至少在一个移动平台(iOS或Android)和Windows上测试
Related Skills
相关技能
- auth0-aspnetcore-authentication — ASP.NET Core server-side web apps
- auth0-aspnetcore-api — ASP.NET Core Web API with JWT validation
- auth0-android — Android-native Kotlin apps
- auth0-swift — iOS/macOS Swift apps
- auth0-react-native — React Native mobile apps
- auth0-net-android-ios — .NET Android/iOS (non-MAUI)
- auth0-aspnetcore-authentication — ASP.NET Core服务器端Web应用
- auth0-aspnetcore-api — 带JWT验证的ASP.NET Core Web API
- auth0-android — Android原生Kotlin应用
- auth0-swift — iOS/macOS Swift应用
- auth0-react-native — React Native移动应用
- auth0-net-android-ios — .NET Android/iOS(非MAUI)
Quick Reference
快速参考
csharp
using Auth0.OidcClient;
// Initialize client
var client = new Auth0Client(new Auth0ClientOptions
{
Domain = "YOUR_AUTH0_DOMAIN",
ClientId = "YOUR_AUTH0_CLIENT_ID",
RedirectUri = "myapp://callback",
PostLogoutRedirectUri = "myapp://callback",
Scope = "openid profile email offline_access"
});
// Login — opens system browser
var loginResult = await client.LoginAsync();
if (!loginResult.IsError)
{
var user = loginResult.User;
var accessToken = loginResult.AccessToken;
var idToken = loginResult.IdentityToken;
var refreshToken = loginResult.RefreshToken;
// Access user claims
var name = user.FindFirst("name")?.Value;
var email = user.FindFirst("email")?.Value;
// Persist refresh token securely for session restoration
if (!string.IsNullOrEmpty(refreshToken))
await SecureStorage.Default.SetAsync("refresh_token", refreshToken);
}
// Logout — clears Auth0 session and stored tokens
await client.LogoutAsync();
SecureStorage.Default.Remove("refresh_token");
// Restore session on app startup (no user interaction needed)
var savedToken = await SecureStorage.Default.GetAsync("refresh_token");
if (!string.IsNullOrEmpty(savedToken))
{
var refreshResult = await client.RefreshTokenAsync(savedToken);
if (!refreshResult.IsError)
{
var newAccessToken = refreshResult.AccessToken;
// Update stored token if rotated
if (!string.IsNullOrEmpty(refreshResult.RefreshToken))
await SecureStorage.Default.SetAsync("refresh_token", refreshResult.RefreshToken);
}
else
{
// Refresh failed — clear and require re-login
SecureStorage.Default.Remove("refresh_token");
}
}
// Get user info from /userinfo endpoint
var userInfo = await client.GetUserInfoAsync(accessToken);
// Login with extra parameters (organization, audience, connection)
var orgLogin = await client.LoginAsync(new { organization = "org_abc123" });
var apiLogin = await client.LoginAsync(new { audience = "https://my-api.example.com" });csharp
using Auth0.OidcClient;
// 初始化客户端
var client = new Auth0Client(new Auth0ClientOptions
{
Domain = "YOUR_AUTH0_DOMAIN",
ClientId = "YOUR_AUTH0_CLIENT_ID",
RedirectUri = "myapp://callback",
PostLogoutRedirectUri = "myapp://callback",
Scope = "openid profile email offline_access"
});
// 登录 — 打开系统浏览器
var loginResult = await client.LoginAsync();
if (!loginResult.IsError)
{
var user = loginResult.User;
var accessToken = loginResult.AccessToken;
var idToken = loginResult.IdentityToken;
var refreshToken = loginResult.RefreshToken;
// 访问用户声明
var name = user.FindFirst("name")?.Value;
var email = user.FindFirst("email")?.Value;
// 安全持久化刷新令牌用于会话恢复
if (!string.IsNullOrEmpty(refreshToken))
await SecureStorage.Default.SetAsync("refresh_token", refreshToken);
}
// 登出 — 清除Auth0会话和存储的令牌
await client.LogoutAsync();
SecureStorage.Default.Remove("refresh_token");
// 应用启动时恢复会话(无需用户交互)
var savedToken = await SecureStorage.Default.GetAsync("refresh_token");
if (!string.IsNullOrEmpty(savedToken))
{
var refreshResult = await client.RefreshTokenAsync(savedToken);
if (!refreshResult.IsError)
{
var newAccessToken = refreshResult.AccessToken;
// 若令牌轮转则更新存储的令牌
if (!string.IsNullOrEmpty(refreshResult.RefreshToken))
await SecureStorage.Default.SetAsync("refresh_token", refreshResult.RefreshToken);
}
else
{
// 刷新失败 — 清除令牌并要求重新登录
SecureStorage.Default.Remove("refresh_token");
}
}
// 从/userinfo端点获取用户信息
var userInfo = await client.GetUserInfoAsync(accessToken);
// 带额外参数登录(组织、受众、连接)
var orgLogin = await client.LoginAsync(new { organization = "org_abc123" });
var apiLogin = await client.LoginAsync(new { audience = "https://my-api.example.com" });Android Callback Activity (Required)
Android回调活动(必填)
csharp
[Activity(NoHistory = true, LaunchMode = LaunchMode.SingleTop, Exported = true)]
[IntentFilter(new[] { Intent.ActionView },
Categories = new[] { Intent.CategoryDefault, Intent.CategoryBrowsable },
DataScheme = CALLBACK_SCHEME)]
public class WebAuthenticatorActivity : Microsoft.Maui.Authentication.WebAuthenticatorCallbackActivity
{
const string CALLBACK_SCHEME = "myapp";
}csharp
[Activity(NoHistory = true, LaunchMode = LaunchMode.SingleTop, Exported = true)]
[IntentFilter(new[] { Intent.ActionView },
Categories = new[] { Intent.CategoryDefault, Intent.CategoryBrowsable },
DataScheme = CALLBACK_SCHEME)]
public class WebAuthenticatorActivity : Microsoft.Maui.Authentication.WebAuthenticatorCallbackActivity
{
const string CALLBACK_SCHEME = "myapp";
}Windows Platform Setup (Required — Both Steps)
Windows平台设置(必填——两步都要完成)
Step 1: Register protocol in :
Platforms/Windows/Package.appxmanifestxml
<Extensions>
<uap:Extension Category="windows.protocol">
<uap:Protocol Name="myapp"/>
</uap:Extension>
</Extensions>Step 2: Handle redirection in :
Platforms/Windows/App.xaml.cscsharp
// In Platforms/Windows/App.xaml.cs
public App()
{
if (Auth0.OidcClient.Platforms.Windows.Activator.Default.CheckRedirectionActivation())
return;
this.InitializeComponent();
}步骤1:在中注册协议:
Platforms/Windows/Package.appxmanifestxml
<Extensions>
<uap:Extension Category="windows.protocol">
<uap:Protocol Name="myapp"/>
</uap:Extension>
</Extensions>步骤2:在中处理重定向:
Platforms/Windows/App.xaml.cscsharp
// 在Platforms/Windows/App.xaml.cs中
public App()
{
if (Auth0.OidcClient.Platforms.Windows.Activator.Default.CheckRedirectionActivation())
return;
this.InitializeComponent();
}