auth0-net-ios

Compare original and translation side by side

🇺🇸

Original

English
🇨🇳

Translation

Chinese

auth0-net-ios Integration

auth0-net-ios 集成

Add Auth0 authentication to .NET iOS applications. This skill integrates the
Auth0.OidcClient.iOS
NuGet package which uses
ASWebAuthenticationSession
for secure OIDC-based login and logout flows with PKCE.
Agent instruction: Before providing SDK setup instructions, fetch the latest release version by running:
bash
gh api repos/auth0/auth0-oidc-client-net/releases --jq '[.[] | select(.tag_name | startswith("ios-")) | .tag_name | ltrimstr("ios-")] | .[0]'
Use the returned version in all dependency lines instead of any hardcoded version below.
为.NET iOS应用添加Auth0身份验证功能。此技能集成了
Auth0.OidcClient.iOS
NuGet包,该包使用
ASWebAuthenticationSession
实现基于OIDC的安全登录和登出流程,并支持PKCE。
Agent 指令:在提供SDK设置说明之前,请运行以下命令获取最新版本:
bash
gh api repos/auth0/auth0-oidc-client-net/releases --jq '[.[] | select(.tag_name | startswith("ios-")) | .tag_name | ltrimstr("ios-")] | .[0]'
在所有依赖项配置行中使用返回的版本,而非下方的硬编码版本。

Prerequisites

前置条件

  • .NET 8.0 SDK or later (.NET 9 also supported — use
    net9.0-ios
    target framework)
  • JetBrains Rider or VS Code with C# Dev Kit (with iOS workload)
  • macOS with Xcode 15+
  • iOS 14.0+ deployment target
  • Auth0 account with a Native application configured
  • Node.js 20+ (for Auth0 CLI automated setup)
  • .NET 8.0 SDK或更高版本(支持.NET 9——使用
    net9.0-ios
    目标框架)
  • JetBrains Rider或安装了C# Dev Kit的VS Code(需包含iOS工作负载)
  • 装有Xcode 15+的macOS系统
  • iOS 14.0+部署目标
  • 已配置Native应用的Auth0账户
  • Node.js 20+(用于Auth0 CLI自动化设置)

When NOT to Use

不适用场景

Use CaseRecommended Skill
.NET MAUI cross-platform app (iOS + Android + Windows)
auth0-maui
.NET Android-only app
auth0-net-android
iOS-only Swift app
auth0-swift
ASP.NET Core server-side web app
auth0-aspnetcore-authentication
ASP.NET Core Web API (JWT validation)
auth0-aspnetcore-api
React Native mobile app
auth0-react-native
使用场景推荐技能
.NET MAUI跨平台应用(iOS + Android + Windows)
auth0-maui
仅.NET Android应用
auth0-net-android
仅iOS Swift应用
auth0-swift
ASP.NET Core服务器端Web应用
auth0-aspnetcore-authentication
ASP.NET Core Web API(JWT验证)
auth0-aspnetcore-api
React Native移动应用
auth0-react-native

Quick Start Workflow

快速开始流程

Agent instruction: Before starting, examine the user's project:
  1. Identify the .NET version from the
    .csproj
    file (
    TargetFramework
    )
  2. Check for existing authentication implementations — search for existing login/logout handlers and hook into them if found (reuse existing UI elements like login buttons rather than creating duplicates)
  3. Note the project's Bundle Identifier from
    Info.plist
    or
    .csproj
  4. Look for existing
    Auth0Client
    or
    Auth0ClientOptions
    usage to avoid duplicate configuration
  1. Install SDK:
    dotnet add package Auth0.OidcClient.iOS
  2. Configure Auth0: See Setup Guide for automatic or manual configuration.
  3. Integrate authentication: Add
    Auth0Client
    instantiation, register the URL scheme in
    Info.plist
    , and wire login/logout to UI actions.
  4. Handle callback: Implement
    OpenUrl
    in
    AppDelegate
    and call
    ActivityMediator.Instance.Send(url.AbsoluteString)
    .
  5. Build and verify:
    dotnet build
Agent instruction: When writing the Auth0Client configuration:
  • The iOS SDK does NOT require passing an Activity context — just
    new Auth0Client(options)
    .
  • Always set
    Scope = "openid profile email offline_access"
    — the
    offline_access
    scope is required to receive refresh tokens, enabling silent token renewal without re-prompting the user.
  • The callback URL is automatically derived from the Bundle Identifier:
    {BundleId}://{domain}/ios/{BundleId}/callback
    .
  • The Bundle Identifier must be registered as a URL scheme in
    Info.plist
    .
  • The
    AppDelegate
    must handle
    OpenUrl
    and call
    ActivityMediator.Instance.Send(url.AbsoluteString)
    .
  • Store tokens securely: After successful login, persist
    AccessToken
    and
    RefreshToken
    using iOS Keychain (via
    Security
    framework or a wrapper like
    KeychainAccess
    ). Never store tokens in
    UserDefaults
    or in-memory variables only.
After writing configuration and code, verify the build succeeds:
bash
dotnet build
If the build fails, attempt to fix the issue. After 5-6 failed attempts, ask the user for help.
Agent 指令:开始之前,请检查用户的项目:
  1. .csproj
    文件的
    TargetFramework
    字段识别.NET版本
  2. 检查是否已有身份验证实现——搜索现有的登录/登出处理程序,若存在则接入其中(重用现有UI元素如登录按钮,避免重复创建)
  3. 记录
    Info.plist
    .csproj
    中的项目Bundle Identifier
  4. 查找是否已有
    Auth0Client
    Auth0ClientOptions
    的使用,避免重复配置
  1. 安装SDK
    dotnet add package Auth0.OidcClient.iOS
  2. 配置Auth0:查看设置指南进行自动或手动配置。
  3. 集成身份验证:实例化
    Auth0Client
    ,在
    Info.plist
    中注册URL scheme,并将登录/登出操作与UI事件关联。
  4. 处理回调:在
    AppDelegate
    中实现
    OpenUrl
    方法,并调用
    ActivityMediator.Instance.Send(url.AbsoluteString)
  5. 构建并验证
    dotnet build
Agent 指令:编写Auth0Client配置时:
  • iOS SDK不需要传递Activity上下文——只需使用
    new Auth0Client(options)
  • 务必设置
    Scope = "openid profile email offline_access"
    ——
    offline_access
    作用域是获取刷新令牌的必要条件,无需重新提示用户即可实现静默令牌续期。
  • 回调URL会自动从Bundle Identifier生成:
    {BundleId}://{domain}/ios/{BundleId}/callback
  • Bundle Identifier必须在
    Info.plist
    中注册为URL scheme。
  • AppDelegate
    必须处理
    OpenUrl
    并调用
    ActivityMediator.Instance.Send(url.AbsoluteString)
  • 安全存储令牌:登录成功后,使用iOS Keychain(通过
    Security
    框架或
    KeychainAccess
    等封装库)持久化存储
    AccessToken
    RefreshToken
    。切勿将令牌存储在
    UserDefaults
    或仅存于内存变量中。
完成配置和代码编写后,验证构建是否成功:
bash
dotnet build
若构建失败,尝试修复问题。经过5-6次失败尝试后,请向用户寻求帮助。

WebAuth — How Authentication Works

WebAuth——身份验证工作原理

The SDK uses ASWebAuthenticationSession (the secure system browser). When
LoginAsync()
is called:
  1. SDK constructs the
    /authorize
    URL with PKCE parameters (code verifier + challenge)
  2. ASWebAuthenticationSession opens showing the Auth0 login page
  3. User authenticates (login form, social connections, MFA, etc.)
  4. Auth0 redirects to the native callback URL:
    {BundleId}://{domain}/ios/{BundleId}/callback
  5. iOS intercepts the URL scheme and delivers it to
    AppDelegate.OpenUrl
  6. ActivityMediator.Instance.Send(url.AbsoluteString)
    completes the token exchange
  7. SDK returns
    LoginResult
    with access token, ID token, refresh token, and user claims
This is the standard OAuth 2.0 Authorization Code flow with PKCE, recommended for native mobile applications.
SDK使用ASWebAuthenticationSession(安全系统浏览器)。调用
LoginAsync()
时:
  1. SDK构建包含PKCE参数(代码验证器+挑战值)的
    /authorize
    URL
  2. ASWebAuthenticationSession打开并显示Auth0登录页面
  3. 用户完成身份验证(登录表单、社交账号、多因素认证等)
  4. Auth0重定向到原生回调URL:
    {BundleId}://{domain}/ios/{BundleId}/callback
  5. iOS拦截URL scheme并将其传递给
    AppDelegate.OpenUrl
  6. ActivityMediator.Instance.Send(url.AbsoluteString)
    完成令牌交换
  7. SDK返回包含访问令牌、ID令牌、刷新令牌和用户声明的
    LoginResult
这是OAuth 2.0授权码流程结合PKCE的标准实现,是原生移动应用的推荐方案。

Callback URL Configuration

回调URL配置

The native callback URL for .NET iOS uses the Bundle Identifier as the scheme. The format is:
text
YOUR_BUNDLE_IDENTIFIER://YOUR_AUTH0_DOMAIN/ios/YOUR_BUNDLE_IDENTIFIER/callback
Where
YOUR_BUNDLE_IDENTIFIER
is the Bundle Identifier for your application, such as
com.mycompany.myapplication
. For example:
com.mycompany.myapp://tenant.us.auth0.com/ios/com.mycompany.myapp/callback
.
Note: Some Auth0 native SDKs use
https://{domain}/ios/{bundleId}/callback
or
{bundleId}.auth0://{domain}/ios/{bundleId}/callback
as the callback URL format. The .NET iOS SDK uses the Bundle Identifier directly as the URL scheme.
Ensure that the Callback URL is in lowercase.
This URL must be:
  1. Registered in Auth0 Dashboard under Allowed Callback URLs and Allowed Logout URLs
  2. Registered as a URL scheme in
    Info.plist
    under
    CFBundleURLSchemes
.NET iOS的原生回调URL使用Bundle Identifier作为scheme,格式如下:
text
YOUR_BUNDLE_IDENTIFIER://YOUR_AUTH0_DOMAIN/ios/YOUR_BUNDLE_IDENTIFIER/callback
其中
YOUR_BUNDLE_IDENTIFIER
是应用的Bundle Identifier,例如
com.mycompany.myapplication
。示例:
com.mycompany.myapp://tenant.us.auth0.com/ios/com.mycompany.myapp/callback
注意:部分Auth0原生SDK使用
https://{domain}/ios/{bundleId}/callback
{bundleId}.auth0://{domain}/ios/{bundleId}/callback
作为回调URL格式。而.NET iOS SDK直接使用Bundle Identifier作为URL scheme。
确保回调URL为小写。
此URL必须满足:
  1. 在Auth0控制台的Allowed Callback URLsAllowed Logout URLs中注册
  2. Info.plist
    CFBundleURLSchemes
    下注册为URL scheme

Done When

完成标准

  • Auth0.OidcClient.iOS
    package installed (latest stable version)
  • Auth0Client
    configured with Domain, ClientId, and
    Scope = "openid profile email offline_access"
  • URL scheme registered in
    Info.plist
    matching the Bundle Identifier
  • AppDelegate.OpenUrl
    implemented with
    ActivityMediator.Instance.Send(url.AbsoluteString)
  • Callback URL added to Auth0 Dashboard Allowed Callback URLs and Allowed Logout URLs
  • Tokens stored securely using iOS Keychain (
    Security
    framework with
    SecKeyChain.Add
    )
  • Login/logout flow working
  • Build succeeds with no errors
  • 已安装
    Auth0.OidcClient.iOS
    包(最新稳定版本)
  • Auth0Client
    已配置Domain、ClientId,且
    Scope = "openid profile email offline_access"
  • Info.plist
    中已注册与Bundle Identifier匹配的URL scheme
  • AppDelegate.OpenUrl
    已实现并调用
    ActivityMediator.Instance.Send(url.AbsoluteString)
  • 回调URL已添加到Auth0控制台的Allowed Callback URLs和Allowed Logout URLs
  • 已使用iOS Keychain(
    Security
    框架的
    SecKeyChain.Add
    )安全存储令牌
  • 登录/登出流程正常工作
  • 构建无错误,成功完成

Detailed Documentation

详细文档

  • Setup Guide — Auth0 tenant configuration, SDK installation, Info.plist URL scheme setup
  • Integration Patterns — Login/logout flows, token access, user profile, error handling
  • API Reference & Testing — Full
    Auth0ClientOptions
    reference, claims, testing checklist, troubleshooting
  • 设置指南 —— Auth0租户配置、SDK安装、Info.plist URL scheme设置
  • 集成模式 —— 登录/登出流程、令牌访问、用户信息、错误处理
  • API参考与测试 ——
    Auth0ClientOptions
    完整参考、声明、测试清单、故障排除

Common Mistakes

常见错误

MistakeFix
App type not set to Native in Auth0 DashboardChange application type to "Native" in Dashboard settings
Missing callback URL in Auth0 DashboardAdd
yourbundleid://{domain}/ios/yourbundleid/callback
to Allowed Callback URLs AND Allowed Logout URLs
Missing URL scheme in Info.plistAdd
CFBundleURLSchemes
entry matching your Bundle Identifier
Not handling
OpenUrl
in AppDelegate
Override
OpenUrl
and call
ActivityMediator.Instance.Send(url.AbsoluteString)
Using
https://
prefix in Domain
Domain should be hostname only (e.g.,
tenant.auth0.com
, not
https://tenant.auth0.com
)
Passing Activity context to Auth0Client (Android pattern)iOS does not need context — just
new Auth0Client(options)
URL scheme not matching Bundle IdentifierThe CFBundleURLSchemes value must exactly match the Bundle Identifier
Storing tokens in
UserDefaults
or only in memory
Use iOS Keychain via the
Security
framework (
SecKeyChain.Add
) for token persistence
错误修复方案
Auth0控制台中应用类型未设置为Native在控制台设置中将应用类型改为“Native”
Auth0控制台中缺少回调URL
yourbundleid://{domain}/ios/yourbundleid/callback
添加到Allowed Callback URLs和Allowed Logout URLs
Info.plist中缺少URL scheme添加与Bundle Identifier匹配的
CFBundleURLSchemes
条目
AppDelegate中未处理
OpenUrl
重写
OpenUrl
方法并调用
ActivityMediator.Instance.Send(url.AbsoluteString)
Domain使用
https://
前缀
Domain应仅为主机名(例如
tenant.auth0.com
,而非
https://tenant.auth0.com
向Auth0Client传递Activity上下文(Android模式)iOS不需要上下文——只需使用
new Auth0Client(options)
URL scheme与Bundle Identifier不匹配CFBundleURLSchemes的值必须与Bundle Identifier完全一致
将令牌存储在
UserDefaults
或仅存于内存
使用
Security
框架的iOS Keychain(
SecKeyChain.Add
)持久化存储令牌

Testing Notes

测试说明

Agent instruction: Remind the user to test on a physical device in addition to simulators. Some WebAuth/ASWebAuthenticationSession behaviors may differ on physical devices vs. simulators. Test the full login → callback → token flow on real hardware before shipping.
Physical Device Testing:
  • Login flow: ASWebAuthenticationSession opens → authenticate → returns to app
  • Callback:
    OpenUrl
    fires in AppDelegate with correct URL
  • Logout flow: Browser opens → session cleared → returns to app
  • Cancel: User dismisses sheet → app handles
    UserCancel
    gracefully
Agent 指令:提醒用户除了模拟器外,还要在物理设备上进行测试。部分WebAuth/ASWebAuthenticationSession的行为在物理设备和模拟器上可能有所不同。发布前请在真实硬件上测试完整的登录→回调→令牌流程。
物理设备测试:
  • 登录流程:ASWebAuthenticationSession打开→完成身份验证→返回应用
  • 回调:
    OpenUrl
    在AppDelegate中触发并携带正确URL
  • 登出流程:浏览器打开→会话清除→返回应用
  • 取消操作:用户关闭弹窗→应用优雅处理
    UserCancel

Related Skills

相关技能

  • auth0-maui — .NET MAUI cross-platform apps (iOS + Android + Windows)
  • auth0-net-android — .NET Android-only apps
  • auth0-swift — iOS-only Swift apps
  • auth0-aspnetcore-authentication — ASP.NET Core server-side web apps
  • auth0-aspnetcore-api — ASP.NET Core Web API with JWT validation
  • auth0-maui —— .NET MAUI跨平台应用(iOS + Android + Windows)
  • auth0-net-android —— 仅.NET Android应用
  • auth0-swift —— 仅iOS Swift应用
  • auth0-aspnetcore-authentication —— ASP.NET Core服务器端Web应用
  • auth0-aspnetcore-api —— 带JWT验证的ASP.NET Core Web API

Quick Reference

快速参考

csharp
using Auth0.OidcClient;

var client = new Auth0Client(new Auth0ClientOptions
{
    Domain = "YOUR_AUTH0_DOMAIN",
    ClientId = "YOUR_AUTH0_CLIENT_ID",
    Scope = "openid profile email offline_access"
});

var loginResult = await client.LoginAsync();
BrowserResultType browserResult = await client.LogoutAsync();
Agent instruction: Always include
offline_access
in the scope to enable refresh tokens. This allows the app to silently refresh access tokens without forcing the user to re-authenticate.
Agent instruction: After login, always persist tokens to the iOS Keychain using the
Security
framework (
SecKeyChain.Add
with
SecAccessible.WhenUnlockedThisDeviceOnly
). Never store tokens in
UserDefaults
or leave them only in memory. Clear tokens on logout. See Integration Patterns for the full
SecureTokenStorage
helper class.
csharp
using Auth0.OidcClient;

var client = new Auth0Client(new Auth0ClientOptions
{
    Domain = "YOUR_AUTH0_DOMAIN",
    ClientId = "YOUR_AUTH0_CLIENT_ID",
    Scope = "openid profile email offline_access"
});

var loginResult = await client.LoginAsync();
BrowserResultType browserResult = await client.LogoutAsync();
Agent 指令:务必在作用域中包含
offline_access
以启用刷新令牌。这允许应用静默刷新访问令牌,无需强制用户重新身份验证。
Agent 指令:登录后,务必使用
Security
框架(
SecKeyChain.Add
并设置
SecAccessible.WhenUnlockedThisDeviceOnly
)将令牌持久化到iOS Keychain。切勿将令牌存储在
UserDefaults
或仅存于内存中。登出时清除令牌。完整的
SecureTokenStorage
辅助类请查看集成模式

Required Platform Configuration

必需的平台配置

These two pieces are required for the callback to work — see Setup Guide for full code:
  1. Info.plist: Add
    CFBundleURLSchemes
    entry matching the Bundle Identifier
  2. AppDelegate: Override
    OpenUrl
    and call
    ActivityMediator.Instance.Send(url.AbsoluteString)
For login with extra parameters, error handling, token refresh, user claims access, and complete ViewController examples, see Integration Patterns.
回调功能正常工作需要以下两项配置——完整代码请查看设置指南
  1. Info.plist:添加与Bundle Identifier匹配的
    CFBundleURLSchemes
    条目
  2. AppDelegate:重写
    OpenUrl
    方法并调用
    ActivityMediator.Instance.Send(url.AbsoluteString)
如需了解带额外参数的登录、错误处理、令牌刷新、用户声明访问以及完整的ViewController示例,请查看集成模式

References

参考链接