auth0-net-ios
Compare original and translation side by side
🇺🇸
Original
English🇨🇳
Translation
Chineseauth0-net-ios Integration
auth0-net-ios 集成
Add Auth0 authentication to .NET iOS applications. This skill integrates the NuGet package which uses for secure OIDC-based login and logout flows with PKCE.
Auth0.OidcClient.iOSASWebAuthenticationSessionAgent instruction: Before providing SDK setup instructions, fetch the latest release version by running:bashgh api repos/auth0/auth0-oidc-client-net/releases --jq '[.[] | select(.tag_name | startswith("ios-")) | .tag_name | ltrimstr("ios-")] | .[0]'Use the returned version in all dependency lines instead of any hardcoded version below.
为.NET iOS应用添加Auth0身份验证功能。此技能集成了 NuGet包,该包使用实现基于OIDC的安全登录和登出流程,并支持PKCE。
Auth0.OidcClient.iOSASWebAuthenticationSessionAgent 指令:在提供SDK设置说明之前,请运行以下命令获取最新版本:bashgh api repos/auth0/auth0-oidc-client-net/releases --jq '[.[] | select(.tag_name | startswith("ios-")) | .tag_name | ltrimstr("ios-")] | .[0]'在所有依赖项配置行中使用返回的版本,而非下方的硬编码版本。
Prerequisites
前置条件
- .NET 8.0 SDK or later (.NET 9 also supported — use target framework)
net9.0-ios - JetBrains Rider or VS Code with C# Dev Kit (with iOS workload)
- macOS with Xcode 15+
- iOS 14.0+ deployment target
- Auth0 account with a Native application configured
- Node.js 20+ (for Auth0 CLI automated setup)
- .NET 8.0 SDK或更高版本(支持.NET 9——使用目标框架)
net9.0-ios - JetBrains Rider或安装了C# Dev Kit的VS Code(需包含iOS工作负载)
- 装有Xcode 15+的macOS系统
- iOS 14.0+部署目标
- 已配置Native应用的Auth0账户
- Node.js 20+(用于Auth0 CLI自动化设置)
When NOT to Use
不适用场景
| Use Case | Recommended Skill |
|---|---|
| .NET MAUI cross-platform app (iOS + Android + Windows) | |
| .NET Android-only app | |
| iOS-only Swift app | |
| ASP.NET Core server-side web app | |
| ASP.NET Core Web API (JWT validation) | |
| React Native mobile app | |
| 使用场景 | 推荐技能 |
|---|---|
| .NET MAUI跨平台应用(iOS + Android + Windows) | |
| 仅.NET Android应用 | |
| 仅iOS Swift应用 | |
| ASP.NET Core服务器端Web应用 | |
| ASP.NET Core Web API(JWT验证) | |
| React Native移动应用 | |
Quick Start Workflow
快速开始流程
Agent instruction: Before starting, examine the user's project:
- Identify the .NET version from the
file (.csproj)TargetFramework- Check for existing authentication implementations — search for existing login/logout handlers and hook into them if found (reuse existing UI elements like login buttons rather than creating duplicates)
- Note the project's Bundle Identifier from
orInfo.plist.csproj- Look for existing
orAuth0Clientusage to avoid duplicate configurationAuth0ClientOptions
- Install SDK:
dotnet add package Auth0.OidcClient.iOS - Configure Auth0: See Setup Guide for automatic or manual configuration.
- Integrate authentication: Add instantiation, register the URL scheme in
Auth0Client, and wire login/logout to UI actions.Info.plist - Handle callback: Implement in
OpenUrland callAppDelegate.ActivityMediator.Instance.Send(url.AbsoluteString) - Build and verify:
dotnet build
Agent instruction: When writing the Auth0Client configuration:
- The iOS SDK does NOT require passing an Activity context — just
.new Auth0Client(options)- Always set
— theScope = "openid profile email offline_access"scope is required to receive refresh tokens, enabling silent token renewal without re-prompting the user.offline_access- The callback URL is automatically derived from the Bundle Identifier:
.{BundleId}://{domain}/ios/{BundleId}/callback- The Bundle Identifier must be registered as a URL scheme in
.Info.plist- The
must handleAppDelegateand callOpenUrl.ActivityMediator.Instance.Send(url.AbsoluteString)- Store tokens securely: After successful login, persist
andAccessTokenusing iOS Keychain (viaRefreshTokenframework or a wrapper likeSecurity). Never store tokens inKeychainAccessor in-memory variables only.UserDefaultsAfter writing configuration and code, verify the build succeeds:bashdotnet buildIf the build fails, attempt to fix the issue. After 5-6 failed attempts, ask the user for help.
Agent 指令:开始之前,请检查用户的项目:
- 从
文件的.csproj字段识别.NET版本TargetFramework- 检查是否已有身份验证实现——搜索现有的登录/登出处理程序,若存在则接入其中(重用现有UI元素如登录按钮,避免重复创建)
- 记录
或Info.plist中的项目Bundle Identifier.csproj- 查找是否已有
或Auth0Client的使用,避免重复配置Auth0ClientOptions
- 安装SDK:
dotnet add package Auth0.OidcClient.iOS - 配置Auth0:查看设置指南进行自动或手动配置。
- 集成身份验证:实例化,在
Auth0Client中注册URL scheme,并将登录/登出操作与UI事件关联。Info.plist - 处理回调:在中实现
AppDelegate方法,并调用OpenUrl。ActivityMediator.Instance.Send(url.AbsoluteString) - 构建并验证:
dotnet build
Agent 指令:编写Auth0Client配置时:
- iOS SDK不需要传递Activity上下文——只需使用
。new Auth0Client(options)- 务必设置
——Scope = "openid profile email offline_access"作用域是获取刷新令牌的必要条件,无需重新提示用户即可实现静默令牌续期。offline_access- 回调URL会自动从Bundle Identifier生成:
。{BundleId}://{domain}/ios/{BundleId}/callback- Bundle Identifier必须在
中注册为URL scheme。Info.plist 必须处理AppDelegate并调用OpenUrl。ActivityMediator.Instance.Send(url.AbsoluteString)- 安全存储令牌:登录成功后,使用iOS Keychain(通过
框架或Security等封装库)持久化存储KeychainAccess和AccessToken。切勿将令牌存储在RefreshToken或仅存于内存变量中。UserDefaults完成配置和代码编写后,验证构建是否成功:bashdotnet build若构建失败,尝试修复问题。经过5-6次失败尝试后,请向用户寻求帮助。
WebAuth — How Authentication Works
WebAuth——身份验证工作原理
The SDK uses ASWebAuthenticationSession (the secure system browser). When is called:
LoginAsync()- SDK constructs the URL with PKCE parameters (code verifier + challenge)
/authorize - ASWebAuthenticationSession opens showing the Auth0 login page
- User authenticates (login form, social connections, MFA, etc.)
- Auth0 redirects to the native callback URL:
{BundleId}://{domain}/ios/{BundleId}/callback - iOS intercepts the URL scheme and delivers it to
AppDelegate.OpenUrl - completes the token exchange
ActivityMediator.Instance.Send(url.AbsoluteString) - SDK returns with access token, ID token, refresh token, and user claims
LoginResult
This is the standard OAuth 2.0 Authorization Code flow with PKCE, recommended for native mobile applications.
SDK使用ASWebAuthenticationSession(安全系统浏览器)。调用时:
LoginAsync()- SDK构建包含PKCE参数(代码验证器+挑战值)的URL
/authorize - ASWebAuthenticationSession打开并显示Auth0登录页面
- 用户完成身份验证(登录表单、社交账号、多因素认证等)
- Auth0重定向到原生回调URL:
{BundleId}://{domain}/ios/{BundleId}/callback - iOS拦截URL scheme并将其传递给
AppDelegate.OpenUrl - 完成令牌交换
ActivityMediator.Instance.Send(url.AbsoluteString) - SDK返回包含访问令牌、ID令牌、刷新令牌和用户声明的
LoginResult
这是OAuth 2.0授权码流程结合PKCE的标准实现,是原生移动应用的推荐方案。
Callback URL Configuration
回调URL配置
The native callback URL for .NET iOS uses the Bundle Identifier as the scheme. The format is:
text
YOUR_BUNDLE_IDENTIFIER://YOUR_AUTH0_DOMAIN/ios/YOUR_BUNDLE_IDENTIFIER/callbackWhere is the Bundle Identifier for your application, such as . For example: .
YOUR_BUNDLE_IDENTIFIERcom.mycompany.myapplicationcom.mycompany.myapp://tenant.us.auth0.com/ios/com.mycompany.myapp/callbackNote: Some Auth0 native SDKs useorhttps://{domain}/ios/{bundleId}/callbackas the callback URL format. The .NET iOS SDK uses the Bundle Identifier directly as the URL scheme.{bundleId}.auth0://{domain}/ios/{bundleId}/callback
Ensure that the Callback URL is in lowercase.
This URL must be:
- Registered in Auth0 Dashboard under Allowed Callback URLs and Allowed Logout URLs
- Registered as a URL scheme in under
Info.plistCFBundleURLSchemes
.NET iOS的原生回调URL使用Bundle Identifier作为scheme,格式如下:
text
YOUR_BUNDLE_IDENTIFIER://YOUR_AUTH0_DOMAIN/ios/YOUR_BUNDLE_IDENTIFIER/callback其中是应用的Bundle Identifier,例如。示例:。
YOUR_BUNDLE_IDENTIFIERcom.mycompany.myapplicationcom.mycompany.myapp://tenant.us.auth0.com/ios/com.mycompany.myapp/callback注意:部分Auth0原生SDK使用或https://{domain}/ios/{bundleId}/callback作为回调URL格式。而.NET iOS SDK直接使用Bundle Identifier作为URL scheme。{bundleId}.auth0://{domain}/ios/{bundleId}/callback
确保回调URL为小写。
此URL必须满足:
- 在Auth0控制台的Allowed Callback URLs和Allowed Logout URLs中注册
- 在的
Info.plist下注册为URL schemeCFBundleURLSchemes
Done When
完成标准
- package installed (latest stable version)
Auth0.OidcClient.iOS - configured with Domain, ClientId, and
Auth0ClientScope = "openid profile email offline_access" - URL scheme registered in matching the Bundle Identifier
Info.plist - implemented with
AppDelegate.OpenUrlActivityMediator.Instance.Send(url.AbsoluteString) - Callback URL added to Auth0 Dashboard Allowed Callback URLs and Allowed Logout URLs
- Tokens stored securely using iOS Keychain (framework with
Security)SecKeyChain.Add - Login/logout flow working
- Build succeeds with no errors
- 已安装包(最新稳定版本)
Auth0.OidcClient.iOS - 已配置Domain、ClientId,且
Auth0ClientScope = "openid profile email offline_access" - 中已注册与Bundle Identifier匹配的URL scheme
Info.plist - 已实现并调用
AppDelegate.OpenUrlActivityMediator.Instance.Send(url.AbsoluteString) - 回调URL已添加到Auth0控制台的Allowed Callback URLs和Allowed Logout URLs
- 已使用iOS Keychain(框架的
Security)安全存储令牌SecKeyChain.Add - 登录/登出流程正常工作
- 构建无错误,成功完成
Detailed Documentation
详细文档
- Setup Guide — Auth0 tenant configuration, SDK installation, Info.plist URL scheme setup
- Integration Patterns — Login/logout flows, token access, user profile, error handling
- API Reference & Testing — Full reference, claims, testing checklist, troubleshooting
Auth0ClientOptions
- 设置指南 —— Auth0租户配置、SDK安装、Info.plist URL scheme设置
- 集成模式 —— 登录/登出流程、令牌访问、用户信息、错误处理
- API参考与测试 —— 完整参考、声明、测试清单、故障排除
Auth0ClientOptions
Common Mistakes
常见错误
| Mistake | Fix |
|---|---|
| App type not set to Native in Auth0 Dashboard | Change application type to "Native" in Dashboard settings |
| Missing callback URL in Auth0 Dashboard | Add |
| Missing URL scheme in Info.plist | Add |
Not handling | Override |
Using | Domain should be hostname only (e.g., |
| Passing Activity context to Auth0Client (Android pattern) | iOS does not need context — just |
| URL scheme not matching Bundle Identifier | The CFBundleURLSchemes value must exactly match the Bundle Identifier |
Storing tokens in | Use iOS Keychain via the |
| 错误 | 修复方案 |
|---|---|
| Auth0控制台中应用类型未设置为Native | 在控制台设置中将应用类型改为“Native” |
| Auth0控制台中缺少回调URL | 将 |
| Info.plist中缺少URL scheme | 添加与Bundle Identifier匹配的 |
AppDelegate中未处理 | 重写 |
Domain使用 | Domain应仅为主机名(例如 |
| 向Auth0Client传递Activity上下文(Android模式) | iOS不需要上下文——只需使用 |
| URL scheme与Bundle Identifier不匹配 | CFBundleURLSchemes的值必须与Bundle Identifier完全一致 |
将令牌存储在 | 使用 |
Testing Notes
测试说明
Agent instruction: Remind the user to test on a physical device in addition to simulators. Some WebAuth/ASWebAuthenticationSession behaviors may differ on physical devices vs. simulators. Test the full login → callback → token flow on real hardware before shipping.
Physical Device Testing:
- Login flow: ASWebAuthenticationSession opens → authenticate → returns to app
- Callback: fires in AppDelegate with correct URL
OpenUrl - Logout flow: Browser opens → session cleared → returns to app
- Cancel: User dismisses sheet → app handles gracefully
UserCancel
Agent 指令:提醒用户除了模拟器外,还要在物理设备上进行测试。部分WebAuth/ASWebAuthenticationSession的行为在物理设备和模拟器上可能有所不同。发布前请在真实硬件上测试完整的登录→回调→令牌流程。
物理设备测试:
- 登录流程:ASWebAuthenticationSession打开→完成身份验证→返回应用
- 回调:在AppDelegate中触发并携带正确URL
OpenUrl - 登出流程:浏览器打开→会话清除→返回应用
- 取消操作:用户关闭弹窗→应用优雅处理
UserCancel
Related Skills
相关技能
- auth0-maui — .NET MAUI cross-platform apps (iOS + Android + Windows)
- auth0-net-android — .NET Android-only apps
- auth0-swift — iOS-only Swift apps
- auth0-aspnetcore-authentication — ASP.NET Core server-side web apps
- auth0-aspnetcore-api — ASP.NET Core Web API with JWT validation
- auth0-maui —— .NET MAUI跨平台应用(iOS + Android + Windows)
- auth0-net-android —— 仅.NET Android应用
- auth0-swift —— 仅iOS Swift应用
- auth0-aspnetcore-authentication —— ASP.NET Core服务器端Web应用
- auth0-aspnetcore-api —— 带JWT验证的ASP.NET Core Web API
Quick Reference
快速参考
csharp
using Auth0.OidcClient;
var client = new Auth0Client(new Auth0ClientOptions
{
Domain = "YOUR_AUTH0_DOMAIN",
ClientId = "YOUR_AUTH0_CLIENT_ID",
Scope = "openid profile email offline_access"
});
var loginResult = await client.LoginAsync();
BrowserResultType browserResult = await client.LogoutAsync();Agent instruction: Always includein the scope to enable refresh tokens. This allows the app to silently refresh access tokens without forcing the user to re-authenticate.offline_accessAgent instruction: After login, always persist tokens to the iOS Keychain using theframework (SecuritywithSecKeyChain.Add). Never store tokens inSecAccessible.WhenUnlockedThisDeviceOnlyor leave them only in memory. Clear tokens on logout. See Integration Patterns for the fullUserDefaultshelper class.SecureTokenStorage
csharp
using Auth0.OidcClient;
var client = new Auth0Client(new Auth0ClientOptions
{
Domain = "YOUR_AUTH0_DOMAIN",
ClientId = "YOUR_AUTH0_CLIENT_ID",
Scope = "openid profile email offline_access"
});
var loginResult = await client.LoginAsync();
BrowserResultType browserResult = await client.LogoutAsync();Agent 指令:务必在作用域中包含以启用刷新令牌。这允许应用静默刷新访问令牌,无需强制用户重新身份验证。offline_accessAgent 指令:登录后,务必使用框架(Security并设置SecKeyChain.Add)将令牌持久化到iOS Keychain。切勿将令牌存储在SecAccessible.WhenUnlockedThisDeviceOnly或仅存于内存中。登出时清除令牌。完整的UserDefaults辅助类请查看集成模式。SecureTokenStorage
Required Platform Configuration
必需的平台配置
These two pieces are required for the callback to work — see Setup Guide for full code:
- Info.plist: Add entry matching the Bundle Identifier
CFBundleURLSchemes - AppDelegate: Override and call
OpenUrlActivityMediator.Instance.Send(url.AbsoluteString)
For login with extra parameters, error handling, token refresh, user claims access, and complete ViewController examples, see Integration Patterns.
回调功能正常工作需要以下两项配置——完整代码请查看设置指南:
- Info.plist:添加与Bundle Identifier匹配的条目
CFBundleURLSchemes - AppDelegate:重写方法并调用
OpenUrlActivityMediator.Instance.Send(url.AbsoluteString)
如需了解带额外参数的登录、错误处理、令牌刷新、用户声明访问以及完整的ViewController示例,请查看集成模式。