Labsco
auth0 logo

auth0-net-ios

37

by auth0 · part of auth0/agent-skills

Use when adding Auth0 login or token management to a .NET iOS application. Integrates Auth0.OidcClient.iOS — use even if the user says "add login to my .NET iOS app" or references Xamarin iOS.

🧩 One of 7 skills in the auth0/agent-skills package — works on its own, and pairs well with its siblings.

This is the playbook your agent receives when the skill activates — you don't need to read it to use the skill, but it's here to audit before installing.

auth0-net-ios Integration

Add Auth0 authentication to .NET iOS applications. This skill integrates the Auth0.OidcClient.iOS NuGet package which uses ASWebAuthenticationSession for secure OIDC-based login and logout flows with PKCE.

Agent instruction: Before providing SDK setup instructions, fetch the latest release version by running:

gh api repos/auth0/auth0-oidc-client-net/releases --jq '[.[] | select(.tag_name | startswith("ios-")) | .tag_name | ltrimstr("ios-")] | .[0]'

Use the returned version in all dependency lines instead of any hardcoded version below.

When NOT to Use

Use CaseRecommended Skill
.NET MAUI cross-platform app (iOS + Android + Windows)auth0-maui
.NET Android-only appauth0-net-android
iOS-only Swift appauth0-swift
ASP.NET Core server-side web appauth0-aspnetcore-authentication
ASP.NET Core Web API (JWT validation)auth0-aspnetcore-api
React Native mobile appauth0-react-native

WebAuth — How Authentication Works

The SDK uses ASWebAuthenticationSession (the secure system browser). When LoginAsync() is called:

  1. SDK constructs the /authorize URL with PKCE parameters (code verifier + challenge)
  2. ASWebAuthenticationSession opens showing the Auth0 login page
  3. User authenticates (login form, social connections, MFA, etc.)
  4. Auth0 redirects to the native callback URL: {BundleId}://{domain}/ios/{BundleId}/callback
  5. iOS intercepts the URL scheme and delivers it to AppDelegate.OpenUrl
  6. ActivityMediator.Instance.Send(url.AbsoluteString) completes the token exchange
  7. SDK returns LoginResult with access token, ID token, refresh token, and user claims

This is the standard OAuth 2.0 Authorization Code flow with PKCE, recommended for native mobile applications.

Done When

  • Auth0.OidcClient.iOS package installed (latest stable version)
  • Auth0Client configured with Domain, ClientId, and Scope = "openid profile email offline_access"
  • URL scheme registered in Info.plist matching the Bundle Identifier
  • AppDelegate.OpenUrl implemented with ActivityMediator.Instance.Send(url.AbsoluteString)
  • Callback URL added to Auth0 Dashboard Allowed Callback URLs and Allowed Logout URLs
  • Tokens stored securely using iOS Keychain (Security framework with SecKeyChain.Add)
  • Login/logout flow working
  • Build succeeds with no errors

Detailed Documentation

  • Setup Guide — Auth0 tenant configuration, SDK installation, Info.plist URL scheme setup
  • Integration Patterns — Login/logout flows, token access, user profile, error handling
  • API Reference & Testing — Full Auth0ClientOptions reference, claims, testing checklist, troubleshooting

Testing Notes

Agent instruction: Remind the user to test on a physical device in addition to simulators. Some WebAuth/ASWebAuthenticationSession behaviors may differ on physical devices vs. simulators. Test the full login → callback → token flow on real hardware before shipping.

Physical Device Testing:

  • Login flow: ASWebAuthenticationSession opens → authenticate → returns to app
  • Callback: OpenUrl fires in AppDelegate with correct URL
  • Logout flow: Browser opens → session cleared → returns to app
  • Cancel: User dismisses sheet → app handles UserCancel gracefully
  • auth0-maui — .NET MAUI cross-platform apps (iOS + Android + Windows)
  • auth0-net-android — .NET Android-only apps
  • auth0-swift — iOS-only Swift apps
  • auth0-aspnetcore-authentication — ASP.NET Core server-side web apps
  • auth0-aspnetcore-api — ASP.NET Core Web API with JWT validation

Quick Reference

using Auth0.OidcClient;

var client = new Auth0Client(new Auth0ClientOptions
{
    Domain = "YOUR_AUTH0_DOMAIN",
    ClientId = "YOUR_AUTH0_CLIENT_ID",
    Scope = "openid profile email offline_access"
});

var loginResult = await client.LoginAsync();
BrowserResultType browserResult = await client.LogoutAsync();

Agent instruction: Always include offline_access in the scope to enable refresh tokens. This allows the app to silently refresh access tokens without forcing the user to re-authenticate.

Agent instruction: After login, always persist tokens to the iOS Keychain using the Security framework (SecKeyChain.Add with SecAccessible.WhenUnlockedThisDeviceOnly). Never store tokens in UserDefaults or leave them only in memory. Clear tokens on logout. See Integration Patterns for the full SecureTokenStorage helper class.

Required Platform Configuration

These two pieces are required for the callback to work — see Setup Guide for full code:

  1. Info.plist: Add CFBundleURLSchemes entry matching the Bundle Identifier
  2. AppDelegate: Override OpenUrl and call ActivityMediator.Instance.Send(url.AbsoluteString)

For login with extra parameters, error handling, token refresh, user claims access, and complete ViewController examples, see Integration Patterns.

References