Stats
Actions
Tags
'%20stop-opacity%3D'0.16'%2F%3E%3Cstop%20offset%3D'1'%20stop-color%3D'rgb(200%2C90%2C60)'%20stop-opacity%3D'0.03'%2F%3E%3C%2FlinearGradient%3E%3C%2Fdefs%3E%3Crect%20width%3D'320'%20height%3D'200'%20fill%3D'url(%23g)'%2F%3E%3Ccircle%20cx%3D'250'%20cy%3D'56'%20r%3D'92'%20fill%3D'rgb(200%2C90%2C60)'%20fill-opacity%3D'0.06'%2F%3E%3Ccircle%20cx%3D'64'%20cy%3D'172'%20r%3D'58'%20fill%3D'rgb(200%2C90%2C60)'%20fill-opacity%3D'0.05'%2F%3E%3C%2Fsvg%3E)
From auth0
Adds Auth0 login, logout, and token management to .NET MAUI cross-platform apps for iOS, Android, macOS, and Windows.
How this skill is triggered — by the user, by Claude, or both
Slash command
/auth0:auth0-mauiThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Add Auth0 authentication to .NET MAUI applications targeting iOS, Android, macOS, and Windows. This skill integrates the `Auth0.OidcClient.MAUI` NuGet package which uses the system browser via MAUI's `WebAuthenticator` for secure OIDC-based login and logout flows with PKCE.
Add Auth0 authentication to .NET MAUI applications targeting iOS, Android, macOS, and Windows. This skill integrates the Auth0.OidcClient.MAUI NuGet package which uses the system browser via MAUI's WebAuthenticator for secure OIDC-based login and logout flows with PKCE.
Agent instruction: Before providing SDK setup instructions, fetch the latest MAUI release version by running:
gh api repos/auth0/auth0-oidc-client-net/releases --jq '[.[] | select(.tag_name | startswith("maui-")) | .tag_name | ltrimstr("maui-")] | .[0]'Use the returned version in all dependency lines instead of any hardcoded version below.
| Use Case | Recommended Skill |
|---|---|
| ASP.NET Core server-side web app | auth0-aspnetcore-authentication |
| ASP.NET Core Web API (JWT validation) | auth0-aspnetcore-api |
| React Native mobile app | auth0-react-native |
| iOS-only Swift app | auth0-swift |
| Android-only Kotlin app | auth0-android |
| Expo React Native app | auth0-expo |
Agent instruction: Before starting, examine the user's project:
- Identify the .NET version from the
.csprojfile (TargetFrameworks)- Check for existing authentication implementations — search for existing login/logout handlers and hook into them if found
- Note the project's namespace and directory conventions
- Look for existing
Auth0ClientorAuth0ClientOptionsusage to avoid duplicate configuration
dotnet add package Auth0.OidcClient.MAUIAuth0Client instantiation and wire login/logout to UI actions.
Scope = "openid profile email offline_access" — the offline_access scope is required to receive a refresh token for silent token renewal.await SecureStorage.Default.SetAsync("refresh_token", loginResult.RefreshToken). On app startup, restore the session with RefreshTokenAsync. Clear on logout with SecureStorage.Default.Remove("refresh_token").WebAuthenticatorActivity with IntentFilter for your custom scheme (e.g., myapp)<uap:Extension Category="windows.protocol"><uap:Protocol Name="myapp"/></uap:Extension> to Platforms/Windows/Package.appxmanifest, AND (2) call Activator.Default.CheckRedirectionActivation() in Platforms/Windows/App.xaml.csdotnet buildAgent instruction: When writing the Auth0Client configuration:
- ALWAYS include
offline_accessin the Scope string — without it, no refresh token is returned and the user must re-authenticate every time the access token expires.- ALWAYS implement token persistence using
SecureStorage.Default.SetAsync("refresh_token", ...)after login andSecureStorage.Default.GetAsync("refresh_token")on app startup to restore sessions silently.- Clear stored tokens on logout with
SecureStorage.Default.Remove("refresh_token").- ALWAYS create/update
Platforms/Windows/Package.appxmanifestto register the custom URL scheme protocol. Without this, Windows will not intercept the callback URL after authentication. Add a<uap:Extension Category="windows.protocol"><uap:Protocol Name="myapp"/></uap:Extension>inside the<Extensions>element of the<Application>node.- ALWAYS add
CheckRedirectionActivation()inPlatforms/Windows/App.xaml.csas the first line in the constructor, beforeInitializeComponent().After writing configuration and code, verify the build succeeds:
dotnet buildIf the build fails, attempt to fix the issue. After 5-6 failed attempts, ask the user for help.
The MAUI SDK uses a custom URL scheme for callbacks. The default pattern is:
myapp://callback
Unlike other Auth0 native SDKs that use https://{domain}/{platform}/{bundleId}/callback or
{bundleId}.auth0://{domain}/ios/{bundleId}/callback patterns, MAUI uses a simpler custom scheme
approach. You can customize the scheme (e.g., com.mycompany.myapp://callback). Whatever scheme you choose must be:
IntentFilter, Windows Package.appxmanifest)Auth0ClientOptions.RedirectUri and Auth0ClientOptions.PostLogoutRedirectUriNote: For production apps, use a reverse-domain scheme (e.g.,
com.yourcompany.yourapp://callback) to reduce the risk of URL scheme hijacking.
Auth0.OidcClient.MAUI package installedAuth0Client configured with Domain, ClientId, and Scope including offline_accessmyapp://callback) added to Auth0 Dashboard Allowed Callback URLs and Allowed Logout URLsSecureStorage.Default.SetAsync after loginSecureStorage.Default.GetAsync + RefreshTokenAsync on app startupAuth0ClientOptions reference, claims, testing checklist, troubleshooting| Mistake | Fix |
|---|---|
| App type not set to Native in Auth0 Dashboard | Change application type to "Native" in Dashboard settings |
| Missing callback URL in Auth0 Dashboard | Add myapp://callback (or your scheme) to Allowed Callback URLs AND Allowed Logout URLs |
Android: Missing WebAuthenticatorCallbackActivity | Create activity class with [IntentFilter] matching your callback scheme |
Windows: Not calling CheckRedirectionActivation() | Add Activator.Default.CheckRedirectionActivation() at start of Windows App.xaml.cs, before InitializeComponent() |
Using https:// prefix in Domain | Domain should be hostname only (e.g., tenant.auth0.com, not https://tenant.auth0.com) |
Not requesting offline_access scope for token refresh | Add offline_access to Scope in Auth0ClientOptions to get a refresh token |
| RedirectUri/PostLogoutRedirectUri not matching Dashboard | Ensure the exact URI (scheme + path) matches what's configured in Auth0 Dashboard |
| Not registering URL scheme on Android/Windows | Register the custom URL scheme in platform-specific config (see Platform setup step) |
| Storing tokens in plain text | Use SecureStorage from MAUI Essentials for persisting refresh tokens |
Agent instruction: Remind the user to test on a physical device in addition to emulators/simulators. Some WebAuthenticator behaviors (system browser integration, URL scheme interception) may differ on physical devices vs. emulators. Test the full login → callback → token flow on real hardware before shipping.
Testing Checklist:
RefreshTokenAsync with stored refresh token worksUserCancel gracefullyusing Auth0.OidcClient;
// Initialize client
var client = new Auth0Client(new Auth0ClientOptions
{
Domain = "YOUR_AUTH0_DOMAIN",
ClientId = "YOUR_AUTH0_CLIENT_ID",
RedirectUri = "myapp://callback",
PostLogoutRedirectUri = "myapp://callback",
Scope = "openid profile email offline_access"
});
// Login — opens system browser
var loginResult = await client.LoginAsync();
if (!loginResult.IsError)
{
var user = loginResult.User;
var accessToken = loginResult.AccessToken;
var idToken = loginResult.IdentityToken;
var refreshToken = loginResult.RefreshToken;
// Access user claims
var name = user.FindFirst("name")?.Value;
var email = user.FindFirst("email")?.Value;
// Persist refresh token securely for session restoration
if (!string.IsNullOrEmpty(refreshToken))
await SecureStorage.Default.SetAsync("refresh_token", refreshToken);
}
// Logout — clears Auth0 session and stored tokens
await client.LogoutAsync();
SecureStorage.Default.Remove("refresh_token");
// Restore session on app startup (no user interaction needed)
var savedToken = await SecureStorage.Default.GetAsync("refresh_token");
if (!string.IsNullOrEmpty(savedToken))
{
var refreshResult = await client.RefreshTokenAsync(savedToken);
if (!refreshResult.IsError)
{
var newAccessToken = refreshResult.AccessToken;
// Update stored token if rotated
if (!string.IsNullOrEmpty(refreshResult.RefreshToken))
await SecureStorage.Default.SetAsync("refresh_token", refreshResult.RefreshToken);
}
else
{
// Refresh failed — clear and require re-login
SecureStorage.Default.Remove("refresh_token");
}
}
// Get user info from /userinfo endpoint
var userInfo = await client.GetUserInfoAsync(accessToken);
// Login with extra parameters (organization, audience, connection)
var orgLogin = await client.LoginAsync(new { organization = "org_abc123" });
var apiLogin = await client.LoginAsync(new { audience = "https://my-api.example.com" });
[Activity(NoHistory = true, LaunchMode = LaunchMode.SingleTop, Exported = true)]
[IntentFilter(new[] { Intent.ActionView },
Categories = new[] { Intent.CategoryDefault, Intent.CategoryBrowsable },
DataScheme = CALLBACK_SCHEME)]
public class WebAuthenticatorActivity : Microsoft.Maui.Authentication.WebAuthenticatorCallbackActivity
{
const string CALLBACK_SCHEME = "myapp";
}
Step 1: Register protocol in Platforms/Windows/Package.appxmanifest:
<Extensions>
<uap:Extension Category="windows.protocol">
<uap:Protocol Name="myapp"/>
</uap:Extension>
</Extensions>
Step 2: Handle redirection in Platforms/Windows/App.xaml.cs:
// In Platforms/Windows/App.xaml.cs
public App()
{
if (Auth0.OidcClient.Platforms.Windows.Activator.Default.CheckRedirectionActivation())
return;
this.InitializeComponent();
}
npx claudepluginhub auth0/agent-skills --plugin auth0Adds authentication to .NET MAUI apps using WebAuthenticator for OAuth 2.0/social logins and MSAL.NET for Microsoft Entra ID/Azure AD, with broker support, token caching, platform setups for Android/iOS/Windows, and bearer token API calls.
Adds Auth0 login and token management to .NET iOS apps using Auth0.OidcClient.iOS. Activates automatically on Add authentication to .NET iOS app or Xamarin.iOS queries.
Building .NET MAUI apps. Project structure, XAML/MVVM, platform services, current caveats.