Open-source OAuth 2.0 / OIDC toolkit for .NET 10+
CoreIdent 1.0 is a complete OAuth 2.0 / OIDC foundation for .NET 10+ with passwordless authentication, secure defaults, and developer-friendly tooling. Start with the Developer Guide.
| Feature | Description | Phase |
|---|---|---|
| Phase 0A: Foundation (Crypto + Token Lifecycle) | | |
| .NET 10 Migration | Target net10.0 only, leverage C# 14 features | Complete |
| Asymmetric Keys (RS256/ES256) | Production-ready token signing with key management | Complete |
| Token Revocation (RFC 7009) | Endpoint to revoke tokens on logout or compromise | Complete |
| Token Introspection (RFC 7662) | Endpoint for resource servers to validate tokens | Complete |
| Phase 0B: Quality & DevEx (Testing + Observability + Tooling) | | |
| Test Infrastructure | CoreIdent.Testing package with fixtures, builders, assertions | Complete |
| OpenTelemetry Metrics | System.Diagnostics.Metrics integration for token issuance, auth durations | Complete |
| CLI Tool | `dotnet coreident` - init, keys generate, client add, migrations | Complete |
| Dev Container | One-click development environment for contributors | Complete |
| Phase 1: Passwordless & Developer Experience | | |
| Email Magic Links | Passwordless login via secure email tokens with pluggable provider | Complete |
| Passkeys (WebAuthn) | FIDO2/WebAuthn authentication with biometrics and hardware keys | Complete |
| SMS OTP | One-time passwords via SMS with pluggable provider interface | Complete |
| dotnet new Templates | coreident-api, coreident-server, coreident-api-fsharp templates | Complete |
| Aspire Integration | Health checks, distributed tracing, service defaults | Complete |
| Authorization Code + PKCE | Full OAuth flow with consent UI | Complete |
| Resource Owner Endpoints | /auth/register, /auth/login, /auth/profile convenience endpoints | Complete |
| OIDC UserInfo | Standard /auth/userinfo endpoint | Complete |
| Phase 1.5: Client Libraries | | |
| CoreIdent.Client | Core OAuth client for any .NET app | Phase 1.5 |
| CoreIdent.Client.Maui | MAUI with SecureStorage and WebAuthenticator | Phase 1.5 |
| CoreIdent.Client.Wpf | WPF/WinForms with DPAPI and WebView2 | Phase 1.5 |
| CoreIdent.Client.Blazor | Blazor WASM with AuthenticationStateProvider | Phase 1.5 |
| Phase 2: External Providers | | |
| Google Provider | Google OAuth integration | Phase 2 |
| Microsoft Provider | Microsoft/Entra ID integration | Phase 2 |
| GitHub Provider | GitHub OAuth integration | Phase 2 |
| Phase 3: OAuth/OIDC Hardening | | |
| Key Rotation | Automated rotation with grace period | Phase 3 |
| DPoP (RFC 9449) | Demonstrating Proof of Possession | Phase 3 |
| RAR (RFC 9396) | Rich Authorization Requests | Phase 3 |
| Device Flow (RFC 8628) | For IoT/TV apps with limited input | Phase 3 |
| PAR (RFC 9126) | Pushed Authorization Requests | Phase 3 |
| Dynamic Client Registration | RFC 7591 client registration | Phase 3 |
| Token Exchange | RFC 8693 - Impersonation, delegation | Phase 3 |
| Webhook System | Events for user, token, consent operations | Phase 3 |
| Phase 4: UI & Admin | | |
| UI Package | Razor/Blazor components for auth flows | Phase 4 |
| Self-Service Portal | Account settings, sessions, linked accounts | Phase 4 |
| Admin API | User and client management endpoints | Phase 4 |
| Multi-tenancy | Per-tenant keys, config, branding | Phase 4 |
| Phase 5: Advanced | | |
| MFA Framework | TOTP, backup codes | Phase 5 |
| Risk-Based Auth | Device fingerprint, geo-location, step-up | Phase 5 |
| Breach Detection | HaveIBeenPwned integration | Phase 5 |
| SCIM (RFC 7643/7644) | Enterprise user provisioning | Phase 5 |
| Blazor Server | Circuit-aware token management | Phase 5 |
| API Gateway Patterns | YARP integration, token exchange | Phase 5 |
| SPIFFE/SPIRE | Workload identity for service mesh | Phase 5 |
For implementation details, see these documents: