SimpleAuthenticationTools 2.0.8

.NET 6.0
dotnet add package SimpleAuthenticationTools --version 2.0.8
NuGet\Install-Package SimpleAuthenticationTools -Version 2.0.8
This command is intended to be used within the Package Manager Console in Visual Studio, as it uses the NuGet module's version of Install-Package.
<PackageReference Include="SimpleAuthenticationTools" Version="2.0.8" />
For projects that support PackageReference, copy this XML node into the project file to reference the package.
paket add SimpleAuthenticationTools --version 2.0.8
#r "nuget: SimpleAuthenticationTools, 2.0.8"
#r directive can be used in F# Interactive and Polyglot Notebooks. Copy this into the interactive tool or source code of the script to reference the package.
// Install SimpleAuthenticationTools as a Cake Addin
#addin nuget:?package=SimpleAuthenticationTools&version=2.0.8

// Install SimpleAuthenticationTools as a Cake Tool
#tool nuget:?package=SimpleAuthenticationTools&version=2.0.8

Simple Authentication for ASP.NET Core

Lint Code Base CodeQL Nuget Nuget License: MIT

A library to easily integrate Authentication in ASP.NET Core projects. Currently it supports JWT Bearer, API Key and Basic Authentication in both Controller-based and Minimal API projects.


The library is available on NuGet. Just search for SimpleAuthenticationTools in the Package Manager GUI or run the following command in the .NET CLI:

dotnet add package SimpleAuthenticationTools

Usage Video

Take a look to a quick demo showing how to integrate the library:

Simple Authentication for ASP.NET Core


Authentication can be totally configured adding an Authentication section in the appsettings.json file:

"Authentication": {
  "DefaultScheme": "Bearer", // Optional
  "JwtBearer": {
      "SchemeName": "Bearer" // Default: Bearer
      "SecurityKey": "supersecretsecuritykey42!", // Required
      "Algorithm": "HS256", // Default: HS256
      "Issuers": [ "issuer" ], // Optional
      "Audiences": [ "audience" ], // Optional
      "ExpirationTime": "01:00:00", // Default: No expiration
      "ClockSkew": "00:02:00", // Default: 5 minutes
      "EnableJwtBearerService": true // Default: true
  "ApiKey": {
      "SchemeName": "MyApiKeyScheme", // Default: ApiKey
      // You can specify either HeaderName, QueryStringKey or both
      "HeaderName": "x-api-key",
      "QueryStringKey": "code",
      // Uncomment this line if you want to validate the API Key against a fixed value.
      // Otherwise, you need to register an IApiKeyValidator implementation that will be used
      // to validate the API Key.
      //"ApiKeyValue": "f1I7S5GXa4wQDgLQWgz0",
      "UserName": "ApiUser" // Required if ApiKeyValue is used
  "Basic": {
      "SchemeName": "Basic", // Default: Basic
      // Uncomment the following lines if you want to validate user name and password
      // against fixed values.
      // Otherwise, you need to register an IBasicAuthenticationValidator implementation
      // that will be used to validate the credentials.
      //"UserName": "marco",
      //"Password": "P@$$w0rd"

You can configure only the kind of authentication you want to use, or you can include all of them.

The DefaultScheme attribute is used to specify what kind of authentication must be configured as default. Allowed values are the values of the SchemeName attributes.

Registering authentication at Startup

using SimpleAuthentication;

var builder = WebApplication.CreateBuilder(args);

// ...
// Registers authentication schemes and services using IConfiguration information (see above).

builder.Services.AddSwaggerGen(options =>
    // ...
    // Add this line to integrate authentication with Swagger.

// ...

var app = builder.Build();

// The following middlewares aren't strictly necessary in .NET 7.0, because they are automatically
// added when detecting that the corresponding services have been registered. However, you may
// need to call them explicitly if the default middlewares configuration is not correct for your
// app, for example when you need to use CORS.
// Check
// for more information.



Creating a JWT Bearer

When using JWT Bearer authentication, you can set the EnableJwtBearerService setting to true to automatically register an implementation of the IJwtBearerService interface to create a valid JWT Bearer, according to the setting you have specified in the appsettings.json file:

app.MapPost("api/auth/login", (LoginRequest loginRequest, IJwtBearerService jwtBearerService) =>
    // Check for login rights...

    // Add custom claims (optional).
    var claims = new List<Claim>
        new(ClaimTypes.GivenName, "Marco"),
        new(ClaimTypes.Surname, "Minerva")

    var token = jwtBearerService.CreateToken(loginRequest.UserName, claims);
    return TypedResults.Ok(new LoginResponse(token));

public record class LoginRequest(string UserName, string Password);

public record class LoginResponse(string Token);

The IJwtBearerService.CreateToken method allows to specify the issuer and the audience of the token. If you don't specify any value, the first ones defined in appsettings.json will be used.

Supporting multiple API Keys/Basic Authentication credentials

When using API Key or Basic Authentication, you can specify multiple fixed values for authentication:

"Authentication": {
    "ApiKey": {
        "ApiKeys": [
                "Value": "key-1",
                "UserName": "UserName1"
                "Value": "key-2",
                "UserName": "UserName2"
    "Basic": {
        "Credentials": [
                "UserName": "UserName1",
                "Password": "Password1"
                "UserName": "UserName2",
                "Password": "Password2"

With this configuration, authentication will succedd if any of these credentials are provided.

Custom Authentication logic for API Keys and Basic Authentication

If you need to implement custom authentication login, for example validating credentials with dynamic values and adding claims to identity, you can omit all the credentials in the appsettings.json file and then provide an implementation of IApiKeyValidator.cs or IBasicAuthenticationValidator.cs:

builder.Services.AddTransient<IApiKeyValidator, CustomApiKeyValidator>();
builder.Services.AddTransient<IBasicAuthenticationValidator, CustomBasicAuthenticationValidator>();

public class CustomApiKeyValidator : IApiKeyValidator
    public Task<ApiKeyValidationResult> ValidateAsync(string apiKey)
        var result = apiKey switch
            "ArAilHVOoL3upX78Cohq" => ApiKeyValidationResult.Success("User 1"),
            "DiUU5EqImTYkxPDAxBVS" => ApiKeyValidationResult.Success("User 2"),
            _ => ApiKeyValidationResult.Fail("Invalid User")

        return Task.FromResult(result);

public class CustomBasicAuthenticationValidator : IBasicAuthenticationValidator
    public Task<BasicAuthenticationValidationResult> ValidateAsync(string userName, string password)
        if (userName == password)
            var claims = new List<Claim>() { new(ClaimTypes.Role, "User") };
            return Task.FromResult(BasicAuthenticationValidationResult.Success(userName, claims));

        return Task.FromResult(BasicAuthenticationValidationResult.Fail("Invalid user"));

Permission-based authorization

The library provides services for adding permission-based authorization to an ASP.NET Core project. Just use the following registration at startup:

// Enable permission-based authorization.

The AddPermissions extension method requires an implementation of the IPermissionHandler interface, that is responsible to check if the user owns the required permissions:

public interface IPermissionHandler
    Task<bool> IsGrantedAsync(ClaimsPrincipal user, IEnumerable<string> permissions);

The library provides the built-in ScopeClaimPermissionHandler class, that checks for permissions reading the default scope claims of the current user (scp or To use this default handler, we can just write this:

// The line above is equivalent to builder.Services.AddPermissions<ScopeClaimPermissionHandler>();

Based on the scenario, we can provide our own implementation, for example reading different claims or using external services (database, HTTP calls, etc.) to get user permissions.

Then, just use the PermissionAttribute or the RequirePermission extension method:

// In a Controller
public ActionResult<User> Get() => new User(User.Identity!.Name);

// In a Minimal API
app.MapGet("api/me", (ClaimsPrincipal user) =>
    return TypedResults.Ok(new User(user.Identity!.Name));

With the ScopeClaimPermissionHandler mentioned above, the invocation succeeds if the user has a scp or claim that contains the profile value, for example:

"scp": "profile email calendar:read"

It is also possible to explicitly create a policy that requires the one or more permissions:

builder.Services.AddAuthorization(options =>
    // Define permissions using a policy.
    options.AddPolicy("UserProfile", builder => builder.RequirePermission("profile"));

// ...

// In a Controller
[Authorize(Policy = "UserProfile")] 
public ActionResult<User> Get() => new User(User.Identity!.Name);

// In a Minimal API
app.MapGet("api/me", (ClaimsPrincipal user) =>
    return TypedResults.Ok(new User(user.Identity!.Name));
.RequireAuthorization(policyNames: "UserProfile")



The project is constantly evolving. Contributions are welcome. Feel free to file issues and pull requests on the repo and we'll address them as we can.

Product Compatible and additional computed target framework versions.
.NET net6.0 is compatible.  net6.0-android was computed.  net6.0-ios was computed.  net6.0-maccatalyst was computed.  net6.0-macos was computed.  net6.0-tvos was computed.  net6.0-windows was computed.  net7.0 is compatible.  net7.0-android was computed.  net7.0-ios was computed.  net7.0-maccatalyst was computed.  net7.0-macos was computed.  net7.0-tvos was computed.  net7.0-windows was computed. 
Compatible target framework(s)
Additional computed target framework(s)
Learn more about Target Frameworks and .NET Standard.

NuGet packages

This package is not used by any NuGet packages.

GitHub repositories

This package is not used by any popular GitHub repositories.

Version Downloads Last updated
2.0.8 84 5/9/2023
2.0.4 224 4/4/2023
1.0.79 388 1/23/2023
1.0.77 203 1/11/2023
1.0.76 197 1/8/2023
1.0.68 360 12/5/2022
1.0.64 238 12/1/2022
1.0.60 270 11/30/2022
1.0.54 271 11/15/2022
1.0.47 264 11/9/2022
1.0.46 261 11/8/2022
1.0.43 288 11/3/2022
1.0.42 300 10/27/2022
1.0.40 356 10/19/2022
1.0.38 368 9/27/2022
1.0.36 344 9/17/2022
1.0.34 384 7/25/2022
1.0.32 385 7/6/2022
1.0.30 395 6/15/2022
1.0.29 366 6/4/2022
1.0.25 359 6/3/2022
1.0.16 372 5/20/2022
1.0.13 372 5/18/2022
1.0.10 416 5/14/2022
1.0.2 415 5/13/2022