LiveAuth 1.0.1

.NET 8.0 This package targets .NET 8.0. The package is compatible with this framework or higher. 
dotnet add package LiveAuth --version 1.0.1
                    


                    

                
NuGet\Install-Package LiveAuth -Version 1.0.1
This command is intended to be used within the Package Manager Console in Visual Studio, as it uses the NuGet module's version of Install-Package. 
<PackageReference Include="LiveAuth" Version="1.0.1" />
For projects that support PackageReference, copy this XML node into the project file to reference the package. 
<PackageVersion Include="LiveAuth" Version="1.0.1" />
                    


                            Directory.Packages.props
                        

                    

                
<PackageReference Include="LiveAuth" />
                    


                            Project file
For projects that support Central Package Management (CPM), copy this XML node into the solution Directory.Packages.props file to version the package. 
paket add LiveAuth --version 1.0.1
                    


                    

                
#r "nuget: LiveAuth, 1.0.1"
#r directive can be used in F# Interactive and Polyglot Notebooks. Copy this into the interactive tool or source code of the script to reference the package. 
#:package LiveAuth@1.0.1
#:package directive can be used in C# file-based apps starting in .NET 10 preview 4. Copy this into a .cs file before any lines of code to reference the package. 
#addin nuget:?package=LiveAuth&version=1.0.1
                    


                            Install as a Cake Addin
                        

                    

                
#tool nuget:?package=LiveAuth&version=1.0.1
                    


                            Install as a Cake Tool

LiveAuth

LiveAuth is a state-aware authorization middleware for ASP.NET Core that addresses core JWT stateless limitations such as delayed revocation and stale role/permission claims.

Why LiveAuth?

Traditional JWT access tokens are self-contained. Once issued, role revocation or session invalidation usually does not apply until token expiry.

LiveAuth keeps JWTs lightweight (session id + version) and validates each request against a session state store, enabling:

  • immediate revocation,
  • role/permission freshness,
  • centralized session control.

Install

dotnet add package LiveAuth

Configure in your API

builder.Services.AddLiveAuth(options =>
{
  options.Issuer = builder.Configuration["Jwt:Issuer"] ?? string.Empty;
  options.Audience = builder.Configuration["Jwt:Audience"] ?? string.Empty;
  options.Secret = builder.Configuration["Jwt:Secret"] ?? string.Empty;
}).AddLiveAuth(options =>
    {
        options.OverrideRoleFromSession = true;
    });
builder.Services.AddSingleton<ISessionStateStore, YourSessionStore>();

appsettings.json

"Jwt": {
  "Issuer": "auth.example.com",
  "Audience": "liveauth-api",
  "Secret": "MySuperSecretKeyForHS256MustBe32Byte!"
}

Sample projects

  • Samples/WebApiSample: Uses LiveAuth middleware (stateful behavior).
  • Samples/WebApiIdleTimeoutSample: Web API sample that wires AddAuthentication(...).AddJwtBearer(...).AddLiveAuth(...)` and demonstrates idle-timeout logout by revoking inactive sessions from the session store.
  • Samples/LiveAuth.TestClient: Console client to generate test tokens and exercise revocation scenarios.

Demo idea

  1. Run WebApiSample and call /secure with a valid token.
  2. Revoke with /admin/revoke/{sid}.
  3. Call /secure again using the same token.
    • With LiveAuth middleware: request is denied (revocation enforced).
    • Without LiveAuth middleware: request may still succeed until token expiry.

Idle Timeout Demo (API + Console Client)

  1. Run Samples/WebApiIdleTimeoutSample (default http://localhost:5000).
  2. Run Samples/TestClient (or pass a base URL as the first argument).
  3. Observe the flow:
    • login succeeds
    • immediate /admin call succeeds
    • client waits beyond idle timeout
    • second /admin call returns 401 Unauthorized
    • /session/{sid} shows isRevoked = true

Production Recommendations

  • Use Redis or SQL as distributed session store
  • Keep session state immutable (record type)
  • Do not register JWT inside LiveAuth
  • Do not bypass HTTPS validation in production
  • Keep JWT lifetime reasonable even with versioning
Product Compatible and additional computed target framework versions.
.NET net8.0 is compatible.  net8.0-android was computed.  net8.0-browser was computed.  net8.0-ios was computed.  net8.0-maccatalyst was computed.  net8.0-macos was computed.  net8.0-tvos was computed.  net8.0-windows was computed.  net9.0 was computed.  net9.0-android was computed.  net9.0-browser was computed.  net9.0-ios was computed.  net9.0-maccatalyst was computed.  net9.0-macos was computed.  net9.0-tvos was computed.  net9.0-windows was computed.  net10.0 was computed.  net10.0-android was computed.  net10.0-browser was computed.  net10.0-ios was computed.  net10.0-maccatalyst was computed.  net10.0-macos was computed.  net10.0-tvos was computed.  net10.0-windows was computed. 
Compatible target framework(s)
Included target framework(s) (in package)
Learn more about Target Frameworks and .NET Standard.

NuGet packages

This package is not used by any NuGet packages.

GitHub repositories

This package is not used by any popular GitHub repositories.

Version Downloads Last Updated
1.0.1 42 3/16/2026
1.0.0 37 3/5/2026