Trellis.Microservices.AspNetCore
0.1.0-alpha.68
dotnet add package Trellis.Microservices.AspNetCore --version 0.1.0-alpha.68
NuGet\Install-Package Trellis.Microservices.AspNetCore -Version 0.1.0-alpha.68
<PackageReference Include="Trellis.Microservices.AspNetCore" Version="0.1.0-alpha.68" />
<PackageVersion Include="Trellis.Microservices.AspNetCore" Version="0.1.0-alpha.68" />
<PackageReference Include="Trellis.Microservices.AspNetCore" />
paket add Trellis.Microservices.AspNetCore --version 0.1.0-alpha.68
#r "nuget: Trellis.Microservices.AspNetCore, 0.1.0-alpha.68"
#:package Trellis.Microservices.AspNetCore@0.1.0-alpha.68
#addin nuget:?package=Trellis.Microservices.AspNetCore&version=0.1.0-alpha.68&prerelease
#tool nuget:?package=Trellis.Microservices.AspNetCore&version=0.1.0-alpha.68&prerelease
Trellis.Microservices.AspNetCore
Consumer-side counterpart to Trellis.Yarp. Hydrates the full Trellis Actor (id + permissions + forbidden permissions + ABAC attributes) from a verified gateway-minted internal JWT, enforcing the strict sentinel + count claim contract that defends the deny-overrides-allow invariant against a proxy stripping the deny set.
Usage
One call wires the strict AddJwtBearer profile and the actor provider together so they cannot drift:
builder.Services.AddTrellisInternalJwtBearer(
issuer: "https://gateway.internal",
audience: "incidents-service",
configureActor: o =>
{
o.RequiredAttributes = ["tenant_id"]; // fail closed on a missing tenant claim
o.AttributeClaimMap["tenant_id"] = "tid";
});
It re-applies the security-critical invariants (MapInboundClaims = false, TryAllIssuerSigningKeys = false, RequireSignedTokens, validate iss/aud/lifetime, ValidAlgorithms = ["RS256"]) after any configureJwtBearer, so the loose-profile footgun cannot be reintroduced. It pulls in Microsoft.AspNetCore.Authentication.JwtBearer, so it is not trim/AOT-safe — for an AOT host (or an algorithm the helper does not pin), register your scheme yourself and pair it with AddTrellisInternalJwtActorProvider:
builder.Services.AddAuthentication("Bearer").AddJwtBearer(o =>
{
o.Authority = "https://gateway.internal";
o.Audience = "incidents-service";
o.MapInboundClaims = false; // keep raw JWT claim names
o.SaveToken = false;
o.TokenValidationParameters = new TokenValidationParameters
{
ValidateIssuer = true, ValidIssuer = "https://gateway.internal",
ValidateAudience = true, ValidAudience = "incidents-service",
ValidateLifetime = true, RequireSignedTokens = true,
ValidAlgorithms = ["RS256"],
ClockSkew = TimeSpan.FromSeconds(30),
TryAllIssuerSigningKeys = false,
};
});
builder.Services.AddTrellisInternalJwtActorProvider(o =>
{
o.RequiredAttributes = ["tenant_id"];
o.AttributeClaimMap["tenant_id"] = "tid";
o.ExpectedIssuer = "https://gateway.internal";
o.ExpectedAudience = "incidents-service";
});
The previous
TrellisServiceBuilder.UseTrellisInternalJwtActorslot in upstreamTrellis.ServiceDefaultswas removed in v3 cleanup when this provider moved here; callAddTrellisInternalJwtActorProvider(...)directly as shown above.
Pairs with
Trellis.Yarp— the gateway-side counterpart that mints these JWTs.Trellis.Microservices.Abstractions(transitive) — sharedTrellisInternalJwtClaimNamescontract literals.
Documentation
Full reference: trellis-api-internal-jwt.md.
End-to-end recipe: trellis-api-microservices-cookbook.md.
License
MIT.
| Product | Versions Compatible and additional computed target framework versions. |
|---|---|
| .NET | net10.0 is compatible. net10.0-android was computed. net10.0-browser was computed. net10.0-ios was computed. net10.0-maccatalyst was computed. net10.0-macos was computed. net10.0-tvos was computed. net10.0-windows was computed. |
-
net10.0
- Microsoft.AspNetCore.Authentication.JwtBearer (>= 10.0.9)
- Trellis.Asp (>= 3.0.0-alpha.432)
- Trellis.Authorization (>= 3.0.0-alpha.432)
- Trellis.Core (>= 3.0.0-alpha.432)
- Trellis.Microservices.Abstractions (>= 0.1.0-alpha.68)
NuGet packages
This package is not used by any NuGet packages.
GitHub repositories
This package is not used by any popular GitHub repositories.
| Version | Downloads | Last Updated |
|---|---|---|
| 0.1.0-alpha.68 | 52 | 7/6/2026 |
| 0.1.0-alpha.67 | 45 | 7/6/2026 |
| 0.1.0-alpha.66 | 75 | 7/3/2026 |
| 0.1.0-alpha.62 | 55 | 6/28/2026 |
| 0.1.0-alpha.57 | 52 | 6/26/2026 |
| 0.1.0-alpha.36 | 189 | 6/19/2026 |
| 0.1.0-alpha.29 | 79 | 6/7/2026 |