MrWho.ClientAuth 1.5.0

.NET 9.0 This package targets .NET 9.0. The package is compatible with this framework or higher. 
dotnet add package MrWho.ClientAuth --version 1.5.0
                    


                    

                
NuGet\Install-Package MrWho.ClientAuth -Version 1.5.0
This command is intended to be used within the Package Manager Console in Visual Studio, as it uses the NuGet module's version of Install-Package. 
<PackageReference Include="MrWho.ClientAuth" Version="1.5.0" />
For projects that support PackageReference, copy this XML node into the project file to reference the package. 
<PackageVersion Include="MrWho.ClientAuth" Version="1.5.0" />
                    


                            Directory.Packages.props
                        

                    

                
<PackageReference Include="MrWho.ClientAuth" />
                    


                            Project file
For projects that support Central Package Management (CPM), copy this XML node into the solution Directory.Packages.props file to version the package. 
paket add MrWho.ClientAuth --version 1.5.0
                    


                    

                
#r "nuget: MrWho.ClientAuth, 1.5.0"
#r directive can be used in F# Interactive and Polyglot Notebooks. Copy this into the interactive tool or source code of the script to reference the package. 
#:package MrWho.ClientAuth@1.5.0
#:package directive can be used in C# file-based apps starting in .NET 10 preview 4. Copy this into a .cs file before any lines of code to reference the package. 
#addin nuget:?package=MrWho.ClientAuth&version=1.5.0
                    


                            Install as a Cake Addin
                        

                    

                
#tool nuget:?package=MrWho.ClientAuth&version=1.5.0
                    


                            Install as a Cake Tool

MrWho.ClientAuth

A lightweight client-side configuration package to connect ASP.NET Core apps to the MrWho OpenID Connect identity server.

Quick start

  1. Add the package reference.

Program.cs:

builder.Services.AddMrWhoAuthentication(options =>
{
    options.Authority = "https://localhost:7113"; // public URL of MrWho
    options.ClientId = "my_app_client";
    options.ClientSecret = "optional-secret"; // for confidential clients
    // add API scopes if needed
    options.Scopes.Add("api.read");
});

builder.Services.AddAuthorization();
  1. Map convenience login/logout endpoints (optional):
app.MapMrWhoLoginEndpoint();
app.MapMrWhoLogoutEndpoints();
app.MapMrWhoBackChannelLogoutEndpoint();
  1. Protect pages/controllers with [Authorize].

Machine-to-Machine (client_credentials) helpers

Add an HttpClient that transparently acquires and caches a client_credentials token:

builder.Services.AddMrWhoClientCredentialsApi(
    name: "DemoApiM2M",
    baseAddress: new Uri("https://localhost:7162"),
    configure: opt =>
    {
        opt.Authority = "https://localhost:7113";
        opt.ClientId = "mrwho_demo_api_client";
        opt.ClientSecret = "DemoApiClientSecret2025!";
        opt.Scopes = new[] { "api.read" }; // optional
        opt.AcceptAnyServerCertificate = builder.Environment.IsDevelopment();
    });

Usage:

var client = httpClientFactory.CreateClient("DemoApiM2M");
var resp = await client.GetAsync("WeatherForecast");

Delegated user access token forwarding

Forward the signed-in user's access token to an API:

builder.Services.AddMrWhoUserAccessTokenApi(
    name: "DemoApiUser",
    baseAddress: new Uri("https://localhost:7162"));

Usage in page/controller:

var api = httpClientFactory.CreateClient("DemoApiUser");
var resp = await api.GetAsync("WeatherForecast");

Typed client variants are also available:

builder.Services.AddMrWhoClientCredentialsApi<MyApiClient>(new Uri("https://localhost:7162"), opt => { /* ... */ });
builder.Services.AddMrWhoUserAccessTokenApi<MyUserApiClient>(new Uri("https://localhost:7162"));

Notes and defaults

  • Cookie + OIDC scheme naming isolated per ClientId.
  • Saves tokens by default (access/id/refresh) when supported.
  • Default scopes: openid, profile, email, roles, offline_access. Add api.read/api.write explicitly.
  • Discovery path always: /.well-known/openid-configuration.
  • M2M provider caches token until ~30s before expiry (configurable via RefreshSkew).
  • Optional AcceptAnyServerCertificate for dev self-signed certs.

Security considerations

  • Never enable AcceptAnyServerCertificate outside development.
  • Store client secrets securely (user-secrets, KeyVault, environment). Do not commit to source control.
  • Limit scopes to the minimum required (principle of least privilege).

Back-channel logout

Map app.MapMrWhoBackChannelLogoutEndpoint(); in apps that must honor session revocation.

License: MIT

Product Compatible and additional computed target framework versions.
.NET net9.0 is compatible.  net9.0-android was computed.  net9.0-browser was computed.  net9.0-ios was computed.  net9.0-maccatalyst was computed.  net9.0-macos was computed.  net9.0-tvos was computed.  net9.0-windows was computed.  net10.0 was computed.  net10.0-android was computed.  net10.0-browser was computed.  net10.0-ios was computed.  net10.0-maccatalyst was computed.  net10.0-macos was computed.  net10.0-tvos was computed.  net10.0-windows was computed. 
Compatible target framework(s)
Included target framework(s) (in package)
Learn more about Target Frameworks and .NET Standard.

NuGet packages

This package is not used by any NuGet packages.

GitHub repositories

This package is not used by any popular GitHub repositories.

Version Downloads Last Updated
1.5.0 308 9/19/2025 1.5.0 is deprecated because it is no longer maintained.
1.4.0 170 9/13/2025
1.3.0 246 8/26/2025
1.2.3 122 8/23/2025
1.2.2 174 8/22/2025
1.2.1 181 8/21/2025
1.1.0 188 8/17/2025
1.0.5 191 8/17/2025
1.0.4 191 8/17/2025
1.0.2 167 8/17/2025
1.0.1 162 8/17/2025
1.0.0 225 8/17/2025 1.0.0 is deprecated because it has critical bugs.