Sprint.Shared.Authentication 1.0.0

Shared.Authentication

JWT Bearer authentication library designed for the Sprint ecosystem (.NET 10+). Handles JWT validation, distributed cache session lookup, role-based access control, and populates a scoped CurrentUser context object — all wired up with a single AddSharedAuthentication call.

Key Features

• JWT Validation: Validates tokens using RSA Public Key via Microsoft.AspNetCore.Authentication.JwtBearer.
• Session Cache (Optional): Caches resolved Actor data in IDistributedCache (Redis, Memory, etc.) to reduce Auth Service round-trips. Gracefully degrades if no cache is registered.
• Role-Based Access Control: Validates that the actor holds a permitted role via IClaimManagementService before the request proceeds.
• Scoped CurrentUser: Populates a DI-injectable CurrentUser object with identity and claim data (company, role, application, vendor) on every validated request.
• Token Expiry Header: Automatically sets Token-Expired: true response header when a token has expired.
• Requires .NET 10.0+

Installation & Setup

1. Register Services in Program.cs

using Shared.Authentication.Extensions;

// Option 1: Automatic from Configuration
builder.Services.AddSharedAuthentication(builder.Configuration);

// Option 2: Manual setup via Action
builder.Services.AddSharedAuthentication(options => {
    options.JwtSettings = new Jwt {
        PublicKey              = "-----BEGIN PUBLIC KEY-----...",
        GetSessionBySessionIdUrl = "https://auth-service/api/session/"
    };
    options.IsCacheEnabled    = true;
    options.CacheDurationInSec = 900; // 15 minutes
});

2. Enable Middleware in Program.cs

var app = builder.Build();

app.UseAuthentication();
app.UseAuthorization();

app.Run();

3. Configuration Template (appsettings.json)

{
  "Jwt": {
    "PublicKey": "-----BEGIN PUBLIC KEY-----\nMIIB...\n-----END PUBLIC KEY-----",
    "GetSessionBySessionIdUrl": "https://auth-service.internal/api/session/"
  },
  "CacheSetting": {
    "Token": {
      "Enabled": true,
      "DurationInSec": 900
    }
  }
}

Using CurrentUser in Controllers / Services

Inject CurrentUser directly — it is populated automatically after JWT validation:

public class OrderEndpoint : Endpoint<OrderRequest>
{
    private readonly CurrentUser _currentUser;

    public OrderEndpoint(CurrentUser currentUser)
    {
        _currentUser = currentUser;
    }

    public override async Task HandleAsync(OrderRequest req, CancellationToken ct)
    {
        var userId   = _currentUser.Id;
        var userName = _currentUser.Name;
        var roles    = _currentUser.ClaimRoleIds;   // comma-separated role IDs
        var companies = _currentUser.ClaimCompanyCodes; // comma-separated company codes

        await SendOkAsync(ct);
    }
}

CurrentUser Properties

Helper: IsValidUserId

Checks if the given userId matches the current actor, or if the actor has admin role (Role ID 4):

if (!_currentUser.IsValidUserId(req.TargetUserId))
{
    await SendForbiddenAsync(ct);
    return;
}

Optional: Distributed Cache (Redis)

When IsCacheEnabled = true, the library will use IDistributedCache if one is registered. If none is registered, it falls back to calling the Auth Service on every request without crashing.

// Register Redis cache before AddSharedAuthentication
builder.Services.AddStackExchangeRedisCache(options => {
    options.Configuration = builder.Configuration.GetConnectionString("Redis");
});

builder.Services.AddSharedAuthentication(builder.Configuration);

Dependencies

© 2026 Sprint-OMS Development Team