SqlOS 2.1.0
dotnet add package SqlOS --version 2.1.0
NuGet\Install-Package SqlOS -Version 2.1.0
This command is intended to be used within the Package Manager Console in Visual Studio, as it uses the NuGet module's version of Install-Package.
<PackageReference Include="SqlOS" Version="2.1.0" />
For projects that support PackageReference, copy this XML node into the project file to reference the package.
<PackageVersion Include="SqlOS" Version="2.1.0" />
<PackageReference Include="SqlOS" />
For projects that support Central Package Management (CPM), copy this XML node into the solution Directory.Packages.props file to version the package.
paket add SqlOS --version 2.1.0
The NuGet Team does not provide support for this client. Please contact its maintainers for support.
#r "nuget: SqlOS, 2.1.0"
#r directive can be used in F# Interactive and Polyglot Notebooks. Copy this into the interactive tool or source code of the script to reference the package.
#:package SqlOS@2.1.0
#:package directive can be used in C# file-based apps starting in .NET 10 preview 4. Copy this into a .cs file before any lines of code to reference the package.
#addin nuget:?package=SqlOS&version=2.1.0
#tool nuget:?package=SqlOS&version=2.1.0
The NuGet Team does not provide support for this client. Please contact its maintainers for support.
SqlOS
Embedded auth server and fine-grained authorization for .NET — one NuGet package, zero external services.
SqlOS gives your .NET app a complete auth stack — OAuth 2.0 endpoints, a branded login/signup UI, organization management, SAML SSO, OIDC social login, and hierarchical fine-grained authorization — all stored in your own SQL Server database, managed through an embedded admin dashboard.
Think WorkOS / AuthKit, but self-hosted and database-owned.
Why SqlOS?
| External auth services | SqlOS |
|---|---|
| Data lives on someone else's servers | Data lives in your SQL Server |
| Per-MAU pricing that scales against you | MIT-licensed, no usage fees |
| Another vendor dependency to manage | Single NuGet package, ships with your app |
| Limited customization of login flows | Full control — branded AuthPage, custom OIDC, SAML |
Features
AuthServer
- OAuth 2.0 with PKCE —
/authorize,/token,/.well-known/oauth-authorization-server,/.well-known/jwks.json - Branded AuthPage — hosted
/login,/signup, and/logged-outwith customizable branding - Organizations & Users — multi-tenant user management with memberships and roles
- Password Credentials — secure local authentication with session management
- Social Login — Google, Microsoft, Apple, and any custom OIDC provider
- SAML SSO — enterprise single sign-on with home realm discovery by email domain
- Sessions & Refresh Tokens — full lifecycle management with revocation
- Signing Key Rotation — automatic RS256 key rotation with configurable intervals
- Audit Logging — track authentication events across your system
FGA (Fine-Grained Authorization)
- Hierarchical Resource Authorization — define resource types, permissions, and roles
- Access Grants — assign permissions to users, user groups, and service accounts
- EF Core Query Filters — filter authorized resources directly in LINQ queries
- Access Tester — verify authorization decisions through the dashboard
Embedded Admin Dashboard
- Auth Admin — manage organizations, users, clients, OIDC/SAML connections, security settings, sessions, and audit events
- FGA Admin — manage resources, grants, roles, permissions, and test access decisions
- Password-Protected — optional password auth mode for production deployments
Quick Start
Install
dotnet add package SqlOS
Register Services
builder.Services.AddSqlOS<AppDbContext>(options =>
{
options.UseFGA();
options.UseAuthServer();
});
Configure Your DbContext
public sealed class AppDbContext : DbContext, ISqlOSAuthServerDbContext, ISqlOSFgaDbContext
{
public IQueryable<SqlOSFgaAccessibleResource> IsResourceAccessible(
string subjectId,
string permissionKey)
=> FromExpression(() => IsResourceAccessible(subjectId, permissionKey));
protected override void OnModelCreating(ModelBuilder modelBuilder)
{
base.OnModelCreating(modelBuilder);
modelBuilder.UseAuthServer();
modelBuilder.UseFGA(GetType());
}
}
Map Endpoints
var app = builder.Build();
await app.UseSqlOSAsync();
app.MapAuthServer("/sqlos/auth");
app.UseSqlOSDashboard("/sqlos");
That's it. SqlOS bootstraps its own schema, runs embedded migrations, and serves the dashboard — no external infrastructure required.
AuthServer-Only Mode
Already have an authorization layer? Use just the auth server:
builder.Services.AddSqlOSAuthServer<AppDbContext>(auth =>
{
auth.BasePath = "/sqlos/auth";
auth.PublicOrigin = "https://api.example.com";
auth.Issuer = "https://api.example.com/sqlos/auth";
});
await app.UseSqlOSAuthServerAsync();
app.MapAuthServer("/sqlos/auth");
app.UseSqlOSAuthServerDashboard("/sqlos/admin/auth");
Dashboard Access
Protect the dashboard in production with a password:
options.Dashboard.AuthMode = SqlOSDashboardAuthMode.Password;
options.Dashboard.Password = builder.Configuration["SqlOS:Dashboard:Password"];
Or via environment variables:
SqlOS__Dashboard__AuthMode=Password
SqlOS__Dashboard__Password=<strong-password>
Example App
The repo includes a full working example powered by .NET Aspire:
dotnet run --project examples/SqlOS.Example.AppHost/SqlOS.Example.AppHost.csproj
This starts SQL Server, an ASP.NET API with SqlOS, and a Next.js frontend demonstrating password login, social OIDC, SAML SSO, session management, and FGA-protected data.
| URL | |
|---|---|
| Dashboard | http://localhost:5062/sqlos/ |
| Auth Admin | http://localhost:5062/sqlos/admin/auth/ |
| FGA Admin | http://localhost:5062/sqlos/admin/fga/ |
| Web App | http://localhost:3010/ |
Requirements
- .NET 9.0+
- SQL Server (any edition, including LocalDB)
- EF Core 9.0+
Testing
# Unit tests
dotnet test tests/SqlOS.Tests/SqlOS.Tests.csproj
# Integration tests (requires SQL Server)
dotnet test tests/SqlOS.IntegrationTests/SqlOS.IntegrationTests.csproj
# Full suite
dotnet test SqlOS.sln
Repo Layout
src/SqlOS # The library
tests/SqlOS.Tests # Unit tests
tests/SqlOS.IntegrationTests # Integration tests
tests/SqlOS.Benchmarks # Performance benchmarks
examples/SqlOS.Example.Api # ASP.NET API example
examples/SqlOS.Example.Web # Next.js frontend example
examples/SqlOS.Example.AppHost # Aspire orchestration
Documentation
- Configuration — service registration, EF integration, dashboard setup
- Auth Page — hosted OAuth endpoints and branded UI
- OIDC Auth — OpenID Connect provider support
- Google OIDC · Microsoft OIDC · Apple OIDC · Custom OIDC
- Entra SSO Testing — SAML SSO with Microsoft Entra
- Example App — running the demo stack
- Testing — test structure and conventions
- Releasing — versioning and release process
License
MIT
| Product | Versions Compatible and additional computed target framework versions. |
|---|---|
| .NET | net9.0 is compatible. net9.0-android was computed. net9.0-browser was computed. net9.0-ios was computed. net9.0-maccatalyst was computed. net9.0-macos was computed. net9.0-tvos was computed. net9.0-windows was computed. net10.0 was computed. net10.0-android was computed. net10.0-browser was computed. net10.0-ios was computed. net10.0-maccatalyst was computed. net10.0-macos was computed. net10.0-tvos was computed. net10.0-windows was computed. |
Compatible target framework(s)
Included target framework(s) (in package)
Learn more about Target Frameworks and .NET Standard.
-
net9.0
- Microsoft.EntityFrameworkCore.SqlServer (>= 9.0.0)
- Microsoft.Extensions.DependencyInjection.Abstractions (>= 9.0.0)
- Microsoft.Extensions.FileProviders.Embedded (>= 9.0.0)
- Microsoft.Extensions.Logging.Abstractions (>= 9.0.0)
- Microsoft.Extensions.Options (>= 9.0.0)
NuGet packages
This package is not used by any NuGet packages.
GitHub repositories
This package is not used by any popular GitHub repositories.