CoreIdent 0.4: A Ground-Up Rewrite for .NET 10+
Source: Dev.to
CoreIdent 0.4: A Ground‑Up Rewrite for .NET 10+
Hey .NET community! I have a big update to share regarding CoreIdent: version 0.4 is a complete rewrite, built from scratch on .NET 10, including a rewrite of the objectives and goals.
If you’ve been following the 0.3.x releases (Phase 2, Phase 3, ID tokens, etc.), you might be wondering: why start over? Let me explain.
🔄 Why a Rewrite?
The 0.3.x codebase taught me a lot about what is actually needed from an identity/auth library. It also revealed some fundamental limitations:
- Symmetric keys only – HS256 is fine for demos, but production needs RS256/ES256 with proper JWKS publishing.
- Passwords first – The industry is moving passwordless; we should lead, not follow.
- .NET 9 constraints – .NET 10 brings native passkey support, better metrics, and auth API improvements we want to leverage.
- Test infrastructure debt – The test setup was getting unwieldy; we needed reusable fixtures from day one.
Rather than bolt these onto 0.3.x, I decided to rebuild with the right foundations.
Legacy note: The 0.3.x codebase is preserved at the legacy-0.3.x-main tag if you need it.
The New Vision
CoreIdent 0.4 is designed to be a holistic authentication toolkit—not just an OAuth server, but a single solution covering:
| Scenario | Description |
|---|---|
| Embedded Auth | Drop‑in authentication for ASP.NET Core apps |
| External Providers | Google, Microsoft, GitHub integration |
| Identity Server | Full OAuth 2.0 / OIDC capabilities |
| Client Libraries | Secure auth for MAUI, WPF, Blazor, Console apps |
The key shift: passwordless‑first. Email magic links and passkeys are the primary auth methods; passwords are a fallback.
What’s Working Today
CoreIdent 0.4 already has a solid OAuth/OIDC foundation.
Token Endpoint (/auth/token)
client_credentialsgrantrefresh_tokengrant (with rotation + theft detection)authorization_codegrant (PKCE required)passwordgrant (deprecated; logs a warning)
Authorization Flow
/auth/authorizeendpoint with consent UI/auth/consentfor user grant management- Full PKCE enforcement
Standards Compliance
- Token revocation (RFC 7009)
- Token introspection (RFC 7662)
- OIDC discovery (
/.well-known/openid-configuration) - JWKS publishing (
/.well-known/jwks.json) – public keys only
Asymmetric Key Support
Production‑ready signing with RS256 and ES256:
builder.Services.AddSigningKey(o => o.UseRsa("/path/to/private-key.pem"));
// or
builder.Services.AddSigningKey(o => o.UseEcdsa("/path/to/ec-key.pem"));Pluggable Persistence
- In‑memory stores by default (great for dev/testing)
- EF Core implementations for production:
builder.Services.AddDbContext(options =>
options.UseSqlite(connectionString));
builder.Services.AddEntityFrameworkCoreStores();Test Infrastructure
Reusable fixtures and builders under tests/:
CoreIdentTestFixturefor integration tests- Fluent builders for clients, users, scopes
- Assertion extensions for JWT validation
🚀 Quick Start
Here’s a minimal OAuth server in ~10 lines:
using CoreIdent.Core.Extensions;
var builder = WebApplication.CreateBuilder(args);
builder.Services.AddCoreIdent(o =>
{
o.Issuer = "https://issuer.example";
o.Audience = "https://resource.example";
});
builder.Services.AddSigningKey(o => o.UseRsa("/path/to/private-key.pem"));
var app = builder.Build();
app.MapCoreIdentEndpoints();
app.Run();That gives you:
- Token endpoint with multiple grants
- OIDC discovery + JWKS
- Authorization code flow with consent
What’s Next
The roadmap is focused on making CoreIdent a true “one‑stop shop”.
Passwordless Authentication
- Email magic links
- Passkeys (leveraging .NET 10’s native support)
External Providers
- Google, Microsoft, GitHub
- Clean provider abstraction for community additions
Client Libraries
CoreIdent.Client — works in any .NET app
- Platform‑specific: MAUI (SecureStorage), WPF (DPAPI), Blazor WASM
Developer Experience
- Project templates
- Better error messages
- OpenTelemetry metrics integration
📚 Documentation
All planning and implementation docs are in the repo:
- Developer Guide – Start here for practical usage
- Project Overview – Vision and architecture
- Technical Plan – Specifications and interfaces
- DEVPLAN – Task‑level checklist
🤝 Get Involved
CoreIdent is MIT licensed and open for contributions. If you’re interested:
- Check out the repo
- Read the DEVPLAN for current tasks
- Run the integration tests to get familiar with the codebase
- Open an issue or PR!
The goal is to build the identity system we all wish existed—open, modular, and developer‑friendly.
Previous Articles
If you followed the 0.3.x journey:
- CoreIdent v0.3.5: OIDC ID Tokens, Real‑World Gaps, and What’s Next
- Phase 3 Milestone: OAuth 2.0 Authorization Code Flow & Token Security Hardened
- Phase 2 Complete: Adding Persistence and Extensibility
Thanks for following along. Let’s build something great!