Hey .NET developers!
Following up on my previous announcement about Phase 2, I'm thrilled to share that the first major feature set for Phase 3 of CoreIdent is complete and published in version 0.3.1 on NuGet!
This milestone lays critical groundwork for CoreIdent becoming a robust OAuth 2.0 / OpenID Connect provider, moving significantly beyond the basic registration/login established in earlier phases.
What's New in v0.3.1 (Phase 3 Progress)?
This update was packed with foundational OAuth features and significant internal improvements stemming from rigorous testing:
🚀 Authorization Code Flow + PKCE
This is the cornerstone for securely authenticating users in web applications, Single Page Applications (SPAs), and native/mobile clients. CoreIdent now includes:
- `/auth/authorize` Endpoint: Handles the initial authorization request, validates client/redirect URIs, checks user authentication, and issues authorization codes.
- `/auth/token` Endpoint Enhancement: Added support for the `authorization_code` grant type. It securely exchanges the code for tokens, validating the client and performing PKCE (Proof Key for Code Exchange) verification for enhanced security against code interception attacks.
- OIDC ID Tokens: Basic OpenID Connect ID Tokens are now issued alongside access/refresh tokens during the Authorization Code flow, containing essential user claims.
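To make the PKCE step concrete, here is an added example (not CoreIdent's own code) of what the token endpoint has to check when an `authorization_code` grant arrives: recompute the challenge from the presented `code_verifier` using the stored `code_challenge_method`, and compare it in constant time against the `code_challenge` recorded when the code was issued. The `PkceVerifier` class, its method names, and the `CreatePair` client-side helper are assumptions for illustration; the rules enforced (verifier length and character set, S256 = base64url(SHA-256(verifier))) come from RFC 7636.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Illustrative PKCE (RFC 7636) check for an authorization_code grant.
// Example code written for this post; CoreIdent's implementation may differ.
public static class PkceVerifier
{
    // Returns true only if the presented verifier reproduces the challenge
    // that was stored alongside the authorization code.
    public static bool Verify(string storedChallenge, string storedMethod, string? presentedVerifier)
    {
        if (string.IsNullOrEmpty(presentedVerifier)) return false;

        // RFC 7636 §4.1: 43..128 unreserved characters.
        if (presentedVerifier.Length < 43 || presentedVerifier.Length > 128) return false;
        foreach (var c in presentedVerifier)
            if (!IsUnreserved(c)) return false;

        string computed;
        switch (storedMethod)
        {
            case "S256":
                computed = Base64UrlEncode(SHA256.HashData(Encoding.ASCII.GetBytes(presentedVerifier)));
                break;
            case "plain":
                // Permitted by the RFC for legacy clients; S256 is what clients should send.
                computed = presentedVerifier;
                break;
            default:
                return false; // unknown method: refuse rather than guess
        }

        // Fixed-time comparison so timing does not reveal how many bytes matched.
        var a = Encoding.ASCII.GetBytes(computed);
        var b = Encoding.ASCII.GetBytes(storedChallenge);
        return a.Length == b.Length && CryptographicOperations.FixedTimeEquals(a, b);
    }

    private static bool IsUnreserved(char c) =>
        (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') || (c >= '0' && c <= '9')
        || c == '-' || c == '.' || c == '_' || c == '~';

    // base64url without padding, as RFC 7636 Appendix A specifies.
    public static string Base64UrlEncode(byte[] bytes) =>
        Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    // Client-side helper (assumed name): a random verifier and its S256 challenge.
    // 32 random bytes encode to exactly 43 base64url characters.
    public static (string Verifier, string Challenge) CreatePair()
    {
        var verifier = Base64UrlEncode(RandomNumberGenerator.GetBytes(32));
        var challenge = Base64UrlEncode(SHA256.HashData(Encoding.ASCII.GetBytes(verifier)));
        return (verifier, challenge);
    }

    public static void Main()
    {
        var (verifier, challenge) = CreatePair();          // what the client does before /auth/authorize
        Console.WriteLine(Verify(challenge, "S256", verifier));            // True
        Console.WriteLine(Verify(challenge, "S256", verifier + "x"));      // False: tampered verifier
        Console.WriteLine(Verify(challenge, "S256", null));                // False: verifier missing
    }
}
```

The point of the flow is that an intercepted authorization code is useless on its own: the party redeeming it must also hold the verifier, which never left the client that started the request. Rejecting an unknown `code_challenge_method` (rather than falling back to `plain`) keeps a misconfigured client from silently weakening the check.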
🔒 Hardened Refresh Token Security
Based on deep testing and refinement, refresh token handling is now significantly more secure:
- Secure Handle Storage: Refresh tokens now store the raw handle as the primary key in the database (`Handle` column) while also storing a separate, securely hashed version (`HashedHandle` column, using SHA-256 salted with user+client ID). The raw handle is returned to the client, but storage relies on the hash, preventing exposure if the database is compromised. (Documentation updated to reflect this.)
- Token Theft Detection (Default: RevokeFamily): The default security posture (`TokenSecurity.EnableTokenFamilyTracking = true`, `TokenSecurity.TokenTheftDetectionMode = RevokeFamily`) now actively combats token theft. If a consumed refresh token is reused, CoreIdent not only rejects it but also immediately revokes all other active tokens belonging to the same rotation family. This significantly mitigates the risk of a compromised token being used further.
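The two bullets above describe one mechanism, so here is a single added example (written for this post, not CoreIdent's code) that shows both halves working together: the `HashedHandle` is derived from the raw handle salted with the user and client IDs and is what lookups use, and a rotation that sees an already-consumed handle treats it as theft and revokes every token in that family. The in-memory store, the `RefreshTokenRecord` shape, and the `Issue`/`Rotate`/`RevokeFamily` names are assumptions; the real store is EF Core backed.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Illustrative refresh-token store with hashed handles, rotation and
// RevokeFamily theft detection. Example only; names and shapes are assumed.
public sealed class RefreshTokenRecord
{
    public string Handle { get; init; } = "";        // raw handle (the page's primary key column)
    public string HashedHandle { get; init; } = "";  // SHA-256(userId:clientId:handle), used for lookup
    public string UserId { get; init; } = "";
    public string ClientId { get; init; } = "";
    public string FamilyId { get; init; } = "";      // all rotations of one login share a family
    public DateTimeOffset ExpiresAt { get; init; }
    public bool Consumed { get; set; }               // already exchanged once
    public bool Revoked { get; set; }
}

public sealed class RefreshTokenService
{
    private readonly Dictionary<string, RefreshTokenRecord> _byHash = new();

    // Salt with user + client id so a handle only matches its own owner and
    // a dumped table cannot be replayed against another account.
    public static string HashHandle(string rawHandle, string userId, string clientId) =>
        Convert.ToHexString(SHA256.HashData(Encoding.UTF8.GetBytes($"{userId}:{clientId}:{rawHandle}")));

    // Issue a token in an existing family (rotation) or a new one (fresh login).
    // Returns the raw handle, which is what the client receives.
    public string Issue(string userId, string clientId, string? familyId = null)
    {
        var raw = Convert.ToBase64String(RandomNumberGenerator.GetBytes(32));
        var record = new RefreshTokenRecord
        {
            Handle = raw,
            HashedHandle = HashHandle(raw, userId, clientId),
            UserId = userId,
            ClientId = clientId,
            FamilyId = familyId ?? Guid.NewGuid().ToString("N"),
            ExpiresAt = DateTimeOffset.UtcNow.AddDays(14),
        };
        _byHash[record.HashedHandle] = record;
        return raw;
    }

    // Exchange a refresh token. Returns the rotated raw handle, or null when refused.
    public string? Rotate(string rawHandle, string userId, string clientId)
    {
        if (!_byHash.TryGetValue(HashHandle(rawHandle, userId, clientId), out var record))
            return null;                                            // unknown handle
        if (record.Revoked || record.ExpiresAt <= DateTimeOffset.UtcNow)
            return null;                                            // dead token
        if (record.Consumed)
        {
            // Reuse of an already-rotated handle: either the client or an
            // attacker holds a stale copy. RevokeFamily mode kills the whole chain.
            RevokeFamily(record.FamilyId);
            return null;
        }
        record.Consumed = true;
        return Issue(userId, clientId, record.FamilyId);
    }

    public void RevokeFamily(string familyId)
    {
        foreach (var r in _byHash.Values.Where(r => r.FamilyId == familyId))
            r.Revoked = true;
    }

    public int ActiveCount(string familyId) =>
        _byHash.Values.Count(r => r.FamilyId == familyId && !r.Consumed && !r.Revoked);

    public static void Main()
    {
        var svc = new RefreshTokenService();
        var t1 = svc.Issue("user-1", "spa-client");        // login
        var t2 = svc.Rotate(t1, "user-1", "spa-client");   // normal rotation: new handle
        Console.WriteLine(t2 is not null);                 // True
        var replay = svc.Rotate(t1, "user-1", "spa-client"); // t1 reused: theft suspected
        Console.WriteLine(replay is null);                 // True
        Console.WriteLine(svc.Rotate(t2!, "user-1", "spa-client") is null); // True: t2 revoked too
    }
}
```

The detection only works because every rotation stays linked by `FamilyId`; a store that rotated handles without tracking the family could reject the replayed token but would leave the attacker's (or the victim's) current one alive.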
✅ Test Suite Overhaul & Bug Fixes
A major effort went into strengthening the integration test suite (`CoreIdent.Integration.Tests`). This involved:
- Fixing numerous bugs related to DbContext lifetime/scoping within `WebApplicationFactory`.
- Ensuring reliable database migration and seeding within test setups.
- Correcting logic in token storage/lookup (`Handle` vs `HashedHandle`).
- Resolving subtle JSON deserialization issues caused by duplicate type definitions.
- Aligning test assertions with the actual (and intended) behavior of features like `RevokeFamily` token theft detection.
Having passing, reliable integration tests is crucial for confidence and stability!
📚 Updated Documentation
The `README.md` and `docs/Developer_Training_Guide.md` have been updated to reflect:
- Correct endpoint paths (using the `/auth` prefix).
- Clarified details on refresh token storage (raw vs. hashed handles).
- Explanation of the `RevokeFamily` token theft detection behavior.
- Notes on DI registration order and test setup best practices.
What's Next?
Phase 3 continues with:
- Client Credentials Flow implementation.
- OIDC Discovery endpoints (`/.well-known/openid-configuration`, `/.well-known/jwks.json`).
- Further ID Token refinements.
Get Involved!
CoreIdent aims to be the modern, developer-centric identity solution the .NET community deserves.
- Check out the code: https://github.com/stimpy77/CoreIdent
- Try the NuGet packages: `CoreIdent.Core`, `CoreIdent.Storage.EntityFrameworkCore`, `CoreIdent.Adapters.DelegatedUserStore` (v0.3.1)
- Star the repo! ⭐
- Provide feedback: Open issues, start discussions.
Let's build this together!
What are your biggest pain points with existing .NET identity solutions? Share in the comments!