Cirreum.Authentication.External 1.0.4

dotnet add package Cirreum.Authentication.External --version 1.0.4
                    
NuGet\Install-Package Cirreum.Authentication.External -Version 1.0.4
                    
This command is intended to be used within the Package Manager Console in Visual Studio, as it uses the NuGet module's version of Install-Package.
<PackageReference Include="Cirreum.Authentication.External" Version="1.0.4" />
                    
For projects that support PackageReference, copy this XML node into the project file to reference the package.
<PackageVersion Include="Cirreum.Authentication.External" Version="1.0.4" />
                    
Directory.Packages.props
<PackageReference Include="Cirreum.Authentication.External" />
                    
Project file
For projects that support Central Package Management (CPM), copy this XML node into the solution Directory.Packages.props file to version the package.
paket add Cirreum.Authentication.External --version 1.0.4
                    
#r "nuget: Cirreum.Authentication.External, 1.0.4"
                    
#r directive can be used in F# Interactive and Polyglot Notebooks. Copy this into the interactive tool or source code of the script to reference the package.
#:package Cirreum.Authentication.External@1.0.4
                    
#:package directive can be used in C# file-based apps starting in .NET 10 preview 4. Copy this into a .cs file before any lines of code to reference the package.
#addin nuget:?package=Cirreum.Authentication.External&version=1.0.4
                    
Install as a Cake Addin
#tool nuget:?package=Cirreum.Authentication.External&version=1.0.4
                    
Install as a Cake Tool

Cirreum Authentication - External (BYOID)

NuGet Version License .NET

Multi-tenant external IdP (BYOID) authentication scheme for the Cirreum framework

Overview

Cirreum.Authentication.External enables a single API to accept JWT bearer tokens from multiple customer Identity Providers (Okta, Auth0, customer Entra tenants, etc.) without federating those IdPs into yours. The customer's existing IdP issues tokens; your API validates them per-tenant using the resolved tenant configuration.

Use this package when your customers want to sign in to your API with their own IdP credentials. Use Cirreum.Authentication.Oidc or Cirreum.Authentication.Entra instead when you have a single, configured-by-you IdP.

How it works

  1. The inbound request carries a tenant indicator — a header (X-Tenant-Id), a path segment (/tenants/{slug}/...), or a subdomain ({tenant}.api.example.com).
  2. The package's IExternalTenantResolver (your implementation) maps that indicator to the tenant's configuration: Authority URL, Audience, etc.
  3. JWKS metadata is fetched from the tenant's .well-known/openid-configuration and cached per JwksCacheDurationMinutes.
  4. The inbound Authorization: Bearer {jwt} is validated against the resolved per-tenant configuration.
  5. On success, the ClaimsPrincipal reflects the tenant's claims.

The dynamic forward resolver picks this scheme (via ExternalAuthenticationSchemeSelectorSchemeCategory.Tenant) when both a tenant indicator and a Bearer token are present on the request.

Installation

dotnet add package Cirreum.Authentication.External

Configuration

{
  "Cirreum": {
    "Authentication": {
      "Providers": {
        "External": {
          "Instances": {
            "default": {
              "Enabled": true,
              "TenantIdentifierSource": "Header",
              "TenantHeaderName": "X-Tenant-Id",
              "JwksCacheDurationMinutes": 60,
              "RequireHttpsMetadata": true,
              "TenantNotFoundBehavior": "Reject",
              "ClockSkewSeconds": 30,
              "DetailedErrors": false
            }
          }
        }
      }
    }
  }
}

Then register your tenant resolver:

builder.Services.AddSingleton<IExternalTenantResolver, MyTenantResolver>();

Implementing the tenant resolver

public sealed class MyTenantResolver(IDbConnection db) : IExternalTenantResolver {

    public async Task<ExternalTenantConfig?> ResolveAsync(
        string tenantIdentifier,
        CancellationToken cancellationToken) {

        var row = await db.QueryFirstOrDefaultAsync(
            "SELECT Authority, Audience FROM Tenants WHERE Slug = @Slug AND IsActive = 1",
            new { Slug = tenantIdentifier });

        if (row is null) {
            return null;
        }

        return new ExternalTenantConfig {
            Authority = row.Authority,
            Audience = row.Audience
        };
    }
}

What changed

Selector-based dispatch

ExternalAuthenticationSchemeSelector implements ISchemeSelector with SchemeCategory.Tenant. The dynamic forward resolver picks External when:

  1. A tenant indicator is present (per configured TenantIdentifierSource)
  2. An Authorization: Bearer header is present

The legacy static ExternalSchemeSelector helper class is retired. Detection logic survives as static methods on the new instance class for apps that compose conflict-detection at startup.

Security considerations

  • Tenant configuration trust — your IExternalTenantResolver must return only verified, currently-active tenant configurations. Cache invalidation on tenant deactivation is your responsibility.
  • HTTPS enforcementRequireHttpsMetadata: true (default) blocks JWKS fetches over plain HTTP.
  • Clock skewClockSkewSeconds: 30 is a reasonable default; tighten for high-trust tenants.
  • TenantNotFoundBehaviorReject is the safe default; Fallback is only appropriate when your fallback is your own IdP under your control.

License

MIT — see LICENSE.


Cirreum Foundation Framework Layered simplicity for modern .NET

Product Compatible and additional computed target framework versions.
.NET net10.0 is compatible.  net10.0-android was computed.  net10.0-browser was computed.  net10.0-ios was computed.  net10.0-maccatalyst was computed.  net10.0-macos was computed.  net10.0-tvos was computed.  net10.0-windows was computed. 
Compatible target framework(s)
Included target framework(s) (in package)
Learn more about Target Frameworks and .NET Standard.

NuGet packages (1)

Showing the top 1 NuGet packages that depend on Cirreum.Authentication.External:

Package Downloads
Cirreum.Runtime.Authentication

App-facing umbrella for the Authentication pillar. Provides AddAuthentication() and the CirreumAuthenticationBuilder type. Transitively references all six Cirreum.Authentication.* schemes (ApiKey, SignedRequest, SessionTicket, OIDC, Entra, External) — apps install this single package to get the full Authentication track.

GitHub repositories

This package is not used by any popular GitHub repositories.

Version Downloads Last Updated
1.0.4 93 7/7/2026
1.0.3 101 7/6/2026
1.0.2 93 7/5/2026
1.0.1 118 7/4/2026
1.0.0 110 7/3/2026