Cirreum.Runtime.Authentication 1.0.1

There is a newer version of this package available.
See the version list below for details.
dotnet add package Cirreum.Runtime.Authentication --version 1.0.1
                    
NuGet\Install-Package Cirreum.Runtime.Authentication -Version 1.0.1
                    
This command is intended to be used within the Package Manager Console in Visual Studio, as it uses the NuGet module's version of Install-Package.
<PackageReference Include="Cirreum.Runtime.Authentication" Version="1.0.1" />
                    
For projects that support PackageReference, copy this XML node into the project file to reference the package.
<PackageVersion Include="Cirreum.Runtime.Authentication" Version="1.0.1" />
                    
Directory.Packages.props
<PackageReference Include="Cirreum.Runtime.Authentication" />
                    
Project file
For projects that support Central Package Management (CPM), copy this XML node into the solution Directory.Packages.props file to version the package.
paket add Cirreum.Runtime.Authentication --version 1.0.1
                    
#r "nuget: Cirreum.Runtime.Authentication, 1.0.1"
                    
#r directive can be used in F# Interactive and Polyglot Notebooks. Copy this into the interactive tool or source code of the script to reference the package.
#:package Cirreum.Runtime.Authentication@1.0.1
                    
#:package directive can be used in C# file-based apps starting in .NET 10 preview 4. Copy this into a .cs file before any lines of code to reference the package.
#addin nuget:?package=Cirreum.Runtime.Authentication&version=1.0.1
                    
Install as a Cake Addin
#tool nuget:?package=Cirreum.Runtime.Authentication&version=1.0.1
                    
Install as a Cake Tool

Cirreum Runtime Authentication

NuGet Version NuGet Downloads GitHub Release License .NET

App-facing umbrella for the Cirreum Authentication track. Install this one package to wire up authentication behind a single AddAuthentication() call — every framework-shipped scheme flows in transitively, and only the ones you configure activate.

Overview

Cirreum.Runtime.Authentication is the package your application installs to turn on authentication. A single builder.AddAuthentication(...) call composes the whole track: the framework-shipped schemes, a dynamic forward scheme that picks the right one per request, the audience-routed claims transformer that produces your Cirreum IApplicationUser, and a boot-time validator that fails fast on misconfiguration.

Schemes come in two flavours:

  • Configuration-declaredOidc, Entra, and External activate automatically from their Cirreum:Authentication:Providers:* config sections. No code call is needed; presence of the section is the opt-in.
  • Code-composedApiKey, SignedRequest, and SessionTicket are turned on with a verb inside the AddAuthentication callback.

Every scheme's registration bails early when it isn't configured, so installing this package doesn't activate anything you haven't asked for.

Installation

dotnet add package Cirreum.Runtime.Authentication

Usage

using Cirreum.Runtime;
using Microsoft.Extensions.Hosting;

var builder = DomainApplication.CreateBuilder(args);

builder.AddAuthentication(auth => auth
    // Code-composed schemes:
    .AddApiKey(options => { /* static clients and/or .AddResolver<T>() */ })
    .AddSignedRequest<MyClientResolver>()
    .AddSessionTicket());
    // Oidc / Entra / External activate automatically from their
    // Cirreum:Authentication:Providers:* configuration sections.

await using var app = builder.Build();

app.UseDefaultMiddleware();   // includes UseAuthentication() + UseAuthorization()

app.MapApiEndpoints("/api/v1", api => { /* ... */ });

await app.RunAsync();

AddAuthentication() must run on a Cirreum host (DomainApplication.CreateBuilder), which declares the host's runtime type — the audience-based providers branch on whether the host is a Web API or a Web App. It is idempotent: call it once and reuse the returned CirreumAuthenticationBuilder for any further composition.

Scheme reference

Scheme How to enable
Oidc config section Cirreum:Authentication:Providers:Oidc
Entra config section Cirreum:Authentication:Providers:Entra
External config section Cirreum:Authentication:Providers:External (+ auth.AddExternalTenantResolver<T>() for the tenant resolver)
ApiKey auth.AddApiKey(...) (also reads its config section)
SignedRequest auth.AddSignedRequest<TClientResolver>(...)
SessionTicket auth.AddSessionTicket(bearerPrefix?)

See each scheme's package for its configuration shape and security model — e.g. Cirreum.Authentication.ApiKey, Cirreum.Authentication.Oidc, Cirreum.Authentication.SignedRequest, Cirreum.Authentication.SessionTicket.

How requests are dispatched

AddAuthentication makes a dynamic forward scheme the default. On each request a chain of selectors decides which concrete scheme handles it:

  • a conflict sentinel runs first and fails the request closed (401) when credentials for two different scheme categories are present;
  • an audience selector routes Bearer JWTs to the matching configured provider;
  • an anonymous fallback claims anything left over and returns no result, so [AllowAnonymous] endpoints work.

At startup a Bearer-prefix validator ensures opaque-Bearer schemes (ApiKey, SessionTicket, …) declare unique token prefixes, failing fast on a collision rather than mis-routing at runtime.

What this package contains

  • builder.AddAuthentication(configure?, authentication?) — the one entry point; composes the schemes, selectors, handlers, the dynamic forward scheme, and the claims transformer, then runs the boot-time validator. Returns a CirreumAuthenticationBuilder.
  • The framework-shipped selectors (conflict sentinel, audience, anonymous) and handlers (anonymous, ambiguous) and the CirreumAuthenticationBuilder the scheme packages extend (AddApiKey, AddSignedRequest<T>, AddSessionTicket, AddExternalTenantResolver<T>, AddApplicationUserResolver<T>).

Composition is driven by Cirreum.Runtime.AuthenticationProvider, which flows in transitively.

Dependencies

  • Cirreum.Runtime.AuthenticationProvider — the runtime composition driver
  • All six Cirreum.Authentication.* scheme packages (ApiKey, SignedRequest, SessionTicket, Oidc, Entra, External) — transitive
  • Microsoft.AspNetCore.App

Versioning

Follows Semantic Versioning.

License

MIT — see LICENSE.


Cirreum Foundation Framework
Layered simplicity for modern .NET

Product Compatible and additional computed target framework versions.
.NET net10.0 is compatible.  net10.0-android was computed.  net10.0-browser was computed.  net10.0-ios was computed.  net10.0-maccatalyst was computed.  net10.0-macos was computed.  net10.0-tvos was computed.  net10.0-windows was computed. 
Compatible target framework(s)
Included target framework(s) (in package)
Learn more about Target Frameworks and .NET Standard.

NuGet packages

This package is not used by any NuGet packages.

GitHub repositories

This package is not used by any popular GitHub repositories.

Version Downloads Last Updated
1.1.0 53 7/9/2026
1.0.1 99 7/5/2026
1.0.0 103 7/3/2026