Duende.AspNetCore.Authentication.JwtBearer
1.0.1
Prefix Reserved
dotnet add package Duende.AspNetCore.Authentication.JwtBearer --version 1.0.1
NuGet\Install-Package Duende.AspNetCore.Authentication.JwtBearer -Version 1.0.1
<PackageReference Include="Duende.AspNetCore.Authentication.JwtBearer" Version="1.0.1" />
<PackageVersion Include="Duende.AspNetCore.Authentication.JwtBearer" Version="1.0.1" />
<PackageReference Include="Duende.AspNetCore.Authentication.JwtBearer" />
paket add Duende.AspNetCore.Authentication.JwtBearer --version 1.0.1
#r "nuget: Duende.AspNetCore.Authentication.JwtBearer, 1.0.1"
#:package Duende.AspNetCore.Authentication.JwtBearer@1.0.1
#addin nuget:?package=Duende.AspNetCore.Authentication.JwtBearer&version=1.0.1
#tool nuget:?package=Duende.AspNetCore.Authentication.JwtBearer&version=1.0.1
Duende JwtBearer Extensions
Overview
Duende.AspNetCore.Authentication.JwtBearer (JwtBearer Extensions) is an easy-to-use add-on that extends the ASP.NET Core JwtBearer authentication handler with advanced protocol features, most notably support for DPoP. Getting started requires nothing more than a single NuGet package and minimal configuration. The package also supports advanced protocol features such as replay detection and server-issued nonces, allows configuring signing algorithms, clock skew, and similar settings, and is extensible.
What is DPoP
DPoP is an OAuth security protocol that protects against one of the most common threats in the ecosystem: abuse of stolen tokens. Stolen access tokens can be abused easily because they are typically bearer tokens, meaning that any bearer, or holder, of the token can use it. DPoP prevents this abuse by sender-constraining tokens so that only the party that was issued a token can use it. This is accomplished by binding tokens to a public-private key pair in the possession of the client.
The client proves possession of the private key by signing a specialized JSON Web Token (JWT) called a DPoP Proof Token with the private key. Whenever the client wants to use its token, it must produce a new proof, because proofs are short-lived and specific to a particular endpoint. This makes a stolen access token unusable by an attacker who does not possess the private key.
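The checks a resource server runs on a proof, as an added example that is not part of this package or its README and is not how Duende implements them. It uses the claim names from RFC 9449 (`htm`, `htu`, `iat`, `jti`, and the token's `cnf.jkt`) and the RFC 7638 key thumbprint; the helper names, the in-memory replay cache, the 60-second window and the `https://api.example/orders` URL are assumptions made for the example, and only ES256 is accepted.

```csharp
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;

// Constructed sample: the legitimate client's key, and a second key for a party that holds only the access token.
using var clientKey = ECDsa.Create(ECCurve.NamedCurves.nistP256);
using var otherKey = ECDsa.Create(ECCurve.NamedCurves.nistP256);
const string Url = "https://api.example/orders";        // placeholder endpoint
var cq = clientKey.ExportParameters(false).Q;
string boundJkt = Thumbprint(B64(cq.X!), B64(cq.Y!));   // value the access token's cnf.jkt claim would carry
var seenJti = new HashSet<string>();                    // replay cache, in memory for the example
string first = MakeProof(clientKey, "GET", Url);
Console.WriteLine(Check(first, "GET", Url) ?? "accepted");                              // fresh proof, right key
Console.WriteLine(Check(first, "GET", Url) ?? "accepted");                              // same proof sent again
Console.WriteLine(Check(MakeProof(clientKey, "POST", Url), "GET", Url) ?? "accepted");  // proof made for another method
Console.WriteLine(Check(MakeProof(otherKey, "GET", Url), "GET", Url) ?? "accepted");    // valid proof, wrong key

// Client side: a proof is a JWT carrying the public key in its header, signed with the private key.
string MakeProof(ECDsa key, string htm, string htu)
{
    var q = key.ExportParameters(false).Q;
    var jwk = new { kty = "EC", crv = "P-256", x = B64(q.X!), y = B64(q.Y!) };
    string h = B64(JsonSerializer.SerializeToUtf8Bytes(new { typ = "dpop+jwt", alg = "ES256", jwk }));
    string p = B64(JsonSerializer.SerializeToUtf8Bytes(new { jti = Guid.NewGuid().ToString(), htm, htu, iat = DateTimeOffset.UtcNow.ToUnixTimeSeconds() }));
    return $"{h}.{p}." + B64(key.SignData(Encoding.ASCII.GetBytes($"{h}.{p}"), HashAlgorithmName.SHA256));
}

// Resource server side: returns null when the proof is acceptable, otherwise the reason for rejection.
string? Check(string proof, string method, string url)
{
    var parts = proof.Split('.');
    if (parts.Length != 3) return "malformed";
    var h = JsonDocument.Parse(UnB64(parts[0])).RootElement;
    var p = JsonDocument.Parse(UnB64(parts[1])).RootElement;
    if (h.GetProperty("typ").GetString() != "dpop+jwt" || h.GetProperty("alg").GetString() != "ES256") return "bad header";
    var k = h.GetProperty("jwk");
    string x = k.GetProperty("x").GetString()!, y = k.GetProperty("y").GetString()!;
    using var pub = ECDsa.Create(new ECParameters { Curve = ECCurve.NamedCurves.nistP256, Q = new ECPoint { X = UnB64(x), Y = UnB64(y) } });
    if (!pub.VerifyData(Encoding.ASCII.GetBytes($"{parts[0]}.{parts[1]}"), UnB64(parts[2]), HashAlgorithmName.SHA256)) return "bad signature";
    if (Thumbprint(x, y) != boundJkt) return "proof key does not match the token's cnf.jkt";
    if (p.GetProperty("htm").GetString() != method || p.GetProperty("htu").GetString() != url) return "proof is for another endpoint";
    if (Math.Abs(DateTimeOffset.UtcNow.ToUnixTimeSeconds() - p.GetProperty("iat").GetInt64()) > 60) return "stale proof";
    return seenJti.Add(p.GetProperty("jti").GetString()!) ? null : "replayed proof";
}

// RFC 7638 thumbprint: SHA-256 over the required JWK members in lexicographic order, no whitespace.
static string Thumbprint(string x, string y) => B64(SHA256.HashData(Encoding.UTF8.GetBytes($"{{\"crv\":\"P-256\",\"kty\":\"EC\",\"x\":\"{x}\",\"y\":\"{y}\"}}")));
static string B64(byte[] b) => Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');
static byte[] UnB64(string s) => Convert.FromBase64String(s.Replace('-', '+').Replace('_', '/').PadRight((s.Length + 3) / 4 * 4, '='));
```

The signature check alone would pass for the second key, because the proof is self-consistent; it is the thumbprint comparison against the token's bound key that rejects it.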
Getting Started
To get started, install this package and then add some minimal configuration:
```csharp
// Keep your existing code that configures the JwtBearer handler unchanged:
var schemeName = "token";
builder.Services.AddAuthentication(schemeName)
    .AddJwtBearer("token", options => { /* Your existing configuration here */ });

// Add DPoP support with our extensions:
builder.Services.ConfigureDPoPTokensForScheme(schemeName, options =>
{
    options.EnableReplayDetection = false; // Disable replay detection to show a minimal setup
    options.AllowBearerTokens = true;      // Allow both Bearer and DPoP tokens, to facilitate migration to DPoP
});
```

Both settings in this minimal setup relax protection: with replay detection disabled, a captured proof can be presented again while it is still valid, and with AllowBearerTokens enabled, the API continues to accept plain bearer tokens.
Documentation
See our documentation for more information.
Licensing
The Duende JwtBearer Extensions are source-available, but require a paid license for production use.
- Development and Testing: You are free to use and explore the code for development, testing, or personal projects without a license.
- Production: A license is required for production environments.
- Free Community Edition: A free Community Edition license is available for qualifying companies and non-profit organizations. Learn more here.
Reporting Issues and Getting Support
- For bug reports or feature requests, use our developer community forum.
- For security-related concerns, please contact us privately at: security@duendesoftware.com.
| Product | Versions Compatible and additional computed target framework versions. |
|---|---|
| .NET | net8.0 is compatible. net8.0-android was computed. net8.0-browser was computed. net8.0-ios was computed. net8.0-maccatalyst was computed. net8.0-macos was computed. net8.0-tvos was computed. net8.0-windows was computed. net9.0 is compatible. net9.0-android was computed. net9.0-browser was computed. net9.0-ios was computed. net9.0-maccatalyst was computed. net9.0-macos was computed. net9.0-tvos was computed. net9.0-windows was computed. net10.0 is compatible. net10.0-android was computed. net10.0-browser was computed. net10.0-ios was computed. net10.0-maccatalyst was computed. net10.0-macos was computed. net10.0-tvos was computed. net10.0-windows was computed. |
- net10.0
  - Duende.IdentityModel (>= 8.0.0)
  - Microsoft.AspNetCore.Authentication.JwtBearer (>= 10.0.0)
  - Microsoft.Extensions.Caching.Hybrid (>= 10.0.0)
- net8.0
  - Duende.IdentityModel (>= 8.0.0)
  - Microsoft.AspNetCore.Authentication.JwtBearer (>= 8.0.1)
  - Microsoft.Extensions.Caching.Hybrid (>= 10.0.0)
- net9.0
  - Duende.IdentityModel (>= 8.0.0)
  - Microsoft.AspNetCore.Authentication.JwtBearer (>= 9.0.3)
  - Microsoft.Extensions.Caching.Hybrid (>= 10.0.0)
NuGet packages
This package is not used by any NuGet packages.
GitHub repositories (1)
Showing the top 1 popular GitHub repositories that depend on Duende.AspNetCore.Authentication.JwtBearer:
| Repository | Stars |
|---|---|
| DuendeArchive/BFF: Framework for ASP.NET Core to secure SPAs using the Backend-for-Frontend (BFF) pattern | |
| Version | Downloads | Last Updated |
|---|---|---|
| 1.0.1 | 109 | 2/2/2026 |
| 1.0.0 | 82 | 2/2/2026 |
| 1.0.0-rc.1 | 47 | 1/28/2026 |
| 0.3.0 | 2,941 | 12/2/2025 |
| 0.3.0-rc.1 | 330 | 11/12/2025 |
| 0.3.0-preview.1 | 114 | 10/17/2025 |
| 0.2.0 | 4,246 | 8/1/2025 |
| 0.1.3 | 36,753 | 10/24/2024 |
| 0.1.2 | 131 | 10/24/2024 |
| 0.1.1 | 137 | 10/24/2024 |