MesAuth.Authorizer

Enterprise-grade Authentication & Authorization middleware for MES Vietnam Fully supports .NET 8 · .NET 9 · .NET 10 · JWT · Key Rotation · Refresh Token · Permission-based · Multi-tenant

Table of Contents

• Features
• Installation
• Quick Start
• Authorization Examples
• Sample Permissions
• Requirements
• Contributing

⚠️ Breaking Changes

Version 10.4.0

• JWKS format changed: /.well-known/jwks.json now returns a JWKS Set { "keys": [...] } array instead of a single JsonWebKey object. DiscoveryConfig.JsonWebKey is replaced by DiscoveryConfig.SigningKeys (IList<SecurityKey>).
• Multi-key validation: IssuerSigningKeyResolver is used instead of a static IssuerSigningKey. All active + grace-period keys are accepted simultaneously.
• JWKS cache TTL reduced: Discovery cache drops from 24 hours → 5 minutes to detect key rotation quickly.
• Auto-retry on key rotation: OnAuthenticationFailed automatically calls DiscoveryService.RefreshAsync() and retries validation when a SecurityTokenSignatureKeyNotFoundException is raised — zero downtime during rotation.

Version 10.3.0

• SSL trust helper extracted: Multi-domain certificate trust now uses MesAuth.SslTrustHelper (AddTrustedDomains(params string[])) instead of inline config.

Version 10.2.2

• Removed gRPC dependencies: The package no longer requires gRPC communication. All authentication and authorization now works through HTTP APIs only.
• Simplified architecture: Reduced complexity by removing gRPC client/server components.

Features

• JWT Bearer authentication (RFC 7519 compliant)
• Refresh token with rotation & reuse detection
• Permission-based, Role-based, Policy-based, Claim-based & Tenant-based authorization
• Redis distributed revocation list & refresh token storage
• Multi-tenancy ready (TenantId claim)
• Built-in logging, metrics (Prometheus) and OpenTelemetry tracing
• Fully async & high performance
• HTTP-only communication (no gRPC dependencies)

Updates

• 10.4.0 BREAKING CHANGE: JWT key rotation support. JWKS endpoint now returns { "keys": [...] } array; DiscoveryConfig.SigningKeys replaces JsonWebKey; IssuerSigningKeyResolver handles multi-key validation; OnAuthenticationFailed auto-refreshes JWKS and retries on SecurityTokenSignatureKeyNotFoundException. JWKS cache reduced to 5 minutes.
• 10.3.0 BREAKING CHANGE: SSL certificate trust refactored into MesAuth.SslTrustHelper with multi-domain support via AddTrustedDomains(params string[]).
• 10.2.2 BREAKING CHANGE: Removed gRPC dependencies and communication. Enhanced HttpContext logging extensions (LogInfo/LogError) for centralized audit logging, improved middleware ordering documentation, and streamlined IUser interface
• 10.1.1 Added support for roles in JWT tokens - user roles are now included in tokens and accessible via IUser.Roles
• 10.1.0 Enhanced SSL certificate validation, improved refresh token coordination with automatic cleanup, added configurable gRPC timeout, optimized service registrations, reduced JWT clock skew for better security, and streamlined IUser record
• 10.0.31 Enhanced user profile with HR information support and avatar upload functionality
• 10.0.30 Performance improvements and code refactoring

Installation

# .NET 8+ dotnet add package MesAuth.Authorizer

Quick Start

Basic Setup

builder.Services.AddMesAuth(options => { options.AppId = "your-app-id"; options.AppKey = "your-app-key"; options.WellknowConfigUri = "https://your-auth-server/.well-known/openid-configuration"; options.AutoRegisterEndpoints = false; // Set to true to auto-register auth endpoints }); // In your middleware pipeline app.UseMesAuth();

Exception Handling

For routes that should bypass authentication (like error pages):

app.MapGet("/", () => Results.Ok(new { message = "This is exception page" })) .MesAuthException();

Authorization Examples

Permission-Based Access

// Check permissions in your endpoints app.MapGet("/api/data", async (HttpContext context) => { var user = context.GetUser(); if (user?.Perms?.Contains("read:data") != true) return Results.Forbid(); return Results.Ok("Authorized data"); });

User Information

// Get current user information var user = context.GetUser(); if (user != null) { var userId = user.UserId; var fullName = user.FullName; var permissions = user.Perms; }

Notification Service

// Inject the notification service private readonly ClientNotificationService _notificationService; public MyController(ClientNotificationService notificationService) { _notificationService = notificationService; } // Send notifications await _notificationService.SendNotificationAsync(userId, "Your message here");

Centralized Logging

// Use HttpContext extensions for centralized audit logging await context.LogInfo(ClientLogCategory.SystemEvent, "User uploaded file: {fileName}", fileName); await context.LogError(ClientLogCategory.Security, "Failed login attempt for user: {userName}", userName); // Available categories: // - ClientLogCategory.SystemEvent // - ClientLogCategory.Authorization // - ClientLogCategory.Authentication // - ClientLogCategory.Security

Requirements

• .NET 8.0 or higher
• ASP.NET Core
• Redis (for distributed token storage)
• Valid MesAuth service configuration

Contributing

Contributions are welcome! Please feel free to submit a Pull Request.