.NET standard helper library for claims-based identity, OAuth 2.0 and OpenID Connect.
C# PowerShell Shell
Clone or download
Latest commit ff42ad6 Aug 14, 2018



A .NET standard helper library for claims-based identity, OAuth 2.0 and OpenID Connect.

The nuget package can be found here or use the https://www.myget.org/F/identity/ myget feed for CI builds.


Client library to retrieve OpenID Connect discovery documents and key sets.

var client = new HttpClient();

var disco = await client.GetDiscoveryDocumentAsync("https://demo.identityserver.io");
if (disco.IsError) throw new Exception(disco.Error);

var tokenEndpoint = disco.TokenEndpoint;
var keys = disco.KeySet.Keys;


Simple in-memory cache for discovery documents

var cache = new DiscoveryCache(Constants.Authority);

var disco = await cache.GetAsync();
if (disco.IsError) throw new Exception(disco.Error);


Client library for OAuth 2.0 and OpenID Connect token endpoints.


  • Support for client credentials & resource owner password credential flow
  • Support for exchanging authorization codes with tokens
  • Support for refreshing tokens
  • Support for extensions grants and assertions
  • Support for client secrets via Basic Authentication, POST body and X.509 client certificates
  • Extensible for custom parameters
  • Parsing of token response messages


var client = new HttpClient();

var response = await client.RequestClientCredentialsTokenAsync(new ClientCredentialsTokenRequest
    Address = disco.TokenEndpoint,

    ClientId = "client",
    ClientSecret = "secret",
    Scope = "api1"

if (response.IsError) throw new Exception(response.Error);
var token = response.AccessToken;


Client library for the OpenID Connect user info endpoint

var client = new HttpClient();

var response = await client.GetUserInfoAsync(new UserInfoRequest
    Address = disco.UserInfoEndpoint,
    Token = token

if (response.IsError) throw new Exception(response.Error);

foreach (var claim in response.Claims)
    Console.WriteLine("{0}\n {1}", claim.Type, claim.Value);


Client library for the OAuth 2 introspection endpoint

var client = new HttpClient();
var result = await client.IntrospectTokenAsync(new TokenIntrospectionRequest
    Address = disco.IntrospectionEndpoint,

    ClientId = "api1",
    ClientSecret = "secret",
    Token = accessToken

if (result.IsError)
    if (result.IsActive)
        result.Claims.ToList().ForEach(c => Console.WriteLine("{0}: {1}",
            c.Type, c.Value));
        Console.WriteLine("token is not active");


Helper class for creating request URLs (e.g. for authorize and end_session).

var request = new RequestUrl(doc.AuthorizationEndpoint);
var url = request.CreateAuthorizeUrl(
    clientId:         "client",
    responseType:     OidcConstants.ResponseTypes.CodeIdToken,
    responseMode:     OidcConstants.ResponseModes.FormPost,
    redirectUri:     "https://myapp.com/callback",
    state:           CryptoRandom.CreateUniqueId(),
    nonce:           CryptoRandom.CreateUniqueId());


Helper class for parsing OpenID Connect/OAuth 2 authorize responses

var response = new AuthorizeResponse(url);

var accessToken = response.AccessToken;
var idToken = response.IdentityToken;
var state = response.State;

Fluent API to access the X.509 Certificate store

e.g. do
var cert = X509.LocalMachine.My.SubjectDistinguishedName.Find("CN=sts").First();

Base64 URL encoder/decoder

Helper for working with URL safe base64 encodings

Epoch Time Extensions

Helper for converting DateTime and DateTimeOffset to/from Epoch Time

Time Constant Comparer

Helper for comparing strings without leaking timing information

JWT/OpenID Connect Claim Types

Constants for standard claim types used in JWT, OAuth 2.0 and OpenID Connect

OpenID Connect Constants

Constants for the OpenID Connect/OAuth 2 protocol