Authentication module for Magic

Magic Auth

Magic Auth is an authentication module for Magic. It gives your Magic installation authentication features, allowing you to log in and authenticate users, in addition to creating and editing existing users.

Getting started

  1. Download Magic Core if you haven't done so already
  2. Download Magic Auth
  3. Unzip Magic Auth into your Magic folder's "modules" folder, and make sure the folder is named only "magic.auth"
  4. Add all Magic Auth projects into your solution (see below)
  5. Add a reference to magic.auth.web.controller and to your backend, which is normally called "magic.backend" (see below)

If you're using the dotnet CLI, you can run the following commands in a terminal window from the root of your Magic installation to add all Magic Auth projects into your main Magic solution.

dotnet sln add modules/magic.auth/magic.auth.contracts/magic.auth.contracts.csproj
dotnet sln add modules/magic.auth/magic.auth.model/magic.auth.model.csproj
dotnet sln add modules/magic.auth/
dotnet sln add modules/magic.auth/magic.auth.web.controller/magic.auth.web.controller.csproj
dotnet sln add modules/magic.auth/magic.auth.web.model/magic.auth.web.model.csproj
dotnet sln add modules/magic.auth/magic.auth.tests/magic.auth.tests.csproj

To add a reference to your controller and service using the dotnet CLI, you can issue the following terminal commands from the root of your Magic folder, assuming your main backend is called "magic.backend".

dotnet add magic.backend reference modules/magic.auth/magic.auth.web.controller/magic.auth.web.controller.csproj
dotnet add magic.backend reference modules/magic.auth/

Auth settings

For the auth module to function, you'll need to configure the secret that is used to sign JSON Web Tokens. To do so, add something resembling the code below to your appsettings.json file. Please replace the secret shown with one of your own before putting this into production.

"auth": {

Start debugging your backend to launch Swagger, and make sure the "Users" HTTP REST endpoints are there to verify you did everything correctly.

Signals published

When a user is deleted, this module will publish the user.deleted signal, with an id parameter being the user's ID.

Security concerns

Magic Auth will automatically create one user and two roles for you if no user exists and these two roles do not already exist in your database. The username/password combination of the default user is "admin"/"admin", and it is your responsibility to change this user's password to secure your web API. You should also modify the default secret, and make sure you keep it somewhere safe. If you use the default secret from this README file, and/or give your secret to anybody else, then everyone who has access to your secret can impersonate your admin users, and will have full access to do everything any admin account can do within your system. A signature secret should be stored securely, and treated as if it were the PIN code to your bank account.

After applying Magic Auth to your Magic installation, you probably also want to start securing your (other) HTTP REST endpoints by applying the [Authorize] attribute to these. You probably also want to modify some of the settings in Magic Auth, such as the JWT properties found in AuthenticateService.Authenticate, for example the Expires property, and/or make sure the signature for your JWT tokens is created using an asymmetric security key. Magic Auth is a framework for applying security yourself; it does not automagically apply security to your web APIs.
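The two changes suggested above, a short Expires value and an asymmetric signing key, can look like the following. This is an added example, not code from Magic Auth: the class and method names are hypothetical, the 15-minute lifetime and 30-second clock skew are assumed values, and it relies on the System.IdentityModel.Tokens.Jwt NuGet package.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography;
using Microsoft.IdentityModel.Tokens;

public static class AsymmetricJwtExample // hypothetical name, not part of Magic Auth
{
    // Issuer side: the only place that ever holds the RSA private key.
    public static string CreateToken(RSA privateKey, string username, string role)
    {
        var descriptor = new SecurityTokenDescriptor
        {
            Subject = new ClaimsIdentity(new[] {
                new Claim(ClaimTypes.Name, username), new Claim(ClaimTypes.Role, role) }),
            Expires = DateTime.UtcNow.AddMinutes(15), // assumed lifetime, keep it short
            SigningCredentials = new SigningCredentials(
                new RsaSecurityKey(privateKey), SecurityAlgorithms.RsaSha256),
        };
        var handler = new JwtSecurityTokenHandler();
        return handler.WriteToken(handler.CreateToken(descriptor));
    }

    // Verifier side: needs only the public key, so a leak here cannot mint tokens.
    public static ClaimsPrincipal Validate(RSAParameters publicKey, string token)
    {
        var rsa = RSA.Create();
        rsa.ImportParameters(publicKey);
        var parameters = new TokenValidationParameters
        {
            IssuerSigningKey = new RsaSecurityKey(rsa),
            ValidateIssuerSigningKey = true,
            ValidAlgorithms = new[] { SecurityAlgorithms.RsaSha256 }, // reject other algs
            ValidateLifetime = true,                // enforce the Expires value
            ClockSkew = TimeSpan.FromSeconds(30),   // assumed tolerance
            ValidateIssuer = false, ValidateAudience = false, // not set in this example
        };
        // Throws a SecurityTokenException subclass on a bad signature or expired token.
        return new JwtSecurityTokenHandler().ValidateToken(token, parameters, out _);
    }

    public static void Main()
    {
        using var rsa = RSA.Create(2048); // constructed demo key; load yours from a key store
        var token = CreateToken(rsa, "admin", "admin");
        var principal = Validate(rsa.ExportParameters(false), token);
        Console.WriteLine(principal.Identity.Name);
    }
}
```

With this split, only the component that issues tokens needs access to the private key; every service that merely checks tokens can be configured with the public half.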


Magic Auth is licensed as Affero GPL, which implies that you can only use it to create Open Source software. However, a proprietary enabling license can be obtained for €50 by following this PayPal link and paying me €50, at which point you are free to create one closed source web app. If you want to create multiple closed source web APIs using Magic, you'll have to purchase one license for each web API project you want to create.

Notice, without a closed source license, your code automatically becomes Open Source, and you'll have to provide a link to your own source code from any website(s) and/or application(s) from where you are consuming your Magic web API. With a closed source license, you can create closed source code, and you don't have to provide a link to either me or your own source code.

Send more Champagne

Quote by Karl Marx
