DEV Community

Jon Davis

CoreIdent 0.4: A Ground-Up Rewrite for .NET 10+

Hey .NET community! I have a big update to share regarding CoreIdent: version 0.4 is a complete rewrite, built from scratch on .NET 10, including a rewrite of the objectives and goals.

If you've been following the 0.3.x releases (Phase 2, Phase 3, ID tokens, etc.), you might be wondering: why start over? Let me explain.

🔄 Why a Rewrite?

The 0.3.x codebase taught me a lot about what is actually needed from an identity/auth library. But it also revealed some fundamental limitations:

  1. Symmetric keys only — HS256 is fine for demos, but production needs RS256/ES256 with proper JWKS publishing
  2. Passwords first — The industry is moving passwordless; we should lead, not follow
  3. .NET 9 constraints — .NET 10 brings native passkey support, better metrics, and auth API improvements we want to leverage
  4. Test infrastructure debt — The test setup was getting unwieldy; we needed reusable fixtures from day one

Rather than bolt these onto 0.3.x, I decided to rebuild with the right foundations.

Legacy note: The 0.3.x codebase is preserved at the legacy-0.3.x-main tag if you need it.


The New Vision

CoreIdent's goal is to be a holistic authentication toolkit—not just an OAuth server, but a single solution covering:

| Scenario | Description |
|---|---|
| Embedded Auth | Drop-in authentication for ASP.NET Core apps |
| External Providers | Google, Microsoft, GitHub integration |
| Identity Server | Full OAuth 2.0 / OIDC capabilities |
| Client Libraries | Secure auth for MAUI, WPF, Blazor, Console apps |

The key shift: passwordless-first. Email magic links and passkeys are the primary auth methods; passwords are a fallback.


What's Working Today

CoreIdent 0.4 already has a solid OAuth/OIDC foundation:

Token Endpoint (/auth/token)

  • client_credentials grant
  • refresh_token grant (with rotation + theft detection)
  • authorization_code grant (PKCE required)
  • password grant (deprecated; logs a warning)

Authorization Flow

  • /auth/authorize endpoint with consent UI
  • /auth/consent for user grant management
  • Full PKCE enforcement

Standards Compliance

  • Token revocation (RFC 7009)
  • Token introspection (RFC 7662)
  • OIDC discovery (/.well-known/openid-configuration)
  • JWKS publishing (/.well-known/jwks.json) — public keys only
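
The "public keys only" property of JWKS publishing, as an added example that is not CoreIdent's own code: it builds a JWKS document from an RSA key using only the public parameters and fails if any private member would be published. The helper names `B64Url` and `ToPublicJwk`, the in-process generated key, and the use of an RFC 7638 thumbprint as `kid` are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;

// Hypothetical helper: unpadded base64url, as JWK members require.
static string B64Url(byte[] data) =>
    Convert.ToBase64String(data).TrimEnd('=').Replace('+', '-').Replace('/', '_');

// Hypothetical helper: turn an RSA signing key into a public-only JWK.
static Dictionary<string, string> ToPublicJwk(RSA key)
{
    // ExportParameters(false) returns Modulus and Exponent only;
    // D, P, Q, DP, DQ and InverseQ stay null.
    RSAParameters pub = key.ExportParameters(includePrivateParameters: false);
    string n = B64Url(pub.Modulus!);
    string e = B64Url(pub.Exponent!);

    // Assumption: kid is the RFC 7638 thumbprint, i.e. SHA-256 over the
    // required members in lexicographic order with no whitespace.
    string canonical = $"{{\"e\":\"{e}\",\"kty\":\"RSA\",\"n\":\"{n}\"}}";
    string kid = B64Url(SHA256.HashData(Encoding.UTF8.GetBytes(canonical)));

    return new Dictionary<string, string>
    {
        ["kty"] = "RSA", ["use"] = "sig", ["alg"] = "RS256",
        ["kid"] = kid, ["n"] = n, ["e"] = e,
    };
}

// Constructed sample key; a real deployment loads its signing key from protected storage.
using RSA rsa = RSA.Create(2048);
var jwks = new { keys = new[] { ToPublicJwk(rsa) } };

// Guard suitable for a unit test: no private RSA member may reach the endpoint.
string[] privateMembers = { "d", "p", "q", "dp", "dq", "qi" };
foreach (var jwk in jwks.keys)
    foreach (string member in privateMembers)
        if (jwk.ContainsKey(member))
            throw new InvalidOperationException($"Private member '{member}' found in JWKS");

Console.WriteLine(JsonSerializer.Serialize(jwks, new JsonSerializerOptions { WriteIndented = true }));
```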

Asymmetric Key Support

Production-ready signing with RS256 and ES256:

builder.Services.AddSigningKey(o => o.UseRsa("/path/to/private-key.pem"));
// or
builder.Services.AddSigningKey(o => o.UseEcdsa("/path/to/ec-key.pem"));

Pluggable Persistence

  • In-memory stores by default (great for dev/testing)
  • EF Core implementations for production

builder.Services.AddDbContext<CoreIdentDbContext>(options =>
    options.UseSqlite(connectionString));
builder.Services.AddEntityFrameworkCoreStores();

Test Infrastructure

Reusable fixtures and builders under tests/:

  • CoreIdentTestFixture for integration tests
  • Fluent builders for clients, users, scopes
  • Assertion extensions for JWT validation

🚀 Quick Start

Here's a minimal OAuth server in ~10 lines:

using CoreIdent.Core.Extensions;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddCoreIdent(o =>
{
    o.Issuer = "https://issuer.example";
    o.Audience = "https://resource.example";
});

builder.Services.AddSigningKey(o => o.UseRsa("/path/to/private-key.pem"));

var app = builder.Build();
app.MapCoreIdentEndpoints();
app.Run();

That gives you:

  • Token endpoint with multiple grants
  • OIDC discovery + JWKS
  • Authorization code flow with consent

What's Next

The roadmap is focused on making CoreIdent a true "one-stop shop":

  1. Passwordless Authentication

    • Email magic links
    • Passkeys (leveraging .NET 10's native support)
  2. External Providers

    • Google, Microsoft, GitHub
    • Clean provider abstraction for community additions
  3. Client Libraries

    • CoreIdent.Client — works in any .NET app
    • Platform-specific: MAUI (SecureStorage), WPF (DPAPI), Blazor WASM
  4. Developer Experience

    • Project templates
    • Better error messages
    • OpenTelemetry metrics integration

📚 Documentation

All planning and implementation docs are in the repo:


🤝 Get Involved

CoreIdent is MIT licensed and open for contributions. If you're interested:

  1. Check out the repo
  2. Read the DEVPLAN for current tasks
  3. Run the integration tests to get familiar with the codebase
  4. Open an issue or PR!

The goal is to build the identity system we all wish existed—open, modular, and developer-friendly.


Previous Articles

If you followed the 0.3.x journey:

Thanks for following along. Let's build something great!
