Minimal ASP.NET Core 10 Minimal-APIs app demonstrating server-side OIDC login using Microsoft.AspNetCore.Authentication.OpenIdConnect. The server holds the client secret and manages the session via an encrypted auth cookie.
- .NET 10 SDK installed (
dotnet --version→ 10.x) dotnet dev-certs https --trust— run once per machine to trust the local dev HTTPS cert- A SecureAuth application configured as a confidential server app (client type
server_web, with a client secret)
- Copy
.env.exampleto.envand fill in your SecureAuth values (includingCLIENT_SECRET) dotnet restoredotnet run --project src- Open https://localhost:4260
- OIDC discovery via
AddOpenIdConnect(options => { options.Authority = ... }) - Authorization Code + PKCE flow (middleware handles code exchange, state validation, PKCE verifier)
- Session carried by an encrypted auth cookie (protected by ASP.NET Core data protection). With
SaveTokens = truethe ID token is serialized into that cookie — no opaque tokens appear in the browser UI, but the cookie itself is a client-stored artifact. - RP-initiated logout via
Results.SignOut(...)on Cookie + OIDC schemes
dotnet test
Covers the four non-library code paths: / unauthenticated, / authenticated (via fake auth scheme), /login challenge, /logout sign-out.
- Replace the dev cert with a real TLS certificate (via a reverse proxy or configured Kestrel endpoint).
- ASP.NET Core's data-protection keys default to in-memory in dev. In production, configure a persistent key ring (filesystem / blob / Redis) so auth cookies survive restarts and work across instances.
- Consider scoping auth middleware to protected routes only via
[Authorize]attributes orRequireAuthorization().