Local Authentication (Email & Password)
Use the broker’s local login endpoint (POST /api/auth/login) with your own credential validator.
Step 1: Install the package
dotnet add package PrimusSaaS.Identity.Broker
Step 2: Configure Program.cs and middleware
Register a credential validator and the broker.
using PrimusSaaS.Identity.Broker;
var builder = WebApplication.CreateBuilder(args);
// Register your credential validator — the broker calls this on POST /api/auth/login
builder.Services.AddScoped<IPrimusAuthCredentialValidator, PortalAuthCredentialValidator>();
// Register broker services and read configuration from appsettings.json
builder.Services.AddPrimusAuthBroker(builder.Configuration, builder.Environment.IsDevelopment());
builder.Services.AddControllers();
var app = builder.Build();
app.UseAuthentication(); // REQUIRED — reads the session cookie and populates User on every request
app.UseAuthorization(); // REQUIRED — enforces [Authorize] attributes on controllers and minimal API endpoints
// Sets the XSRF-TOKEN cookie on responses and validates X-Primus-CSRF on all mutating broker requests
app.UsePrimusCsrfProtection();
app.MapControllers();
// Registers all /api/auth/* endpoints: GET /providers, POST /login, POST /logout, GET /me, etc.
app.MapPrimusAuthBroker();
app.Run();
Example credential validator:
using PrimusSaaS.Identity.Broker;
public class PortalAuthCredentialValidator : IPrimusAuthCredentialValidator
{
public Task<PrimusAuthUser?> ValidateCredentialsAsync(string email, string password, CancellationToken ct = default)
{
// Validate user from your database and return a PrimusAuthUser on success.
return Task.FromResult<PrimusAuthUser?>(new PrimusAuthUser { Id = "1", Email = email, Role = "Admin" });
}
}
This is a placeholder implementation. In production, query your user database, verify the password hash, and return null on failure. The Id, Email, Role, and Roles fields on PrimusAuthUser populate the session cookie claims.
Step 3: Configure appsettings.json
The broker itself has no required configuration for local login — it reads from your registered IPrimusAuthCredentialValidator. The settings below are your application's own config (not consumed by the broker).
{
"ConnectionStrings": {
"DefaultConnection": "Server=localhost;Database=PrimusDB;Trusted_Connection=True;"
}
}
The broker does not read ConnectionStrings, DatabaseProvider, or any seed-user settings. Wire those up in your own IPrimusAuthCredentialValidator implementation using your DI container.
In production (isDevelopment: false), you must register your own IPrimusAuthUserStore. Without it, all logins fail. The broker logs a Critical-level error at startup if none is registered.
Step 4: Configure endpoint
Broker endpoints are mapped by app.MapPrimusAuthBroker().
POST /api/auth/loginPOST /api/auth/logoutGET /api/auth/me
Local login is protected by CSRF. Before the first login attempt, have your client call GET /api/auth/providers. The broker sets the XSRF-TOKEN cookie on the response. Pass that value as the X-Primus-CSRF header on every mutating request (POST /login, POST /logout). A missing or mismatched token returns HTTP 400.