Skip to main content
Version: 2026.04.0

Identity Validator

Release posture: Stable for token validation

Current run evidence: 367/367 tests passed on net8.0, net9.0, and net10.0. The validated boundary is token validation and principal normalization. Supplemental refresh-token helpers remain backward-compatibility surface, not the core validated module boundary.

Multi-issuer JWT/OIDC validation for APIs that already receive bearer tokens. This module runs fully in your application process. It does not depend on a Primus-hosted login runtime and does not send tokens to Primus.

Use This Module When

  • Your API already receives JWTs and only needs validation, claim normalization, and standard ASP.NET Core authentication integration.
  • You need to accept tokens from one or more issuers such as Azure AD, Auth0, Okta, Cognito, Google, GitHub, or a local JWT issuer.
  • You want validation to stay in-process with your own issuer configuration and keys.

Do Not Start Here If

  • You need browser login UI, cookie sessions, or BFF flows. Start with Identity Broker.
  • You need tenant resolution or authorization decisions. Add Multi-Tenancy and RBAC after authentication is working.

Start Here

GoalStart with
Get a minimal API working quicklyQuick Start
Choose the right provider and config shapeProvider Overview
Accept tokens from more than one issuerMulti-Issuer Setup
Combine auth with Multi-Tenancy and RBACCombined .NET Integration

Supported Providers

Verified Surface

  • Register the module with builder.Services.AddPrimusIdentity(...).
  • Validate JWT/OIDC tokens from configured issuers.
  • Normalize the authenticated principal into the standard ASP.NET Core pipeline.
  • Use provider-specific helpers such as UseAuth0, UseAzureAD, UseOkta, UseCognito, UseGoogle, and UseGitHub, or configure issuer entries directly.

For the provider-specific configuration reference, use Identity Validator Overview. That page is the canonical provider guide. This page is the module entry point.

Example Registration

builder.Services.AddPrimusIdentity(options =>
builder.Configuration.GetSection("PrimusIdentity").Bind(options));

Next Steps