Local Authentication (Email & Password)
Use the broker’s local login endpoint (POST /api/auth/login) with your own credential validator.
Step 1: Install the package
dotnet add package PrimusSaaS.Identity.Broker
Step 2: Configure Program.cs and middleware
Register a credential validator and the broker.
using PrimusSaaS.Identity.Broker;
var builder = WebApplication.CreateBuilder(args);
// Register your credential validator — the broker calls this on POST /api/auth/login
builder.Services.AddScoped<IPrimusAuthCredentialValidator, PortalAuthCredentialValidator>();
// Register broker services and read configuration from appsettings.json
builder.Services.AddPrimusAuthBroker(builder.Configuration, builder.Environment.IsDevelopment());
builder.Services.AddControllers();
var app = builder.Build();
app.UseAuthentication(); // REQUIRED — reads the session cookie and populates User on every request
app.UseAuthorization(); // REQUIRED — enforces [Authorize] attributes on controllers and minimal API endpoints
// Sets the XSRF-TOKEN cookie on responses and validates X-Primus-CSRF on all mutating broker requests
app.UsePrimusCsrfProtection();
app.MapControllers();
// Registers all /api/auth/* endpoints: GET /providers, POST /login, POST /logout, GET /me, etc.
app.MapPrimusAuthBroker();
app.Run();
Example credential validator:
using PrimusSaaS.Identity.Broker;
public class PortalAuthCredentialValidator : IPrimusAuthCredentialValidator
{
public Task<PrimusAuthUser?> ValidateCredentialsAsync(string email, string password, CancellationToken ct = default)
{
// Validate user from your database and return a PrimusAuthUser on success.
return Task.FromResult<PrimusAuthUser?>(new PrimusAuthUser { Id = "1", Email = email, Role = "Admin" });
}
}
This is a placeholder implementation. In production, query your user database, verify the password hash, and return null on failure. The Id, Email, Role, and Roles fields on PrimusAuthUser populate the session cookie claims.
Step 3: Configure appsettings.json
The broker itself has no required configuration for local login — it reads from your registered IPrimusAuthCredentialValidator. The settings below are your application's own config (not consumed by the broker).
{
"ConnectionStrings": {
"DefaultConnection": "Server=localhost;Database=PrimusDB;Trusted_Connection=True;"
}
}
The broker does not read ConnectionStrings, DatabaseProvider, or any seed-user settings. Wire those up in your own IPrimusAuthCredentialValidator implementation using your DI container.
In production (isDevelopment: false), you must register your own IPrimusAuthUserStore. Without it, all logins fail. The broker logs a Critical-level error at startup if none is registered.
Step 4: Configure endpoint
Broker endpoints are mapped by app.MapPrimusAuthBroker().
POST /api/auth/loginPOST /api/auth/logoutGET /api/auth/me
Local login is protected by CSRF. Before the first login attempt, have your client call GET /api/auth/providers. The broker sets the XSRF-TOKEN cookie on the response. Pass that value as the X-Primus-CSRF header on every mutating request (POST /login, POST /logout). A missing or mismatched token returns HTTP 400.
Step 5: Test the endpoint
Before the first POST to /api/auth/login, your client needs to obtain the XSRF-TOKEN cookie. Call GET /api/auth/providers first — it is unauthenticated, returns the list of active providers, and seeds the CSRF cookie in the same round-trip. Pass the cookie value as the X-Primus-CSRF header on every POST to /api/auth/*.
Bruno, Postman, Insomnia, and HTTPie manage cookies and CSRF tokens automatically:
- Send
GET http://localhost:5000/api/auth/providers— seeds the CSRF cookie and returns the active provider list. - Send
POST http://localhost:5000/api/auth/loginwith body{"email": "you@example.com", "password": "yourPassword"}— the client forwards the saved cookie automatically.
No manual token extraction needed.
Using curl (Linux / macOS)
# Step 5a — seed the CSRF cookie (also returns the active provider list)
curl -c cookies.txt http://localhost:5000/api/auth/providers
# The response sets an XSRF-TOKEN cookie. Extract its value:
CSRF_TOKEN=$(grep XSRF-TOKEN cookies.txt | awk '{print $NF}')
# Step 5b — login (replace you@example.com and yourPassword with real credentials)
curl -b cookies.txt -c cookies.txt \
-X POST http://localhost:5000/api/auth/login \
-H "Content-Type: application/json" \
-H "X-Primus-CSRF: $CSRF_TOKEN" \
-d '{ "email": "you@example.com", "password": "yourPassword" }'
Then call GET /api/auth/me to confirm the session.
Next Steps
- Integration Guide — complete setup walkthrough including Angular and React frontend samples
- MFA Deep Dive — add TOTP, SMS OTP, or email OTP on top of local login
- Bot Protection & Rate Limiting — protect the local login endpoint against brute-force attacks
- Endpoint Reference — complete request and response shapes for every
/api/auth/*endpoint