Overview
Multi-issuer JWT/OIDC token validation for .NET applications. Supports Azure AD, Auth0, Okta, Cognito, and local JWT with a unified API.
Decision guide
- Use Identity Validator if your API already receives JWTs and you only need to validate them.
- Use Identity Broker if you need login UI and secure cookie sessions for a browser app (BFF).
- Use both if you have a browser app plus downstream APIs.
Why Use Identity Validator?
Integrating authentication across multiple identity providers is complex. Identity Validator provides a unified API for validating tokens from any OIDC-compliant provider.
| Feature | Standard Approach | Identity Validator |
|---|---|---|
| Multi-Provider | Manual per-provider config | Unified API |
| Token Validation | DIY JWT parsing | Built-in validation |
| JWKS Discovery | Manual endpoint calls | Automatic |
| Claims Mapping | Inconsistent | Standardized |
Supported Providers
Azure AD / Entra ID
Enterprise-grade SSO with Microsoft identity platform.
Auth0
Flexible authentication for B2C and B2B applications.
Okta
Enterprise workforce identity management.
AWS Cognito
Scalable authentication for AWS-hosted apps.
Local JWT
HMAC-signed tokens for development and testing.
Google
Social login with Google accounts and Firebase Auth.
GitHub Actions
OIDC federation for CI/CD workload identity.
Multi-Issuer
Combine multiple providers in a single app.
Configuration Reference
These settings apply to every provider. Provider-specific fields are documented on each provider's page.
Top-level PrimusIdentity fields
| Key | Type | Required | Default | Description |
|---|---|---|---|---|
| RequireHttpsMetadata | bool | No | true | When false, the provider's OIDC discovery document and JWKS may be fetched over plain HTTP, which lets an on-path attacker hand the validator a substitute key set. Set to false in development only; keep it true in production. |
| ValidateLifetime | bool | No | true | When true, rejects tokens that are expired (past exp) or not yet valid (before nbf). Disable only for testing: with the lifetime check off, any token the issuer has ever signed stays valid. |
| ClockSkew | string | No | "00:05:00" | Maximum allowed clock drift between your server and the token issuer, applied to both exp and nbf, so a token is still accepted for this long after it expires. Format is HH:MM:SS. The default (5 minutes) is generous for NTP-synchronised hosts. Set to "00:00:00" for strict enforcement. |
| Issuers | array | Yes | — | List of trusted identity providers. At least one entry is required. See issuer fields below. |
Issuer fields — common to all providers
Every entry in the Issuers array shares these fields regardless of provider type.
| Key | Type | Required | Description |
|---|---|---|---|
| Name | string | Yes | A friendly label for this issuer. Appears in logs and error messages only; it is not validated against any token claim. |
| Type | string | Yes | Identifies which provider to use. Accepted values: Jwt (Local), AzureAd, Auth0, Okta, Cognito, Google, GitHub. |
| Issuer | string | Yes | The expected iss claim value in incoming tokens. Compared as an exact string against what the provider puts in the token, with no URL normalisation: a difference as small as a trailing slash causes IssuerNotConfigured errors. |
| Audiences | string[] | Yes | The expected aud claim value(s). A token is accepted if its aud matches at least one entry. Typically the URL or URI of your API. List only identifiers that name this API; a token minted for a different application should not be accepted here. |
Fields used only by a specific provider (e.g., Secret for Local JWT, Authority for OIDC providers) are documented on each provider's own page.
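To make the effect of these fields concrete, the following is an added reference model, written in Python rather than C# so it runs stand-alone without the library. It is not PrimusIdentity's code and does not show its API; it re-implements the rules in the two tables above (exact-match Issuer, any-of Audiences, exp and nbf widened by ClockSkew, and the RequireHttpsMetadata gate) for a single HMAC-signed Local JWT issuer. The issuer name, audiences, secret, clock value and tokens are constructed for the example; the HMAC key is passed separately because the config field that carries it is documented on the Local JWT page, not here.

```python
"""Reference model of the validation rules from the tables above. Added example,
not PrimusIdentity's own code: it re-implements the checks for one Local JWT
(HMAC-signed) issuer with the standard library only, so each setting can be tried offline."""
import base64
import hashlib
import hmac
import json
import time


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _timespan_seconds(value: str) -> int:
    """ClockSkew uses the HH:MM:SS form from the table."""
    h, m, s = (int(part) for part in value.split(":"))
    return h * 3600 + m * 60 + s


def mint_hs256(claims: dict, secret: bytes) -> str:
    """Constructed HS256 token of the shape a Local JWT issuer emits."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def metadata_url_allowed(authority: str, require_https_metadata: bool = True) -> bool:
    """RequireHttpsMetadata gate: discovery/JWKS over plain HTTP invites key substitution."""
    return authority.lower().startswith("https://") or not require_https_metadata


def validate(token: str, config: dict, secrets: dict, now=None):
    """Apply the top-level and issuer fields to one token; returns (accepted, reason).
    config mirrors the PrimusIdentity section; secrets maps issuer Name to its HMAC key
    (the field that carries that key is documented on the Local JWT page, not here)."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # bad base64, bad JSON or wrong segment count
        return False, "Malformed token"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return False, "Malformed token"

    # Issuer: exact string comparison, no URL normalisation, so a trailing slash
    # makes it a different, unconfigured issuer.
    issuer = next((i for i in config["Issuers"] if i["Issuer"] == claims.get("iss")), None)
    if issuer is None:
        return False, "IssuerNotConfigured"

    # Verify the signature before trusting any other claim, and pin the algorithm
    # rather than honouring whatever the header asks for.
    if header.get("alg") != "HS256":
        return False, "Unexpected alg"
    expected = hmac.new(secrets[issuer["Name"]], f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "Invalid signature"

    # Audiences: aud may be a string or a list; any configured value matches.
    aud = claims.get("aud")
    if not any(a in issuer["Audiences"] for a in (aud if isinstance(aud, list) else [aud])):
        return False, "Audience mismatch"

    # ValidateLifetime / ClockSkew: exp and nbf are each widened by the skew, so the
    # default still accepts a token for five minutes after its exp.
    if config.get("ValidateLifetime", True):
        skew = _timespan_seconds(config.get("ClockSkew", "00:05:00"))
        if "exp" in claims and now > int(claims["exp"]) + skew:
            return False, "Token expired"
        if "nbf" in claims and now < int(claims["nbf"]) - skew:
            return False, "Token not yet valid"
    return True, f"Accepted by issuer {issuer['Name']}"


def demo() -> dict:
    """Constructed config and tokens, one per rule; returns each token's reason."""
    secret = b"constructed-dev-secret-do-not-reuse"
    config = {"ValidateLifetime": True, "ClockSkew": "00:05:00", "Issuers": [
        {"Name": "local-dev", "Type": "Jwt", "Issuer": "https://localhost:5001",
         "Audiences": ["api://orders"]}]}
    now = 1_700_000_000  # fixed clock so the results are reproducible
    base = {"iss": "https://localhost:5001", "aud": "api://orders", "exp": now + 600, "nbf": now - 10}
    tokens = {
        "good": mint_hs256(base, secret),
        "trailing_slash": mint_hs256({**base, "iss": "https://localhost:5001/"}, secret),
        "wrong_aud": mint_hs256({**base, "aud": ["api://billing"]}, secret),
        "expired_inside_skew": mint_hs256({**base, "exp": now - 120}, secret),
        "expired": mint_hs256({**base, "exp": now - 600}, secret),
        "forged": mint_hs256(base, b"attacker-key"),
    }
    return {name: validate(tok, config, {"local-dev": secret}, now=now)[1] for name, tok in tokens.items()}
```

Call demo() to see the six outcomes. The case worth noticing is expired_inside_skew: a token two minutes past its exp is still accepted under the default ClockSkew, which is exactly the window "00:00:00" closes. The trailing_slash case shows why Issuer must be copied from a real token rather than typed from memory.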
Result Object
The AddPrimusIdentity() method configures the authentication pipeline. When validation succeeds, the following property is available on HttpContext.User:
| Property | Type | Description |
|---|---|---|
| User.Identity.IsAuthenticated | bool | true only when the request carried a token that passed every check above; false when no token was presented or validation failed |
Next Steps
| Want to... | See Guide |
|---|---|
| Try it live | Interactive Playground |
| Use Local JWT (dev) | Local JWT |
| Configure Azure AD | Azure AD |
| Configure Auth0 | Auth0 |
| Configure Okta | Okta |
| Configure Cognito | AWS Cognito |
| Configure Google | |
| Configure GitHub | GitHub Actions |