.NET SDK
.NET SDK for authenticating services and protecting APIs.
Install
```bash
dotnet add package Guardhouse.SDK
```
Package: Guardhouse.SDK
Repository: github.com/legiosoft/guardhouse-sdk-dotnet
Supported: .NET 6+
Request Access Tokens (Client)
Use AddGuardhouseClient when your service calls protected APIs.
```csharp
using Guardhouse.SDK.Extensions;
using Guardhouse.SDK.Services;

var builder = WebApplication.CreateBuilder(args);

// Register the Guardhouse client with this service's credentials.
builder.Services.AddGuardhouseClient(options =>
{
    options.Authority = "https://your-tenant.guardhouse.cloud";
    options.ClientId = "your-client-id";
    options.ClientSecret = "your-client-secret";
    options.Scope = "api";
});

var app = builder.Build();

// Demo endpoint: obtains an access token and returns it in the response body.
app.MapGet("/token", async (IGuardhouseTokenService tokenService) =>
{
    var accessToken = await tokenService.GetAccessTokenAsync();
    return Results.Ok(new { access_token = accessToken });
});

app.Run();
```
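The /token endpoint above returns the access token to its caller; a service that calls protected APIs usually attaches the token to its outbound requests instead, so the token never leaves the process. The following is an added example, not code from the Guardhouse SDK or its documentation, that does this with a DelegatingHandler; the downstream host, the Guardhouse:ClientSecret configuration key, the handler class name, and GetAccessTokenAsync() returning a string are assumptions.

```csharp
using System.Net.Http.Headers;
using Guardhouse.SDK.Extensions;
using Guardhouse.SDK.Services;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddGuardhouseClient(options =>
{
    options.Authority = "https://your-tenant.guardhouse.cloud";
    options.ClientId = "your-client-id";
    // Assumed configuration key: read the secret from configuration, not source code.
    options.ClientSecret = builder.Configuration["Guardhouse:ClientSecret"]
        ?? throw new InvalidOperationException("Guardhouse:ClientSecret is not configured");
    options.Scope = "api";
});

// Named HttpClient for a hypothetical downstream API; the handler adds the token.
builder.Services.AddTransient<GuardhouseBearerHandler>();
builder.Services.AddHttpClient("reports", client =>
        client.BaseAddress = new Uri("https://reports.example.internal"))
    .AddHttpMessageHandler<GuardhouseBearerHandler>();

var app = builder.Build();

// Calls the protected API and relays only the status code, never the token.
app.MapGet("/reports", async (IHttpClientFactory factory) =>
{
    using var response = await factory.CreateClient("reports").GetAsync("/api/reports");
    return Results.StatusCode((int)response.StatusCode);
});

app.Run();

// Attaches this service's access token to every outbound request of the named client.
sealed class GuardhouseBearerHandler : DelegatingHandler
{
    private readonly IGuardhouseTokenService _tokens;

    public GuardhouseBearerHandler(IGuardhouseTokenService tokens) => _tokens = tokens;

    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        // Assumption: GetAccessTokenAsync() returns the raw token as a string.
        string token = await _tokens.GetAccessTokenAsync();
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
        return await base.SendAsync(request, cancellationToken);
    }
}
```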
Refresh Tokens
```csharp
builder.Services.AddGuardhouseClient(options =>
{
    options.Authority = "https://your-tenant.guardhouse.cloud";
    options.ClientId = "your-client-id";
    options.ClientSecret = "your-client-secret";
    options.Scope = "api offline_access";
    options.EnableTokenRefresh = true;
});
```
Protect an API (Resource Server)
Use AddGuardhouseResource to validate tokens on incoming requests.
```csharp
using Guardhouse.SDK.Extensions;
using Guardhouse.SDK.Models;
using Microsoft.AspNetCore.Authorization;

var builder = WebApplication.CreateBuilder(args);

// Register token validation for incoming requests.
builder.Services.AddGuardhouseResource(options =>
{
    options.Authority = "https://your-tenant.guardhouse.cloud";
    options.Audience = "my_resource_api";
    options.ValidationMode = TokenValidationMode.JwtSignature;
});
builder.Services.AddAuthorization();

var app = builder.Build();

// Authentication must run before authorization in the pipeline.
app.UseAuthentication();
app.UseAuthorization();

app.MapGet("/api/protected",
    [Authorize(AuthenticationSchemes = "Guardhouse")] () => Results.Ok("Protected data"));

app.Run();
```
Token Validation Modes
JWT Signature (Default)
Validates tokens using the JWKS endpoint. Best performance.
```csharp
options.ValidationMode = TokenValidationMode.JwtSignature;
```
Introspection
Validates tokens via the introspection endpoint. Enables near real-time revocation checking.
```csharp
builder.Services.AddGuardhouseResource(options =>
{
    options.Authority = "https://your-tenant.guardhouse.cloud";
    options.Audience = "my_resource_api";
    options.ValidationMode = TokenValidationMode.Introspection;
    options.IntrospectionClientId = "your-introspection-client-id";
    options.IntrospectionClientSecret = "your-introspection-client-secret";
});
```
If your server doesn't accept Basic auth:
```csharp
options.IntrospectionCredentialTransmission = IntrospectionCredentialTransmission.FormData;
```
Authorization Policies
```csharp
builder.Services.AddAuthorization(options =>
{
    options.AddPolicy("ReadAccess", policy =>
        policy.RequireClaim("scope", "read"));
    options.AddPolicy("AdminOnly", policy =>
        policy.RequireRole("admin"));
});

app.MapGet("/api/reports",
    [Authorize(AuthenticationSchemes = "Guardhouse", Policy = "ReadAccess")]
    () => Results.Ok());

app.MapDelete("/api/reports/{id}",
    [Authorize(AuthenticationSchemes = "Guardhouse", Policy = "AdminOnly")]
    (int id) => Results.Ok());
```
Configuration
Client Options
| Option | Required | Description |
|---|---|---|
| Authority | Yes | OIDC issuer URL |
| ClientId | Yes | OAuth client ID |
| ClientSecret | Yes | OAuth client secret |
| Scope | Yes | Requested scopes |
Resource Options
| Option | Required | Description |
|---|---|---|
| Authority | Yes | OIDC issuer URL |
| Audience | Yes | API audience |
| ValidationMode | No | JwtSignature (default) or Introspection |
Troubleshooting
401 Unauthorized
- Check Authority and Audience
- Verify token expiration, scopes, roles
Introspection returns invalid_client
- Verify introspection credentials
- Try IntrospectionCredentialTransmission.FormData
Refresh flow fails
- Add offline_access to scope
- Enable EnableTokenRefresh = true