Logo
Frontend
Backend 

.NET Reference

PropelAuth's .NET integration provides all the building blocks you need to add authentication to your .NET projects. The integration uses .NET's claims-based identity namespace to help you secure your backend.

Want to use PropelAuth and .NET to protect your application's frontend? Check out our .NET OAuth2 guide.

Installation

dotnet add package PropelAuth

Initialize

AddPropelAuthAsync performs a one-time initialization of the library. It will verify your apiKey is correct and fetch the metadata needed to verify access tokens in GetUser.

In serverless environments, it's beneficial to skip the fetch, in which case you can pass in publicKey instead of having the library fetch it. You can find your verifier key in the Backend Integration page in your PropelAuth dashboard.

using System.Security.Claims;
using PropelAuth;
using PropelAuth.Models;

var builder = WebApplication.CreateBuilder(args);

await builder.Services.AddPropelAuthAsync(new PropelAuthOptions(
    apiKey: "YOUR_API_KEY",
    authUrl: "YOUR_AUTH_URL"
));

Protect API Routes

The PropelAuth .NET library provides a User Class to validate the access token and provide the user's information if it is valid. To get the User Class, use the GetUser() method on the ClaimsPrincipal Class.

If the access token is not valid, the user's properties will be set to null. If that's the case, you can use .NET's Results Class to return a 401 Unauthorized error.

app.MapGet("/", (ClaimsPrincipal claimsPrincipal) =>
{
    var user = claimsPrincipal.GetUser();
    if (user == null)
    {
        return Results.Unauthorized();
    }
    return Results.Ok($"Hello user with ID {user.userId}");
});

Verifying the access token doesn't require an external request.

Authorization / Organizations

You can also verify which organizations the user is in, and which roles and permissions they have in each organization.

Check Org Membership

Verify that the request was made by a valid user and that the user is a member of the specified organization.

app.MapGet("/api/org/{orgId}", (ClaimsPrincipal claimsPrincipal, string orgId) =>
{
    var user = claimsPrincipal.GetUser();
    if (user == null)
    {
        return Results.Unauthorized();
    }
    var org = user.GetOrg(orgId);
    if (org == null)
    {
        return Results.Forbid();
    }
    return Results.Ok($"You are in {org.orgName}");
});

Check Org Membership and Role

Similar to checking org membership, but will also verify that the user has a specific Role in the organization.

A user has a Role within an organization. By default, the available roles are Owner, Admin, or Member, but these can be configured. These roles are also hierarchical, so Owner > Admin > Member.

app.MapGet("/api/org/{orgId}", (ClaimsPrincipal claimsPrincipal, string orgId) =>
{
    var user = claimsPrincipal.GetUser();
    if (user == null)
    {
        return Results.Unauthorized();
    }
    var org = user.GetOrg(orgId);
    if (org != null && org.IsRole("Admin"))
    {
        return Results.Ok($"You are in {org.orgName}");
    }
    return Results.Forbid();
});

Check Org Membership and Permission

Similar to checking org membership, but will also verify that the user has the specified permission in the organization.

Permissions are arbitrary strings associated with a role. For example, can_view_billing, ProductA::CanCreate, and ReadOnly are all valid permissions. You can create these permissions in the PropelAuth dashboard.

app.MapGet("/api/org/{orgId}", (ClaimsPrincipal claimsPrincipal, string orgId) =>
{
    var user = claimsPrincipal.GetUser();
    if (user == null)
    {
        return Results.Unauthorized();
    }
    var org = user.GetOrg(orgId);
    if (org != null && org.HasPermission("can_view_billing"))
    {
        return Results.Ok($"You are allowed to view billing information for org {org.orgName}");
    }
    return Results.Forbid();
});

User Class

The User Class contains information about the user that made the request. It also contains additional methods such as GetOrgs() and HasPermission(). You must first retrieve the ClaimsPrincipal Class and then convert it to a User Class by doing the following:

app.MapGet("/", (ClaimsPrincipal claimsPrincipal) =>
{
    var user = claimsPrincipal.GetUser();
});
  • Name
    UserId
    Type
    string
    Description

    The unique id of the user.

  • Name
    OrgIdToOrgMemberInfo
    Type
    Dictionary<string, OrgMemberInfo>
    Description

    A dictionary mapping from organization id to OrgMemberInfo object.

  • Name
    Email
    Type
    string
    Description

    The email of the user.

  • Name
    FirstName
    Type
    string
    Description

    The first name of the user.

  • Name
    LastName
    Type
    string
    Description

    The last name of the user.

  • Name
    Username
    Type
    string
    Description

    The username of the user.

  • Name
    Properties
    Type
    Dictionary<string, object>
    Description

    A dictionary of custom properties associated with the user.

  • Name
    LoginMethod
    Type
    LoginMethod
    Description

    The method the user used to log in. Returns the Login Method Property.

  • Name
    ActiveOrgId
    Type
    string | undefined
    Description

    Returns the ID of the Active Org, if the user has an Active Org set.

  • Name
    LegacyUserId
    Type
    string
    Description

    If the user was migrated using our Migration API, this will be the id of the user in the legacy system.

  • Name
    ImpersonatorUserId
    Type
    string
    Description

    If the user is being impersonated, this is id of the user that impersonated them.

  • Name
    GetActiveOrg()
    Type
    fn() -> OrgMemberInfo
    Description

    Returns the OrgMemberInfo of the Active Org.

  • Name
    GetOrg()
    Type
    fn(orgId: string) -> OrgMemberInfo
    Description

    A method to retrieve OrgMemberInfo of the provided org. Returns undefined if user does not belong to org.

  • Name
    GetUserProperty()
    Type
    fn(key: string)
    Description

    A method to retrieve the value of the provided property for the user. Returns undefined if no value is set.

  • Name
    getOrgs()
    Type
    fn() -> OrgMemberInfo[]
    Description

    A method to retrieve an array of each org the user belongs to.

  • Name
    IsImpersonating()
    Type
    fn() -> bool
    Description

    A method to check if the user is being impersonated.

  • Name
    IsRole()
    Type
    fn(orgId: string, role: string) -> bool
    Description

    A method to check if the user is the provided role in the provided org.

  • Name
    IsAtLeastRole()
    Type
    fn(orgId: string, role: string) -> bool
    Description

    A method to check if the user is at least the provided role in the provided org.

  • Name
    HasPermission()
    Type
    fn(orgId: string, permission: string) -> bool
    Description

    A method to check if the user has the provided permission in the provided org.

  • Name
    HasAllPermissions()
    Type
    fn(orgId: string, permission: string[]) -> bool
    Description

    A method to check if the user has all the provided permissions in the provided org.

OrgMemberInfo Class

The OrgMemberInfo Class contains information about the user's membership in an organization.

  • Name
    OrgId
    Type
    string
    Description

    The unique id of the organization.

  • Name
    OrgName
    Type
    string
    Description

    The name of the organization.

  • Name
    OrgMetadata
    Type
    Dictionary<string, object>
    Description

    The metadata associated with the organization.

  • Name
    UrlSafeOrgName
    Type
    string
    Description

    The URL-safe name of the organization.

  • Name
    UserRole
    Type
    string
    Description

    The role of the user in the organization.

  • Name
    InheritedUserRolesPlusCurrentRole
    Type
    IReadOnlyList<string>
    Description

    The role of the user within this organization plus each inherited role.

  • Name
    UserPermissions
    Type
    IReadOnlyList<string>
    Description

    A list of permissions the user has in the organization, based on their role.

  • Name
    IsRole
    Type
    fn(role: string) -> bool
    Description

    A function that returns true if the user has the specified role in the organization.

  • Name
    IsAtLeastRole
    Type
    fn(role: string) -> bool
    Description

    A function that returns true if the user has at least the specified role in the organization.

  • Name
    HasPermission
    Type
    fn(permission: string) -> bool
    Description

    A function that returns true if the user has the specified permission in the organization.

  • Name
    HasAllPermissions
    Type
    fn(permissions: string[]) -> bool
    Description

    A function that returns true if the user has all of the specified permissions in the organization.

  • Name
    OrgRoleStructure
    Type
    string
    Description

    The role structure set for your project. See single and multi role per user for more information.

  • Name
    AdditionalRoles
    Type
    IReadOnlyList<string>
    Description

    If using multiple roles per user, returns an array of roles that the user belongs to. Excludes the userAssignedRole.