AuthServer Overview

Identity, sessions, organizations, and SSO in one embedded module.

AuthServer is the identity module in SqlOS. It handles user authentication, organizations, sessions, token management, OIDC social login, and SAML enterprise SSO -- all embedded in your .NET app, all stored in your database.

What you get

  • Organizations -- multi-tenant with memberships and roles
  • Users -- email/password, SSO-provisioned, or OIDC-linked
  • Sessions -- access tokens (JWT), refresh token rotation, replay detection
  • OIDC -- Google, Microsoft, Apple, and custom providers
  • SAML SSO -- enterprise SSO with auto-provisioning
  • Hosted or Headless auth UI -- use the built-in auth pages or render your own

Setup

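var builder = WebApplication.CreateBuilder(args);

// Register SqlOS on the app's DbContext and enable the AuthServer module.
builder.AddSqlOS<AppDbContext>(options =>
{
    options.UseAuthServer();
});

var app = builder.Build();
app.MapSqlOS(); // maps the /sqlos/... endpoints
app.Run();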

Auth flow

The typical authentication flow works like this:

  1. Frontend redirects to /sqlos/auth/authorize with PKCE
  2. User enters email -- AuthServer runs home realm discovery to determine password vs SSO
  3. User authenticates (password, OIDC, or SAML)
  4. If the user belongs to multiple organizations, they select one
  5. AuthServer issues an authorization code
  6. Frontend exchanges the code for access + refresh tokens
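
The PKCE and state handling behind steps 1, 5 and 6, as an added example that is not SqlOS code: it builds the redirect to /sqlos/auth/authorize, validates the callback, and shows the S256 comparison an authorization server performs at code exchange. The query parameter names are the standard OAuth 2.0 / RFC 7636 ones and are assumed here, as are the helper names; the token endpoint is not shown because this page does not give its path.

```javascript
// Added example, not SqlOS code. Parameter names follow RFC 6749 / RFC 7636 (assumed).
const nodeCrypto = require("node:crypto");

// RFC 7636 section 4.1: 32 random bytes give a 43-character base64url verifier.
function createVerifier() {
  return nodeCrypto.randomBytes(32).toString("base64url");
}

// RFC 7636 section 4.2: challenge = BASE64URL(SHA256(ASCII(verifier))).
function challengeFor(verifier) {
  return nodeCrypto.createHash("sha256").update(verifier, "ascii").digest("base64url");
}

// Constant-time string comparison (length check first, as timingSafeEqual requires).
function sameString(a, b) {
  const x = Buffer.from(a), y = Buffer.from(b);
  return x.length === y.length && nodeCrypto.timingSafeEqual(x, y);
}

// Step 1: only the hashed challenge and a random state go into the redirect URL.
function buildAuthorizeUrl(origin, clientId, redirectUri) {
  const verifier = createVerifier();
  const state = nodeCrypto.randomBytes(16).toString("base64url");
  const url = new URL("/sqlos/auth/authorize", origin);
  url.search = new URLSearchParams({
    response_type: "code",
    client_id: clientId,
    redirect_uri: redirectUri,
    state,
    code_challenge: challengeFor(verifier),
    code_challenge_method: "S256",
  }).toString();
  return { url: url.toString(), verifier, state }; // verifier and state stay client-side
}

// After step 5: accept the code only if the callback echoes the state we issued.
function readCallback(callbackUrl, expectedState) {
  const params = new URL(callbackUrl).searchParams;
  if (!sameString(params.get("state") || "", expectedState)) throw new Error("state mismatch");
  const code = params.get("code");
  if (!code) throw new Error("missing code");
  return code;
}

// Step 6, server view: the presented verifier must hash to the stored challenge.
function verifierMatches(verifier, storedChallenge) {
  if (!/^[A-Za-z0-9._~-]{43,128}$/.test(verifier)) return false;
  return sameString(challengeFor(verifier), storedChallenge);
}
```

In a browser the same hash comes from the Web Crypto API (`crypto.subtle.digest`); Node's `crypto` module is used here so the example runs offline.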

[Figure: Hosted sign-in page]

Dashboard

The auth admin UI at /sqlos/admin/auth/ lets you manage organizations, users, memberships, clients, OIDC connections, SSO, security settings, and active sessions.

[Figure: Dashboard users]

SDK services

Service                          Purpose
SqlOSAuthService                 Login, refresh, logout, token validation
SqlOSAdminService                Create orgs, users, memberships, clients, SSO
SqlOSCryptoService               Token generation, PKCE, password hashing, JWKS
SqlOSHomeRealmDiscoveryService   Route users to password or SSO by email domain
SqlOSSsoAuthorizationService     SAML SSO authorization and code exchange
SqlOSOidcAuthService             Google, Microsoft, Apple, and custom OIDC
SqlOSSettingsService             Session lifetimes and security configuration

Presentation modes

SqlOS separates the auth protocol from the login UI:

  • Hosted AuthPage (default) -- SqlOS renders the sign-in and sign-up pages
  • Headless Auth -- SqlOS owns the OAuth protocol while your app renders the UI

Read more in Headless Auth and Hosted vs Headless.