A centralized Authentication & Authorization API built with ASP.NET Core and Clean Architecture.
The project provides a secure and reusable authentication system that can be integrated with multiple applications. It supports JWT authentication, refresh token rotation, role-based authorization, password management, and security protections against common attacks.
- User Registration
- User Login
- User Logout
- Logout From All Devices
- Current User Information (/me)
- JWT Access Tokens
- Refresh Tokens
- Refresh Token Rotation
- Secure Token Revocation
- Change Password
- Forgot Password
- Reset Password
- Argon2 Password Hashing
- Role-Based Authorization
- Rate Limiting
- Brute Force Protection
- Account Lockout After Failed Login Attempts
- Global Exception Handling
- Request Logging Middleware
- Audit Logging
- Centralized Logging
- Request Tracking
- Global Exception Handling Middleware
- Standardized API Responses
- Consistent Error Responses
- Standardized API Response Wrapper
- DTO-based Communication
- Clean Separation of Concerns
The project follows Clean Architecture principles.
```
AuthService.API
├── Controllers
└── Middleware

AuthService.Application
├── Interfaces
├── Services
└── Exceptions

AuthService.Domain
├── Entities
└── Enums

AuthService.Infrastructure
├── Data
├── Repositories
└── Migrations

AuthService.Shared
├── DTOs
├── Helpers
└── Responses
```
- AuthService.API: Handles HTTP requests, responses, middleware, and endpoint exposure.
- AuthService.Application: Contains business logic, use cases, service contracts, and application rules.
- AuthService.Domain: Contains core entities and business models.
- AuthService.Infrastructure: Handles data access, repositories, database operations, and migrations.
- AuthService.Shared: Contains DTOs, helper classes, and standardized API responses.
| Method | Endpoint |
|---|---|
| POST | /api/auth/register |
| POST | /api/auth/login |
| POST | /api/auth/refresh |
| GET | /api/auth/me |
| POST | /api/auth/logout |
| POST | /api/auth/logout-all |
| POST | /api/auth/change-password |
| POST | /api/auth/forgot-password |
| POST | /api/auth/reset-password |
Project structure following Clean Architecture principles.

Swagger documentation exposing all available authentication endpoints.
Successful login returns both Access Token and Refresh Token.
- ASP.NET Core Web API
- Entity Framework Core
- SQL Server
- JWT Bearer Authentication
- Swagger / OpenAPI
- Clean Architecture
- Dependency Injection
The authentication flow follows modern security practices:
- User logs in using email and password.
- API issues an Access Token and Refresh Token.
- Access Token is used for protected endpoints.
- Refresh Token Rotation generates a new refresh token on every refresh request.
- Logout revokes active refresh tokens.
- Failed login attempts are tracked and can trigger account lockout.
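The rotation and revocation steps of this flow, as an added C# example that is not part of AuthService: the `RefreshToken` entity, the in-memory store and the method names are assumptions (the project persists tokens with EF Core and SQL Server), and it goes one step beyond the list above by treating replay of an already-rotated token as a leak and revoking the whole token chain.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
public sealed class RefreshToken
{
    public string Token { get; init; } = "";
    public Guid UserId { get; init; }
    public DateTime ExpiresAt { get; init; }
    public DateTime? RevokedAt { get; set; }
    public string? ReplacedByToken { get; set; }   // links this token to its successor
    public bool IsActive => RevokedAt is null && DateTime.UtcNow < ExpiresAt;
}
public sealed class RefreshTokenRotator
{
    private readonly Dictionary<string, RefreshToken> _store = new(); // in-memory stand-in for the EF Core table; names here are assumed, not AuthService's
    public RefreshToken Issue(Guid userId, TimeSpan lifetime)
    {
        var token = new RefreshToken
        {
            Token = Convert.ToBase64String(RandomNumberGenerator.GetBytes(32)), // 256-bit CSPRNG value
            UserId = userId,
            ExpiresAt = DateTime.UtcNow.Add(lifetime)
        };
        return _store[token.Token] = token;
    }
    // Rotation: revoke the presented token and link its replacement to it.
    public RefreshToken? Rotate(string presented, TimeSpan lifetime)
    {
        if (!_store.TryGetValue(presented, out var old)) return null;
        if (!old.IsActive)
        {
            // Replay of an already-rotated token means a copy leaked; revoke the whole chain.
            for (RefreshToken? t = old; t is not null; t = t.ReplacedByToken is null ? null : _store.GetValueOrDefault(t.ReplacedByToken))
                t.RevokedAt ??= DateTime.UtcNow;
            return null;
        }
        var fresh = Issue(old.UserId, lifetime);
        old.RevokedAt = DateTime.UtcNow;
        old.ReplacedByToken = fresh.Token;
        return fresh;
    }
    // Logout-all: revoke every active token for the user; returns the number revoked.
    public int RevokeAllForUser(Guid userId)
    {
        var active = _store.Values.Where(t => t.UserId == userId && t.IsActive).ToList();
        active.ForEach(t => t.RevokedAt = DateTime.UtcNow);
        return active.Count;
    }
}
```

A client that presents a token twice gets `null` on the second call and every descendant token is revoked, so a stolen refresh token cannot be used alongside the legitimate one.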
v1.3.0
- Authentication System
- Authorization System
- Refresh Token Rotation
- Password Management
- Security Hardening
- Clean Architecture Implementation
- Email Service Integration
- Two-Factor Authentication (2FA)
- Docker Support
- CI/CD Pipeline
Swagger UI is included for testing and exploring all available endpoints.