What is AuthService?
AuthService is a complete authentication service built with ASP.NET Core 8 that goes beyond basic JWT tutorials. It implements the full security lifecycle needed for production applications: user registration, login, token rotation, revocation, and protection against brute-force attacks. This service was built because most JWT tutorials skip over refresh token implementation, yet that’s exactly where production security bugs occur.
Key Features
Token Rotation
Automatic refresh token rotation with reuse detection
Security Features
PBKDF2-SHA512 hashing with 600k iterations
Account Protection
Account lockout after failed login attempts
Audit Trail
Full token revocation history with IP tracking
Why AuthService?
Most JWT examples in .NET simply return new JwtSecurityToken(...) and call it done. AuthService implements what you actually need in production:
- Real token rotation: Every time you use a refresh token, the old one is revoked and a new one is issued. If someone tries to reuse an old token, the entire token family for that user is revoked.
- Proper password hashing: PBKDF2-SHA512 with 600,000 iterations (OWASP 2024 recommendation), 32-byte random salt, and constant-time comparison to prevent timing attacks.
- Failed login protection: After 5 failed attempts, the account is locked for 15 minutes. Error messages are intentionally generic to avoid revealing whether an email exists in the system.
- Revocation with traceability: Every token stores the IP address it was created from, when it was revoked, why it was revoked, and which token replaced it.
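
The rotation and reuse-detection behaviour from the list above, sketched as an added example that is not taken from AuthService's own code. The type and member names, the in-memory dictionary standing in for a database, the 7-day lifetime, and storing only a SHA-256 hash of each token are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Hypothetical record: mirrors the audit fields the page lists, not AuthService's actual schema.
public sealed record RefreshToken(Guid UserId, string CreatedByIp, DateTime ExpiresAt)
{
    public DateTime? RevokedAt { get; set; }
    public string? RevokedReason { get; set; }
    public string? ReplacedByHash { get; set; }
}

public sealed class RefreshTokenRotator
{
    private readonly Dictionary<string, RefreshToken> _store = new(); // keyed by token hash (assumption)

    private static string Hash(string raw) => Convert.ToHexString(SHA256.HashData(Encoding.UTF8.GetBytes(raw)));

    public string Issue(Guid userId, string ip)
    {
        var raw = Convert.ToBase64String(RandomNumberGenerator.GetBytes(64));
        _store[Hash(raw)] = new RefreshToken(userId, ip, DateTime.UtcNow.AddDays(7));
        return raw; // only the client ever holds the raw value
    }

    // Returns the replacement token, or null when the presented token is rejected.
    public string? Rotate(string presented, string ip)
    {
        if (!_store.TryGetValue(Hash(presented), out var current)) return null;
        if (current.RevokedAt is not null)
        {
            // An already-rotated token came back: revoke every live token for this user.
            foreach (var t in _store.Values.Where(t => t.UserId == current.UserId && t.RevokedAt is null))
                Revoke(t, "reuse detected");
            return null;
        }
        if (current.ExpiresAt <= DateTime.UtcNow) return null;
        var next = Issue(current.UserId, ip);
        Revoke(current, "rotated");
        current.ReplacedByHash = Hash(next); // audit link: which token replaced this one
        return next;
    }

    private static void Revoke(RefreshToken t, string reason) => (t.RevokedAt, t.RevokedReason) = (DateTime.UtcNow, reason);
}
```

Calling `Rotate` twice with the same token returns a new token the first time and `null` the second, and the second call also revokes the token issued by the first, so the legitimate client has to log in again.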
Quick Example
Program.cs
Get Started
Quickstart
Get up and running in 5 minutes
Installation
Install and configure AuthService
Authentication Flow
Understand how token flow works
API Reference
Explore the authentication endpoints