Enterprise auth for your .NET app.
SqlOS gives your .NET app an OAuth server, branded login, social auth, SAML, and fine-grained authorization as a single NuGet package that runs in your process and stores its data in your database.
builder.AddSqlOS<AppDbContext>();
var app = builder.Build();
app.MapSqlOS();
Authentication
From first user to enterprise SSO
SqlOS ships a brandable login page backed by a real OAuth 2.0 server, rendered from your server and not a third party. Start with password auth, add social login through the dashboard, and enable SAML SSO when your customers need it. No code changes between stages.
Guided provider setup
The dashboard walks you through Google, Microsoft, Apple, and custom OIDC configuration with provider-specific instructions and copy-ready callback URIs.
Enterprise SSO in minutes
Create a SAML draft, hand your customer the Entity ID and ACS URL, import their federation metadata. Home realm discovery routes users by email domain automatically.
Sessions, keys, and audit
Refresh token rotation, automatic RS256 key rotation with grace windows, session revocation, and a full audit log, all visible in the dashboard.
The auth stack
Enterprise SSO, social auth, and a whole lot more
One integration connects your app to every identity provider your customers use. Configure Google, Microsoft, Apple, SAML, or custom OIDC from the dashboard, or go headless and build your own login UI on top of the OAuth APIs.
Add auth to your app
SSO for any provider
Support SAML and OIDC identity providers with a single integration. Configure per-org from the embedded dashboard.
User and org management
Manage users, organizations, memberships, and sessions from the dashboard or programmatically via APIs.
Social authentication
Google, Microsoft, Apple, or custom OIDC. Guided setup with provider-specific instructions and copy-ready callback URIs.
Hosted UI or headless APIs
Use the branded AuthPage to ship fast, or build your own frontend and call the OAuth and session APIs directly.
Authorization
Flat roles break down. Resource hierarchies do not.
Every multi-tenant app eventually outgrows if (user.Role == "Admin"). SqlOS FGA lets your resources form a tree that mirrors your product. Assign a role at any node and it cascades down with no role explosion and no special cases.
Built on SHRBAC and explained in The Developer's Guide to Hierarchical RBAC.
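How a role granted on one node of the resource tree reaches everything beneath it, as an added example that is not SqlOS code and does not use its API. The tree, role names, `Grant` record, and `HasAccess` function are hypothetical, and the walk runs in memory rather than in SQL.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Constructed sample tree (child -> parent): org > workspace > project.
var parent = new Dictionary<string, string?>
{
    ["org:acme"] = null,
    ["ws:platform"] = "org:acme", ["ws:sales"] = "org:acme",
    ["proj:billing"] = "ws:platform", ["proj:crm"] = "ws:sales",
};

// Hypothetical roles and the permission keys each one carries.
var rolePermissions = new Dictionary<string, HashSet<string>>
{
    ["viewer"] = new() { "projects.read" },
    ["editor"] = new() { "projects.read", "projects.write" },
};

var now = DateTimeOffset.UtcNow;
var grants = new List<Grant>
{
    new("alice", "editor", "ws:platform", null, null),                    // one grant on a workspace
    new("bob", "viewer", "org:acme", null, null),                         // one grant at the root
    new("carol", "editor", "proj:crm", now.AddDays(-7), now.AddDays(-1)), // time window already closed
};

// Walk from the resource up to the root. Access is allowed only if some node on that
// path holds a grant for the subject that is inside its time window and carries the permission.
bool HasAccess(string subject, string permission, string resource, DateTimeOffset at)
{
    var seen = new HashSet<string>(); // stops the walk if the parent map contains a cycle
    for (string? node = resource; node is not null && seen.Add(node); node = parent.GetValueOrDefault(node))
    {
        if (grants.Any(g =>
                g.SubjectId == subject && g.ResourceId == node &&
                (g.NotBefore is null || g.NotBefore <= at) &&
                (g.NotAfter is null || at < g.NotAfter) &&
                rolePermissions.TryGetValue(g.Role, out var perms) && perms.Contains(permission)))
            return true;
    }
    return false; // default deny: no grant on the path, unknown role, or unknown resource
}

Console.WriteLine(HasAccess("alice", "projects.write", "proj:billing", now)); // grant sits on the parent workspace
Console.WriteLine(HasAccess("alice", "projects.read", "proj:crm", now));      // sibling branch, nothing on its path
Console.WriteLine(HasAccess("bob", "projects.write", "proj:crm", now));       // root grant, but viewer lacks write
Console.WriteLine(HasAccess("carol", "projects.write", "proj:crm", now));     // direct grant outside its window
record Grant(string SubjectId, string Role, string ResourceId, DateTimeOffset? NotBefore, DateTimeOffset? NotAfter);
```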
How it works
Authorization is a database query, not an API call
Most auth systems make you choose: fetch data then check permissions, or call an external API per resource. SqlOS does neither. The access check is a Table-Valued Function that folds directly into your SQL execution plan, so filtering, sorting, pagination, and authorization run in a single query.
// Authorization is a WHERE clause, not a service call
var filter = await fga.BuildFilterAsync<Project>(
    subjectId: user.Id,
    permissionKey: "projects.read");
var projects = await db.Projects
    .Where(filter) // TVF folds into the query plan
    .Where(p => p.IsActive)
    .OrderBy(p => p.Name)
    .Take(20)
    .ToListAsync(); // One query. One round-trip.
What ships
Everything you need for OAuth, AuthN, and AuthZ in .NET
SqlOS combines authentication and authorization in one library with OAuth 2.0, SAML SSO, OIDC, a branded login page, and FGA-based access control. It is built for large datasets with strong consistency and proven performance.
OAuth 2.0 + PKCE
/authorize, /token, JWKS, and discovery endpoints in your ASP.NET pipeline.
Branded AuthPage
Server-rendered login, signup, and logout with your logo, your colors, and your domain.
Social + OIDC
Google, Microsoft, Apple, and custom providers with guided setup and copy-ready callbacks.
SAML SSO
Org-scoped enterprise SSO with home realm discovery by email domain.
FGA engine
Hierarchical resources, role grants, time-windowed access, and EF Core query filters.
Admin dashboard
Embedded UI for orgs, users, providers, grants, sessions, and audit, with optional password protection.
Key rotation
Automatic RS256 signing key rotation with configurable intervals and grace windows.
Orgs and users
Multi-tenant user management with memberships, sessions, refresh tokens, and audit log.
Example stack
Aspire AppHost plus a .NET API and Next.js frontend exercising every flow, so you can run it and fork it.
Get started in minutes
Install the package. Run the example stack. Read the source.
dotnet add package SqlOS