Enterprise auth for your .NET app.
OAuth server, branded login, social auth, SAML SSO, and fine-grained authorization in one NuGet package — in your process, in your SQL Server.

Open source
SqlOS on GitHub
2 stars — auth, SSO, and FGA in one .NET package.
Research
SHRBAC / COMPSAC 2026
Hierarchical RBAC with SQL-native access checks and bounded query cost.
Performance
3.47ms per page
At 1.2M rows with O(k·D) point checks — authorization in the query plan.
Example apps
Todo, Retail FGA, full stack
Runnable samples with hosted auth, headless flows, and EF Core filters.
Authentication
From first user to enterprise SSO
SqlOS ships a brandable login page backed by a real OAuth 2.0 server in your ASP.NET pipeline. Start with password auth, add social login from the dashboard, and enable SAML SSO when your customers need it — no rewrites between stages.
Guided provider setup
The dashboard walks you through Google, Microsoft, Apple, and custom OIDC configuration with provider-specific instructions and copy-ready callback URIs.
Enterprise SSO in minutes
Create a SAML draft, hand your customer the Entity ID and ACS URL, import their federation metadata. Home realm discovery routes users by email domain automatically.
Sessions, keys, and audit
Refresh token rotation, automatic RS256 key rotation with grace windows, session revocation, and a full audit log all visible in the dashboard.
The auth stack
Enterprise SSO, social auth, and a whole lot more
One integration connects your app to every identity provider your customers use. Configure Google, Microsoft, Apple, SAML, or custom OIDC from the dashboard — or go headless and build your own login UI on the OAuth APIs.
Add auth to your appSSO for any provider
Support SAML and OIDC identity providers with a single integration. Configure per-org from the embedded dashboard.
User and org management
Manage users, organizations, memberships, and sessions from the dashboard or programmatically via APIs.
Social authentication
Google, Microsoft, Apple, or custom OIDC. Guided setup with provider-specific instructions and copy-ready callback URIs.
Hosted UI or headless APIs
Use the branded AuthPage to ship fast, or build your own frontend and call the OAuth and session APIs directly.

Authorization
Authorization in SQL, not middleware
Every multi-tenant app eventually outgrows if (user.Role == "Admin"). SqlOS FGA mirrors your product hierarchy. Assign a role at any node and permissions cascade down — no role explosion, no per-request policy service.
Built on SHRBAC and explained in The Developer's Guide to Hierarchical RBAC.
Developer experience
Three steps to a running auth server
Install the package, register SqlOS on your EF Core context, and map routes. Your dashboard, OAuth endpoints, hosted login, and FGA admin UI are live on the same origin as your API.
Full getting started guidedotnet add package SqlOSHow it works
Authorization is a database query, not an API call
Most auth systems make you choose: fetch data then check permissions, or call an external API per resource. SqlOS folds access checks into your SQL execution plan — filtering, sorting, pagination, and authorization in a single query.
// Authorization is a WHERE clause, not a service call
var filter = await fga.BuildFilterAsync<Project>(
subjectId: user.Id,
permissionKey: "projects.read");
var projects = await db.Projects
.Where(filter) // TVF folds into the query plan
.Where(p => p.IsActive)
.OrderBy(p => p.Name)
.Take(20)
.ToListAsync(); // One query. One round-trip.Example apps
Run it, then fork it
Every sample ships in the repo with Aspire hosts, seeded clients, and docs that walk through the same flows you will use in production.
Todo sample
Hosted auth, per-user FGA, and MCP-oriented client onboarding in about five minutes.
Run Todo sampleExample stack
Full Aspire host with .NET API, Next.js, Angular, and Expo clients.
Explore example stackRetail FGA
Multi-level retail hierarchy with chain, store, and inventory authorization.
See FGA in actionWhat ships
Everything you need for OAuth, AuthN, and AuthZ in .NET
SqlOS combines authentication and authorization in one library with OAuth 2.0, SAML SSO, OIDC, a branded login page, and FGA-based access control — built for large datasets with strong consistency.
OAuth 2.0 + PKCE
/authorize, /token, JWKS, and discovery endpoints in your ASP.NET pipeline.
Branded AuthPage
Server-rendered login, signup, and logout with your logo, your colors, and your domain.
Social + OIDC
Google, Microsoft, Apple, and custom providers with guided setup and copy-ready callbacks.
SAML SSO
Org-scoped enterprise SSO with home realm discovery by email domain.
FGA engine
Hierarchical resources, role grants, time-windowed access, and EF Core query filters.
Admin dashboard
Embedded UI for orgs, users, providers, grants, sessions, and audit with optional password protection.
Key rotation
Automatic RS256 signing key rotation with configurable intervals and grace windows.
Calendar integration
Google and Microsoft 365 calendar connections per user or org with encrypted tokens and scheduled sync.
Orgs and users
Multi-tenant user management with memberships, sessions, refresh tokens, and audit log.
Example stack
Aspire AppHost plus a .NET API and Next.js frontend exercising every flow so you can run it and fork it.
Get started in minutes
Install the package. Run the Todo sample. Read the source.
dotnet add package SqlOS