SqlOS
Auth + FGA inside EF Core

Enterprise auth for your .NET app.

OAuth server, branded login, social auth, SAML SSO, and fine-grained authorization in one NuGet package — in your process, in your SQL Server.

SqlOS
SqlOS admin dashboard

Authentication

From first user to enterprise SSO

SqlOS ships a brandable login page backed by a real OAuth 2.0 server in your ASP.NET pipeline. Start with password auth, add social login from the dashboard, and enable SAML SSO when your customers need it — no rewrites between stages.

Guided provider setup

The dashboard walks you through Google, Microsoft, Apple, and custom OIDC configuration with provider-specific instructions and copy-ready callback URIs.

Enterprise SSO in minutes

Create a SAML draft, hand your customer the Entity ID and ACS URL, import their federation metadata. Home realm discovery routes users by email domain automatically.

Sessions, keys, and audit

Refresh token rotation, automatic RS256 key rotation with grace windows, session revocation, and a full audit log all visible in the dashboard.

app.yourproduct.com/sqlos/auth/login
YP
Sign in to YourProduct
name@company.com
acme.co uses SSO — redirecting
or
AuthServer
Home realm discovery

The auth stack

Enterprise SSO, social auth, and a whole lot more

One integration connects your app to every identity provider your customers use. Configure Google, Microsoft, Apple, SAML, or custom OIDC from the dashboard — or go headless and build your own login UI on the OAuth APIs.

Add auth to your app
SqlOS
AuthServer
Google
Microsoft
Apple
Okta
Entra ID
Custom

SSO for any provider

Support SAML and OIDC identity providers with a single integration. Configure per-org from the embedded dashboard.

User and org management

Manage users, organizations, memberships, and sessions from the dashboard or programmatically via APIs.

Social authentication

Google, Microsoft, Apple, or custom OIDC. Guided setup with provider-specific instructions and copy-ready callback URIs.

Hosted UI or headless APIs

Use the branded AuthPage to ship fast, or build your own frontend and call the OAuth and session APIs directly.

FGA
Resource Hierarchy
Live
Acme Corp
organization
organization
workspace
chain
store
SqlOS
SqlOS FGA resources dashboard

Authorization

Authorization in SQL, not middleware

Every multi-tenant app eventually outgrows if (user.Role == "Admin"). SqlOS FGA mirrors your product hierarchy. Assign a role at any node and permissions cascade down — no role explosion, no per-request policy service.

ResourcesDefine types and nest them into a hierarchy that matches your product.
GrantsAssign a role at any node and permissions inherit downward automatically.
QueriesAccess checks fold into EF Core LINQ as a WHERE clause, not a service call.

Built on SHRBAC and explained in The Developer's Guide to Hierarchical RBAC.

Developer experience

Three steps to a running auth server

Install the package, register SqlOS on your EF Core context, and map routes. Your dashboard, OAuth endpoints, hosted login, and FGA admin UI are live on the same origin as your API.

Full getting started guide
dotnet add package SqlOS

How it works

Authorization is a database query, not an API call

Most auth systems make you choose: fetch data then check permissions, or call an external API per resource. SqlOS folds access checks into your SQL execution plan — filtering, sorting, pagination, and authorization in a single query.

3.47ms
per page at 1.2M rows
<1.5ms
point checks, D=10
O(k·D)
bounded, N-free
ProjectsEndpoint.cs
// Authorization is a WHERE clause, not a service call
var filter = await fga.BuildFilterAsync<Project>(
    subjectId: user.Id,
    permissionKey: "projects.read");

var projects = await db.Projects
    .Where(filter)          // TVF folds into the query plan
    .Where(p => p.IsActive)
    .OrderBy(p => p.Name)
    .Take(20)
    .ToListAsync();         // One query. One round-trip.

What ships

Everything you need for OAuth, AuthN, and AuthZ in .NET

SqlOS combines authentication and authorization in one library with OAuth 2.0, SAML SSO, OIDC, a branded login page, and FGA-based access control — built for large datasets with strong consistency.

OAuth 2.0 + PKCE

/authorize, /token, JWKS, and discovery endpoints in your ASP.NET pipeline.

Branded AuthPage

Server-rendered login, signup, and logout with your logo, your colors, and your domain.

Social + OIDC

Google, Microsoft, Apple, and custom providers with guided setup and copy-ready callbacks.

SAML SSO

Org-scoped enterprise SSO with home realm discovery by email domain.

FGA engine

Hierarchical resources, role grants, time-windowed access, and EF Core query filters.

Admin dashboard

Embedded UI for orgs, users, providers, grants, sessions, and audit with optional password protection.

Key rotation

Automatic RS256 signing key rotation with configurable intervals and grace windows.

Calendar integration

Google and Microsoft 365 calendar connections per user or org with encrypted tokens and scheduled sync.

Orgs and users

Multi-tenant user management with memberships, sessions, refresh tokens, and audit log.

Example stack

Aspire AppHost plus a .NET API and Next.js frontend exercising every flow so you can run it and fork it.

Get started in minutes

Install the package. Run the Todo sample. Read the source.

dotnet add package SqlOS