Security Overview

See the Authentication and Authorization docs to learn about Authentication in ServiceStack, which is summarized in the high-level overview:

Authentication Overview

ServiceStack uses a standard HTTP Session implementation which uses an Auth Repository to persist users and a Caching Provider to store Authenticated User Sessions:

Session Based Authentication

Once Authentication is established, Session Cookies are used to reference a User's typed Authenticated User Session:

Session Requests

ServiceStack also supports Auth Providers that "Authenticate per request" where both Authentication and Validation are performed within the same request:

Auth with Request Auth Providers

Auth Providers

ServiceStack's built-in Auth Providers fall into 3 main categories:

Credentials Auth Providers

If you use ServiceStack to manage your App's entire Authentication and persistence of Users, you would use one of the available Auth Repositories and authenticate against one of the following Auth Providers:

| Provider | Class Name | Route | Description |
|---|---|---|---|
| Credentials | CredentialsAuthProvider | /auth/credentials | Standard Authentication using Username/Password |
| Basic Auth | BasicAuthProvider | HTTP Basic Auth | Username/Password sent via HTTP Basic Auth |
| Digest Auth | DigestAuthProvider | HTTP Digest Auth | Username/Password hash via HTTP Digest Auth |

OAuth Providers

The following OAuth Providers are built into ServiceStack and can be used in both ASP.NET Core and .NET Framework Apps:

| Provider | Class Name | Route | Create OAuth App Link |
|---|---|---|---|
| Facebook | FacebookAuthProvider | /auth/facebook | developers.facebook.com/apps |
| Twitter | TwitterAuthProvider | /auth/twitter | dev.twitter.com/apps |
| Google | GoogleAuthProvider | /auth/google | console.developers.google.com |
| GitHub | GithubAuthProvider | /auth/github | github.com/settings/applications/new |
| Microsoft | MicrosoftGraphAuthProvider | /auth/microsoftgraph | apps.dev.microsoft.com |
| LinkedIn | LinkedInAuthProvider | /auth/linkedin | www.linkedin.com/secure/developer |
| Yammer | YammerAuthProvider | /auth/yammer | www.yammer.com/client_applications |
| Yandex | YandexAuthProvider | /auth/yandex | oauth.yandex.ru/client/new |
| VK | VkAuthProvider | /auth/vkcom | vk.com/editapp?act=create |
| Odnoklassniki | OdnoklassnikiAuthProvider | /auth/odnoklassniki | www.odnoklassniki.ru/devaccess |

IAuthWithRequest Auth Providers

The following Auth Providers all implement IAuthWithRequest and "Authenticate per-request":

| Provider | Class Name | Auth Method | Description |
|---|---|---|---|
| JWT | JwtAuthProvider | Bearer Token | Stateless Auth Provider using JSON Web Tokens |
| API Keys | ApiKeyAuthProvider | Bearer Token | Allow 3rd Parties access to authenticate without a password |
| Basic Auth | BasicAuthProvider | Basic Auth | Authentication using HTTP Basic Auth |
| Digest Auth | DigestAuthProvider | Digest Auth | Authentication using HTTP Digest Auth |

Other special Auth Providers that Authenticate per-request:

  • Windows Auth in AspNetWindowsAuthProvider - Authentication using Windows Auth built into ASP.NET.
  • Claims Auth in NetCoreIdentityAuthProvider - Pass through Auth Provider that delegates to ASP.NET Core Identity Auth or Identity Server.
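
How the pieces described above (Auth Repository, Caching Provider, a session-based provider and a per-request provider) are wired together in an AppHost, as an added example that is not taken from the ServiceStack docs. The `Hello` DTOs, `HelloService`, the `AuthExample` app name and the explicit `jwt.AuthKeyBase64` lookup are assumptions made for illustration.

```csharp
using Funq;
using ServiceStack;
using ServiceStack.Auth;
using ServiceStack.Caching;

// Hypothetical request/response DTOs, used only to show a protected endpoint.
public class Hello : IReturn<HelloResponse> { public string Name { get; set; } }
public class HelloResponse { public string Result { get; set; } }

[Authenticate] // rejects requests that no registered Auth Provider can authenticate
public class HelloService : Service
{
    public object Any(Hello request)
    {
        // Typed Authenticated User Session: looked up via the session cookie,
        // or populated per request by an IAuthWithRequest provider such as JWT.
        var session = GetSession();
        return new HelloResponse { Result = $"Hello, {session.UserAuthName}" };
    }
}

public class AppHost : AppHostBase
{
    public AppHost() : base("AuthExample", typeof(HelloService).Assembly) { }

    public override void Configure(Container container)
    {
        // Caching Provider: stores Authenticated User Sessions.
        container.Register<ICacheClient>(new MemoryCacheClient());

        // Auth Repository: persists users. In-memory here so the example is
        // self-contained; a deployed App would register a durable repository.
        container.Register<IAuthRepository>(new InMemoryAuthRepository());

        Plugins.Add(new AuthFeature(() => new AuthUserSession(),
            new IAuthProvider[] {
                // Session-based: /auth/credentials issues Session Cookies.
                new CredentialsAuthProvider(AppSettings),
                // Per-request: validates the Bearer Token on every request.
                new JwtAuthProvider(AppSettings) {
                    // Assumed setting name; keep the signing key in
                    // configuration or a secret store, not in source.
                    AuthKeyBase64 = AppSettings.GetString("jwt.AuthKeyBase64"),
                },
            }));
    }
}
```

Only the providers registered in `AuthFeature` are accepted, so leaving Basic or Digest Auth out of the list keeps those authentication methods disabled.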

Additional documentation for specific Auth Providers:

ASP.NET Core Project Templates with integrated Auth

World Validation

See the annotated World Validation Docs for a detailed walkthrough that showcases how the most popular Server HTML rendered approaches and Client UI rendered technologies use the same Authentication and Registration Services.

Live Demos

To illustrate Authentication integration with ServiceStack, see the authentication-enabled Live Demos below:

.NET Core

Mobile

.NET Framework

Sessions

See the Session docs for more info about customizing Sessions and handling different Session and Auth events.

Restricting Services

See the Restricting Services docs to learn how to control the Visibility and Access restrictions on any service using the [Restrict] attribute.

Community Resources