Authorization Server Project Template

You can find the official source for the template here:
GitHub – AuthorizationServer Template

---

Overview

The Authorization Server template implements:

1. Authentication using JWT Bearer tokens.
2. Authorization using claims-based policies.
3. API Versioning and CORS configuration.
4. Password Policies, Password Expiration, Login Attempt Policies.
5. Provider abstraction for storing accounts, refresh tokens, user groups, etc.
   • PostgreSQL provider (recommended for production)
   • JSON file-based provider (for development/testing, stored in App_Data folder)
6. Swagger/OpenAPI documentation support.
7. HSTS and response compression.
8. Serilog logging.

It is ready to run out-of-the-box with either PostgreSQL or file-based JSON repositories, depending on configuration.

For more details on the security-related API endpoints, see:
Web API Security

---

Switching Providers

This template supports two repository provider types:

Provider Type	Setting	Usage
PostgreSQL	"Repository:UsePostgreSQL": true	Stores all authentication data in a PostgreSQL database. Requires a valid connection string in appsettings.json.
JSON Files	"Repository:UsePostgreSQL": false	Stores all authentication data as .json files inside App_Data folder.

Repository types are switched in appsettings.json or via environment variables.

Example PostgreSQL settings in appsettings.json:

"Repository": {
  "UsePostgreSQL": true,
  "PostgreSQL": {
    "ConnectionString": "Server=localhost;Port=5432;Username=postgres;Password=Solutions!;Database=AccountTest;",
    "LogConnectionString": "Server=localhost;Port=5432;Username=postgres;Password=Solutions!;Database=AccountTest;Table=public.logging;"
  }
}

Example JSON-based settings in appsettings.json:

"Repository": {
  "UsePostgreSQL": false
}

Configuration

The main configuration file is appsettings.json.
Key sections include:

• AppConfiguration – General server settings.
• Registration – URIs for account activation, password reset, SMTP server info.
• Tokens – JWT Issuer, Audience, RSA keys, expiration settings.
• Repository – Repository provider type and connection strings.
• Swagger – API documentation title, description, and OpenAPI specification name.
• PermittedOrigins – Allowed CORS origins.

See the provided appsettings.json for full example values.

---

First Run: Bootstrap Admin Account

On the very first launch—when the repository has no authentication tables yet—the Authorization Server will automatically create the database schema and seed a temporary administrator account so you can sign in and set up real users:

• Username: demo_admin_to_be_deleted
• Password: webapi

Use this account to log in via the Swagger UI and create the users/admins you need.

Security reminder: Immediately after provisioning your own admin account(s), delete the bootstrap account (or at least change its password) and proceed with your normal hardening steps (e.g., rotate keys, review password/lockout policies).

This bootstrap step runs only when the auth tables are missing. Once the schema exists, the server won’t recreate or reset the account. It works with both the PostgreSQL and JSON providers.

Quick start flow

1. Start the server (Docker or local).
2. Open Swagger at the server URL.
3. Sign in with demo_admin_to_be_deleted / webapi.
4. Create your permanent admin/user accounts.
5. Delete (recommended) or disable the bootstrap account.

---

Running the Authorization Server

1. Using Docker Compose (recommended for quick start)

The repository includes a docker-compose.yml file that sets up:

• PostgreSQL database (v11)
• Authorization Server container
• Test Runner container for running automated tests

Run:

docker-compose up --build

This will:

• Create a PostgreSQL container named authserver_postgres
• Build and run the authserver container on port 8080
• Automatically apply configuration from docker-compose.yml

Swagger UI will be available at:

http://localhost:8080/swagger

---

2. Running Locally Without Docker

If you prefer to run without Docker:

1. Make sure the .NET SDK is installed (see the template on GitHub for the current target framework).
2. Install and start a PostgreSQL instance.
3. Create the database configured in appsettings.json:

   CREATE DATABASE AccountTest;
   

   (or whatever name of your database, depending on your settings)
4. Update the ConnectionString and LogConnectionString in appsettings.json if needed.
5. Run the project
6. Access Swagger at:

   http://localhost:5000/swagger
   

---

Related Documentation

• Web API Security – Details on DHI.Services.Security.WebApi usage
• Domain Services Overview
• How to Leverage Domain Services

---

Notes

• In production, PostgreSQL is strongly recommended over JSON-based repositories.
• RSA keys in appsettings.json should be replaced with secure production keys.
• Swagger descriptions are loaded from [AppData]SwaggerInfo.md, which should be customized for your API.