ASP.NET Core integration

Authenticate via Olympus in an ASP.NET Core service

ASP.NET Core has first-class OpenID Connect support via the Microsoft.AspNetCore.Authentication.OpenIdConnect package.

Setup

dotnet add package Microsoft.AspNetCore.Authentication.OpenIdConnect
dotnet add package Microsoft.AspNetCore.Authentication.Cookies

Configuration

Program.cs:

using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddAuthentication(options =>
{
    // The signed-in session lives in the auth cookie; unauthenticated requests are challenged via OIDC.
    options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
})
.AddCookie()
.AddOpenIdConnect(options =>
{
    // The handler loads endpoints and signing keys from the issuer's discovery document.
    options.Authority = Environment.GetEnvironmentVariable("OLYMPUS_ISSUER");
    options.ClientId = Environment.GetEnvironmentVariable("OLYMPUS_CLIENT_ID");
    options.ClientSecret = Environment.GetEnvironmentVariable("OLYMPUS_CLIENT_SECRET");
    // Authorization code flow with PKCE: only the code passes through the browser; tokens are fetched server-side.
    options.ResponseType = "code";
    options.UsePkce = true;
    options.Scope.Add("openid");
    options.Scope.Add("profile");
    options.Scope.Add("email");
    // Pull profile and email claims from the userinfo endpoint instead of relying on the ID token alone.
    options.GetClaimsFromUserInfoEndpoint = true;
    // Keep the ID, access and refresh tokens in the auth session so HttpContext.GetTokenAsync can read them.
    options.SaveTokens = true;
});

builder.Services.AddAuthorization();

In the request pipeline:

var app = builder.Build();

// Authentication must run before authorization so [Authorize] sees the resolved principal.
app.UseAuthentication();
app.UseAuthorization();

Controller

using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

[Authorize]
public class HomeController : Controller
{
    public IActionResult Index()
    {
        // "sub" is the stable user identifier issued by Olympus; "email" comes from the userinfo endpoint.
        var sub = User.FindFirst("sub")?.Value;
        var email = User.FindFirst("email")?.Value;
        return View(new HomeViewModel { Email = email });
    }
}

Mark endpoints that must remain public with [AllowAnonymous]; in an app that authenticates by default, every other endpoint is protected.

API resource server

For API-only (no UI):

using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // Signing keys and the expected issuer come from the discovery document at OLYMPUS_ISSUER.
        options.Authority = Environment.GetEnvironmentVariable("OLYMPUS_ISSUER");
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            // false accepts any token this issuer minted, whatever service it was meant for.
            // Prefer ValidateAudience = true with ValidAudience set to this API's identifier.
            ValidateAudience = false,  // Or set ValidAudience
        };
    });

This validates JWT access tokens against the signing keys published by the issuer, which the handler fetches from the discovery document at OLYMPUS_ISSUER (this applies only if Hydra is configured to issue JWT access tokens). For opaque tokens, use the introspection pattern instead.

Role-based authorization

builder.Services.AddAuthorization(options =>
{
    // Satisfied only when the authenticated principal carries a "role" claim with the exact value "admin".
    options.AddPolicy("AdminOnly", policy =>
        policy.RequireClaim("role", "admin"));
});

[Authorize(Policy = "AdminOnly")]
public class AdminController : Controller { ... }
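To make the effect of the resource-server settings above concrete, here is an added example (not part of the Olympus docs or the project's own code): a stand-alone console program that mints a few tokens and runs them through both the page's TokenValidationParameters and a hardened variant, then applies the same check the AdminOnly policy performs. The issuer and audience strings are placeholders for OLYMPUS_ISSUER and this API's identifier, and the tokens are signed with a constructed local key rather than the issuer's JWKS (which AddJwtBearer would fetch from the discovery document).

```csharp
// Added example, not from the Olympus docs. Package: System.IdentityModel.Tokens.Jwt
// (which brings in Microsoft.IdentityModel.Tokens). All values below are constructed for the demo.
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;

static class AudienceCheckDemo
{
    const string Issuer = "https://olympus.example/";   // placeholder for OLYMPUS_ISSUER
    const string ThisApi = "orders-api";                 // placeholder audience of this service
    static readonly SymmetricSecurityKey Key =
        new(Encoding.UTF8.GetBytes("demo-only-signing-key-not-for-production-use!"));

    // Mints a short-lived token the way an issuer would; 'audience' is the service it is meant for.
    static string Mint(string issuer, string audience, string role)
    {
        var token = new JwtSecurityToken(
            issuer: issuer,
            audience: audience,
            claims: new[] { new Claim("sub", "user-123"), new Claim("role", role) },
            expires: DateTime.UtcNow.AddMinutes(5),
            signingCredentials: new SigningCredentials(Key, SecurityAlgorithms.HmacSha256));
        return new JwtSecurityTokenHandler().WriteToken(token);
    }

    // Validates a token and returns the principal, or null when any check fails.
    static ClaimsPrincipal? Validate(string jwt, TokenValidationParameters parameters)
    {
        // MapInboundClaims = false keeps "sub" and "role" under their JWT names, as the controller code expects.
        var handler = new JwtSecurityTokenHandler { MapInboundClaims = false };
        try
        {
            return handler.ValidateToken(jwt, parameters, out _);
        }
        catch (SecurityTokenException ex)
        {
            Console.WriteLine($"  rejected: {ex.GetType().Name}");
            return null;
        }
    }

    static void Main()
    {
        // Mirrors the resource-server config on the page: issuer checked, audience not.
        var asOnPage = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidIssuer = Issuer,
            ValidateAudience = false,
            IssuerSigningKey = Key,
        };
        // Hardened: the token must name this API as its audience.
        var hardened = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidIssuer = Issuer,
            ValidateAudience = true,
            ValidAudience = ThisApi,
            IssuerSigningKey = Key,
        };

        var forThisApi = Mint(Issuer, ThisApi, "admin");
        var forOtherApi = Mint(Issuer, "billing-api", "user");                 // same issuer, another service
        var otherIssuer = Mint("https://other-issuer.example/", ThisApi, "admin");

        var cases = new[]
        {
            ("token for this API", forThisApi),
            ("token for billing-api", forOtherApi),
            ("token from another issuer", otherIssuer),
        };
        foreach (var (label, jwt) in cases)
        {
            Console.WriteLine(label);
            Console.WriteLine($"  page config accepts: {Validate(jwt, asOnPage) is not null}");
            Console.WriteLine($"  hardened accepts:    {Validate(jwt, hardened) is not null}");
        }

        // The AdminOnly policy (RequireClaim("role", "admin")) is this same test on the validated principal.
        var principal = Validate(forThisApi, hardened);
        Console.WriteLine($"AdminOnly satisfied: {principal?.HasClaim("role", "admin") == true}");
    }
}
```

Run it as a console project and compare the two columns: the billing-api token passes the page's configuration but is rejected by the hardened one, the token from another issuer is rejected by both, and only the first token satisfies the AdminOnly check. In the real service you do not set ValidIssuer or IssuerSigningKey by hand; AddJwtBearer derives them from the discovery document, so ValidAudience is the one value you still have to supply.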

Logout

using Microsoft.AspNetCore.Authentication;

public IActionResult Logout()
{
    // Signing out of both schemes clears the local cookie session and lets the OIDC handler
    // redirect the browser to the provider's end-session endpoint; RedirectUri is where the
    // user lands afterwards. Returning a separate Redirect("/") would overwrite that redirect.
    return SignOut(
        new AuthenticationProperties { RedirectUri = "/" },
        CookieAuthenticationDefaults.AuthenticationScheme,
        OpenIdConnectDefaults.AuthenticationScheme);
}

Signing out of the OpenIdConnect scheme makes ASP.NET Core's OIDC handler redirect to the provider's end-session endpoint, so RP-initiated logout is triggered automatically.