Rig.TUnit.Security.OAuth 0.1.0-beta.2

This is a prerelease version of Rig.TUnit.Security.OAuth.
dotnet add package Rig.TUnit.Security.OAuth --version 0.1.0-beta.2
                    

Rig.TUnit.Security.OAuth

In-process mock OAuth 2.0 / OIDC server with /authorize, /token, /jwks, /.well-known/openid-configuration — client-credentials + auth-code + PKCE S256 + refresh.

What this package is

MockOAuthServer is an in-process OAuth 2.0 / OpenID Connect mock that exposes the four endpoints client code expects (/authorize, /token, /jwks, /.well-known/openid-configuration) and issues JWTs signed with a rotating key set. Tokens are accepted by a real JwtBearerHandler via JWKS discovery — the production validation pipeline runs unchanged. Supports the three grant flows tests need: client-credentials, authorization-code + PKCE (S256), and refresh-token.

When to use it

  • Integration tests for services that authenticate via OAuth / OIDC.
  • Verifying PKCE flow and refresh-token rotation.
  • Testing JWKS key rollover without touching a real identity provider.
  • Not for: end-to-end tests against a real IDP — MockOAuthServer does not replicate provider-specific quirks (Azure AD B2C claim mappings, Auth0 rules, etc.).

Prerequisites

  • .NET 10 SDK
  • ASP.NET Core host (fixture uses FrameworkReference Microsoft.AspNetCore.App).

Quick start

using Rig.TUnit.Security.OAuth.Fixtures;

await using var mock = new MockOAuthServer(new MockOAuthServerOptions
{
    Issuer = "https://mock",
});
await mock.StartAsync();

Options

| Property | Type | Default | Description |
|---|---|---|---|
| Issuer | string | "https://mock.oauth" | OIDC issuer URL |
| DefaultScopes | string[] | ["openid", "profile"] | Tokens minted with these by default |
| AccessTokenTtl | TimeSpan | 15m | TTL for access tokens |
| RefreshTokenTtl | TimeSpan | 7d | TTL for refresh tokens |
| EnablePkce | bool | true | Require PKCE for auth-code flow |

Fixture + helper APIs

  • Rig.TUnit.Security.OAuth.Fixtures.MockOAuthServer
  • Rig.TUnit.Security.OAuth.Options.MockOAuthServerOptions
  • Rig.TUnit.Security.OAuth.Builder.OAuthRigBuilder

Per-test isolation

Each MockOAuthServer binds a random ephemeral port; multiple fixtures run concurrently without collision. Signing keys are per-fixture (rotatable via mock.RotateSigningKey()).

Parallelism + performance

  • Startup: ~25 ms per fixture.
  • /token endpoint latency: ~5 ms (JWT signing dominant).
  • Safe under full parallelism.

Troubleshooting

  • JWKS discovery fails — the API under test cached the JWKS endpoint at startup; rotating keys mid-test requires resetting the cache or raising TokenValidationParameters.RefreshInterval.
  • PKCE code_verifier mismatch — ensure the verifier on /token matches the S256 hash sent on /authorize; use the helper's PKCE pair generator to avoid manual errors.

See docs/troubleshooting.md#oauth.
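
The S256 relationship behind the PKCE mismatch item above, as an added example (not the package's own code or its PKCE pair generator). The `Pkce` class and its member names are hypothetical; the fixed inputs are the test vector from RFC 7636 Appendix B.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example: Pkce is a hypothetical helper, not the package's PKCE pair generator.
public static class Pkce
{
    // RFC 7636 section 4.1: 32 random octets, base64url-encoded, give a 43-character verifier.
    public static string NewVerifier() => Base64Url(RandomNumberGenerator.GetBytes(32));

    // RFC 7636 section 4.2: code_challenge = BASE64URL(SHA256(ASCII(code_verifier))).
    public static string S256Challenge(string verifier)
    {
        if (verifier.Length is < 43 or > 128)
            throw new ArgumentException("code_verifier must be 43 to 128 characters", nameof(verifier));
        foreach (char c in verifier)
            if (!(char.IsAsciiLetterOrDigit(c) || c is '-' or '.' or '_' or '~'))
                throw new ArgumentException("code_verifier has a character outside the unreserved set", nameof(verifier));
        return Base64Url(SHA256.HashData(Encoding.ASCII.GetBytes(verifier)));
    }

    // A check of the kind a token endpoint performs: recompute the challenge, compare in fixed time.
    public static bool Matches(string verifier, string challengeFromAuthorize) =>
        CryptographicOperations.FixedTimeEquals(
            Encoding.ASCII.GetBytes(S256Challenge(verifier)),
            Encoding.ASCII.GetBytes(challengeFromAuthorize));

    private static string Base64Url(byte[] bytes) =>
        Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
}

public static class Program
{
    public static void Main()
    {
        // Test vector from RFC 7636 Appendix B.
        const string verifier = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk";
        const string challenge = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM";
        Console.WriteLine($"RFC vector matches:    {Pkce.Matches(verifier, challenge)}");

        // Frequent hand-rolled mistakes: standard base64 with padding, or sending the verifier itself.
        string padded = Convert.ToBase64String(SHA256.HashData(Encoding.ASCII.GetBytes(verifier)));
        Console.WriteLine($"padded base64 matches: {Pkce.Matches(verifier, padded)}");
        Console.WriteLine($"verifier as challenge: {Pkce.Matches(verifier, verifier)}");

        string fresh = Pkce.NewVerifier();
        Console.WriteLine($"fresh pair matches:    {Pkce.Matches(fresh, Pkce.S256Challenge(fresh))}");
    }
}
```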

Provider quirks + edge cases

  • /.well-known/openid-configuration is served at the issuer base URL; misconfigured Authority values on consumer fixtures will fail discovery silently.
  • Refresh-token rotation: each /token call with grant_type=refresh_token issues a new refresh and invalidates the old. Tests asserting "old refresh still works" will fail — by design.
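
Why a test that replays the old refresh token fails, shown as an added model of single-use rotation (not MockOAuthServer's implementation). `RotatingRefreshStore` and its members are hypothetical; the 7-day lifetime is the RefreshTokenTtl default from the options table.

```csharp
#nullable enable
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

// Added example: a hypothetical model of rotation, not MockOAuthServer's internals.
public sealed class RotatingRefreshStore
{
    private readonly Dictionary<string, DateTimeOffset> _live = new(); // token -> expiry
    private readonly TimeSpan _ttl;

    public RotatingRefreshStore(TimeSpan ttl) => _ttl = ttl;

    public string Issue(DateTimeOffset now)
    {
        string token = Convert.ToHexString(RandomNumberGenerator.GetBytes(32));
        _live[token] = now + _ttl;
        return token;
    }

    // The presented token is removed first, so it is single-use whether or not it
    // had expired; only a known, unexpired token yields a replacement.
    public bool TryRotate(string presented, DateTimeOffset now, out string? replacement)
    {
        replacement = null;
        if (!_live.Remove(presented, out DateTimeOffset expiry) || now >= expiry)
            return false;
        replacement = Issue(now);
        return true;
    }
}

public static class Program
{
    public static void Main()
    {
        var store = new RotatingRefreshStore(TimeSpan.FromDays(7)); // RefreshTokenTtl default
        DateTimeOffset t0 = DateTimeOffset.UtcNow;                  // constructed timeline

        string first = store.Issue(t0);
        bool rotated = store.TryRotate(first, t0.AddMinutes(20), out string? second);
        bool replayed = store.TryRotate(first, t0.AddMinutes(21), out _);
        bool expired = store.TryRotate(second!, t0.AddDays(8), out _);

        Console.WriteLine($"first refresh accepted: {rotated}");
        Console.WriteLine($"old refresh replayed:   {replayed}");
        Console.WriteLine($"refresh past its TTL:   {expired}");
    }
}
```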

Benchmarks

See OAuthBenchmarks.cs; baseline in benchmarks/baseline-005.json.

License

MIT. See LICENSE.

Product: .NET
Compatible and additional computed target framework versions: net10.0 is compatible. net10.0-android was computed. net10.0-browser was computed. net10.0-ios was computed. net10.0-maccatalyst was computed. net10.0-macos was computed. net10.0-tvos was computed. net10.0-windows was computed.

NuGet packages (1)

Showing the top 1 NuGet packages that depend on Rig.TUnit.Security.OAuth:

Package Downloads
Rig.TUnit.All

Meta-package containing every Rig.TUnit.* package. DISCOURAGED — prefer per-feature or per-stack meta-packages (Rig.TUnit, Rig.TUnit.Microservices).

GitHub repositories

This package is not used by any popular GitHub repositories.

| Version | Downloads | Last Updated |
|---|---|---|
| 0.1.0-beta.2 | 48 | 4/27/2026 |
| 0.0.0-alpha.0.14 | 43 | 4/26/2026 |