udap-tools/udap-dotnet


udap-dotnet

UDAP SDK and reference implementation for .NET


Note: Active development happens on the develop branch. The main branch contains the latest stable release.


UDAP is a PKI extension profile for OAuth 2.0. A Community hosts one or more PKIs; joining a community results in a public/private key being issued to the client. The client explicitly trusts one of the issuing certificates in that chain, and full certificate chain validation, including certificate revocation checking, is performed up to that trusted root.
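
The trust model in the paragraph above (an explicitly trusted community root, intermediates supplied with the request, full chain building with revocation checking) as a self-contained .NET sketch. This is an added example, not udap-dotnet code: it builds a throw-away root, intermediate and client certificate in memory with System.Security.Cryptography, then validates the client certificate against only that root through X509Chain with CustomRootTrust, and shows what a foreign root or a missing intermediate looks like to the validator. Revocation is set to NoCheck solely because the constructed certificates carry no CRL or OCSP URLs; a real validator passes X509RevocationMode.Online. The type and method names (ChainValidationDemo, ValidateToTrustedRoot, BuildTestPki) are assumptions of this example, not SDK APIs.

```csharp
// Added example, not udap-dotnet code: in-memory root -> intermediate -> client PKI,
// validated only against the explicitly trusted community root.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public static class ChainValidationDemo
{
    // Validate `leaf` up to `trustedRoot` and nothing else: the OS trust store is ignored and
    // intermediates come from the caller (in UDAP they travel with the request, e.g. in x5c).
    public static (bool Ok, List<string> Errors) ValidateToTrustedRoot(
        X509Certificate2 leaf, IEnumerable<X509Certificate2> intermediates,
        X509Certificate2 trustedRoot, X509RevocationMode revocationMode)
    {
        using var chain = new X509Chain();
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        chain.ChainPolicy.CustomTrustStore.Add(trustedRoot);
        chain.ChainPolicy.ExtraStore.AddRange(intermediates.ToArray());
        chain.ChainPolicy.RevocationMode = revocationMode;               // Online in production
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag; // tolerate no defect

        bool ok = chain.Build(leaf);
        var errors = chain.ChainStatus
            .Where(s => s.Status != X509ChainStatusFlags.NoError)
            .Select(s => $"{s.Status}: {s.StatusInformation}".Trim())
            .ToList();

        // The chain must actually terminate at the community root we were handed.
        var top = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
        if (ok && !top.RawData.AsSpan().SequenceEqual(trustedRoot.RawData))
        {
            ok = false;
            errors.Add("chain terminated at an unexpected anchor");
        }
        return (ok, errors);
    }

    // Constructed test PKI with throw-away RSA keys; validity periods are deliberately short.
    public static (X509Certificate2 Root, X509Certificate2 Intermediate, X509Certificate2 Leaf)
        BuildTestPki(string communityName)
    {
        var now = DateTimeOffset.UtcNow;

        var rootKey = RSA.Create(2048);
        var rootReq = new CertificateRequest($"CN={communityName} Root", rootKey,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        rootReq.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, true, 1, true));
        rootReq.CertificateExtensions.Add(new X509KeyUsageExtension(
            X509KeyUsageFlags.KeyCertSign | X509KeyUsageFlags.CrlSign, true));
        rootReq.CertificateExtensions.Add(new X509SubjectKeyIdentifierExtension(rootReq.PublicKey, false));
        var root = rootReq.CreateSelfSigned(now.AddMinutes(-5), now.AddDays(30));

        var interKey = RSA.Create(2048);
        var interReq = new CertificateRequest($"CN={communityName} Issuing CA", interKey,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        interReq.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, true, 0, true));
        interReq.CertificateExtensions.Add(new X509KeyUsageExtension(
            X509KeyUsageFlags.KeyCertSign | X509KeyUsageFlags.CrlSign, true));
        interReq.CertificateExtensions.Add(new X509SubjectKeyIdentifierExtension(interReq.PublicKey, false));
        var intermediate = interReq.Create(root, now.AddMinutes(-5), now.AddDays(29), NewSerial())
            .CopyWithPrivateKey(interKey); // the issuing CA needs its key to sign the leaf

        var leafKey = RSA.Create(2048);
        var leafReq = new CertificateRequest("CN=Example FHIR Client", leafKey,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        leafReq.CertificateExtensions.Add(new X509BasicConstraintsExtension(false, false, 0, true));
        leafReq.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.DigitalSignature, true));
        leafReq.CertificateExtensions.Add(new X509EnhancedKeyUsageExtension(
            new OidCollection { new Oid("1.3.6.1.5.5.7.3.2") }, false)); // id-kp-clientAuth
        var leaf = leafReq.Create(intermediate, now.AddMinutes(-5), now.AddDays(7), NewSerial());

        return (root, intermediate, leaf);
    }

    private static byte[] NewSerial()
    {
        var serial = new byte[16];
        RandomNumberGenerator.Fill(serial);
        serial[0] &= 0x7F; // keep the serial number positive
        return serial;
    }

    public static void Main()
    {
        var (root, intermediate, leaf) = BuildTestPki("Example Community");
        var (foreignRoot, _, _) = BuildTestPki("Some Other Community");

        // NoCheck only because the constructed certs have no CDP/AIA; use Online for real chains.
        var good = ValidateToTrustedRoot(leaf, new[] { intermediate }, root, X509RevocationMode.NoCheck);
        Console.WriteLine($"community root: ok={good.Ok}");

        var wrongRoot = ValidateToTrustedRoot(leaf, new[] { intermediate }, foreignRoot, X509RevocationMode.NoCheck);
        Console.WriteLine($"foreign root:   ok={wrongRoot.Ok} ({string.Join("; ", wrongRoot.Errors)})");

        var noIssuer = ValidateToTrustedRoot(leaf, Array.Empty<X509Certificate2>(), root, X509RevocationMode.NoCheck);
        Console.WriteLine($"missing issuer: ok={noIssuer.Ok} ({string.Join("; ", noIssuer.Errors)})");
    }
}
```

The first call succeeds; the other two fail because the chain cannot be built to the supplied anchor (a partial chain or untrusted root is reported in the status list). The explicit comparison of the chain's last element against the supplied anchor is there so that a policy change elsewhere (for example someone switching TrustMode back to System) cannot silently widen the set of accepted roots.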

  • FHIR® is the registered trademark of HL7 and is used with the permission of HL7. Use of the FHIR trademark does not constitute endorsement of the contents of this repository by HL7.
  • UDAP® and the UDAP gear logo, ecosystem gears, and green lock designs are trademarks of UDAP.org.

Specifications Supported

| Specification | Status | Description |
|---|---|---|
| UDAP.org | Complete | Base UDAP specs — server metadata, DCR, JWT client auth, authorization grants, tiered OAuth, C&E, TLS client auth. All 7 specs in docs/specifications/UDAP.org/ |
| HL7 FHIR UDAP Security IG (SSRAA) | Complete | Security for Scalable Registration, Authentication, and Authorization |
| TEFCA Facilitated FHIR | In Progress | Trusted Exchange Framework and Common Agreement. B2B flows, XP code validation, IAS extensions. Specs in docs/specifications/TEFCA/ |

Features at a Glance

Discovery & Registration

Feature Status
.well-known/udap metadata endpoint
Multiple Trust Communities
Multi-Domain Metadata — dynamic cert selection by request URL
Metadata JWT & certificate chain validation
Dynamic Client Registration (create / update / cancel)
Certifications & Endorsements

Authorization & Authentication

Feature Status
Consumer-Facing (authorization_code)
Business-to-Business (client_credentials)
Tiered OAuth — federated user authentication

Authorization Extension Objects (AEOs)

| Extension | Spec | Status | Description |
|---|---|---|---|
| hl7-b2b | SSRAA / TEFCA | | B2B extension for client_credentials — purpose_of_use enforcement |
| hl7-b2b-user | SSRAA | | B2B extension for authorization_code with user context (FHIR Person) |
| tefca-ias | TEFCA | | Individual Access Services — patient/user info, consent, id_token |

Pluggable validation via IUdapAuthorizationExtensionValidator with per-community rules:

  • SSRAA — validates against HL7 v3 PurposeOfUse value set (60+ codes)
  • TEFCA — validates against 12 TEFCA Exchange Purpose (XP) codes, enforces single purpose_of_use, SAN URI matching
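
To make the per-community rules above concrete, here is an added example in C#; it is not the SDK's IUdapAuthorizationExtensionValidator implementation (that interface's signature is not shown on this page), so it uses a hypothetical IPurposeOfUseRule instead. An SSRAA rule accepts any listed code from a six-code sample of the HL7 v3 PurposeOfUse value set, and a TEFCA rule additionally insists on exactly one purpose_of_use and on membership in the XP code set. The XP code strings are labelled placeholders, the SSRAA set is a subset of the real 60+ codes, and the hl7-b2b JSON bodies are constructed for the demo; the SAN URI matching mentioned above is not covered.

```csharp
// Added example, not udap-dotnet code: per-community purpose_of_use rules for the
// hl7-b2b extension. IPurposeOfUseRule is hypothetical, not the SDK's validator interface.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.Json;

public interface IPurposeOfUseRule
{
    string Community { get; }
    IReadOnlyList<string> Validate(JsonElement hl7B2bExtension); // empty list means accepted
}

public static class PurposeOfUse
{
    // purpose_of_use must be a non-empty array of non-blank strings; anything else is rejected early.
    public static bool TryRead(JsonElement ext, out List<string> codes, out string error)
    {
        codes = new List<string>();
        error = "";
        if (!ext.TryGetProperty("purpose_of_use", out var pou)) { error = "purpose_of_use is required"; return false; }
        if (pou.ValueKind != JsonValueKind.Array) { error = "purpose_of_use must be an array"; return false; }
        foreach (var item in pou.EnumerateArray())
        {
            if (item.ValueKind != JsonValueKind.String || string.IsNullOrWhiteSpace(item.GetString()))
            { error = "purpose_of_use entries must be non-empty strings"; return false; }
            codes.Add(item.GetString()!);
        }
        if (codes.Count == 0) { error = "purpose_of_use must not be empty"; return false; }
        return true;
    }
}

public sealed class SsraaRule : IPurposeOfUseRule
{
    public string Community => "SSRAA";
    // Six real HL7 v3 PurposeOfUse codes used as a demo subset; the full value set is 60+ codes.
    private static readonly HashSet<string> ValueSet = new(StringComparer.Ordinal)
        { "TREAT", "ETREAT", "HPAYMT", "HOPERAT", "PUBHLTH", "HRESCH" };

    public IReadOnlyList<string> Validate(JsonElement ext)
    {
        if (!PurposeOfUse.TryRead(ext, out var codes, out var err)) return new[] { err };
        return codes.Where(c => !ValueSet.Contains(c))
                    .Select(c => $"'{c}' is not in the HL7 v3 PurposeOfUse value set")
                    .ToList();
    }
}

public sealed class TefcaRule : IPurposeOfUseRule
{
    public string Community => "TEFCA";
    // Constructed placeholders standing in for the 12 TEFCA Exchange Purpose (XP) codes;
    // a real deployment loads the official code strings here.
    private static readonly HashSet<string> XpCodes = new(StringComparer.Ordinal)
        { "XP-PLACEHOLDER-TREATMENT", "XP-PLACEHOLDER-PAYMENT", "XP-PLACEHOLDER-OPERATIONS" };

    public IReadOnlyList<string> Validate(JsonElement ext)
    {
        if (!PurposeOfUse.TryRead(ext, out var codes, out var err)) return new[] { err };
        var errors = new List<string>();
        if (codes.Count != 1) // TEFCA: a single purpose per request, never a list
            errors.Add($"TEFCA requires exactly one purpose_of_use, got {codes.Count}");
        errors.AddRange(codes.Where(c => !XpCodes.Contains(c)).Select(c => $"'{c}' is not a TEFCA XP code"));
        return errors;
    }
}

public static class PurposeOfUseDemo
{
    public static void Main()
    {
        // Constructed hl7-b2b extension bodies; only purpose_of_use matters to these rules.
        var samples = new[]
        {
            "{ \"version\": \"1\", \"purpose_of_use\": [\"TREAT\"] }",
            "{ \"version\": \"1\", \"purpose_of_use\": [\"TREAT\", \"HPAYMT\"] }",
            "{ \"version\": \"1\", \"purpose_of_use\": [\"XP-PLACEHOLDER-TREATMENT\"] }",
            "{ \"version\": \"1\", \"purpose_of_use\": \"TREAT\" }",
        };
        var rules = new IPurposeOfUseRule[] { new SsraaRule(), new TefcaRule() };
        foreach (var json in samples)
        {
            using var doc = JsonDocument.Parse(json);
            foreach (var rule in rules)
            {
                var errors = rule.Validate(doc.RootElement);
                var verdict = errors.Count == 0 ? "accept" : "reject: " + string.Join("; ", errors);
                Console.WriteLine($"{rule.Community,-5} {json,-68} -> {verdict}");
            }
        }
    }
}
```

Running it shows the two communities disagreeing on the same input: SSRAA accepts the two-code request while TEFCA rejects it for carrying more than one purpose, and both reject the fourth sample because purpose_of_use is a bare string rather than an array. Keeping the shared parsing in one place means a malformed extension is refused the same way regardless of which community's rule runs.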

TEFCA-Specific Features

Feature Status
Exchange Purpose validation (all 12 XP codes)
SAN URI exchange purpose matching
Organization ID validation (RCE Directory format)
TEFCA Authorization Error extension (consent_required)
IAS flow via tefca-ias extension

NuGet Packages

Core

| Package | Description |
|---|---|
| Udap.Model | Data models and constants (zero external dependencies) |
| Udap.Common | Certificate & trust chain validation, ICertificateStore, ITrustAnchorStore |
| Udap.Client | Discovery, registration, token requests via IUdapClient |
| Udap.Metadata.Server | .well-known/udap endpoint for resource servers |
| Udap.Server | Authorization server extensions (Duende IdentityServer), DCR |
| Udap.Server.Storage | EF Core persistence (SQLite, SQL Server, PostgreSQL) |
| Udap.TieredOAuth | Federated OAuth / external IdP integration |

Profile-Specific

| Package | Description |
|---|---|
| Udap.Ssraa.Server | SSRAA community validation (purpose_of_use value set, required extensions) |
| Udap.Tefca.Model | TEFCA extension models (tefca-ias, XP constants) |
| Udap.Tefca.Server | TEFCA community validation (XP codes, SAN matching) |

Configuration Docs


Examples

See the examples/ folder. Full list below.

Servers

| Project | Description |
|---|---|
| FhirLabsApi | FHIR R4B resource server — passes all udap.org conformance tests |
| Udap.Auth.Server | Authorization server with Duende IdentityServer + UDAP |
| Udap.Proxy.Server | YARP reverse proxy — add UDAP security to existing FHIR servers |
| Tefca.Proxy.Server | TEFCA-configured reverse proxy |

Identity Providers

| Project | Description |
|---|---|
| Udap.Identity.Provider | Tiered OAuth IdP |
| Udap.Identity.Provider.2 | Second IdP for federation testing |

Admin & Tooling

| Project | Description |
|---|---|
| Udap.Auth.Server.Admin | Admin UI for UDAP tables |
| Udap.Pki.Cli | CLI tool for PKI operations |
| UdapEd | UDAP testing and exploration tool (separate repository) |

Sigil — PKI Management Tool

Sigil is a modern certificate authority and PKI management tool built with .NET, Blazor Server, FluentUI v4, and PostgreSQL.

➡️ Full feature list | Roadmap

| Capability | Details |
|---|---|
| Certificate Explorer | Hierarchical tree view, color-coded status badges, chain validation, ASN.1 viewer |
| Certificate Issuance | Configurable templates (Root CA, Intermediate CA, UDAP Client, SSL Server), RSA & ECDSA |
| Certificate Lifecycle | Import (drag & drop, batch), renewal (re-key / re-sign), archive, revocation |
| CRL Management | Import, online resolution via CDP, revocation status tracking |
| Remote Signing | Pluggable ISigningProvider — HashiCorp Vault Transit and Google Cloud KMS |
| Aspire Orchestration | Dev / Docker / GCP launch profiles via Sigil.AppHost |

Getting Started

Build

dotnet restore
dotnet test _tests/Udap.PKI.Generator   # Generate test PKI (required once)
dotnet build Udap.sln

Test

dotnet test _tests/Udap.Common.Tests
dotnet test _tests/UdapMetadata.Tests
dotnet test _tests/UdapServer.Tests

Tip: Avoid running Udap.Client.System.Tests in CI; those tests run against live servers. If SQLite DB sync issues occur, clean the bin folder of the affected test projects.

Run Examples Locally

# Install Tye (one-time)
dotnet tool install -g Microsoft.Tye --version "0.12.0-*" \
  --add-source https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet6/nuget/v3/index.json

# Start all services with hot reload
tye run --watch

Quick Start — Tiered OAuth

builder.Services.AddAuthentication()
    .AddTieredOAuth(options =>
    {
        options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
    });

Database Migrations

| Project | Target |
|---|---|
| UdapDb.SqlServer | SQL Server |
| UdapDb.Postgres | PostgreSQL |

Key Dependencies

| Package | Purpose |
|---|---|
| Duende.IdentityServer | Identity & auth platform |
| BouncyCastle.Cryptography | X.509 PKI operations |
| Hl7.Fhir.R4B | FHIR models |
| YARP | Reverse proxy |

Versions centrally managed in Directory.Packages.props.
