Core Middleware

This is the main thread for the Core Middleware for SQRL
If your intrested in using SQRL in an Core setting please use the NuGet package here:

Other links
NuGet package:
Slack: (join here:

Current version: 1.4.1

Release notes
Version 1.4.1
  • Fix for missing comma in JSON for custom login pages
  • Fix for new line terminator in SQRL protocol responses
Version 1.4.0
  • Added option for QR code scale
  • Added option for QR code boarder size
  • Added option for QR code error correction level (ECC)
  • Fixed helpers been enabled creating lot's of NUT's if no helper path defined
  • Helper paths now required
  • Paths in options changed to be PathString objects rather than strings this is a braking change
  • Started work on unit tests
1.3.1 - NUT size reduction
1.3.0 - Fix for spelling mistake for MillieSeconds so its not MilliSeconds
Fix for 500 error with clients that don't send opt in request (opt is now optional)
Changed hooks to be clear and use less requests for operations
1.2.0 - Added async hooks and Logging for middleware. Fixed bug with OnTicketReceived been called twice
1.1.0 - Added ASK capabilities, HTML helpers and SQRL Provider (used to get SQRL links server side)
1.0.1 - Added the removal of old NUTs for default in memory operation
1.0.0 - Production ready!!! CPS implomented and all opts have hooks
0.9.0 - .net core 3.0 friendly
0.8.1 - Fixed bug found by DEllner with iOS app expecting content type of application/x-www-form-urlencoded this is now sent
0.8.0 - Custom login pages now allow you to create your own styled login page
0.6.0 - Diagnostic pages now ready to use and work started on custom login pages
0.5.3 - Added response to diagnostics page
0.5.2 - Added a simple diagnostics page to help with diagnosing issues
0.5.1 - Fix for missing validation on RemoveUser Action
0.5.0 - Beta release added support for Enable, Disable and Remove
0.1.0 - Beta release awaiting feedback from SQRL developer groups
Last edited:
  • Like
Reactions: Ian Treleaven
Hey Liam, it's great to see you here. I don't know if English is your first language or not and I don't want to be rude, but I would suggest you should spell check your content on your page. If you want your product to be taken seriously, then you need to be worried about how it is perceived, and poor spelling and/or poor grammar are usually detractors.

Some things I saw:
protocal -> protocol
beleafe -> belief
confermation -> confirmation
I looked at your code a bit, and it's a bit of mental gymnastics for me because I am not that familiar with C# despite its similarity to Java (with which I have many years experience.)

I saw you using something you called FirstNut... I don't understand this. You should NEVER need to keep any older NUT... since you should NEVER EVER reuse a NUT. Please explain your intentions?
In the implementation I could find and understand (same issue as you with my code hehe) and the reading of the docs @Steve has written it looked like it have to do this so the page polling to check if the user is logged in can send the only nut it knows about the first nut you have got to one of the point i waa less sure about.
I forgot to check the login here to see what that was doing which I did at the start :(

What is it I should be doing to let the login page poll for authorised login success?
The first thing we need to set clear here is a framework issue. I have no experience with any .NET framework, so I must ask you some boring/obvious questions.

Are you wanting a site that only allows a single user to authenticate (some sort of personal project) or do you expect to allow any number of different users to authenticate?

Assuming the latter, how do you store your user database. The most common way is to use a relational database. Database schema design is practically a science unto its own, but the obvious base approach would be to have a table that maps IDKs to user IDs and then a table that links user IDs to other data such as the actual user info (avatar, display name, email, site privileges, date of late login, and the SQRL flags like SQRLOnly.)

So when someone is logged into the site, you would have a valid userID which would let you know all the user info you need.
For .net specifically we can pick from many different data stores but I personally use a MSSQL database.

As you outlined I have a table for users and another for external system ids which is my lookup table for OAuth users who login. I have as by design for my website cooped this for SQRL users too.

So I have:
A user table - holds user information
A authentication system table - holds I'd like idk

A user can have many authentication system table records has identity which holds claims like role which is out if scope for the middleware and is done in app specific code.

How a user stores data is also in app code the middleware exposes actions and functions in the options class for the middleware that have to be implemented or exceptions are thrown.
A SQRL server needs to implement a series of transactions. To tie these together, you will need some user session state. The state will hold things like the NUT (ONLY the current one, which needs to be verified with EVERY transaction) and the IP address, timers and/or expiry dates and the IDK and possibly the userID.

When the login page is generated, it will be generated with a new session, which will be tied to the NUT. When the user connects back, it should first verify that the transaction is valid, that it is signed, and that the signature is valid, and then that the nut is valid and hasn't expired. The TIF will indicate all the problems up to that point. Assuming you pass that point, then you can act on the users transaction, based on the state tied to the session you find from the NUT.
Hi all,
So the last five working days have been fun I decided to create the SQRL middleware for .NET standard to use on my personal website which I have got to a point where the GRC SQRL client will authenticate a user and login both same device and cross device
@TechLiam, That's awesome!! I love to hear that it is "that easy"! developers are going to want this to be quick and easy to work with.
Oh, you are absolutely right! We want this to be as simple and as ubiquitous as possible! And there is no shortage of opportunities.

I have published the code here but I have published a NuGet package so developers can start using this code right away
Great! Thanks!

(this is not for production will this forum has validated the code).
Smart!! We are fortunate to have so great many wise and dedicated members here!

Thanks for the work you have already done!

@Dave thanks I really have wanted to do this for ages but time just started a new job that allows me to do this sort of work though so I now can :)

@PHolder when you say session are you talking about a server session? This would normally be a cookie is and would work when signing in with a mobile phone pointing at my desktop.

Currently the nuts are stored I one if two dictionary the nut list and the authorized nut list these are in the options class for the middleware as I wanted to allow for a load balanced server setup which would need developers to implement there own but storage which is up to them. I can talk more about my thoughts on that later.

Every request that the SQRL client makes gets a new nut back in the server side nut info is tied to that nut the first nut is stored in this info but has been removed after the first request from the SQRL client which from my testing is a query with opt suk .

Can you explain how the login page is to check if the ident command happened and if it was idmatch and ipmatch (when it need to) with out the server knowing the nut on the login page and been able to tie that back to the nut that was used in the idemt or marking that first nut as authorised.
The SQRL protocol is stateful... HTTPS is not. Most frameworks probably have their own concept of session to provide statefulness, but as I said previously, I don't know anything about your framework choice or implementation.

You will NEED a way to inject the current NUT into the stateful session for the user. If you cannot do that in your framework, you will need to do this outside it. Do not use the NUT for anything other than securing the protocol. The IDK is the user's identifier... not the NUT.
Ok so I did a bit of investigation to how this sites login seams to work. Once you have opened the login page and it's shown a QR code it starts polling with the nut in the link which is also encoded in the QR code as well.

From this observation I would be happy saying unless told other wise by @Steve that my approach of using the first nut is good and inline with his implementation. It's statfull as the current nut is unique none repeating but can be related to the origin cookie.
@TechLiam I will let @Steve feed back to you when he can, but please know it will likely be many weeks... he's traveling right now and hasn't really been active on this site in over a month. If you would like to get more concrete feedback, you should consider using his newsgroup for SQRL. (See here for details .)

In any case, whether you reuse the first NUT for a session identifier or not, I think you should not call the variable name FirstNut as this is confusing the purpose of the NUT. You could call it something like SessionIdentifier to be more clear of its purpose.

Also, I want to make sure you're aware of these documents: This is Steve's attempt to make clear all the of necessary processes to make SQRL work.
@PHolder thank you for your feed back it is very helpful. I agree that first nut might not be the best name but for clarity it is the first nut in this authentication activity.

Thanks for the links I has read and reread GRC documents already but I have also reread them in which I found the answer to the polling question I had
While any SQRL sign-in page is being displayed and is visible in the foreground, that page’s JavaScript is periodically querying (polling) the website’s SQRL server or service using the ‘nut’ received to ask the server whether any change should be made in the currently displayed page. If a site wishes, it might choose to have its SQRL sign-in JavaScript establish a single persistent connection to await a
page change reply, but this may overtax busy systems. In any event, the specific mechanism is left to the implementor.
This is in the case of a cross device authentication, which by reading the documentation again I have realised I have not implemented the CPS and CAN for same device login I will be doing this today as a matter of importance.

Again thanks for the feedback
Last edited:
@TechLiam I'm building a new site and I was hoping someone would start on a server side implementation for SQRL for .NET Core. I'll look over your code, but I don't know how much value I can add.

I went to your personal website and got a different experience with each of the 3 SQRL clients I have installed:
1) Jeff Arthur's client for IOS: Got an error. See attached image
2) GRC's official client for Windows v1.0.7098.1, release 1: It didn't pop up like when I login to this SQRL forum.
3) SQRL Chrome Plugin v0.0.51: Worked just fine (


  • 20191006_195011736_iOS.png
    207.8 KB · Views: 10
Thank you so much @DEllner any feedback is welcome there is a NuGet package you can use in your project.

I'm glad you tested the IOS version as I don't have a device to test with for that id assume that Jeff Arthur is expecting the content type application/x-www-form-urlencoded which right now I'm not sending I'll look to change this tomorrow in a patch for 0.8.0.

For GRCS client this should be working I have tested in but tomorrow (I'm UK based so it's late here) I can turn on diagnostics and see or if you can try the example projects in the GitHub that would be grate.

If you have the browser plugin installed in my testing I noticed that overrides the GRC client.

Any feedback or changes you like to see in the m8dfleware please please let me know and I'd be intrested in finding out about the usability from a dev point of view of my package.
For this SQRL forum login, I get prompted to login with SQRL via Chrome browser plugin, but the GRC client takes control of all input so I enter my password there and it logs me in. I get nothing for the GRC client on your website for Chrome browser. The GRC client is invoked from Edge browser but I get the "No Identity Spoof Protection" warning shown in the attached screenshot.

I'll add your project to my website solution in a separate branch and give you feedback. I'll also use the NuGet package in another branch as well. Might take a week or two to get the time. Will keep you posted. Keep up the good work!


  • Capture.PNG
    41.3 KB · Views: 9
Not sure why the GRC client takes over from the browser plugin that a question for @Jaap and @Steve to explain (although not best practice you can turn off the gray overlay thing in GRC's client and use the browser one instead then or cancel the GRC client).

You will always get the screen you attached with GRC's client as its a warning @Steve wanted to add in for users to make them careful.

I look forward to finding out about your projects integration please do keep me posted and any help I'm happy to assist
  • Like
Reactions: warwagon