5-improve-encrypted-storage (#6)

Added the use of DEK's for encryption of secrets. Both the KEK's and DEK's are stored in a way that you can have multiple key of which one is active. But the others are still available for decrypting. This allows for implementing key rotation.

Co-authored-by: eelke <eelke@eelkeklein.nl>
Co-authored-by: Eelke76 <31384324+Eelke76@users.noreply.github.com>
Reviewed-on: #6

IdentityShroud.Api.Tests/Apis/ClientApiTests.cs

@@ -0,0 +1,179 @@
+using System.Net;
+using System.Net.Http.Json;
+using IdentityShroud.Core;
+using IdentityShroud.Core.Model;
+using IdentityShroud.Core.Tests.Fixtures;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.Extensions.DependencyInjection;
+
+namespace IdentityShroud.Api.Tests.Apis;
+
+public class ClientApiTests : IClassFixture<ApplicationFactory>
+{
+    private readonly ApplicationFactory _factory;
+
+    public ClientApiTests(ApplicationFactory factory)
+    {
+        _factory = factory;
+
+        using var scope = _factory.Services.CreateScope();
+        var db = scope.ServiceProvider.GetRequiredService<Db>();
+        if (!db.Database.EnsureCreated())
+        {
+            db.Database.ExecuteSqlRaw("TRUNCATE realm CASCADE;");
+        }
+    }
+
+    [Theory]
+    [InlineData(null, false, "ClientId")]
+    [InlineData("", false, "ClientId")]
+    [InlineData("my-client", true, "")]
+    public async Task Create_Validation(string? clientId, bool succeeds, string fieldName)
+    {
+        // setup
+        Realm realm = await CreateRealmAsync("test-realm", "Test Realm");
+
+        var client = _factory.CreateClient();
+
+        // act
+        var response = await client.PostAsync(
+            $"/api/v1/realms/{realm.Id}/clients",
+            JsonContent.Create(new { ClientId = clientId }),
+            TestContext.Current.CancellationToken);
+
+#if DEBUG
+        string contents = await response.Content.ReadAsStringAsync(TestContext.Current.CancellationToken);
+#endif
+
+        if (succeeds)
+        {
+            Assert.Equal(HttpStatusCode.Created, response.StatusCode);
+        }
+        else
+        {
+            Assert.Equal(HttpStatusCode.BadRequest, response.StatusCode);
+            var problemDetails =
+                await response.Content.ReadFromJsonAsync<ValidationProblemDetails>(
+                    TestContext.Current.CancellationToken);
+
+            Assert.Contains(problemDetails!.Errors, e => e.Key == fieldName);
+        }
+    }
+
+    [Fact]
+    public async Task Create_Success_ReturnsCreatedWithLocation()
+    {
+        // setup
+        Realm realm = await CreateRealmAsync("create-realm", "Create Realm");
+
+        var client = _factory.CreateClient();
+
+        // act
+        var response = await client.PostAsync(
+            $"/api/v1/realms/{realm.Id}/clients",
+            JsonContent.Create(new { ClientId = "new-client", Name = "New Client" }),
+            TestContext.Current.CancellationToken);
+
+#if DEBUG
+        string contents = await response.Content.ReadAsStringAsync(TestContext.Current.CancellationToken);
+#endif
+
+        // verify
+        Assert.Equal(HttpStatusCode.Created, response.StatusCode);
+
+        var body = await response.Content.ReadFromJsonAsync<ClientCreateReponse>(
+            TestContext.Current.CancellationToken);
+
+        Assert.NotNull(body);
+        Assert.Equal("new-client", body.ClientId);
+        Assert.True(body.Id > 0);
+    }
+
+    [Fact]
+    public async Task Create_UnknownRealm_ReturnsNotFound()
+    {
+        var client = _factory.CreateClient();
+
+        var response = await client.PostAsync(
+            $"/api/v1/realms/{Guid.NewGuid()}/clients",
+            JsonContent.Create(new { ClientId = "some-client" }),
+            TestContext.Current.CancellationToken);
+
+        Assert.Equal(HttpStatusCode.NotFound, response.StatusCode);
+    }
+
+    [Fact]
+    public async Task Get_Success()
+    {
+        // setup
+        Realm realm = await CreateRealmAsync("get-realm", "Get Realm");
+        Client dbClient = await CreateClientAsync(realm, "get-client", "Get Client");
+
+        var httpClient = _factory.CreateClient();
+
+        // act
+        var response = await httpClient.GetAsync(
+            $"/api/v1/realms/{realm.Id}/clients/{dbClient.Id}",
+            TestContext.Current.CancellationToken);
+
+#if DEBUG
+        string contents = await response.Content.ReadAsStringAsync(TestContext.Current.CancellationToken);
+#endif
+
+        // verify
+        Assert.Equal(HttpStatusCode.OK, response.StatusCode);
+
+        var body = await response.Content.ReadFromJsonAsync<ClientRepresentation>(
+            TestContext.Current.CancellationToken);
+
+        Assert.NotNull(body);
+        Assert.Equal(dbClient.Id, body.Id);
+        Assert.Equal("get-client", body.ClientId);
+        Assert.Equal("Get Client", body.Name);
+        Assert.Equal(realm.Id, body.RealmId);
+    }
+
+    [Fact]
+    public async Task Get_UnknownClient_ReturnsNotFound()
+    {
+        // setup
+        Realm realm = await CreateRealmAsync("notfound-realm", "NotFound Realm");
+
+        var httpClient = _factory.CreateClient();
+
+        // act
+        var response = await httpClient.GetAsync(
+            $"/api/v1/realms/{realm.Id}/clients/99999",
+            TestContext.Current.CancellationToken);
+
+        // verify
+        Assert.Equal(HttpStatusCode.NotFound, response.StatusCode);
+    }
+
+    private async Task<Realm> CreateRealmAsync(string slug, string name)
+    {
+        using var scope = _factory.Services.CreateScope();
+        var db = scope.ServiceProvider.GetRequiredService<Db>();
+        var realm = new Realm { Slug = slug, Name = name };
+        db.Realms.Add(realm);
+        await db.SaveChangesAsync(TestContext.Current.CancellationToken);
+        return realm;
+    }
+
+    private async Task<Client> CreateClientAsync(Realm realm, string clientId, string? name = null)
+    {
+        using var scope = _factory.Services.CreateScope();
+        var db = scope.ServiceProvider.GetRequiredService<Db>();
+        var client = new Client
+        {
+            RealmId = realm.Id,
+            ClientId = clientId,
+            Name = name,
+            CreatedAt = DateTime.UtcNow,
+        };
+        db.Clients.Add(client);
+        await db.SaveChangesAsync(TestContext.Current.CancellationToken);
+        return client;
+    }
+}

IdentityShroud.Api.Tests/Apis/RealmApisTests.cs

@@ -1,16 +1,35 @@
 using System.Net;
 using System.Net.Http.Json;
-using FluentResults;
-using IdentityShroud.Core.Messages.Realm;
-using IdentityShroud.Core.Services;
+using System.Security.Cryptography;
+using System.Text.Json.Nodes;
+using IdentityShroud.Core;
+using IdentityShroud.Core.Contracts;
+using IdentityShroud.Core.Model;
 using IdentityShroud.Core.Tests.Fixtures;
+using IdentityShroud.TestUtils.Asserts;
 using Microsoft.AspNetCore.Mvc;
-using NSubstitute.ClearExtensions;
+using Microsoft.AspNetCore.WebUtilities;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.Extensions.DependencyInjection;
 
 namespace IdentityShroud.Api.Tests.Apis;
 
-public class RealmApisTests(ApplicationFactory factory) : IClassFixture<ApplicationFactory>
+public class RealmApisTests : IClassFixture<ApplicationFactory>
 {
+    private readonly ApplicationFactory _factory;
+
+    public RealmApisTests(ApplicationFactory factory)
+    {
+        _factory = factory;
+
+        using var scope = _factory.Services.CreateScope();
+        var db = scope.ServiceProvider.GetRequiredService<Db>();
+        if (!db.Database.EnsureCreated())
+        {
+            db.Database.ExecuteSqlRaw("TRUNCATE realm CASCADE;");
+        }
+    }
+
     [Theory]
     [InlineData(null, null, null, false, "Name")]
     [InlineData(null, null, "Foo", true, "")]
@@ -22,14 +41,12 @@ public class RealmApisTests(ApplicationFactory factory) : IClassFixture<Applicat
     [InlineData("00000000-0000-0000-0000-000000000000", "foo", "Foo", false, "Id")]
     public async Task Create(string? id, string? slug, string? name, bool succeeds, string fieldName)
     {
-        var client = factory.CreateClient();
-
-        factory.RealmService.ClearSubstitute();
-        factory.RealmService.Create(Arg.Any<RealmCreateRequest>(), Arg.Any<CancellationToken>())
-            .Returns(Result.Ok(new RealmCreateResponse(Guid.NewGuid(), "foo", "Foo")));
+        var client = _factory.CreateClient();
 
         Guid? inputId = id is null ? (Guid?)null : new Guid(id);
-        var response = await client.PostAsync("/realms", JsonContent.Create(new
+        
+        // act
+        var response = await client.PostAsync("/api/v1/realms", JsonContent.Create(new
             {
                 Id = inputId,
                 Slug = slug,
@@ -43,19 +60,110 @@ public class RealmApisTests(ApplicationFactory factory) : IClassFixture<Applicat
         if (succeeds)
         {
             Assert.Equal(HttpStatusCode.Created, response.StatusCode);
-            await factory.RealmService.Received(1).Create(
-                Arg.Is<RealmCreateRequest>(r => r.Id == inputId && r.Slug == slug && r.Name == name), 
-                Arg.Any<CancellationToken>());
+            // await factory.RealmService.Received(1).Create(
+            //     Arg.Is<RealmCreateRequest>(r => r.Id == inputId && r.Slug == slug && r.Name == name),
+            //     Arg.Any<CancellationToken>());
         }
         else
         {
             Assert.Equal(HttpStatusCode.BadRequest, response.StatusCode);
-            var problemDetails = await response.Content.ReadFromJsonAsync<ValidationProblemDetails>(TestContext.Current.CancellationToken);
+            var problemDetails =
+                await response.Content.ReadFromJsonAsync<ValidationProblemDetails>(
+                    TestContext.Current.CancellationToken);
 
             Assert.Contains(problemDetails!.Errors, e => e.Key == fieldName);
-            await factory.RealmService.DidNotReceive().Create(
-                Arg.Any<RealmCreateRequest>(), 
-                Arg.Any<CancellationToken>());
+            // await factory.RealmService.DidNotReceive().Create(
+            //     Arg.Any<RealmCreateRequest>(),
+            //     Arg.Any<CancellationToken>());
         }
     }
+
+    [Fact]
+    public async Task GetOpenIdConfiguration_Success()
+    {
+        // setup
+        await ScopedContextAsync(async db =>
+        {
+            db.Realms.Add(new Realm() { Slug = "foo", Name = "Foo" });
+            await db.SaveChangesAsync(TestContext.Current.CancellationToken);
+        });
+
+        // act
+        var client = _factory.CreateClient();
+        var response = await client.GetAsync("auth/realms/foo/.well-known/openid-configuration",
+            TestContext.Current.CancellationToken);
+
+        // verify
+#if DEBUG
+        string contents = await response.Content.ReadAsStringAsync(TestContext.Current.CancellationToken);
+#endif
+        Assert.Equal(HttpStatusCode.OK, response.StatusCode);        
+        
+        var result = await response.Content.ReadFromJsonAsync<JsonObject>(TestContext.Current.CancellationToken);
+        Assert.NotNull(result);
+        JsonObjectAssert.Equal("http://localhost/auth/realms/foo/openid-connect/auth", result, "authorization_endpoint");
+        JsonObjectAssert.Equal("http://localhost/auth/realms/foo", result, "issuer");
+        JsonObjectAssert.Equal("http://localhost/auth/realms/foo/openid-connect/token", result, "token_endpoint");
+        JsonObjectAssert.Equal("http://localhost/auth/realms/foo/openid-connect/jwks", result, "jwks_uri");
+    }
+
+    [Theory]
+    [InlineData("")]
+    [InlineData("bar")]
+    public async Task GetOpenIdConfiguration_NotFound(string slug)
+    {
+        // act
+        var client = _factory.CreateClient();
+        var response = await client.GetAsync($"/realms/{slug}/.well-known/openid-configuration",
+            TestContext.Current.CancellationToken);
+        
+        // verify
+        Assert.Equal(HttpStatusCode.NotFound, response.StatusCode);
+    }
+
+    [Fact]
+    public async Task GetJwks()
+    {
+        // setup
+        IDekEncryptionService dekEncryptionService = _factory.Services.GetRequiredService<IDekEncryptionService>();
+
+        using var rsa = RSA.Create(2048);
+        RSAParameters parameters = rsa.ExportParameters(includePrivateParameters: false);
+
+        RealmKey realmKey = new()
+        {
+            Id = Guid.NewGuid(),
+            KeyType = "RSA",
+            Key = dekEncryptionService.Encrypt(rsa.ExportPkcs8PrivateKey()),
+            CreatedAt = DateTime.UtcNow,
+        };
+
+        await ScopedContextAsync(async db =>
+        {
+            db.Realms.Add(new Realm() { Slug = "foo", Name = "Foo", Keys = [ realmKey ]});
+            await db.SaveChangesAsync(TestContext.Current.CancellationToken);
+        });
+    
+        // act
+        var client = _factory.CreateClient();
+        var response = await client.GetAsync("/auth/realms/foo/openid-connect/jwks",
+            TestContext.Current.CancellationToken);
+        
+        Assert.Equal(HttpStatusCode.OK, response.StatusCode);
+        JsonObject? payload = await response.Content.ReadFromJsonAsync<JsonObject>(TestContext.Current.CancellationToken);
+
+        Assert.NotNull(payload);
+        JsonObjectAssert.Equal(realmKey.Id.ToString(), payload, "keys[0].kid"); 
+        JsonObjectAssert.Equal(WebEncoders.Base64UrlEncode(parameters.Modulus!), payload, "keys[0].n"); 
+        JsonObjectAssert.Equal(WebEncoders.Base64UrlEncode(parameters.Exponent!), payload, "keys[0].e"); 
+    }
+    
+    private async Task ScopedContextAsync(
+        Func<Db, Task> action
+    ) 
+    {
+        using var scope = _factory.Services.CreateScope();
+        var db = scope.ServiceProvider.GetRequiredService<Db>();
+        await action(db);
+    }
 }

IdentityShroud.Api.Tests/Fixtures/ApplicationFactory.cs

@@ -1,24 +1,56 @@
-using IdentityShroud.Core.Services;
 using Microsoft.AspNetCore.Hosting;
 using Microsoft.AspNetCore.Mvc.Testing;
-using Microsoft.Extensions.DependencyInjection;
-using Microsoft.VisualStudio.TestPlatform.TestHost;
+using Microsoft.Extensions.Configuration;
+using Testcontainers.PostgreSql;
 
 namespace IdentityShroud.Core.Tests.Fixtures;
 
-public class ApplicationFactory : WebApplicationFactory<Program>
+public class ApplicationFactory : WebApplicationFactory<Program>, IAsyncLifetime
 {
-    public IRealmService RealmService { get; } = Substitute.For<IRealmService>();
+    private readonly PostgreSqlContainer _postgresqlServer;
+    
+//    public IRealmService RealmService { get; } = Substitute.For<IRealmService>();
+
+    public ApplicationFactory()
+    {
+        _postgresqlServer = new PostgreSqlBuilder("postgres:18.1")
+            .WithName($"is-applicationFactory-{Guid.NewGuid():N}")
+            .Build();
+    }
 
     protected override void ConfigureWebHost(IWebHostBuilder builder)
     {
         base.ConfigureWebHost(builder);
         
-        builder.ConfigureServices(services =>
+        builder.ConfigureAppConfiguration((context, configBuilder) =>
         {
-            services.AddScoped<IRealmService>(c => RealmService);
+            configBuilder.AddInMemoryCollection(
+                new Dictionary<string, string?>
+                {
+                    ["Db:ConnectionString"] = _postgresqlServer.GetConnectionString(),
+                    ["secrets:master:0:Id"] = "94970f27-3d88-4223-9940-7dd57548f5b5",
+                    ["secrets:master:0:Active"] = "true",
+                    ["secrets:master:0:Algorithm"] = "AES",
+                    ["secrets:master:0:Key"] = "GVd07qW0frRX9quPX/X62L88BeRR7+IzgRJHtG7ZzHw=",
                 });
+        });
+        
+        // builder.ConfigureServices(services =>
+        // {
+        //     services.AddScoped<IRealmService>(c => RealmService);
+        // });
         
         builder.UseEnvironment("Development");
     }
+
+    public async ValueTask InitializeAsync()
+    {
+        await _postgresqlServer.StartAsync();
+    }
+
+    public override async ValueTask DisposeAsync()
+    {
+        await _postgresqlServer.StopAsync();
+        await base.DisposeAsync();
+    }
 }

IdentityShroud.Api.Tests/IdentityShroud.Api.Tests.csproj

@@ -26,6 +26,7 @@
 
     <ItemGroup>
       <ProjectReference Include="..\IdentityShroud.Api\IdentityShroud.Api.csproj" />
+      <ProjectReference Include="..\IdentityShroud.TestUtils\IdentityShroud.TestUtils.csproj" />
     </ItemGroup>
     
     

IdentityShroud.Api.Tests/Mappers/KeyServiceTests.cs

@@ -0,0 +1,46 @@
+using System.Buffers.Text;
+using System.Security.Cryptography;
+using IdentityShroud.Core.Contracts;
+using IdentityShroud.Core.Model;
+using IdentityShroud.Core.Security;
+using IdentityShroud.Core.Security.Keys;
+using IdentityShroud.Core.Services;
+using IdentityShroud.TestUtils.Substitutes;
+
+namespace IdentityShroud.Api.Tests.Mappers;
+
+public class KeyServiceTests
+{
+    private readonly NullDekEncryptionService _dekEncryptionService = new(); 
+
+    [Fact]
+    public void Test()
+    {
+        // Setup
+        using RSA rsa = RSA.Create(2048);
+
+        RSAParameters parameters = rsa.ExportParameters(includePrivateParameters: false);
+
+        DekId kid = DekId.NewId();
+        
+        RealmKey realmKey = new()
+        {
+            Id = new("60bb79cf-4bac-4521-87f2-ac87cc15541f"),
+            KeyType = "RSA",
+            Key = new(_dekEncryptionService.KeyId, rsa.ExportPkcs8PrivateKey()),
+            CreatedAt = DateTime.UtcNow,
+            Priority = 10,
+        };
+        
+        // Act
+        KeyService sut = new(_dekEncryptionService, new KeyProviderFactory(), new ClockService());
+        var jwk = sut.CreateJsonWebKey(realmKey);
+
+        Assert.NotNull(jwk);
+        Assert.Equal("RSA", jwk.KeyType);
+        Assert.Equal(realmKey.Id.ToString(), jwk.KeyId);
+        Assert.Equal("sig", jwk.Use);
+        Assert.Equal(parameters.Exponent, Base64Url.DecodeFromChars(jwk.Exponent));
+        Assert.Equal(parameters.Modulus, Base64Url.DecodeFromChars(jwk.Modulus));
+    }
+}

IdentityShroud.Api/Apis/ClientApi.cs

@@ -0,0 +1,73 @@
+using FluentResults;
+using IdentityShroud.Api.Mappers;
+using IdentityShroud.Core.Contracts;
+using IdentityShroud.Core.Model;
+using Microsoft.AspNetCore.Http.HttpResults;
+using Microsoft.AspNetCore.Mvc;
+
+namespace IdentityShroud.Api;
+
+
+
+public record ClientCreateReponse(int Id, string ClientId);
+
+/// <summary>
+/// The part of the api below realms/{slug}/clients
+/// </summary>
+public static class ClientApi
+{
+    public const string ClientGetRouteName = "ClientGet";
+    
+    public static void MapEndpoints(this IEndpointRouteBuilder erp)
+    {
+        RouteGroupBuilder clientsGroup = erp.MapGroup("clients");        
+        
+        clientsGroup.MapPost("", ClientCreate)
+            .Validate<ClientCreateRequest>() 
+            .WithName("ClientCreate")
+            .Produces(StatusCodes.Status201Created);
+        
+        var clientIdGroup = clientsGroup.MapGroup("{clientId}")
+            .AddEndpointFilter<ClientIdValidationFilter>();
+            
+        clientIdGroup.MapGet("", ClientGet)
+            .WithName(ClientGetRouteName);
+    }
+
+    private static Ok<ClientRepresentation> ClientGet(
+        Guid realmId,
+        int clientId,
+        HttpContext context)
+    {
+        Client client = (Client)context.Items["ClientEntity"]!;
+        return TypedResults.Ok(new ClientMapper().ToDto(client));
+    }
+
+    private static async Task<Results<CreatedAtRoute<ClientCreateReponse>, InternalServerError>>
+        ClientCreate(
+            Guid realmId,
+            ClientCreateRequest request, 
+            [FromServices] IClientService service,
+            HttpContext context,
+            CancellationToken cancellationToken)
+    {
+        Realm realm = context.GetValidatedRealm();
+        Result<Client> result = await service.Create(realm.Id, request, cancellationToken);
+
+        if (result.IsFailed)
+        {
+            throw new NotImplementedException();
+        }
+
+        Client client = result.Value;
+
+        return TypedResults.CreatedAtRoute(
+            new ClientCreateReponse(client.Id, client.ClientId),
+            ClientGetRouteName, 
+            new RouteValueDictionary()
+            {
+                ["realmId"] = realm.Id,
+                ["clientId"] = client.Id, 
+            });
+    }
+}

IdentityShroud.Api/Apis/Dto/ClientRepresentation.cs

@@ -0,0 +1,16 @@
+namespace IdentityShroud.Api;
+
+public record ClientRepresentation
+{
+    public int Id { get; set; }
+    public Guid RealmId { get; set; }
+    public required string ClientId { get; set; }
+    public string? Name { get; set; }
+    public string? Description { get; set; }
+    
+    public string? SignatureAlgorithm { get; set; }
+    
+    public bool AllowClientCredentialsFlow { get; set; } = false;
+    
+    public required DateTime CreatedAt { get; set; }
+}

IdentityShroud.Api/Apis/EndpointRouteBuilderExtensions.cs

@@ -0,0 +1,15 @@
+namespace IdentityShroud.Api;
+
+public static class EndpointRouteBuilderExtensions
+{
+    public static RouteHandlerBuilder Validate<TDto>(this RouteHandlerBuilder builder) where TDto : class
+        => builder.AddEndpointFilter<ValidateFilter<TDto>>();
+    
+    public static void MapApis(this IEndpointRouteBuilder erp)
+    {
+        RealmApi.MapRealmEndpoints(erp);
+        
+        OpenIdEndpoints.MapEndpoints(erp);
+    }
+    
+}

IdentityShroud.Api/Apis/Filters/ClientIdValidationFilter.cs

@@ -0,0 +1,21 @@
+using IdentityShroud.Core.Contracts;
+using IdentityShroud.Core.Model;
+
+namespace IdentityShroud.Api;
+
+public class ClientIdValidationFilter(IClientService clientService) : IEndpointFilter
+{
+    public async ValueTask<object?> InvokeAsync(EndpointFilterInvocationContext context, EndpointFilterDelegate next)
+    {
+        Guid realmId = context.Arguments.OfType<Guid>().First();
+        int id = context.Arguments.OfType<int>().First();
+        Client? client = await clientService.FindById(realmId, id, context.HttpContext.RequestAborted);
+        if (client is null)
+        {
+            return Results.NotFound();
+        }
+        context.HttpContext.Items["ClientEntity"] = client;
+
+        return await next(context);
+    }
+}

IdentityShroud.Api/Apis/Filters/RealmIdValidationFilter.cs

@@ -0,0 +1,20 @@
+using IdentityShroud.Core.Contracts;
+using IdentityShroud.Core.Model;
+
+namespace IdentityShroud.Api;
+
+public class RealmIdValidationFilter(IRealmService realmService) : IEndpointFilter
+{
+    public async ValueTask<object?> InvokeAsync(EndpointFilterInvocationContext context, EndpointFilterDelegate next)
+    {
+        Guid id = context.Arguments.OfType<Guid>().First();
+        Realm? realm = await realmService.FindById(id, context.HttpContext.RequestAborted);
+        if (realm is null)
+        {
+            return Results.NotFound();
+        }
+        context.HttpContext.Items["RealmEntity"] = realm;
+
+        return await next(context);
+    }
+}

IdentityShroud.Api/Apis/Filters/RealmSlugValidationFilter.cs

@@ -0,0 +1,27 @@
+using IdentityShroud.Core.Contracts;
+using IdentityShroud.Core.Model;
+
+namespace IdentityShroud.Api;
+
+/// <summary>
+/// Note the filter depends on the slug path parameter to be the first string argument on the context.
+/// The endpoint handlers should place path arguments first and in order of the path to ensure this works
+/// consistently.
+/// </summary>
+/// <param name="realmService"></param>
+public class RealmSlugValidationFilter(IRealmService realmService) : IEndpointFilter
+{
+    public async ValueTask<object?> InvokeAsync(EndpointFilterInvocationContext context, EndpointFilterDelegate next)
+    {
+        string realmSlug = context.Arguments.OfType<string>().FirstOrDefault()
+            ?? throw new InvalidOperationException("Expected argument missing, ensure you include path parameters in your handlers signature even when you don't use them");
+        Realm? realm = await realmService.FindBySlug(realmSlug, context.HttpContext.RequestAborted);
+        if (realm is null)
+        {
+            return Results.NotFound();
+        }
+        context.HttpContext.Items["RealmEntity"] = realm;
+
+        return await next(context);
+    }
+}

IdentityShroud.Api/Apis/Mappers/ClientMapper.cs

@@ -0,0 +1,11 @@
+using IdentityShroud.Core.Model;
+using Riok.Mapperly.Abstractions;
+
+namespace IdentityShroud.Api.Mappers;
+
+[Mapper]
+public partial class ClientMapper
+{
+    [MapperIgnoreSource(nameof(Client.Secrets))]
+    public partial ClientRepresentation ToDto(Client client);
+}

IdentityShroud.Api/Apis/Mappers/KeyMapper.cs

@@ -0,0 +1,22 @@
+using IdentityShroud.Core.Contracts;
+using IdentityShroud.Core.Messages;
+using IdentityShroud.Core.Model;
+
+namespace IdentityShroud.Api.Mappers;
+
+public class KeyMapper(IKeyService keyService)
+{
+    public JsonWebKeySet KeyListToJsonWebKeySet(IEnumerable<RealmKey> keys)
+    {
+        JsonWebKeySet wks = new();
+        foreach (var k in keys)
+        {
+            var wk = keyService.CreateJsonWebKey(k);
+            if (wk is {})
+            {
+                wks.Keys.Add(wk);
+            }
+        }
+        return wks;
+    }
+}

IdentityShroud.Api/Apis/OpenIdEndpoints.cs

@@ -0,0 +1,72 @@
+using IdentityShroud.Api.Mappers;
+using IdentityShroud.Core.Contracts;
+using IdentityShroud.Core.Messages;
+using IdentityShroud.Core.Model;
+using Microsoft.AspNetCore.Http.HttpResults;
+using Microsoft.AspNetCore.Mvc;
+
+namespace IdentityShroud.Api;
+
+public static class OpenIdEndpoints
+{
+    // openid: auth/realms/{realmSlug}/.well-known/openid-configuration
+    // openid: auth/realms/{realmSlug}/openid-connect/(auth|token|jwks)
+    
+    
+    public static void MapEndpoints(this IEndpointRouteBuilder erp)
+    {
+        var realmsGroup = erp.MapGroup("/auth/realms");
+        
+        var realmSlugGroup = realmsGroup.MapGroup("{realmSlug}")
+            .AddEndpointFilter<RealmSlugValidationFilter>();
+        realmSlugGroup.MapGet(".well-known/openid-configuration", GetOpenIdConfiguration);
+
+        var openidConnect = realmSlugGroup.MapGroup("openid-connect");
+        openidConnect.MapPost("auth", OpenIdConnectAuth);
+        openidConnect.MapPost("token", OpenIdConnectToken);
+        openidConnect.MapGet("jwks", OpenIdConnectJwks);
+    }
+    
+    private static async Task<JsonHttpResult<OpenIdConfiguration>> GetOpenIdConfiguration(
+        string realmSlug,
+        [FromServices]IRealmService realmService,
+        HttpContext context)
+    {
+        Realm realm = context.GetValidatedRealm();
+        
+        var s = $"{context.Request.Scheme}://{context.Request.Host}{context.Request.Path}";
+        var searchString = $"realms/{realmSlug}";
+        int index = s.IndexOf(searchString, StringComparison.OrdinalIgnoreCase);
+        string baseUri = s.Substring(0, index + searchString.Length);
+
+        return TypedResults.Json(new OpenIdConfiguration()
+        {
+            AuthorizationEndpoint = baseUri + "/openid-connect/auth",
+            TokenEndpoint = baseUri + "/openid-connect/token",
+            Issuer =  baseUri,
+            JwksUri =  baseUri + "/openid-connect/jwks",
+        }, AppJsonSerializerContext.Default.OpenIdConfiguration);
+    }
+
+    private static async Task<Results<Ok<JsonWebKeySet>, BadRequest>> OpenIdConnectJwks(
+        string realmSlug,
+        [FromServices]IRealmService realmService,
+        [FromServices]KeyMapper keyMapper,
+        HttpContext context)
+    {
+        Realm realm = context.GetValidatedRealm();
+        await realmService.LoadActiveKeys(realm);
+        return TypedResults.Ok(keyMapper.KeyListToJsonWebKeySet(realm.Keys));
+    }
+
+    private static Task OpenIdConnectToken(HttpContext context)
+    {
+        throw new NotImplementedException();
+    }
+
+    private static Task OpenIdConnectAuth(HttpContext context)
+    {
+        throw new NotImplementedException();
+    }
+
+}

IdentityShroud.Api/Apis/RealmApi.cs

@@ -1,31 +1,39 @@
-using FluentResults;
-using IdentityShroud.Api.Validation;
-using IdentityShroud.Core.Messages;
+using IdentityShroud.Core.Contracts;
 using IdentityShroud.Core.Messages.Realm;
+using IdentityShroud.Core.Model;
 using IdentityShroud.Core.Services;
 using Microsoft.AspNetCore.Http.HttpResults;
 using Microsoft.AspNetCore.Mvc;
 
 namespace IdentityShroud.Api;
 
+public static class HttpContextExtensions
+{
+    public static Realm GetValidatedRealm(this HttpContext context) => (Realm)context.Items["RealmEntity"]!;    
+}
+
+// api: api/v1/realms/{realmId}/....
+// api: api/v1/realms/{realmId}/clients/{clientId}
+
+
+
 public static class RealmApi
 {
-    public static void MapRealmEndpoints(this IEndpointRouteBuilder app)
+    public static void MapRealmEndpoints(IEndpointRouteBuilder erp)
     {
-        var realmsGroup = app.MapGroup("/realms");
+        var realmsGroup = erp.MapGroup("/api/v1/realms");
         realmsGroup.MapPost("", RealmCreate)
             .Validate<RealmCreateRequest>() 
             .WithName("Create Realm")
             .Produces(StatusCodes.Status201Created);
         
-        var realmSlugGroup = app.MapGroup("{slug}");
-        realmSlugGroup.MapGet("", GetRealmInfo);
-        realmSlugGroup.MapGet(".well-known/openid-configuration", GetOpenIdConfiguration);
+        var realmIdGroup = realmsGroup.MapGroup("{realmId}")
+            .AddEndpointFilter<RealmIdValidationFilter>();
+
+        ClientApi.MapEndpoints(realmIdGroup);
+        
+            
 
-        var openidConnect = realmSlugGroup.MapGroup("openid-connect");
-        openidConnect.MapPost("auth", OpenIdConnectAuth);
-        openidConnect.MapPost("token", OpenIdConnectToken);
-        openidConnect.MapGet("jwks", OpenIdConnectJwks);
     }
     
     private static async Task<Results<Created<RealmCreateResponse>, InternalServerError>> 
@@ -38,78 +46,4 @@ public static class RealmApi
         // TODO make helper to convert failure response to a proper HTTP result.
         return TypedResults.InternalServerError();
     }
-
-    private static Task OpenIdConnectJwks(HttpContext context)
-    {
-        throw new NotImplementedException();
-    }
-
-    private static Task OpenIdConnectToken(HttpContext context)
-    {
-        throw new NotImplementedException();
-    }
-
-    private static Task OpenIdConnectAuth(HttpContext context)
-    {
-        throw new NotImplementedException();
-    }
-
-    private static async Task<Results<JsonHttpResult<OpenIdConfiguration>, BadRequest>> GetOpenIdConfiguration(string slug, HttpContext context)
-    {
-        if (string.IsNullOrEmpty(slug))
-            return TypedResults.BadRequest();
-        var s = $"{context.Request.Scheme}://{context.Request.Host}{context.Request.Path}";
-        var searchString = $"realms/{slug}";
-        int index = s.IndexOf(searchString, StringComparison.OrdinalIgnoreCase);
-        string baseUri = s.Substring(0, index + searchString.Length);
-
-        return TypedResults.Json(new OpenIdConfiguration()
-        {
-            AuthorizationEndpoint = baseUri + "/openid-connect/auth",
-            TokenEndpoint = baseUri + "/openid-connect/token",
-            Issuer =  baseUri,
-            JwksUri =  baseUri + "/openid-connect/jwks",
-        }, AppJsonSerializerContext.Default.OpenIdConfiguration);
-    }
-
-    private static string GetRealmInfo()
-    {
-        return "Hello World!";
-        
-        /* keycloak returns this
-         {
-             "realm": "mpluskassa",
-             "public_key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApYbLAeOLDEwzL4tEwuE2LfisOBXoQqWA9RdP3ph6muwF1ErfhiBSIB2JETKf7F1OsiF1/qnuh4uDfn0TO8bK3lSfHTlIHWShwaJ/UegS9ylobfIYXJsz0xmJK5ToFaSYa72D/Dyln7ROxudu8+zc70sz7bUKQ0/ktWRsiu76vY6Kr9+18PgaooPmb2QP8lS8IZEv+gW5SLqoMc1DfD8lsih1sdnQ8W65cBsNnenkWc97AF9cMR6rdD2tZfLAxEHKYaohAL9EsQsLic3P2f2UaqRTAOvgqyYE5hyJROt7Pyeyi8YSy7zXD12h2mc0mrSoA+u7s/GrOLcLoLLgEnRRVwIDAQAB",
-             "token-service": "https://iam.kassacloud.nl/auth/realms/mpluskassa/protocol/openid-connect",
-             "account-service": "https://iam.kassacloud.nl/auth/realms/mpluskassa/account",
-             "tokens-not-before": 0
-           }
-           */
-    }
-
-    // [HttpGet("")]
-    // public ActionResult Index()
-    // {
-    //     return new JsonResult("Hello world!");
-    // }
-
-    // [HttpGet("{slug}/.well-known/openid-configuration")]
-    // public ActionResult GetOpenIdConfiguration(
-    //     string slug,
-    //     [FromServices]LinkGenerator linkGenerator)
-    // {
-    //     var s = $"{HttpContext.Request.Scheme}://{HttpContext.Request.Host}{HttpContext.Request.Path}";
-    //     var searchString = $"realms/{slug}";
-    //     int index = s.IndexOf(searchString, StringComparison.OrdinalIgnoreCase);
-    //     string baseUri = s.Substring(0, index + searchString.Length);
-    //     
-    //     return new JsonResult(baseUri); 
-    // }
-    
-    // [HttpPost("{slug}/protocol/openid-connect/token")]
-    // public ActionResult GetOpenIdConnectToken(string slug)
-    //
-    // {
-    //     return new JsonResult("Hello world!");    
-    // }
 }

IdentityShroud.Api/Apis/Validation/ClientCreateRequestValidator.cs

@@ -0,0 +1,22 @@
+using FluentValidation;
+using IdentityShroud.Core.Contracts;
+
+namespace IdentityShroud.Api;
+
+public class ClientCreateRequestValidator : AbstractValidator<ClientCreateRequest>
+{
+    // most of standard ascii minus the control characters and space 
+    private const string ClientIdPattern = "^[\x21-\x7E]+";
+
+    private string[] AllowedAlgorithms = [ "RS256", "ES256" ];
+    
+    public ClientCreateRequestValidator()
+    {
+        RuleFor(e => e.ClientId).NotEmpty().MaximumLength(40).Matches(ClientIdPattern);
+        RuleFor(e => e.Name).MaximumLength(80);
+        RuleFor(e => e.Description).MaximumLength(2048);
+        RuleFor(e => e.SignatureAlgorithm)
+            .Must(v => v is null || AllowedAlgorithms.Contains(v))
+            .WithMessage($"SignatureAlgorithm must be one of {string.Join(", ", AllowedAlgorithms)} or null");
+    }
+}

IdentityShroud.Api/Apis/Validation/RealmCreateRequestValidator.cs

@@ -1,7 +1,7 @@
 using FluentValidation;
 using IdentityShroud.Core.Messages.Realm;
 
-namespace IdentityShroud.Api.Validation;
+namespace IdentityShroud.Api;
 
 public class RealmCreateRequestValidator : AbstractValidator<RealmCreateRequest>
 {

IdentityShroud.Api/Apis/Validation/ValidateFilter.cs

@@ -1,6 +1,6 @@
 using FluentValidation;
 
-namespace IdentityShroud.Api.Validation;
+namespace IdentityShroud.Api;
 
 public class ValidateFilter<T> : IEndpointFilter where T : class
 {

IdentityShroud.Api/AppJsonSerializerContext.cs

@@ -1,8 +1,9 @@
 using System.Text.Json.Serialization;
 using IdentityShroud.Core.Messages;
-using Microsoft.Extensions.Diagnostics.HealthChecks;
+using IdentityShroud.Core.Messages.Realm;
 
 [JsonSerializable(typeof(OpenIdConfiguration))]
+[JsonSerializable(typeof(RealmCreateRequest))]
 internal partial class AppJsonSerializerContext : JsonSerializerContext
 {
 }

IdentityShroud.Api/IdentityShroud.Api.csproj

@@ -17,7 +17,7 @@
     <ItemGroup>
         <PackageReference Include="FluentValidation.DependencyInjectionExtensions" Version="12.1.1" />
         <PackageReference Include="Microsoft.AspNetCore.OpenApi" Version="10.0.0"/>
-        <PackageReference Include="Microsoft.Extensions.Configuration.Binder" Version="10.0.2" />
+        <PackageReference Include="Riok.Mapperly" Version="4.3.1" />
         <PackageReference Include="Serilog" Version="4.3.0" />
         <PackageReference Include="Serilog.AspNetCore" Version="10.0.0" />
         <PackageReference Include="Serilog.Expressions" Version="5.0.0" />

IdentityShroud.Api/IdentityShroud.Api.csproj.DotSettings

@@ -0,0 +1,5 @@
+<wpf:ResourceDictionary xml:space="preserve" xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml" xmlns:s="clr-namespace:System;assembly=mscorlib" xmlns:ss="urn:shemas-jetbrains-com:settings-storage-xaml" xmlns:wpf="http://schemas.microsoft.com/winfx/2006/xaml/presentation">
+	<s:Boolean x:Key="/Default/CodeInspection/NamespaceProvider/NamespaceFoldersToSkip/=apis_005Cdto/@EntryIndexedValue">True</s:Boolean>
+	<s:Boolean x:Key="/Default/CodeInspection/NamespaceProvider/NamespaceFoldersToSkip/=apis_005Cfilters/@EntryIndexedValue">True</s:Boolean>
+	<s:Boolean x:Key="/Default/CodeInspection/NamespaceProvider/NamespaceFoldersToSkip/=apis_005Cvalidation/@EntryIndexedValue">True</s:Boolean>
+	<s:Boolean x:Key="/Default/CodeInspection/NamespaceProvider/NamespaceFoldersToSkip/=validation/@EntryIndexedValue">True</s:Boolean></wpf:ResourceDictionary>

IdentityShroud.Api/Program.cs

@@ -1,9 +1,11 @@
 using FluentValidation;
 using IdentityShroud.Api;
-using IdentityShroud.Api.Validation;
+using IdentityShroud.Api.Mappers;
 using IdentityShroud.Core;
 using IdentityShroud.Core.Contracts;
 using IdentityShroud.Core.Security;
+using IdentityShroud.Core.Security.Keys;
+using IdentityShroud.Core.Services;
 using Serilog;
 using Serilog.Formatting.Json;
 
@@ -34,10 +36,21 @@ void ConfigureBuilder(WebApplicationBuilder builder)
     // Learn more about configuring OpenAPI at https://aka.ms/aspnet/openapi
     services.AddOpenApi();
     services.AddScoped<Db>();
+    services.AddScoped<IClientService, ClientService>();
+    services.AddSingleton<IClock, ClockService>();
+    services.AddSingleton<IDekEncryptionService, DekEncryptionService>();
+    services.AddScoped<IDataEncryptionService, DataEncryptionService>();
+    services.AddScoped<IRealmContext, RealmContext>();
+    services.AddScoped<IKeyProviderFactory, KeyProviderFactory>();
+    services.AddScoped<IKeyService, KeyService>();
+    services.AddScoped<IRealmService, RealmService>();
     services.AddOptions<DbConfiguration>().Bind(configuration.GetSection("db"));
     services.AddSingleton<ISecretProvider, ConfigurationSecretProvider>();
+    services.AddScoped<KeyMapper>();
+    services.AddScoped<IRealmContext, RealmContext>();
     
     services.AddValidatorsFromAssemblyContaining<RealmCreateRequestValidator>();
+    services.AddHttpContextAccessor();
     
     builder.Host.UseSerilog((context, services, configuration) => configuration
         .Enrich.FromLogContext()
@@ -52,7 +65,8 @@ void ConfigureApplication(WebApplication app)
         app.MapOpenApi();
     }
     app.UseSerilogRequestLogging();
-    app.MapRealmEndpoints();
+    app.MapApis();
+    
     // app.UseRouting();
     // app.MapControllers();
 }

IdentityShroud.Api/Validation/EndpointRouteBuilderExtensions.cs

@@ -1,7 +0,0 @@
-namespace IdentityShroud.Api.Validation;
-
-public static class EndpointRouteBuilderExtensions
-{
-    public static RouteHandlerBuilder Validate<TDto>(this RouteHandlerBuilder builder) where TDto : class
-        => builder.AddEndpointFilter<ValidateFilter<TDto>>();    
-}

IdentityShroud.Core.Tests/Fixtures/DbFixture.cs

@@ -1,5 +1,4 @@
-using DotNet.Testcontainers.Containers;
-using Microsoft.Extensions.Logging.Abstractions;
+using Microsoft.Extensions.Logging.Abstractions;
 using Microsoft.Extensions.Options;
 using Npgsql;
 using Testcontainers.PostgreSql;
@@ -8,23 +7,13 @@ namespace IdentityShroud.Core.Tests.Fixtures;
 
 public class DbFixture : IAsyncLifetime
 {
-    private readonly IContainer _postgresqlServer;
+    private readonly PostgreSqlContainer _postgresqlServer;
 
-    private string ConnectionString =>
-                        $"Host={_postgresqlServer.Hostname};" +
-                        $"Port={DbPort};" +
-                        $"Username={Username};Password={Password}";
-
-    private string Username => "postgres";
-    private string Password => "password";
-    private string DbHostname => _postgresqlServer.Hostname;
-    private int DbPort => _postgresqlServer.GetMappedPublicPort(PostgreSqlBuilder.PostgreSqlPort);
-    
-    public Db CreateDbContext(string dbName)
+    public Db CreateDbContext(string dbName = "testdb")
     {
         var db = new Db(Options.Create<DbConfiguration>(new()
         {
-            ConnectionString = ConnectionString + ";Database=" + dbName,
+            ConnectionString = _postgresqlServer.GetConnectionString(),
             LogSensitiveData = false,
         }), new NullLoggerFactory());
         return db;
@@ -33,8 +22,7 @@ public class DbFixture : IAsyncLifetime
     public DbFixture()
     {
         _postgresqlServer = new PostgreSqlBuilder("postgres:18.1")
-            .WithName("KMS-Test-Infra-" + Guid.NewGuid().ToString("D"))
-            .WithPassword(Password)
+            .WithName("is-dbfixture-" + Guid.NewGuid().ToString("D"))
             .Build();
     }
 
@@ -50,7 +38,7 @@ public class DbFixture : IAsyncLifetime
 
     public NpgsqlConnection GetConnection(string dbname)
     {
-        string connString = ConnectionString
+        string connString = _postgresqlServer.GetConnectionString()
             + $";Database={dbname}";
         var connection = new NpgsqlConnection(connString);
         connection.Open();

IdentityShroud.Core.Tests/Helpers/Base64UrlConverterTests.cs

@@ -0,0 +1,36 @@
+using System.Text;
+using System.Text.Json;
+using System.Text.Json.Serialization;
+using IdentityShroud.Core.Helpers;
+
+namespace IdentityShroud.Core.Tests.Helpers;
+
+public class Base64UrlConverterTests
+{
+    internal class Data
+    {
+        [JsonConverter(typeof(Base64UrlConverter))]
+        public byte[]? X { get; set; }
+    }
+
+    [Fact]
+    public void Serialize()
+    {
+        Data d = new() { X = ">>>???"u8.ToArray() };
+        string s = JsonSerializer.Serialize(d);
+
+        Assert.Contains("\"Pj4-Pz8_\"", s);
+    }
+    
+    [Fact]
+    public void Deerialize()
+    {
+        var jsonstring = """
+            { "X": "Pj4-Pz8_" }
+            """;
+        var d = JsonSerializer.Deserialize<Data>(jsonstring);
+
+        Assert.Equal(">>>???", Encoding.UTF8.GetString(d.X)); 
+    }
+    
+}

IdentityShroud.Core.Tests/Helpers/SlugHelperTests.cs

@@ -0,0 +1,26 @@
+using IdentityShroud.Core.Helpers;
+
+namespace IdentityShroud.Core.Tests.Helpers;
+
+public class SlugHelperTests
+{
+    [Theory]
+    [InlineData("", 40, "")]
+    [InlineData("test", 40, "test")]
+    [InlineData("Test", 40, "test")]
+    [InlineData("tést", 40, "test")]
+    [InlineData("foo_bar", 40, "foo-bar")]
+    [InlineData("foo bar", 40, "foo-bar")]
+    [InlineData("-foo", 40, "foo")]
+    [InlineData("foo-", 40, "foo")]
+    [InlineData("_foo", 40, "foo")]
+    [InlineData("foo_", 40, "foo")]
+    [InlineData("slug_would_be_too_long", 16, "slug-woul-frYeRw")] // not at word boundary
+    [InlineData("slug_would_be_too_long", 18, "slug-would-frYeRw")] // at word boundary
+    public void Test(string input, int max_length, string expected)
+    {
+        string result = SlugHelper.GenerateSlug(input, max_length);
+        
+        Assert.Equal(expected, result);
+    }
+}

IdentityShroud.Core.Tests/IdentityShroud.Core.Tests.csproj

@@ -25,7 +25,9 @@
     </ItemGroup>
 
     <ItemGroup>
+      <ProjectReference Include="..\IdentityShroud.Api\IdentityShroud.Api.csproj" />
       <ProjectReference Include="..\IdentityShroud.Core\IdentityShroud.Core.csproj" />
+      <ProjectReference Include="..\IdentityShroud.TestUtils\IdentityShroud.TestUtils.csproj" />
     </ItemGroup>
 
 </Project>

IdentityShroud.Core.Tests/JwtSignatureGeneratorTests.cs

@@ -0,0 +1,83 @@
+using System.Security.Cryptography;
+using System.Text;
+using System.Text.Json;
+using IdentityShroud.Core.Messages;
+using Microsoft.AspNetCore.WebUtilities;
+
+namespace IdentityShroud.Core.Tests;
+
+public class JwtSignatureGeneratorTests
+{
+
+    [Fact]
+    public void VerifySignatureValid()
+    {
+        using var rsa = RSA.Create(2048);
+        
+        string header = WebEncoders.Base64UrlEncode("fake header"u8.ToArray());
+        string payload = WebEncoders.Base64UrlEncode("fake payload"u8.ToArray());
+        var jwtString = JwtSignatureGenerator.GenerateCompleteJwt(header, payload, rsa);
+        
+        Assert.True(ValidateJwtSignature(jwtString, rsa));
+    }
+    
+    /// <summary>
+    /// This test is to prove our signature verification code is correct. The inputs are
+    /// all from a production keycloak instance.
+    /// </summary>
+    [Fact]
+    public void ValidateKeycloakSignature()
+    {
+        string keycloakGeneratedJwt =
+            "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJybVZ3TU5rM0o1WHlmMWhyS3NVbEVYN1BNUm42dlZKY0h3U3FYMUVQRnFJIn0.eyJleHAiOjE3NzEwNTQxMDksImlhdCI6MTc3MTA1MzgwOSwiYXV0aF90aW1lIjoxNzcxMDUzODA4LCJqdGkiOiI5MTEzZjEwNC03YzllLTQzNzItYmU4Yy03NDMwMmI1ZTU1NGUiLCJpc3MiOiJodHRwczovL2lhbS5rYXNzYWNsb3VkLm5sL2F1dGgvcmVhbG1zL21wbHVza2Fzc2EiLCJhdWQiOlsia2Fzc2EtbWFuYWdlbWVudC1zZXJ2aWNlIiwiYXBhY2hlMi1pbnRyYW5ldC1hdXRoIiwiYWNjb3VudCJdLCJzdWIiOiIwOTNjY2YxNS1jNGE5LTRhYjQtOTcxZi1kNWEwMjIzNmQ4NWEiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJkZWFsZXJfc3VwcG9ydCIsInNpZCI6IjRiYjI0OGQ1LWVkNzktNGU0Yy05NWNjLTAwYzgzMzliZmZiMyIsImFjciI6IjEiLCJhbGxvd2VkLW9yaWdpbnMiOlsiaHR0cHM6Ly9tcGx1c2thc3NhLm9ubGluZSIsImh0dHBzOi8vd3d3Lm1wbHVza2Fzc2Euc3VwcG9ydCIsImh0dHBzOi8vbXBsdXNrYXNzYS5zdXBwb3J0IiwiaHR0cDovL2xvY2FsaG9zdDo0MDkwIiwiaHR0cHM6Ly93d3cubXBsdXNrYXNzYS5vbmxpbmUiLCJodHRwOi8vbG9jYWxob3N0IiwiLyoiLCJodHRwOi8vbG9jYWxob3N0OjQyMDAiXSwicmVhbG1fYWNjZXNzIjp7InJvbGVzIjpbImRlZmF1bHQtcm9sZXMtbXBsdXNrYXNzYSIsIm9mZmxpbmVfYWNjZXNzIiwidW1hX2F1dGhvcml6YXRpb24iLCJkZWFsZXItbWVkZXdlcmtlci1yb2xlIiwibXBsdXNrYXNzYS1tZWRld2Vya2VyLXJvbGUiXX0sInJlc291cmNlX2FjY2VzcyI6eyJhcGFjaGUyLWludHJhbmV0LWF1dGgiOnsicm9sZXMiOlsiaW50cmFuZXQiLCJyZWxlYXNlbm90ZXNfd3JpdGUiXX0sImthc3NhLW1hbmFnZW1lbnQtc2VydmljZSI6eyJyb2xlcyI6WyJwb3NhY2NvdW50X3Bhc3N3b3JkcmVzZXQiLCJkcmFmdF9saWNlbnNlX3dyaXRlIiwibGljZW5zZV9yZWFkIiwia25vd2xlZGdlSXRlbV9yZWFkIiwibWFpbGluZ19yZWFkIiwibXBsdXNhcGlfcmVhZCIsImRhdGFiYXNlX3VzZXJfd3JpdGUiLCJlbnZpcm9ubWVudF93cml0ZSIsImdrc19hdXRoY29kZV9yZWFkIiwiZW1wbG95ZWVfcmVhZCIsImRhdGFiYXNlX3VzZXJfcmVhZCIsImFwaWFjY291bnRfcGFzc3dvcmRyZXNldCIsIm1wbHVzYXBpX3dyaXRlIiwiZW52aXJvbm1lbnRfcmVhZCIsImtub3dsZWRnZUl0ZW1fd3JpdGUiLCJkYXRhYmFzZV91c2VyX3Bhc3N3b3JkX3JlYWQiLCJsaWNlbnNlX3dyaXRlIiwiY3VzdG9tZXJfd3JpdGUiLCJkZWFsZXJfcmVhZCIsImVtcGxveWVlX3dyaXRlIiwiZGF0YWJhc2VfY29uZmlndXJhdGlvbl93cml0ZSIsInJlbGF0aW9uc19yZWFkIiwiZGF0YWJhc2VfdXNlcl9wYXNzd29yZF9tcGx1c19lbmNyeXB0ZWRfcmVhZCIsImRyYWZ0X2xpY2Vuc2VfcmVhZCIsImRhdGFiYXNlX2NvbmZpZ3VyYXRpb25fcmVhZCJdfSwiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJvcGVuaWQga21zIGVtYWlsIHByb2ZpbGUiLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwiZGVhbGVySWQiOjEsIm5hbWUiOiJFZWxrZSBLbGVpbiIsInByZWZlcnJlZF91c2VybmFtZSI6ImVlbGtlQGJvbHQubmwiLCJsb2NhbGUiOiJlbiIsImdpdmVuX25hbWUiOiJFZWxrZSIsImZhbWlseV9uYW1lIjoiS2xlaW4iLCJlbWFpbCI6ImVlbGtlQGJvbHQubmwiLCJlbXBsb3llZU51bWJlciI6NTR9.SHjVTWsFwiaKTxBX-0GZM1pK8rOodkYnEu_QJ4dlPpozai9j3RRJK3DswsuEbJC8PdQXI4-AI0-5JGBQi2gDXdFSVHhAblnmjva0sWCaY7lG2ASa65UKM_4RzH-6nvQ9EiZXdANzsWkLG350l-dLiqdt--Lpjpw2huK_GKAx20SKfauKBmm990rHzrl0Uii3wQ3fPHlAJ_8-WSnSBquOH8xsYJHa1LOsc2WqbEDnMA4hRnGvCoubwhkOANfWSx0OCwSIKBddrcts64ZAxFhmilZXGzWMqDkblY2fDU8_jrlysgYsymQlOVwwg7V5Ps-DJkGXWvmpncKfyYd3Vuwusg";
+        string keycloakKeySet = """
+            {
+              "keys": [
+                {
+                  "kid": "rmVwMNk3J5Xyf1hrKsUlEX7PMRn6vVJcHwSqX1EPFqI",
+                  "kty": "RSA",
+                  "alg": "RS256",
+                  "use": "sig",
+                  "n": "pYbLAeOLDEwzL4tEwuE2LfisOBXoQqWA9RdP3ph6muwF1ErfhiBSIB2JETKf7F1OsiF1_qnuh4uDfn0TO8bK3lSfHTlIHWShwaJ_UegS9ylobfIYXJsz0xmJK5ToFaSYa72D_Dyln7ROxudu8-zc70sz7bUKQ0_ktWRsiu76vY6Kr9-18PgaooPmb2QP8lS8IZEv-gW5SLqoMc1DfD8lsih1sdnQ8W65cBsNnenkWc97AF9cMR6rdD2tZfLAxEHKYaohAL9EsQsLic3P2f2UaqRTAOvgqyYE5hyJROt7Pyeyi8YSy7zXD12h2mc0mrSoA-u7s_GrOLcLoLLgEnRRVw",
+                  "e": "AQAB",
+                  "x5c": [
+                    "MIICozCCAYsCBgFwfLC07DANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDDAptcGx1c2thc3NhMB4XDTIwMDIyNTE0MTAyMFoXDTMwMDIyNTE0MTIwMFowFTETMBEGA1UEAwwKbXBsdXNrYXNzYTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKWGywHjiwxMMy+LRMLhNi34rDgV6EKlgPUXT96YeprsBdRK34YgUiAdiREyn+xdTrIhdf6p7oeLg359EzvGyt5Unx05SB1kocGif1HoEvcpaG3yGFybM9MZiSuU6BWkmGu9g/w8pZ+0TsbnbvPs3O9LM+21CkNP5LVkbIru+r2Oiq/ftfD4GqKD5m9kD/JUvCGRL/oFuUi6qDHNQ3w/JbIodbHZ0PFuuXAbDZ3p5FnPewBfXDEeq3Q9rWXywMRBymGqIQC/RLELC4nNz9n9lGqkUwDr4KsmBOYciUTrez8nsovGEsu81w9dodpnNJq0qAPru7Pxqzi3C6Cy4BJ0UVcCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAYcJVYv8HzZQIMrqhIyu7EVihPAx0w9NaZ1xzB9qCHrwie6ZLQdnMm8l0IdehyYuY+0HK7FjC8dAcT4nklOQDg4iCp7ZrM7vFNP+60pR0i7aIbf0cFXy9VTOPvUsXmu+p1LqRQLRJD0BjO29gupTe68KyTtyuX5A7JfmCq84j5i45Md8A9MAMZWnXMSHiaZLtlOS/4t4cdc371uq9fH7SKusnvUY0d14+BzcrHi/eurhKUUjJZ1xclUE2trOXFrE78fSMUmeGbIlpAV0MtrJW7OmXmaHH8Q1wTm78RH/dn4EmWSoFcigdVcDge941/MT2soDSIGLUnYiYrW8d6HE2Lg=="
+                  ],
+                  "x5t": "rj9_q26MIdowvyJJbyHySeUl1y8",
+                  "x5t#S256": "KNyQ8ngE925F__ZPJm-wCNUnGBJQGJbZGGjlCvmwBkM"
+                }
+              ]
+            }
+            """;
+
+        JsonWebKeySet keySet = JsonSerializer.Deserialize<JsonWebKeySet>(keycloakKeySet)!;
+        using RSA publicKey = LoadFromJwk(keySet.Keys[0]);
+        
+        Assert.True(ValidateJwtSignature(keycloakGeneratedJwt, publicKey));
+    }
+
+    private bool ValidateJwtSignature(string jwtString, RSA publicKey)
+    {
+        int lastDotIndex = jwtString.LastIndexOf('.');
+
+        return publicKey.VerifyData(
+            Encoding.UTF8.GetBytes(jwtString, 0, lastDotIndex), 
+            WebEncoders.Base64UrlDecode(jwtString, lastDotIndex + 1, jwtString.Length - (lastDotIndex + 1)),
+            HashAlgorithmName.SHA256,
+            RSASignaturePadding.Pkcs1);
+    }
+    
+    private static RSA LoadFromJwk(JsonWebKey jwk)
+    {
+        var rsa = RSA.Create();
+        var parameters = new RSAParameters
+        {
+            Modulus = WebEncoders.Base64UrlDecode(jwk.Modulus!),
+            Exponent = WebEncoders.Base64UrlDecode(jwk.Exponent!)
+        };
+        
+        rsa.ImportParameters(parameters);
+        return rsa;
+    }    
+    
+}

IdentityShroud.Core.Tests/Model/RealmTests.cs

@@ -1,51 +0,0 @@
-using IdentityShroud.Core.Contracts;
-using IdentityShroud.Core.Model;
-
-namespace IdentityShroud.Core.Tests.Model;
-
-public class RealmTests
-{
-    [Fact]
-    public void SetNewKey()
-    {
-        byte[] privateKey = [5, 6, 7, 8];
-        byte[] encryptedPrivateKey = [1, 2, 3, 4];
-        
-        var encryptionService = Substitute.For<IEncryptionService>();
-        encryptionService
-            .Encrypt(Arg.Any<byte[]>())
-            .Returns(x => encryptedPrivateKey); 
-        
-        Realm realm = new();
-        realm.SetPrivateKey(encryptionService, privateKey);
-
-        // should be able to return original without calling decrypt
-        Assert.Equal(privateKey, realm.GetPrivateKey(encryptionService));
-        Assert.Equal(encryptedPrivateKey, realm.PrivateKeyEncrypted);
-
-        encryptionService.Received(1).Encrypt(privateKey);
-        encryptionService.DidNotReceive().Decrypt(Arg.Any<byte[]>());
-    }
-    
-    [Fact]
-    public void GetDecryptedKey()
-    {
-        byte[] privateKey = [5, 6, 7, 8];
-        byte[] encryptedPrivateKey = [1, 2, 3, 4];
-        
-        var encryptionService = Substitute.For<IEncryptionService>();
-        encryptionService
-            .Decrypt(encryptedPrivateKey)
-            .Returns(x => privateKey); 
-        
-        Realm realm = new();
-        realm.PrivateKeyEncrypted = encryptedPrivateKey;
-
-        // should be able to return original without calling decrypt
-        Assert.Equal(privateKey, realm.GetPrivateKey(encryptionService));
-        Assert.Equal(encryptedPrivateKey, realm.PrivateKeyEncrypted);
-
-        encryptionService.Received(1).Decrypt(encryptedPrivateKey);
-    }
-    
-}

IdentityShroud.Core.Tests/Security/AesGcmHelperTests.cs

@@ -1,21 +0,0 @@
-using System.Security.Cryptography;
-using System.Text;
-using IdentityShroud.Core.Security;
-
-namespace IdentityShroud.Core.Tests.Security;
-
-public class AesGcmHelperTests
-{
-    [Fact]
-    public void EncryptDecryptCycleWorks()
-    {
-        string input = "Hello, world!";
-
-        var encryptionKey = RandomNumberGenerator.GetBytes(32);
-
-        var cypher = AesGcmHelper.EncryptAesGcm(Encoding.UTF8.GetBytes(input), encryptionKey);
-        var output = AesGcmHelper.DecryptAesGcm(cypher, encryptionKey);
-        
-        Assert.Equal(input, Encoding.UTF8.GetString(output));
-    }
-}

IdentityShroud.Core.Tests/Security/ConfigurationSecretProviderTests.cs

@@ -0,0 +1,63 @@
+using System.Text;
+using IdentityShroud.Core.Security;
+using Microsoft.Extensions.Configuration;
+
+namespace IdentityShroud.Core.Tests.Security;
+
+public class ConfigurationSecretProviderTests
+{
+    private static IConfiguration BuildConfigFromJson(string json)
+    {
+        // Convert the JSON string into a stream that the config builder can read.
+        var jsonBytes = Encoding.UTF8.GetBytes(json);
+        using var stream = new MemoryStream(jsonBytes);
+
+        // Build the configuration just like the real app does, but from the stream.
+        var config = new ConfigurationBuilder()
+            .AddJsonStream(stream)   // <-- reads from the in‑memory JSON
+            .Build();
+
+        return config;
+    }
+
+    [Fact]
+    public void Test()
+    {
+        string jsonConfig = """
+            {
+                "secrets": {
+                    "master": [
+                        {
+                            "Id": "5676d159-5495-4945-aa84-59ee694aa8a2",
+                            "Active": true,
+                            "Algorithm": "AES",
+                            "Key": "yoQ4W7EaNjo7s3FBYkWo5BLyX1BnLyWd7BlSaDIrkzo="
+                        },
+                        {
+                            "Id": "b82489e7-a05a-4d64-b9a5-58d2f2c0dc39",
+                            "Active": false,
+                            "Algorithm": "AES",
+                            "Key": "YSWK6vTJXCJOGLpCo+TtZ6anKNzvA1VT2xXLHbmq4M0="
+                        }
+                    ]    
+                }
+            }
+            """;
+        
+
+        ConfigurationSecretProvider sut = new(BuildConfigFromJson(jsonConfig));
+
+        // act
+        var keys = sut.GetKeys("master");
+
+        // verify
+        Assert.Equal(2, keys.Length);
+        var active = keys.Single(k => k.Active);
+        Assert.Equal(new Guid("5676d159-5495-4945-aa84-59ee694aa8a2"), active.Id.Id);
+        Assert.Equal("AES", active.Algorithm);
+        Assert.Equal(Convert.FromBase64String("yoQ4W7EaNjo7s3FBYkWo5BLyX1BnLyWd7BlSaDIrkzo="), active.Key);
+
+        var inactive = keys.Single(k => !k.Active);
+        Assert.Equal(new Guid("b82489e7-a05a-4d64-b9a5-58d2f2c0dc39"), inactive.Id.Id);
+    }
+}

IdentityShroud.Core.Tests/Services/ClientServiceTests.cs

@@ -0,0 +1,155 @@
+using IdentityShroud.Core.Contracts;
+using IdentityShroud.Core.Model;
+using IdentityShroud.Core.Services;
+using IdentityShroud.Core.Tests.Fixtures;
+using IdentityShroud.TestUtils.Substitutes;
+using Microsoft.EntityFrameworkCore;
+
+namespace IdentityShroud.Core.Tests.Services;
+
+public class ClientServiceTests : IClassFixture<DbFixture>
+{
+    private readonly DbFixture _dbFixture;
+    private readonly NullDataEncryptionService _dataEncryptionService = new();
+    
+    private readonly IClock _clock = Substitute.For<IClock>();
+    private readonly Guid _realmId = new("a1b2c3d4-0000-0000-0000-000000000001");
+
+    public ClientServiceTests(DbFixture dbFixture)
+    {
+        _dbFixture = dbFixture;
+        using Db db = dbFixture.CreateDbContext();
+        if (!db.Database.EnsureCreated())
+            TruncateTables(db);
+        EnsureRealm(db);
+    }
+
+    private void TruncateTables(Db db)
+    {
+        db.Database.ExecuteSqlRaw("TRUNCATE client CASCADE;");
+        db.Database.ExecuteSqlRaw("TRUNCATE realm CASCADE;");
+    }
+
+    private void EnsureRealm(Db db)
+    {
+        if (!db.Realms.Any(r => r.Id == _realmId))
+        {
+            db.Realms.Add(new() { Id = _realmId, Slug = "test-realm", Name = "Test Realm" });
+            db.SaveChanges();
+        }
+    }
+
+    [Theory]
+    [InlineData(false)]
+    [InlineData(true)]
+    public async Task Create(bool allowClientCredentialsFlow)
+    {
+        // Setup
+        DateTime now = DateTime.UtcNow;
+        _clock.UtcNow().Returns(now);
+
+        Client val;
+        await using (var db = _dbFixture.CreateDbContext())
+        {
+            // Act
+            ClientService sut = new(db, _dataEncryptionService, _clock);
+            var response = await sut.Create(
+                _realmId,
+                new ClientCreateRequest
+                {
+                    ClientId = "test-client",
+                    Name = "Test Client",
+                    Description = "A test client",
+                    AllowClientCredentialsFlow = allowClientCredentialsFlow,
+                },
+                TestContext.Current.CancellationToken);
+
+            // Verify
+            val = ResultAssert.Success(response);
+            Assert.Equal(_realmId, val.RealmId);
+            Assert.Equal("test-client", val.ClientId);
+            Assert.Equal("Test Client", val.Name);
+            Assert.Equal("A test client", val.Description);
+            Assert.Equal(allowClientCredentialsFlow, val.AllowClientCredentialsFlow);
+            Assert.Equal(now, val.CreatedAt);
+        }
+
+        await using (var db = _dbFixture.CreateDbContext())
+        {
+            var dbRecord = await db.Clients
+                .Include(e => e.Secrets)
+                .SingleAsync(e => e.Id == val.Id, TestContext.Current.CancellationToken);
+
+            if (allowClientCredentialsFlow)
+                Assert.Single(dbRecord.Secrets);
+            else
+                Assert.Empty(dbRecord.Secrets);
+        }
+    }
+
+    [Theory]
+    [InlineData("existing-client", true)]
+    [InlineData("missing-client", false)]
+    public async Task GetByClientId(string clientId, bool shouldFind)
+    {
+        // Setup
+        _clock.UtcNow().Returns(DateTime.UtcNow);
+        await using (var setupContext = _dbFixture.CreateDbContext())
+        {
+            setupContext.Clients.Add(new()
+            {
+                RealmId = _realmId,
+                ClientId = "existing-client",
+                CreatedAt = DateTime.UtcNow,
+            });
+
+            await setupContext.SaveChangesAsync(TestContext.Current.CancellationToken);
+        }
+
+        await using var actContext = _dbFixture.CreateDbContext();
+        // Act
+        ClientService sut = new(actContext, _dataEncryptionService, _clock);
+        Client? result = await sut.GetByClientId(_realmId, clientId, TestContext.Current.CancellationToken);
+
+        // Verify
+        if (shouldFind)
+            Assert.NotNull(result);
+        else
+            Assert.Null(result);
+    }
+
+    [Theory]
+    [InlineData(true)]
+    [InlineData(false)]
+    public async Task FindById(bool shouldFind)
+    {
+        // Setup
+        _clock.UtcNow().Returns(DateTime.UtcNow);
+        int existingId;
+        await using (var setupContext = _dbFixture.CreateDbContext())
+        {
+            Client client = new()
+            {
+                RealmId = _realmId,
+                ClientId = "find-by-id-client",
+                CreatedAt = DateTime.UtcNow,
+            };
+            setupContext.Clients.Add(client);
+            await setupContext.SaveChangesAsync(TestContext.Current.CancellationToken);
+            existingId = client.Id;
+        }
+
+        int searchId = shouldFind ? existingId : existingId + 9999;
+
+        await using var actContext = _dbFixture.CreateDbContext();
+        // Act
+        ClientService sut = new(actContext, _dataEncryptionService, _clock);
+        Client? result = await sut.FindById(_realmId, searchId, TestContext.Current.CancellationToken);
+
+        // Verify
+        if (shouldFind)
+            Assert.NotNull(result);
+        else
+            Assert.Null(result);
+    }
+}

IdentityShroud.Core.Tests/Services/DataEncryptionServiceTests.cs

@@ -0,0 +1,64 @@
+using System.Security.Cryptography;
+using IdentityShroud.Core.Contracts;
+using IdentityShroud.Core.Model;
+using IdentityShroud.Core.Security;
+using IdentityShroud.Core.Services;
+using IdentityShroud.TestUtils.Substitutes;
+
+namespace IdentityShroud.Core.Tests.Services;
+
+public class DataEncryptionServiceTests
+{
+    private readonly IRealmContext _realmContext = Substitute.For<IRealmContext>();
+    private readonly IDekEncryptionService _dekCryptor = new NullDekEncryptionService();// Substitute.For<IDekEncryptionService>();
+
+    private readonly DekId _activeDekId = DekId.NewId();
+    private readonly DekId _secondDekId = DekId.NewId();
+    private DataEncryptionService CreateSut()
+        => new(_realmContext, _dekCryptor);
+
+    [Fact]
+    public void Encrypt_UsesActiveKey()
+    {
+        _realmContext.GetDeks(Arg.Any<CancellationToken>()).Returns([
+            CreateRealmDek(_secondDekId, false),
+            CreateRealmDek(_activeDekId, true),
+        ]);
+
+        var cipher = CreateSut().Encrypt("Hello"u8);
+        
+        Assert.Equal(_activeDekId, cipher.DekId);
+    }
+
+    [Fact]
+    public void Decrypt_UsesCorrectKey()
+    {
+        var first = CreateRealmDek(_activeDekId, true);
+        _realmContext.GetDeks(Arg.Any<CancellationToken>()).Returns([ first ]);
+
+        var sut = CreateSut();
+        var cipher = sut.Encrypt("Hello"u8);
+
+        // Deactivate original key
+        first.Active = false;
+        // Make new active
+        var second = CreateRealmDek(_secondDekId, true);
+        // Return both
+        _realmContext.GetDeks(Arg.Any<CancellationToken>()).Returns([ first, second ]);
+
+
+        var decoded = sut.Decrypt(cipher);
+
+        Assert.Equal("Hello"u8, decoded);
+    }
+    
+    private RealmDek CreateRealmDek(DekId id, bool active)
+        => new()
+        {
+            Id = id,
+            Active = active,
+            Algorithm = "AES",
+            KeyData = new(KekId.NewId(), RandomNumberGenerator.GetBytes(32)),
+            RealmId = default,
+        };
+}

IdentityShroud.Core.Tests/Services/DekEncryptionServiceTests.cs

@@ -0,0 +1,123 @@
+using IdentityShroud.Core.Contracts;
+using IdentityShroud.Core.Security;
+using IdentityShroud.Core.Services;
+
+namespace IdentityShroud.Core.Tests.Services;
+
+public class DekEncryptionServiceTests
+{
+    [Fact]
+    public void RoundtripWorks()
+    {
+        // Note this code will tend to only test the latest verion.
+
+        // setup
+        byte[] keyValue = Convert.FromBase64String("IGd9yUMusjNW0ezv8ink3QWlAHKFH45d21LyrbJTokw=");
+        var secretProvider = Substitute.For<ISecretProvider>();
+        KeyEncryptionKey[] keys =
+        [
+            new KeyEncryptionKey(KekId.NewId(), true, "AES", keyValue)
+        ];
+        secretProvider.GetKeys("master").Returns(keys);
+        
+            
+        ReadOnlySpan<byte> input = "Hello, World!"u8;
+        
+        // act
+        DekEncryptionService sut = new(secretProvider);
+        EncryptedDek cipher = sut.Encrypt(input.ToArray());
+        byte[] result = sut.Decrypt(cipher);
+
+        // verify
+        Assert.Equal(input, result);
+    }
+
+    [Fact]
+    public void DetectsCorruptInput()
+    {
+        // When introducing a new version we need version specific tests to 
+        // make sure decoding of legacy data still works.
+        KekId kid = KekId.NewId();
+        // setup
+        byte[] cipher = // NOTE INCORRECT CIPHER DO NOT USE IN OTHER TESTS
+        [
+            1, 198, 55, 58, 56, 110, 238, 59, 158, 214, 85, 241, 26, 44, 140, 229, 128, 111, 167, 154, 160, 177, 152,
+            193, 75, 4, 235, 82, 207, 87, 32, 10, 239, 4, 246, 25, 21, 249, 25, 59, 160, 101
+        ];
+        EncryptedDek secret = new(kid, cipher);
+        
+        byte[] keyValue = Convert.FromBase64String("IGd9yUMusjNW0ezv8ink3QWlAHKFH45d21LyrbJTokw=");
+        var secretProvider = Substitute.For<ISecretProvider>();
+        KeyEncryptionKey[] keys =
+        [
+            new KeyEncryptionKey(kid, true, "AES", keyValue)
+        ];
+        secretProvider.GetKeys("master").Returns(keys);
+
+        // act
+        DekEncryptionService sut = new(secretProvider);
+        Assert.Throws<InvalidOperationException>(
+            () => sut.Decrypt(secret),
+            ex => ex.Message.Contains("Decryption failed") ? null : "Expected Decryption failed in message");
+    }
+
+    [Fact]
+    public void DecodeSelectsRightKey()
+    {
+        // The key is marked inactive also it is the second key
+        
+        // setup
+        KekId kid1 = KekId.NewId();
+        KekId kid2 = KekId.NewId();
+
+        byte[] cipher =
+        [
+            1, 198, 55, 58, 56, 110, 238, 59, 158, 214, 85, 241, 26, 44, 140, 229, 128, 111, 167, 154, 160, 177, 152,
+            193, 74, 4, 235, 82, 207, 87, 32, 10, 239, 4, 246, 25, 21, 249, 25, 59, 160, 101
+        ];
+        EncryptedDek secret = new(kid1, cipher);
+        
+        byte[] keyValue1 = Convert.FromBase64String("IGd9yUMusjNW0ezv8ink3QWlAHKFH45d21LyrbJTokw=");
+        byte[] keyValue2 = Convert.FromBase64String("Dat1RwRvuLX3wdKMMP4NwHdBl8tJJsKfp01qikyo8aw=");
+        var secretProvider = Substitute.For<ISecretProvider>();
+        KeyEncryptionKey[] keys =
+        [
+            new KeyEncryptionKey(kid2, true, "AES", keyValue2),
+            new KeyEncryptionKey(kid1, false, "AES", keyValue1),
+        ];
+        secretProvider.GetKeys("master").Returns(keys);
+
+        // act
+        DekEncryptionService sut = new(secretProvider);
+        byte[] result = sut.Decrypt(secret);
+
+        // verify
+        Assert.Equal("Hello, World!"u8, result);
+    }
+    
+    [Fact]
+    public void EncryptionUsesActiveKey()
+    {
+        // setup
+        KekId kid1 = KekId.NewId();
+        KekId kid2 = KekId.NewId();
+
+        byte[] keyValue1 = Convert.FromBase64String("IGd9yUMusjNW0ezv8ink3QWlAHKFH45d21LyrbJTokw=");
+        byte[] keyValue2 = Convert.FromBase64String("Dat1RwRvuLX3wdKMMP4NwHdBl8tJJsKfp01qikyo8aw=");
+        var secretProvider = Substitute.For<ISecretProvider>();
+        KeyEncryptionKey[] keys =
+        [
+            new KeyEncryptionKey(kid1, false, "AES", keyValue1),
+            new KeyEncryptionKey(kid2, true, "AES", keyValue2),
+        ];
+        secretProvider.GetKeys("master").Returns(keys);
+
+        ReadOnlySpan<byte> input = "Hello, World!"u8;
+        // act
+        DekEncryptionService sut = new(secretProvider);
+        EncryptedDek cipher = sut.Encrypt(input.ToArray());
+        
+        // Verify
+        Assert.Equal(kid2, cipher.KekId);
+    }
+}

IdentityShroud.Core.Tests/Services/EncryptionServiceTests.cs

@@ -1,22 +0,0 @@
-using System.Security.Cryptography;
-using IdentityShroud.Core.Services;
-
-namespace IdentityShroud.Core.Tests.Services;
-
-public class EncryptionServiceTests
-{
-    [Fact]
-    public void RoundtripWorks()
-    {
-        // setup
-        string key = Convert.ToBase64String(RandomNumberGenerator.GetBytes(32));
-        EncryptionService sut = new(key);
-        byte[] input = RandomNumberGenerator.GetBytes(16);
-        
-        // act
-        var cipher = sut.Encrypt(input);
-        var result = sut.Decrypt(cipher);
-
-        Assert.Equal(input, result);
-    }
-}

IdentityShroud.Core.Tests/Services/EncryptionTests.cs

@@ -0,0 +1,30 @@
+using IdentityShroud.Core.Security;
+using IdentityShroud.Core.Services;
+
+namespace IdentityShroud.Core.Tests.Services;
+
+public class EncryptionTests
+{
+    [Fact]
+    public void DecodeV1_Success()
+    {
+        // When introducing a new version we need version specific tests to 
+        // make sure decoding of legacy data still works.
+        
+        // setup
+        byte[] cipher =
+        [
+            1, 198, 55, 58, 56, 110, 238, 59, 158, 214, 85, 241, 26, 44, 140, 229, 128, 111, 167, 154, 160, 177, 152,
+            193, 74, 4, 235, 82, 207, 87, 32, 10, 239, 4, 246, 25, 21, 249, 25, 59, 160, 101
+        ];
+        byte[] keyValue = Convert.FromBase64String("IGd9yUMusjNW0ezv8ink3QWlAHKFH45d21LyrbJTokw=");
+        
+        // act
+        byte[] result = Encryption.Decrypt(cipher, keyValue);
+
+        // verify
+        Assert.Equal("Hello, World!"u8, result);
+    }
+
+    
+}

IdentityShroud.Core.Tests/Services/RealmServiceTests.cs

@@ -1,26 +1,29 @@
-using FluentResults;
+using IdentityShroud.Core.Contracts;
+using IdentityShroud.Core.Model;
+using IdentityShroud.Core.Security;
+using IdentityShroud.Core.Security.Keys;
 using IdentityShroud.Core.Services;
 using IdentityShroud.Core.Tests.Fixtures;
-using IdentityShroud.Core.Tests.Substitutes;
 using Microsoft.EntityFrameworkCore;
 
 namespace IdentityShroud.Core.Tests.Services;
 
 public class RealmServiceTests : IClassFixture<DbFixture>
 {
-    private readonly Db _db;
+    private readonly DbFixture _dbFixture;
+    private readonly IKeyService _keyService = Substitute.For<IKeyService>();
 
     public RealmServiceTests(DbFixture dbFixture)
     {
-        _db = dbFixture.CreateDbContext("realmservice");
-
-        if (!_db.Database.EnsureCreated())
-            TruncateTables();
+        _dbFixture = dbFixture;
+        using Db db = dbFixture.CreateDbContext();
+        if (!db.Database.EnsureCreated())
+            TruncateTables(db);
     }
 
-    private void TruncateTables()
+    private void TruncateTables(Db db)
     {
-        _db.Database.ExecuteSqlRaw("TRUNCATE realm CASCADE;");
+        db.Database.ExecuteSqlRaw("TRUNCATE realm CASCADE;");
     }
 
     [Theory]
@@ -28,18 +31,30 @@ public class RealmServiceTests : IClassFixture<DbFixture>
     [InlineData("a7c2a39c-3ed9-4790-826e-43bb2e5e480c")]
     public async Task Create(string? idString)
     {
+        // Setup
         Guid? realmId = null;
         if (idString is not null)
             realmId = new(idString);
 
-        var encryptionService = EncryptionServiceSubstitute.CreatePassthrough();
-        RealmService sut = new(_db, encryptionService);
-        
+        RealmCreateResponse? val;
+        await using (var db = _dbFixture.CreateDbContext())
+        {
+            _keyService.CreateKey(Arg.Any<KeyPolicy>())
+                .Returns(new RealmKey() 
+                { 
+                    Id = Guid.NewGuid(), 
+                    KeyType = "TST", 
+                    Key = new(KekId.NewId(), [21]),
+                    CreatedAt = DateTime.UtcNow
+                });
+            // Act
+            RealmService sut = new(db, _keyService);
             var response = await sut.Create(
                 new(realmId, "slug", "New realm"),
                 TestContext.Current.CancellationToken);
 
-        RealmCreateResponse val = ResultAssert.Success(response);
+            // Verify
+            val = ResultAssert.Success(response);
             if (realmId.HasValue)
                 Assert.Equal(realmId, val.Id);
             else
@@ -48,6 +63,81 @@ public class RealmServiceTests : IClassFixture<DbFixture>
             Assert.Equal("slug", val.Slug);
             Assert.Equal("New realm", val.Name);
 
-        // TODO verify data has been stored!
+            _keyService.Received().CreateKey(Arg.Any<KeyPolicy>());
+        }
+
+        await using (var db = _dbFixture.CreateDbContext())
+        {
+            var dbRecord = await db.Realms
+                .Include(e => e.Keys)
+                .SingleAsync(e => e.Id == val.Id, TestContext.Current.CancellationToken);
+            Assert.Equal("TST", dbRecord.Keys[0].KeyType);
+        }
+    }
+
+    [Theory]
+    [InlineData("slug", null)]
+    [InlineData("foo", "Foo")]
+    public async Task FindBySlug(string slug, string? name)
+    {
+        await using (var setupContext = _dbFixture.CreateDbContext())
+        {
+            setupContext.Realms.Add(new()
+            {
+                Slug = "foo",
+                Name = "Foo",
+            });
+            setupContext.Realms.Add(new()
+            {
+                Slug = "bar",
+                Name = "Bar",
+            });
+            
+            await setupContext.SaveChangesAsync(TestContext.Current.CancellationToken);
+        }
+
+        await using var actContext = _dbFixture.CreateDbContext();
+        // Act
+        RealmService sut = new(actContext, _keyService);
+        var result = await sut.FindBySlug(slug, TestContext.Current.CancellationToken);
+
+        // Verify
+        Assert.Equal(name, result?.Name);
+    }
+
+    [Theory]
+    [InlineData("b0423bba-2411-497b-a5b6-c5adf404b862", true)]
+    [InlineData("65ac9dba-6d43-4fa4-b57f-133ed639fbcb", false)]
+    public async Task FindById(string idString, bool shouldFind)
+    {
+        Guid id = new(idString);
+        await using (var setupContext = _dbFixture.CreateDbContext())
+        {
+            setupContext.Realms.Add(new()
+            {
+                Id = new("b0423bba-2411-497b-a5b6-c5adf404b862"),
+                Slug = "foo",
+                Name = "Foo",
+            });
+            setupContext.Realms.Add(new()
+            {
+                Id = new("d4ffc7d0-7b2c-4f02-82b9-a74610435b0d"),
+                Slug = "bar",
+                Name = "Bar",
+            });
+            
+            await setupContext.SaveChangesAsync(TestContext.Current.CancellationToken);
+        }
+
+        await using var actContext = _dbFixture.CreateDbContext();
+        // Act
+        RealmService sut = new(actContext, _keyService);
+        Realm? result = await sut.FindById(id, TestContext.Current.CancellationToken);
+
+        // Verify
+        if (shouldFind)
+            Assert.NotNull(result);
+        else 
+            Assert.Null(result);
     }
 }

IdentityShroud.Core.Tests/Substitutes/EncryptionServiceSubstitute.cs

@@ -1,18 +0,0 @@
-using IdentityShroud.Core.Contracts;
-
-namespace IdentityShroud.Core.Tests.Substitutes;
-
-public static class EncryptionServiceSubstitute
-{
-    public static IEncryptionService CreatePassthrough()
-    {
-        var encryptionService = Substitute.For<IEncryptionService>();
-        encryptionService
-            .Encrypt(Arg.Any<byte[]>())
-            .Returns(x => x.ArgAt<byte[]>(0));
-        encryptionService
-            .Decrypt(Arg.Any<byte[]>())
-            .Returns(x => x.ArgAt<byte[]>(0));
-        return encryptionService;
-    }
-}

IdentityShroud.Core.Tests/UnitTest1.cs

@@ -1,7 +1,7 @@
 using System.Security.Cryptography;
 using System.Text;
 using System.Text.Json;
-using IdentityShroud.Core.Messages;
+using IdentityShroud.Core.DTO;
 using Microsoft.AspNetCore.WebUtilities;
 
 namespace IdentityShroud.Core.Tests;
@@ -35,7 +35,6 @@ public class UnitTest1
             
             // Option 3: Generate a new key for testing
             rsa.KeySize = 2048;
-            
             // Your already encoded header and payload
             string header = "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJybVZ3TU5rM0o1WHlmMWhyS3NVbEVYN1BNUm42dlZKY0h3U3FYMUVQRnFJIn0";
             string payload = "eyJleHAiOjE3Njk5MzY5MDksImlhdCI6MTc2OTkzNjYwOSwianRpIjoiMjNiZDJmNjktODdhYi00YmM2LWE0MWQtZGZkNzkxNDc4ZDM0IiwiaXNzIjoiaHR0cHM6Ly9pYW0ua2Fzc2FjbG91ZC5ubC9hdXRoL3JlYWxtcy9tcGx1c2thc3NhIiwiYXVkIjpbImthc3NhLW1hbmFnZW1lbnQtc2VydmljZSIsImFwYWNoZTItaW50cmFuZXQtYXV0aCIsImFjY291bnQiXSwic3ViIjoiMDkzY2NmMTUtYzRhOS00YWI0LTk3MWYtZDVhMDIyMzZkODVhIiwidHlwIjoiQmVhcmVyIiwiYXpwIjoibXBvYmFja2VuZCIsInNpZCI6IjI2NmUyNjJiLTU5NjMtNDUyZi04ZTI3LWIwZTkzMjBkNTZkNiIsInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJkZWZhdWx0LXJvbGVzLW1wbHVza2Fzc2EiLCJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIiwiZGVhbGVyLW1lZGV3ZXJrZXItcm9sZSIsIm1wbHVza2Fzc2EtbWVkZXdlcmtlci1yb2xlIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYXBhY2hlMi1pbnRyYW5ldC1hdXRoIjp7InJvbGVzIjpbImludHJhbmV0IiwicmVsZWFzZW5vdGVzX3dyaXRlIl19LCJrYXNzYS1tYW5hZ2VtZW50LXNlcnZpY2UiOnsicm9sZXMiOlsicG9zYWNjb3VudF9wYXNzd29yZHJlc2V0IiwiZHJhZnRfbGljZW5zZV93cml0ZSIsImxpY2Vuc2VfcmVhZCIsImtub3dsZWRnZUl0ZW1fcmVhZCIsIm1haWxpbmdfcmVhZCIsIm1wbHVzYXBpX3JlYWQiLCJkYXRhYmFzZV91c2VyX3dyaXRlIiwiZW52aXJvbm1lbnRfd3JpdGUiLCJna3NfYXV0aGNvZGVfcmVhZCIsImVtcGxveWVlX3JlYWQiLCJkYXRhYmFzZV91c2VyX3JlYWQiLCJhcGlhY2NvdW50X3Bhc3N3b3JkcmVzZXQiLCJtcGx1c2FwaV93cml0ZSIsImVudmlyb25tZW50X3JlYWQiLCJrbm93bGVkZ2VJdGVtX3dyaXRlIiwiZGF0YWJhc2VfdXNlcl9wYXNzd29yZF9yZWFkIiwibGljZW5zZV93cml0ZSIsImN1c3RvbWVyX3dyaXRlIiwiZGVhbGVyX3JlYWQiLCJlbXBsb3llZV93cml0ZSIsImRhdGFiYXNlX2NvbmZpZ3VyYXRpb25fd3JpdGUiLCJyZWxhdGlvbnNfcmVhZCIsImRhdGFiYXNlX3VzZXJfcGFzc3dvcmRfbXBsdXNfZW5jcnlwdGVkX3JlYWQiLCJkcmFmdF9saWNlbnNlX3JlYWQiLCJkYXRhYmFzZV9jb25maWd1cmF0aW9uX3JlYWQiXX0sImFjY291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb3VudC1saW5rcyIsInZpZXctcHJvZmlsZSJdfX0sInNjb3BlIjoia21zIGVtYWlsIHByb2ZpbGUiLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwiZGVhbGVySWQiOjEsIm5hbWUiOiJFZWxrZSBLbGVpbiIsInByZWZlcnJlZF91c2VybmFtZSI6ImVlbGtlQGJvbHQubmwiLCJsb2NhbGUiOiJlbiIsImdpdmVuX25hbWUiOiJFZWxrZSIsImZhbWlseV9uYW1lIjoiS2xlaW4iLCJlbWFpbCI6ImVlbGtlQGJvbHQubmwiLCJlbXBsb3llZU51bWJlciI6NTR9";
@@ -51,6 +50,15 @@ public class UnitTest1
             // Or generate complete JWT
             // string completeJwt = JwtSignatureGenerator.GenerateCompleteJwt(header, payload, rsa);
             // Console.WriteLine($"Complete JWT: {completeJwt}");
+
+            rsa.ExportRSAPublicKey(); // PKCS#1
+        }
+
+        using (ECDsa dsa = ECDsa.Create())
+        {
+            dsa.ExportPkcs8PrivateKey();
+
+            dsa.ExportSubjectPublicKeyInfo(); // x509
         }
     }        
 }
@@ -66,9 +74,9 @@ public static class JwtReader
         return new JsonWebToken()
         {
             Header = JsonSerializer.Deserialize<JsonWebTokenHeader>(
-                Encoding.UTF8.GetString(WebEncoders.Base64UrlDecode(jwt, 0, firstDot))),
+                Encoding.UTF8.GetString(WebEncoders.Base64UrlDecode(jwt, 0, firstDot)))!,
             Payload = JsonSerializer.Deserialize<JsonWebTokenPayload>(
-                Encoding.UTF8.GetString(WebEncoders.Base64UrlDecode(jwt, firstDot + 1, secondDot - (firstDot + 1)))),
+                Encoding.UTF8.GetString(WebEncoders.Base64UrlDecode(jwt, firstDot + 1, secondDot - (firstDot + 1))))!,
             Signature = WebEncoders.Base64UrlDecode(jwt, secondDot + 1, jwt.Length - (secondDot + 1))
         };
     }
@@ -95,13 +103,4 @@ public static class RsaKeyLoader
         return LoadFromPem(pemContent);
     }
    
-    /// <summary>
-    /// Load RSA private key from PKCS#8 format
-    /// </summary>
-    public static RSA LoadFromPkcs8(byte[] pkcs8Key)
-    {
-        var rsa = RSA.Create();
-        rsa.ImportPkcs8PrivateKey(pkcs8Key, out _);
-        return rsa;
-    }
 }

IdentityShroud.Core/Contracts/IClientService.cs

@@ -0,0 +1,14 @@
+using IdentityShroud.Core.Model;
+
+namespace IdentityShroud.Core.Contracts;
+
+public interface IClientService
+{
+    Task<Result<Client>> Create(
+        Guid realmId,
+        ClientCreateRequest request, 
+        CancellationToken ct = default);
+
+    Task<Client?> GetByClientId(Guid realmId, string clientId, CancellationToken ct = default);
+    Task<Client?> FindById(Guid realmId, int id, CancellationToken ct = default);
+}

IdentityShroud.Core/Contracts/IClock.cs

@@ -0,0 +1,6 @@
+namespace IdentityShroud.Core.Contracts;
+
+public interface IClock
+{
+    DateTime UtcNow();
+}

IdentityShroud.Core/Contracts/IDataEncryptionService.cs

@@ -0,0 +1,9 @@
+using IdentityShroud.Core.Security;
+
+namespace IdentityShroud.Core.Contracts;
+
+public interface IDataEncryptionService
+{
+    EncryptedValue Encrypt(ReadOnlySpan<byte> plain);
+    byte[] Decrypt(EncryptedValue input);
+}

IdentityShroud.Core/Contracts/IDekEncryptionService.cs

@@ -0,0 +1,11 @@
+using IdentityShroud.Core.Security;
+
+namespace IdentityShroud.Core.Contracts;
+
+
+
+public interface IDekEncryptionService
+{
+    EncryptedDek Encrypt(ReadOnlySpan<byte> plain);
+    byte[] Decrypt(EncryptedDek input);
+}

IdentityShroud.Core/Contracts/IEncryptionService.cs

@@ -1,7 +0,0 @@
-namespace IdentityShroud.Core.Contracts;
-
-public interface IEncryptionService
-{
-    byte[] Encrypt(byte[] plain);
-    byte[] Decrypt(byte[] cipher);
-}

IdentityShroud.Core/Contracts/IKeyService.cs

@@ -0,0 +1,12 @@
+using IdentityShroud.Core.Messages;
+using IdentityShroud.Core.Model;
+using IdentityShroud.Core.Security.Keys;
+
+namespace IdentityShroud.Core.Contracts;
+
+public interface IKeyService
+{
+    RealmKey CreateKey(KeyPolicy policy);
+
+    JsonWebKey? CreateJsonWebKey(RealmKey realmKey);
+}

IdentityShroud.Core/Contracts/IRealmContext.cs

@@ -0,0 +1,9 @@
+using IdentityShroud.Core.Model;
+
+namespace IdentityShroud.Core.Contracts;
+
+public interface IRealmContext
+{
+    public Realm GetRealm();
+    Task<IList<RealmDek>> GetDeks(CancellationToken ct = default);
+}

IdentityShroud.Core/Contracts/IRealmService.cs

@@ -0,0 +1,15 @@
+using IdentityShroud.Core.Messages.Realm;
+using IdentityShroud.Core.Model;
+using IdentityShroud.Core.Services;
+
+namespace IdentityShroud.Core.Contracts;
+
+public interface IRealmService
+{
+    Task<Realm?> FindById(Guid id, CancellationToken ct = default);
+    Task<Realm?> FindBySlug(string slug, CancellationToken ct = default);
+        
+    Task<Result<RealmCreateResponse>> Create(RealmCreateRequest request, CancellationToken ct = default);
+    Task LoadActiveKeys(Realm realm);
+    Task LoadDeks(Realm realm);
+}

IdentityShroud.Core/Contracts/ISecretProvider.cs

@@ -1,6 +1,14 @@
+using IdentityShroud.Core.Security;
+
 namespace IdentityShroud.Core.Contracts;
 
 public interface ISecretProvider
 {
-    string GetSecretAsync(string name);
+    string GetSecret(string name);
+
+    /// <summary>
+    /// Should return one active key, might return inactive keys.
+    /// </summary>
+    /// <returns></returns>
+    KeyEncryptionKey[] GetKeys(string name);
 }

IdentityShroud.Core/DTO/Client/ClientCreateRequest.cs

@@ -0,0 +1,10 @@
+namespace IdentityShroud.Core.Contracts;
+
+public class ClientCreateRequest
+{
+    public required string ClientId { get; set; }
+    public string? Name { get; set; }
+    public string? Description { get; set; }
+    public string? SignatureAlgorithm { get; set; }
+    public bool? AllowClientCredentialsFlow { get; set; }
+}

IdentityShroud.Core/DTO/JsonWebKey.cs

@@ -1,34 +1,49 @@
 using System.Text.Json.Serialization;
+using IdentityShroud.Core.Helpers;
 
 namespace IdentityShroud.Core.Messages;
 
+// https://www.rfc-editor.org/rfc/rfc7517.html
+
+
 public class JsonWebKey
 {
     [JsonPropertyName("kty")]
     public string KeyType { get; set; } = "RSA";
     
+    // Common values sig(nature) enc(ryption)
     [JsonPropertyName("use")]
-    public string Use { get; set; } = "sig"; // "sig" for signature, "enc" for encryption
+    public string? Use { get; set; } = "sig"; // "sig" for signature, "enc" for encryption
     
-    [JsonPropertyName("alg")]
-    public string Algorithm { get; set; } = "RS256";
+    // Per standard this field is optional, commented out for now as it seems not 
+    // have any good use in an identity server. Anyone validating tokens should use
+    // the algorithm specified in the header of the token.
+    // [JsonPropertyName("alg")]
+    // public string? Algorithm { get; set; } = "RS256";
     
     [JsonPropertyName("kid")]
-    public string KeyId { get; set; }
+    public required string KeyId { get; set; }
     
     // RSA Public Key Components
     [JsonPropertyName("n")]
-    public string Modulus { get; set; }
+    public string? Modulus { get; set; }
     
     [JsonPropertyName("e")]
-    public string Exponent { get; set; }
+    public string? Exponent { get; set; }
+    
+    // ECdsa
+    public string? Curve { get; set; }
+    [JsonConverter(typeof(Base64UrlConverter))]
+    public byte[]? X { get; set; }
+    [JsonConverter(typeof(Base64UrlConverter))]
+    public byte[]? Y { get; set; }
     
     // Optional fields
-    [JsonPropertyName("x5c")]
-    [JsonIgnore(Condition = JsonIgnoreCondition.WhenWritingNull)]
-    public List<string> X509CertificateChain { get; set; }
-    
-    [JsonPropertyName("x5t")]
-    [JsonIgnore(Condition = JsonIgnoreCondition.WhenWritingNull)]
-    public string X509CertificateThumbprint { get; set; }    
+    // [JsonPropertyName("x5c")]
+    // [JsonIgnore(Condition = JsonIgnoreCondition.WhenWritingNull)]
+    // public List<string>? X509CertificateChain { get; set; }
+    //
+    // [JsonPropertyName("x5t")]
+    // [JsonIgnore(Condition = JsonIgnoreCondition.WhenWritingNull)]
+    // public string? X509CertificateThumbprint { get; set; }    
 }

IdentityShroud.Core/DTO/JsonWebToken.cs

@@ -1,6 +1,6 @@
 using System.Text.Json.Serialization;
 
-namespace IdentityShroud.Core.Messages;
+namespace IdentityShroud.Core.DTO;
 
 public class JsonWebTokenHeader
 {
@@ -9,31 +9,32 @@ public class JsonWebTokenHeader
     [JsonPropertyName("typ")]
     public string Type { get; set; } = "JWT";
     [JsonPropertyName("kid")]
-    public string KeyId { get; set; }
+    public required string KeyId { get; set; }
 
 }
 
+//
 public class JsonWebTokenPayload
 {
     [JsonPropertyName("iss")]
-    public string Issuer { get; set; }
+    public string? Issuer { get; set; }
     [JsonPropertyName("aud")]
-    public string[] Audience { get; set; }
+    public string[]? Audience { get; set; }
     [JsonPropertyName("sub")]
-    public string Subject { get; set; }
+    public string? Subject { get; set; }
     [JsonPropertyName("exp")]
-    public long Expires { get; set; }
+    public long? Expires { get; set; }
     [JsonPropertyName("iat")]
-    public long IssuedAt { get; set; }
+    public long? IssuedAt { get; set; }
     [JsonPropertyName("nbf")]
-    public long NotBefore { get; set; }
+    public long? NotBefore { get; set; }
     [JsonPropertyName("jti")]
-    public Guid JwtId { get; set; } 
+    public Guid? JwtId { get; set; } 
 }
 
 public class JsonWebToken
 {
-    public JsonWebTokenHeader Header { get; set; } = new();
-    public JsonWebTokenPayload Payload { get; set; } = new();
-    public byte[] Signature { get; set; } = [];
+    public required JsonWebTokenHeader Header { get; set; }
+    public required JsonWebTokenPayload Payload { get; set; }
+    public required byte[] Signature { get; set; } = [];
 }

IdentityShroud.Core/Db.cs

@@ -1,5 +1,7 @@
 using IdentityShroud.Core.Model;
+using IdentityShroud.Core.Security;
 using Microsoft.EntityFrameworkCore;
+using Microsoft.EntityFrameworkCore.Storage.ValueConversion;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
 
@@ -16,7 +18,43 @@ public class Db(
     ILoggerFactory? loggerFactory) 
     : DbContext
 {
+    public virtual DbSet<Client> Clients { get; set; }
     public virtual DbSet<Realm> Realms { get; set; }
+    public virtual DbSet<RealmKey> Keys { get; set; }
+    public virtual DbSet<RealmDek> Deks { get; set; }
+
+    protected override void OnModelCreating(ModelBuilder modelBuilder)
+    {
+        var dekIdConverter = new ValueConverter<DekId, Guid>(
+            id => id.Id,
+            guid => new DekId(guid));
+
+        var kekIdConverter = new ValueConverter<KekId, Guid>(
+            id => id.Id,
+            guid => new KekId(guid));
+
+        modelBuilder.Entity<RealmDek>()
+            .Property(d => d.Id)
+            .HasConversion(dekIdConverter);
+
+        modelBuilder.Entity<RealmDek>()
+            .OwnsOne(d => d.KeyData, keyData =>
+            {
+                keyData.Property(k => k.KekId).HasConversion(kekIdConverter);
+            });
+
+        modelBuilder.Entity<RealmKey>()
+            .OwnsOne(k => k.Key, key =>
+            {
+                key.Property(k => k.KekId).HasConversion(kekIdConverter);
+            });
+
+        modelBuilder.Entity<ClientSecret>()
+            .OwnsOne(c => c.Secret, secret =>
+            {
+                secret.Property(s => s.DekId).HasConversion(dekIdConverter);
+            });
+    }
 
     protected override void OnConfiguring(DbContextOptionsBuilder optionsBuilder)
     {

IdentityShroud.Core/Helpers/Base64UrlConverter.cs

@@ -0,0 +1,28 @@
+using System.Buffers;
+using System.Buffers.Text;
+using System.Text.Json;
+using System.Text.Json.Serialization;
+
+namespace IdentityShroud.Core.Helpers;
+
+public class Base64UrlConverter : JsonConverter<byte[]>
+{
+    public override byte[] Read(ref Utf8JsonReader reader, Type typeToConvert, JsonSerializerOptions options)
+    {
+        // GetValueSpan gives you the raw UTF-8 bytes of the JSON string value
+        if (reader.HasValueSequence)
+        {
+            var valueSequence = reader.ValueSequence.ToArray();
+            return Base64Url.DecodeFromUtf8(valueSequence);
+        }
+        return Base64Url.DecodeFromUtf8(reader.ValueSpan);
+    }
+
+    public override void Write(Utf8JsonWriter writer, byte[] value, JsonSerializerOptions options)
+    {
+        int encodedLength = Base64Url.GetEncodedLength(value.Length);
+        Span<byte> buffer = encodedLength <= 256 ? stackalloc byte[encodedLength] : new byte[encodedLength];
+        Base64Url.EncodeToUtf8(value, buffer);
+        writer.WriteStringValue(buffer);
+    }
+}

IdentityShroud.Core/Helpers/SlugHelper.cs

@@ -1,4 +1,3 @@
-using System;
 using System.Globalization;
 using System.Security.Cryptography;
 using System.Text;
@@ -73,9 +72,9 @@ public static class SlugHelper
     
     private static string GenerateHashSuffix(string text)
     {
-        using (var sha256 = SHA256.Create())
+        using (var md5 = MD5.Create())
         {
-            byte[] hash = sha256.ComputeHash(Encoding.UTF8.GetBytes(text));
+            byte[] hash = md5.ComputeHash(Encoding.UTF8.GetBytes(text));
             
             // Take first 4 bytes (will become ~5-6 base64url chars)
             string base64Url = WebEncoders.Base64UrlEncode(hash, 0, 4);

IdentityShroud.Core/IdentityShroud.Core.csproj

@@ -11,7 +11,10 @@
       <PackageReference Include="FluentResults" Version="4.0.0" />
       <PackageReference Include="FluentValidation" Version="12.1.1" />
       <PackageReference Include="jose-jwt" Version="5.2.0" />
+      <PackageReference Include="LanguageExt.Core" Version="4.4.9" />
+      <PackageReference Include="Microsoft.AspNetCore.Http.Abstractions" Version="2.3.9" />
       <PackageReference Include="Microsoft.Extensions.Configuration.Binder" Version="10.0.2" />
+      <PackageReference Include="Microsoft.AspNetCore.WebUtilities" Version="10.0.2" />
       <PackageReference Include="Npgsql.EntityFrameworkCore.PostgreSQL" Version="10.0.0" />
     </ItemGroup>
     
@@ -19,10 +22,4 @@
         <Using Include="FluentResults" />
     </ItemGroup>
 
-    <ItemGroup>
-      <Reference Include="Microsoft.AspNetCore.WebUtilities">
-        <HintPath>..\..\..\.nuget\packages\microsoft.aspnetcore.webutilities\10.0.2\lib\net10.0\Microsoft.AspNetCore.WebUtilities.dll</HintPath>
-      </Reference>
-    </ItemGroup>
-
 </Project>

IdentityShroud.Core/Model/Client.cs

@@ -1,7 +1,29 @@
+using System.ComponentModel.DataAnnotations;
+using System.ComponentModel.DataAnnotations.Schema;
+using Microsoft.EntityFrameworkCore;
+
 namespace IdentityShroud.Core.Model;
 
+[Table("client")]
+[Index(nameof(ClientId), IsUnique = true)]
 public class Client
 {
-    public Guid Id { get; set; }
-    public string Name { get; set; }
+    [Key]
+    public int Id { get; set; }
+    public Guid RealmId { get; set; }
+    [MaxLength(40)]
+    public required string ClientId { get; set; }
+    [MaxLength(80)]
+    public string? Name { get; set; }
+    [MaxLength(2048)]
+    public string? Description { get; set; }
+    
+    [MaxLength(20)]
+    public string? SignatureAlgorithm { get; set; }
+    
+    public bool AllowClientCredentialsFlow { get; set; } = false;
+    
+    public required DateTime CreatedAt { get; set; }
+
+    public List<ClientSecret> Secrets { get; set; } = [];
 }

IdentityShroud.Core/Model/ClientSecret.cs

@@ -0,0 +1,17 @@
+using System.ComponentModel.DataAnnotations;
+using System.ComponentModel.DataAnnotations.Schema;
+using IdentityShroud.Core.Contracts;
+using IdentityShroud.Core.Security;
+
+namespace IdentityShroud.Core.Model;
+
+[Table("client_secret")]
+public class ClientSecret
+{
+    [Key]
+    public int Id { get; set; }
+    public Guid ClientId { get; set; }
+    public DateTime CreatedAt { get; set; }
+    public DateTime? RevokedAt { get; set; }
+    public required EncryptedValue Secret { get; set; }
+}

IdentityShroud.Core/Model/Realm.cs

@@ -1,13 +1,12 @@
 using System.ComponentModel.DataAnnotations;
 using System.ComponentModel.DataAnnotations.Schema;
-using IdentityShroud.Core.Contracts;
+using IdentityShroud.Core.Security;
 
 namespace IdentityShroud.Core.Model;
 
 [Table("realm")]
 public class Realm
 {
-    private byte[] _privateKeyDecrypted = [];
     
     public Guid Id { get; set; }
     /// <summary>
@@ -20,26 +19,22 @@ public class Realm
     public string Name { get; set; } = "";
     public List<Client> Clients { get; init; } = [];
 
-    public byte[] PrivateKeyEncrypted
-    {
-        get;
-        set
-        {
-            field = value;
-            _privateKeyDecrypted = [];
-        }
-    } = [];
+    public List<RealmKey> Keys { get; init; } = [];
 
-    public byte[] GetPrivateKey(IEncryptionService encryptionService)
-    {
-        if (_privateKeyDecrypted.Length == 0 && PrivateKeyEncrypted.Length > 0)
-            _privateKeyDecrypted = encryptionService.Decrypt(PrivateKeyEncrypted);
-        return _privateKeyDecrypted;
+    public List<RealmDek> Deks { get; init; } = [];
+
+    /// <summary>
+    /// Can be overriden per client
+    /// </summary>
+    public string DefaultSignatureAlgorithm { get; set; } = JsonWebAlgorithm.RS256;
 }
 
-    public void SetPrivateKey(IEncryptionService encryptionService, byte[] privateKey)
+[Table("realm_dek")]
+public record RealmDek
 {
-        PrivateKeyEncrypted = encryptionService.Encrypt(privateKey);
-        _privateKeyDecrypted = privateKey;
-    }
+    public required DekId Id { get; init; }
+    public required bool Active { get; set; }
+    public required string Algorithm { get; init; }
+    public required EncryptedDek KeyData { get; init; }
+    public required Guid RealmId { get; init; }
 }

IdentityShroud.Core/Model/RealmKey.cs

@@ -0,0 +1,27 @@
+using System.ComponentModel.DataAnnotations.Schema;
+using IdentityShroud.Core.Contracts;
+using IdentityShroud.Core.Security;
+using Microsoft.EntityFrameworkCore;
+
+namespace IdentityShroud.Core.Model;
+
+
+[Table("realm_key")]
+public record RealmKey
+{
+    public required Guid Id { get; init; }
+    public required string KeyType { get; init; }
+
+    
+    public required EncryptedDek Key { get; init; }
+    public required DateTime CreatedAt { get; init; }
+    public DateTime? RevokedAt { get; set; }
+
+    /// <summary>
+    /// Key with highest priority will be used. While there is not really a use case for this I know some users
+    /// are more comfortable replacing keys by using priority then directly deactivating the old key.
+    /// </summary>
+    public int Priority { get; set; } = 10;
+    
+
+}

IdentityShroud.Core/Security/AesGcmHelper.cs

@@ -1,64 +0,0 @@
-using System.Security.Cryptography;
-
-namespace IdentityShroud.Core.Security;
-
-public static class AesGcmHelper
-{
-    
-    public static byte[] EncryptAesGcm(byte[] plaintext, byte[] key)
-    {
-        using var aes = new AesGcm(key);
-        byte[] nonce = RandomNumberGenerator.GetBytes(AesGcm.NonceByteSizes.MaxSize);
-        byte[] ciphertext = new byte[plaintext.Length];
-        byte[] tag = new byte[AesGcm.TagByteSizes.MaxSize];
-
-        aes.Encrypt(nonce, plaintext, ciphertext, tag);
-        // Return concatenated nonce|ciphertext|tag (or store separately)
-        return nonce.Concat(ciphertext).Concat(tag).ToArray();
-    }
-    
-    // --------------------------------------------------------------------
-    // DecryptAesGcm
-    //   • key      – 32‑byte (256‑bit) secret key (same key used for encryption)
-    //   • payload  – byte[] containing nonce‖ciphertext‖tag
-    //   • returns  – the original plaintext bytes
-    // --------------------------------------------------------------------
-    public static byte[] DecryptAesGcm(byte[] payload, byte[] key)
-    {
-        if (payload == null) throw new ArgumentNullException(nameof(payload));
-        if (key == null)     throw new ArgumentNullException(nameof(key));
-        if (key.Length != 32) // 256‑bit key
-            throw new ArgumentException("Key must be 256 bits (32 bytes) for AES‑256‑GCM.", nameof(key));
-
-        // ----------------------------------------------------------------
-        // 1️⃣ Extract the three components.
-        // ----------------------------------------------------------------
-        // AesGcm.NonceByteSizes.MaxSize = 12 bytes (standard GCM nonce length)
-        // AesGcm.TagByteSizes.MaxSize   = 16 bytes (128‑bit authentication tag)
-        int nonceSize = AesGcm.NonceByteSizes.MaxSize; // 12
-        int tagSize   = AesGcm.TagByteSizes.MaxSize;   // 16
-
-        if (payload.Length < nonceSize + tagSize)
-            throw new ArgumentException("Payload is too short to contain nonce, ciphertext, and tag.", nameof(payload));
-
-        ReadOnlySpan<byte> nonce = new(payload, 0, nonceSize);
-        ReadOnlySpan<byte> ciphertext = new(payload, nonceSize, payload.Length - nonceSize - tagSize);
-        ReadOnlySpan<byte> tag = new(payload, payload.Length - tagSize, tagSize);
-        
-
-        byte[] plaintext = new byte[ciphertext.Length];
-
-        using var aes = new AesGcm(key);
-        try
-        {
-            aes.Decrypt(nonce, ciphertext, tag, plaintext);
-        }
-        catch (CryptographicException ex)
-        {
-            // Tag verification failed → tampering or wrong key/nonce.
-            throw new InvalidOperationException("Decryption failed – authentication tag mismatch.", ex);
-        }
-
-        return plaintext;
-    }
-}

IdentityShroud.Core/Security/ConfigurationSecretProvider.cs

@@ -10,8 +10,13 @@ public class ConfigurationSecretProvider(IConfiguration configuration) : ISecret
 {
     private readonly IConfigurationSection secrets = configuration.GetSection("secrets"); 
     
-    public string GetSecretAsync(string name)
+    public string GetSecret(string name)
     {
         return secrets.GetValue<string>(name) ?? "";
     }
+
+    public KeyEncryptionKey[] GetKeys(string name)
+    {
+        return secrets.GetSection(name).Get<KeyEncryptionKey[]>() ?? [];
+    }
 }

IdentityShroud.Core/Security/DekId.cs

@@ -0,0 +1,6 @@
+namespace IdentityShroud.Core.Security;
+
+public record struct DekId(Guid Id)
+{
+    public static DekId NewId() => new(Guid.NewGuid());
+}

IdentityShroud.Core/Security/EncryptedDek.cs

@@ -0,0 +1,6 @@
+using Microsoft.EntityFrameworkCore;
+
+namespace IdentityShroud.Core.Security;
+
+[Owned]
+public record EncryptedDek(KekId KekId, byte[] Value);

IdentityShroud.Core/Security/EncryptedValue.cs

@@ -0,0 +1,8 @@
+using Microsoft.EntityFrameworkCore;
+
+namespace IdentityShroud.Core.Security;
+
+[Owned]
+public record EncryptedValue(DekId DekId, byte[] Value);
+
+

IdentityShroud.Core/Security/Encryption.cs

@@ -0,0 +1,70 @@
+using System.Security.Cryptography;
+
+namespace IdentityShroud.Core.Security;
+
+public static class Encryption
+{
+    private record struct AlgVersion(int Version, int NonceSize, int TagSize);
+
+    private static AlgVersion[] _versions = 
+    [
+        new(0, 0, 0), // version 0 does not realy exist
+        new(1, 12, 16), // version 1
+    ];
+    
+    public static byte[] Encrypt(ReadOnlySpan<byte> plaintext, ReadOnlySpan<byte> key)
+    {
+        const int versionNumber = 1; 
+        AlgVersion versionParams = _versions[versionNumber];
+
+        int resultSize = 1 + versionParams.NonceSize + versionParams.TagSize + plaintext.Length;
+        // allocate buffer for complete response 
+        var result = new byte[resultSize];
+        
+        result[0] = (byte)versionParams.Version;
+
+        // make the spans that point to the parts of the result where their data is located
+        var nonce = result.AsSpan(1, versionParams.NonceSize); 
+        var tag = result.AsSpan(1 + versionParams.NonceSize, versionParams.TagSize);
+        var cipher = result.AsSpan(1 + versionParams.NonceSize + versionParams.TagSize);
+
+        // use the spans to place the data directly in its place
+        RandomNumberGenerator.Fill(nonce);
+        using var aes = new AesGcm(key, versionParams.TagSize);
+        aes.Encrypt(nonce, plaintext, cipher, tag);
+        return result;
+    }
+    
+    public static byte[] Decrypt(ReadOnlyMemory<byte> input, ReadOnlySpan<byte> key)
+    {
+        var payload = input.Span;
+        int versionNumber = (int)payload[0];
+        if (versionNumber != 1)
+            throw new ArgumentException("Invalid payload");
+        
+        AlgVersion versionParams = _versions[versionNumber];
+        
+        
+        if (payload.Length < 1 + versionParams.NonceSize + versionParams.TagSize)
+            throw new ArgumentException("Payload is too short to contain nonce, ciphertext, and tag.", nameof(payload));
+
+        ReadOnlySpan<byte> nonce = payload.Slice(1, versionParams.NonceSize);
+        ReadOnlySpan<byte> tag = payload.Slice(1 + versionParams.NonceSize, versionParams.TagSize);
+        ReadOnlySpan<byte> cipher = payload.Slice(1 + versionParams.NonceSize + versionParams.TagSize);
+
+        byte[] plaintext = new byte[cipher.Length];
+
+        using var aes = new AesGcm(key, versionParams.TagSize);
+        try
+        {
+            aes.Decrypt(nonce, cipher, tag, plaintext);
+        }
+        catch (CryptographicException ex)
+        {
+            // Tag verification failed → tampering or wrong key/nonce.
+            throw new InvalidOperationException("Decryption failed – authentication tag mismatch.", ex);
+        }
+
+        return plaintext;
+    }
+}

IdentityShroud.Core/Security/JsonWebAlgorithm.cs

@@ -0,0 +1,6 @@
+namespace IdentityShroud.Core.Security;
+
+public static class JsonWebAlgorithm
+{
+    public const string RS256 = "RS256";
+}

IdentityShroud.Core/Security/JwtSignatureGenerator.cs

@@ -4,7 +4,7 @@ using Microsoft.AspNetCore.WebUtilities;
 
 namespace IdentityShroud.Core;
 
-public class JwtSignatureGenerator
+public static class JwtSignatureGenerator
 {
     /// <summary>
     /// Generates a JWT signature using RS256 algorithm

IdentityShroud.Core/Security/KekId.cs

@@ -0,0 +1,41 @@
+using System.ComponentModel;
+using System.Globalization;
+using System.Text.Json;
+using System.Text.Json.Serialization;
+
+namespace IdentityShroud.Core.Security;
+
+[JsonConverter(typeof(KekIdJsonConverter))]
+[TypeConverter(typeof(KekIdTypeConverter))]
+public readonly record struct KekId
+{
+    public Guid Id { get; } 
+
+    public KekId(Guid id)
+    {
+        Id = id;
+    }
+
+    public static KekId NewId()
+    {
+        return new KekId(Guid.NewGuid());
+    }
+}
+
+public class KekIdJsonConverter : JsonConverter<KekId>
+{
+    public override KekId Read(ref Utf8JsonReader reader, Type typeToConvert, JsonSerializerOptions options)
+        => new KekId(reader.GetGuid());
+
+    public override void Write(Utf8JsonWriter writer, KekId value, JsonSerializerOptions options)
+        => writer.WriteStringValue(value.Id);
+}
+
+public class KekIdTypeConverter : TypeConverter
+{
+    public override bool CanConvertFrom(ITypeDescriptorContext? context, Type sourceType)
+        => sourceType == typeof(string) || base.CanConvertFrom(context, sourceType);
+
+    public override object? ConvertFrom(ITypeDescriptorContext? context, CultureInfo? culture, object value)
+        => value is string s ? new KekId(Guid.Parse(s)) : base.ConvertFrom(context, culture, value);
+}

IdentityShroud.Core/Security/KeyEncryptionKey.cs

@@ -0,0 +1,10 @@
+namespace IdentityShroud.Core.Security;
+
+/// <summary>
+/// Contains a KEK and associated relevant data. This structure
+/// </summary>
+/// <param name="Id"></param>
+/// <param name="Active"></param>
+/// <param name="Algorithm"></param>
+/// <param name="Key"></param>
+public record KeyEncryptionKey(KekId Id, bool Active, string Algorithm, byte[] Key);

IdentityShroud.Core/Security/Keys/IKeyProvider.cs

@@ -0,0 +1,19 @@
+using IdentityShroud.Core.Messages;
+
+namespace IdentityShroud.Core.Security.Keys;
+
+public abstract class KeyPolicy
+{
+    public abstract string KeyType { get; }
+}
+
+
+public interface IKeyProvider
+{
+    byte[] CreateKey(KeyPolicy policy);
+
+    void SetJwkParameters(byte[] key, JsonWebKey jwk);
+}
+
+
+

IdentityShroud.Core/Security/Keys/IKeyProviderFactory.cs

@@ -0,0 +1,7 @@
+namespace IdentityShroud.Core.Security.Keys;
+
+
+public interface IKeyProviderFactory
+{
+    public IKeyProvider CreateProvider(string keyType);
+}

IdentityShroud.Core/Security/Keys/KeyProviderFactory.cs

@@ -0,0 +1,17 @@
+using IdentityShroud.Core.Security.Keys.Rsa;
+
+namespace IdentityShroud.Core.Security.Keys;
+
+public class KeyProviderFactory : IKeyProviderFactory
+{
+    public IKeyProvider CreateProvider(string keyType)
+    {
+        switch (keyType)
+        {
+            case "RSA":
+                return new RsaProvider();
+            default:
+                throw new NotImplementedException();
+        }
+    }
+}

IdentityShroud.Core/Security/Keys/Rsa/RsaProvider.cs

@@ -0,0 +1,35 @@
+using System.Buffers.Text;
+using System.Security.Cryptography;
+using IdentityShroud.Core.Messages;
+
+namespace IdentityShroud.Core.Security.Keys.Rsa;
+
+public class RsaKeyPolicy : KeyPolicy
+{
+    public override string KeyType => "RSA";
+    public int KeySize { get; } = 2048;
+}
+
+public class RsaProvider : IKeyProvider
+{
+    public byte[] CreateKey(KeyPolicy policy)
+    {
+        if (policy is RsaKeyPolicy p)
+        {
+            using var rsa = RSA.Create(p.KeySize);
+            return rsa.ExportPkcs8PrivateKey();
+        }
+
+        throw new ArgumentException("Incorrect policy type", nameof(policy));
+    }
+
+    public void SetJwkParameters(byte[] key, JsonWebKey jwk)
+    {
+        using var rsa = RSA.Create();
+        rsa.ImportPkcs8PrivateKey(key, out _);
+        var parameters = rsa.ExportParameters(includePrivateParameters: false);
+
+        jwk.Exponent = Base64Url.EncodeToString(parameters.Exponent);
+        jwk.Modulus = Base64Url.EncodeToString(parameters.Modulus);
+    }
+}

IdentityShroud.Core/Security/RsaHelper.cs

@@ -1,7 +0,0 @@
-using System.Security.Cryptography;
-
-namespace IdentityShroud.Core.Security;
-
-public static class RsaHelper
-{
-}

IdentityShroud.Core/Services/ClientService.cs

@@ -0,0 +1,65 @@
+using System.Security.Cryptography;
+using IdentityShroud.Core.Contracts;
+using IdentityShroud.Core.Model;
+using Microsoft.EntityFrameworkCore;
+
+namespace IdentityShroud.Core.Services;
+
+public class ClientService(
+    Db db,
+    IDataEncryptionService cryptor,
+    IClock clock) : IClientService
+{
+    public async Task<Result<Client>> Create(Guid realmId, ClientCreateRequest request, CancellationToken ct = default)
+    {
+        Client client = new()
+        {
+            RealmId = realmId,
+            ClientId = request.ClientId,
+            Name = request.Name,
+            Description = request.Description,
+            SignatureAlgorithm = request.SignatureAlgorithm,
+            AllowClientCredentialsFlow = request.AllowClientCredentialsFlow ?? false,
+            CreatedAt = clock.UtcNow(),
+        };
+        
+        if (client.AllowClientCredentialsFlow)
+        {
+            client.Secrets.Add(CreateSecret());
+        }
+
+        await db.AddAsync(client, ct);
+        await db.SaveChangesAsync(ct);
+
+        return client;
+    }
+
+    public async Task<Client?> GetByClientId(
+        Guid realmId,
+        string clientId, 
+        CancellationToken ct = default)
+    {
+        return await db.Clients.FirstOrDefaultAsync(c => c.ClientId == clientId && c.RealmId == realmId, ct);
+    }
+
+    public async Task<Client?> FindById(
+        Guid realmId,
+        int id, 
+        CancellationToken ct = default)
+    {
+        return await db.Clients.FirstOrDefaultAsync(c => c.Id == id && c.RealmId == realmId, ct);
+    }
+
+    private ClientSecret CreateSecret()
+    {
+        Span<byte> secret = stackalloc byte[24];
+        RandomNumberGenerator.Fill(secret);
+
+        return new ClientSecret()
+        {
+            CreatedAt = clock.UtcNow(),
+            Secret = cryptor.Encrypt(secret.ToArray()),
+        };
+
+    }
+}

IdentityShroud.Core/Services/ClockService.cs

@@ -0,0 +1,11 @@
+using IdentityShroud.Core.Contracts;
+
+namespace IdentityShroud.Core.Services;
+
+public class ClockService : IClock
+{
+    public DateTime UtcNow()
+    {
+        return DateTime.UtcNow;
+    }
+}

IdentityShroud.Core/Services/DataEncryptionService.cs

@@ -0,0 +1,41 @@
+using IdentityShroud.Core.Contracts;
+using IdentityShroud.Core.Model;
+using IdentityShroud.Core.Security;
+
+namespace IdentityShroud.Core.Services;
+
+public class DataEncryptionService(
+    IRealmContext realmContext,
+    IDekEncryptionService dekCryptor) : IDataEncryptionService
+{
+    
+    // Note this array is expected to have one item in it most of the during key rotation it will have two
+    // until it is ensured the old key can safely be removed. More then two will work but is not really expected.
+    private IList<RealmDek>? _deks = null;
+
+    private IList<RealmDek> GetDeks()
+    {
+        if (_deks is null)
+            _deks = realmContext.GetDeks().Result;
+
+        return _deks;
+    }
+
+    private RealmDek GetActiveDek() => GetDeks().Single(d => d.Active);
+    private RealmDek GetKey(DekId id) => GetDeks().Single(d => d.Id == id);
+    
+    public byte[] Decrypt(EncryptedValue input)
+    {
+        var dek = GetKey(input.DekId);
+        var key = dekCryptor.Decrypt(dek.KeyData);
+        return Encryption.Decrypt(input.Value, key);
+    }
+
+    public EncryptedValue Encrypt(ReadOnlySpan<byte> plain)
+    {
+        var dek = GetActiveDek();
+        var key = dekCryptor.Decrypt(dek.KeyData);
+        byte[] cipher = Encryption.Encrypt(plain, key);
+        return new (dek.Id, cipher);
+    }
+}

IdentityShroud.Core/Services/DekEncryptionService.cs

@@ -0,0 +1,38 @@
+using IdentityShroud.Core.Contracts;
+using IdentityShroud.Core.Security;
+
+namespace IdentityShroud.Core.Services;
+
+/// <summary>
+/// 
+/// </summary>
+public class DekEncryptionService : IDekEncryptionService
+{
+    // Note this array is expected to have one item in it most of the during key rotation it will have two
+    // until it is ensured the old key can safely be removed. More then two will work but is not really expected.
+    private readonly KeyEncryptionKey[] _encryptionKeys;
+
+    private KeyEncryptionKey ActiveKey => _encryptionKeys.Single(k => k.Active);
+    private KeyEncryptionKey GetKey(KekId keyId) => _encryptionKeys.Single(k => k.Id == keyId);
+
+    public DekEncryptionService(ISecretProvider secretProvider)
+    {
+        _encryptionKeys = secretProvider.GetKeys("master");
+        // if (_encryptionKey.Length != 32) // 256‑bit key
+        //     throw new Exception("Key must be 256 bits (32 bytes) for AES‑256‑GCM.");
+    }
+
+    public EncryptedDek Encrypt(ReadOnlySpan<byte> plaintext)
+    {
+        var encryptionKey = ActiveKey;
+        byte[] cipher = Encryption.Encrypt(plaintext, encryptionKey.Key);
+        return new (encryptionKey.Id, cipher);
+    }
+
+    public byte[] Decrypt(EncryptedDek input)
+    {
+        var encryptionKey = GetKey(input.KekId);
+
+        return Encryption.Decrypt(input.Value, encryptionKey.Key);
+    }
+}

IdentityShroud.Core/Services/IRealmService.cs

@@ -1,8 +0,0 @@
-using IdentityShroud.Core.Messages.Realm;
-
-namespace IdentityShroud.Core.Services;
-
-public interface IRealmService
-{
-    Task<Result<RealmCreateResponse>> Create(RealmCreateRequest request, CancellationToken ct = default);
-}

IdentityShroud.Core/Services/KeyService.cs

@@ -0,0 +1,46 @@
+using IdentityShroud.Core.Contracts;
+using IdentityShroud.Core.Messages;
+using IdentityShroud.Core.Model;
+using IdentityShroud.Core.Security.Keys;
+
+namespace IdentityShroud.Core.Services;
+
+public class KeyService(
+    IDekEncryptionService cryptor,
+    IKeyProviderFactory keyProviderFactory,
+    IClock clock) : IKeyService
+{
+    public RealmKey CreateKey(KeyPolicy policy)
+    {
+        IKeyProvider provider = keyProviderFactory.CreateProvider(policy.KeyType);
+        var plainKey = provider.CreateKey(policy);
+
+        return CreateKey(policy.KeyType, plainKey);
+    }
+
+    public JsonWebKey? CreateJsonWebKey(RealmKey realmKey)
+    {
+        JsonWebKey jwk = new()
+        {
+            KeyId = realmKey.Id.ToString(),
+            KeyType = realmKey.KeyType,
+            Use = "sig",
+        };
+        
+        IKeyProvider provider = keyProviderFactory.CreateProvider(realmKey.KeyType);
+        provider.SetJwkParameters(
+            cryptor.Decrypt(realmKey.Key),
+            jwk);
+
+        return jwk;
+    }
+
+    private RealmKey CreateKey(string keyType, byte[] plainKey) =>
+        new RealmKey()
+            {
+                Id = Guid.NewGuid(),
+                KeyType = keyType,
+                Key = cryptor.Encrypt(plainKey),
+                CreatedAt = clock.UtcNow(),
+            };
+}

IdentityShroud.Core/Services/MasterEncryptionService.cs

@@ -1,23 +0,0 @@
-using IdentityShroud.Core.Contracts;
-using IdentityShroud.Core.Security;
-
-namespace IdentityShroud.Core.Services;
-
-/// <summary>
-/// 
-/// </summary>
-/// <param name="encryptionKey">Encryption key as base64, must be 32 bytes</param>
-public class EncryptionService(string keyBase64) : IEncryptionService
-{
-    private readonly byte[] encryptionKey = Convert.FromBase64String(keyBase64);
-
-    public byte[] Encrypt(byte[] plain)
-    {
-        return AesGcmHelper.EncryptAesGcm(plain, encryptionKey);
-    }
-
-    public byte[] Decrypt(byte[] cipher)
-    {
-        return AesGcmHelper.DecryptAesGcm(cipher, encryptionKey);
-    }
-}

IdentityShroud.Core/Services/RealmContext.cs

@@ -0,0 +1,26 @@
+using IdentityShroud.Core.Contracts;
+using IdentityShroud.Core.Model;
+using Microsoft.AspNetCore.Http;
+
+namespace IdentityShroud.Core.Services;
+
+public class RealmContext(
+    IHttpContextAccessor accessor,
+    IRealmService realmService) : IRealmContext
+{
+    public Realm GetRealm()
+    {
+        return (Realm)accessor.HttpContext.Items["RealmEntity"];
+    }
+
+    public async Task<IList<RealmDek>> GetDeks(CancellationToken ct = default)
+    {
+        Realm realm = GetRealm();
+        if (realm.Deks.Count == 0)
+        {
+            await realmService.LoadDeks(realm);
+        }
+
+        return realm.Deks;
+    }
+}

IdentityShroud.Core/Services/RealmService.cs

@@ -1,8 +1,10 @@
-using System.Security.Cryptography;
 using IdentityShroud.Core.Contracts;
 using IdentityShroud.Core.Helpers;
 using IdentityShroud.Core.Messages.Realm;
 using IdentityShroud.Core.Model;
+using IdentityShroud.Core.Security.Keys;
+using IdentityShroud.Core.Security.Keys.Rsa;
+using Microsoft.EntityFrameworkCore;
 
 namespace IdentityShroud.Core.Services;
 
@@ -10,8 +12,20 @@ public record RealmCreateResponse(Guid Id, string Slug, string Name);
 
 public class RealmService(
     Db db,
-    IEncryptionService encryptionService) : IRealmService
+    IKeyService keyService) : IRealmService
 {
+    public async Task<Realm?> FindById(Guid id, CancellationToken ct = default)
+    {
+        return await db.Realms
+            .SingleOrDefaultAsync(r => r.Id == id, ct);
+    }
+
+    public async Task<Realm?> FindBySlug(string slug, CancellationToken ct = default)
+    {
+        return await db.Realms
+            .SingleOrDefaultAsync(r => r.Slug == slug, ct);
+    }
+
     public async Task<Result<RealmCreateResponse>> Create(RealmCreateRequest request, CancellationToken ct = default)
     {
         Realm realm = new()
@@ -21,8 +35,7 @@ public class RealmService(
             Name = request.Name,
         };
         
-        using RSA rsa = RSA.Create(2048);
-        realm.SetPrivateKey(encryptionService, rsa.ExportPkcs8PrivateKey());
+        realm.Keys.Add(keyService.CreateKey(GetKeyPolicy(realm)));
 
         db.Add(realm);
         await db.SaveChangesAsync(ct);
@@ -30,4 +43,27 @@ public class RealmService(
         return new RealmCreateResponse(
             realm.Id, realm.Slug, realm.Name);
     }
+
+    /// <summary>
+    /// Place holder for getting policies from the realm and falling back to sane defaults when no policies have been set.
+    /// </summary>
+    /// <param name="_"></param>
+    /// <returns></returns>
+    private KeyPolicy GetKeyPolicy(Realm _) => new RsaKeyPolicy();
+    
+
+    public async Task LoadActiveKeys(Realm realm)
+    {
+        await db.Entry(realm).Collection(r => r.Keys)
+            .Query()
+            .Where(k => k.RevokedAt == null)
+            .LoadAsync();
+    }
+
+    public async Task LoadDeks(Realm realm)
+    {
+        await db.Entry(realm).Collection(r => r.Deks)
+            .Query()
+            .LoadAsync();
+    }
 }

IdentityShroud.TestUtils.Tests/Asserts/JsonObjectAssertTests.cs

@@ -0,0 +1,70 @@
+using System.Text.Json.Nodes;
+using IdentityShroud.TestUtils.Asserts;
+using Xunit.Sdk;
+
+namespace IdentityShroud.TestUtils.Tests.Asserts;
+
+public class JsonObjectAssertTests
+{
+    [Theory]
+    [InlineData("foo", new string[] { "foo" })]
+    [InlineData("foo.bar", new string[] { "foo", "bar" })]
+    [InlineData("foo[1].bar", new string[] { "foo", "1", "bar" })]
+    public void ParsePath(string path, string[] expected)
+    {
+        var result = JsonObjectAssert.ParsePath(path);
+        Assert.Equal(expected, result);
+    }
+    
+    [Fact]
+    public void NavigateToPath_Success()
+    {
+        JsonObject foo = new();
+        foo["bar"] = 1;
+        JsonObject obj = new();
+        obj["foo"] = foo;
+        
+        JsonNode? node = JsonObjectAssert.NavigateToPath(obj, ["foo", "bar"]);
+        Assert.NotNull(node);
+    }
+    
+    [Fact]
+    public void NavigateToPath_PathDoesNotExist()
+    {
+        JsonObject obj = new();
+        Assert.Throws<XunitException>(
+            () => JsonObjectAssert.NavigateToPath(obj, ["test"]),
+            ex => ex.Message.StartsWith("Path 'test' does not exist") ? null : ex.Message);
+    }
+
+    [Fact]
+    public void NavigateToPath_MemberOfNullObject()
+    {
+        JsonObject obj = new();
+        obj["foo"] = null;
+        
+        Assert.Throws<XunitException>(
+            () => JsonObjectAssert.NavigateToPath(obj, ["foo", "bar"]),
+            ex => ex.Message.StartsWith("Path 'foo.bar' does not exist") ? null : ex.Message);
+    }
+
+    [Fact]
+    public void Equal_WrongType()
+    {
+        JsonObject obj = new();
+        obj["test"] = new JsonObject();
+        
+        Assert.Throws<XunitException>(
+            () => JsonObjectAssert.Equal("str", obj, ["test"]),
+            ex => ex.Message.StartsWith("Type mismatch") ? null : ex.Message);
+    }
+    
+    [Fact]
+    public void Equal_Match()
+    {
+        JsonObject obj = new();
+        obj["test"] = "str";
+
+        JsonObjectAssert.Equal("str", obj, ["test"]);
+    }
+}

IdentityShroud.TestUtils.Tests/IdentityShroud.TestUtils.Tests.csproj

@@ -0,0 +1,26 @@
+<Project Sdk="Microsoft.NET.Sdk">
+
+    <PropertyGroup>
+        <TargetFramework>net10.0</TargetFramework>
+        <ImplicitUsings>enable</ImplicitUsings>
+        <Nullable>enable</Nullable>
+    </PropertyGroup>
+
+    <ItemGroup>
+        <PackageReference Include="coverlet.collector" Version="6.0.4"/>
+        <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.14.1"/>
+        <PackageReference Include="NSubstitute" Version="5.3.0" />
+        <PackageReference Include="xunit.runner.visualstudio" Version="3.1.4"/>
+        <PackageReference Include="xunit.v3" Version="3.2.2" />
+    </ItemGroup>
+
+    <ItemGroup>
+        <Using Include="Xunit"/>
+        <Using Include="NSubstitute"/>
+    </ItemGroup>
+
+    <ItemGroup>
+      <ProjectReference Include="..\IdentityShroud.TestUtils\IdentityShroud.TestUtils.csproj" />
+    </ItemGroup>
+    
+</Project>

IdentityShroud.TestUtils/Asserts/JsonObjectAssert.cs

@@ -0,0 +1,363 @@
+using System.Text.Json.Nodes;
+using System.Text.RegularExpressions;
+
+namespace IdentityShroud.TestUtils.Asserts;
+
+public static class JsonObjectAssert
+{
+    /// <summary>
+    /// Parses a path string that may contain array indices (e.g., "items[0].name") into individual segments.
+    /// </summary>
+    /// <param name="path">The path string with optional array indices</param>
+    /// <returns>Array of path segments where array indices are separate segments</returns>
+    public static string[] ParsePath(string path)
+    {
+        var segments = new List<string>();
+        var parts = path.Split('.');
+
+        foreach (var part in parts)
+        {
+            // Check if the part contains array indexing like "items[0]"
+            var match = Regex.Match(part, @"^(.+?)\[(\d+)\]$");
+            if (match.Success)
+            {
+                // Add the property name
+                segments.Add(match.Groups[1].Value);
+                // Add the array index
+                segments.Add(match.Groups[2].Value);
+            }
+            else
+            {
+                segments.Add(part);
+            }
+        }
+
+        return segments.ToArray();
+    }
+
+    /// <summary>
+    /// Navigates to a JsonNode at the specified path and returns it.
+    /// Throws XunitException if the path doesn't exist or is invalid.
+    /// </summary>
+    /// <param name="jsonObject">The root JsonObject to navigate from</param>
+    /// <param name="pathArray">The path segments to navigate</param>
+    /// <returns>The JsonNode at the specified path (can be null if the value is null)</returns>
+    public static JsonNode? NavigateToPath(JsonObject jsonObject, string[] pathArray)
+    {
+        if (pathArray.Length == 0)
+            throw new ArgumentException("Path cannot be empty");
+
+        JsonNode? current = jsonObject;
+        string currentPath = "";
+
+        foreach (var segment in pathArray)
+        {
+            currentPath = string.IsNullOrEmpty(currentPath) ? segment : $"{currentPath}.{segment}";
+
+            if (current == null)
+                throw new Xunit.Sdk.XunitException(
+                    $"Path '{currentPath}' does not exist - parent node is null");
+
+            if (current is JsonObject obj)
+            {
+                if (!obj.ContainsKey(segment))
+                    throw new Xunit.Sdk.XunitException(
+                        $"Path '{currentPath}' does not exist - property '{segment}' not found");
+
+                current = obj[segment];
+            }
+            else if (current is JsonArray arr && int.TryParse(segment, out int index))
+            {
+                if (index < 0 || index >= arr.Count)
+                    throw new Xunit.Sdk.XunitException(
+                        $"Path '{currentPath}' does not exist - array index {index} out of bounds (array length: {arr.Count})");
+
+                current = arr[index];
+            }
+            else
+            {
+                throw new Xunit.Sdk.XunitException(
+                    $"Path '{currentPath}' is invalid - cannot navigate through non-object/non-array node at '{segment}'");
+            }
+        }
+
+        return current;
+    }
+
+    /// <summary>
+    /// Asserts that a JsonObject contains the expected value at the specified path.
+    /// Validates that the path exists, field types match, and values are equal.
+    /// </summary>
+    /// <typeparam name="T">The expected type of the value</typeparam>
+    /// <param name="expected">The expected value</param>
+    /// <param name="jsonObject">The JsonObject to validate</param>
+    /// <param name="path">The path to the field as an enumerable of property names</param>
+    public static void Equal<T>(T expected, JsonObject jsonObject, IEnumerable<string> path)
+    {
+        var pathArray = path.ToArray();
+        var current = NavigateToPath(jsonObject, pathArray);
+
+        if (current == null)
+        {
+            if (expected != null)
+                throw new Xunit.Sdk.XunitException(
+                    $"Expected value '{expected}' at path '{string.Join(".", pathArray)}', but found null");
+            return;
+        }
+
+        // Type and value validation
+        try
+        {
+            T? actualValue = current.GetValue<T>();
+            Assert.Equal(expected, actualValue);
+        }
+        catch (InvalidOperationException ex)
+        {
+            throw new Xunit.Sdk.XunitException(
+                $"Type mismatch at path '{string.Join(".", pathArray)}': cannot convert JsonNode to {typeof(T).Name}. {ex.Message}");
+        }
+        catch (FormatException ex)
+        {
+            throw new Xunit.Sdk.XunitException(
+                $"Format error at path '{string.Join(".", pathArray)}': cannot convert value to {typeof(T).Name}. {ex.Message}");
+        }
+    }
+
+    /// <summary>
+    /// Asserts that a JsonObject contains the expected value at the specified path.
+    /// Validates that the path exists, field types match, and values are equal.
+    /// </summary>
+    /// <typeparam name="T">The expected type of the value</typeparam>
+    /// <param name="expected">The expected value</param>
+    /// <param name="jsonObject">The JsonObject to validate</param>
+    /// <param name="path">The path to the field as dot-separated string with optional array indices (e.g., "user.addresses[0].city")</param>
+    public static void Equal<T>(T expected, JsonObject jsonObject, string path)
+    {
+        Equal(expected, jsonObject, ParsePath(path));
+    }
+
+    /// <summary>
+    /// Asserts that a path exists in the JsonObject without validating the value.
+    /// </summary>
+    /// <param name="jsonObject">The JsonObject to validate</param>
+    /// <param name="path">The path to check for existence</param>
+    public static void PathExists(JsonObject jsonObject, IEnumerable<string> path)
+    {
+        var pathArray = path.ToArray();
+        NavigateToPath(jsonObject, pathArray);
+        // If NavigateToPath doesn't throw, the path exists
+    }
+
+    /// <summary>
+    /// Asserts that a path exists in the JsonObject without validating the value.
+    /// </summary>
+    /// <param name="jsonObject">The JsonObject to validate</param>
+    /// <param name="path">The path to check for existence as dot-separated string with optional array indices</param>
+    public static void PathExists(JsonObject jsonObject, string path)
+    {
+        PathExists(jsonObject, ParsePath(path));
+    }
+
+    /// <summary>
+    /// Asserts that a JsonArray at the specified path has the expected count.
+    /// Validates that the path exists, is a JsonArray, and has the expected number of elements.
+    /// </summary>
+    /// <param name="expectedCount">The expected number of elements in the array</param>
+    /// <param name="jsonObject">The JsonObject to validate</param>
+    /// <param name="path">The path to the array as an enumerable of property names</param>
+    public static void Count(int expectedCount, JsonObject jsonObject, IEnumerable<string> path)
+    {
+        var pathArray = path.ToArray();
+        var current = NavigateToPath(jsonObject, pathArray);
+        var pathString = string.Join(".", pathArray);
+
+        if (current == null)
+            throw new Xunit.Sdk.XunitException(
+                $"Path '{pathString}' contains null - cannot verify count on null value");
+
+        if (current is not JsonArray array)
+            throw new Xunit.Sdk.XunitException(
+                $"Path '{pathString}' does not contain a JsonArray - found {current.GetType().Name} instead");
+
+        if (array.Count != expectedCount)
+            throw new Xunit.Sdk.XunitException(
+                $"Expected array at path '{pathString}' to have {expectedCount} element(s), but found {array.Count}");
+    }
+
+    /// <summary>
+    /// Asserts that a JsonArray at the specified path has the expected count.
+    /// Validates that the path exists, is a JsonArray, and has the expected number of elements.
+    /// </summary>
+    /// <param name="expectedCount">The expected number of elements in the array</param>
+    /// <param name="jsonObject">The JsonObject to validate</param>
+    /// <param name="path">The path to the array as dot-separated string with optional array indices (e.g., "user.addresses")</param>
+    public static void Count(int expectedCount, JsonObject jsonObject, string path)
+    {
+        Count(expectedCount, jsonObject, ParsePath(path));
+    }
+
+    /// <summary>
+    /// Gets a JsonArray at the specified path for performing custom assertions on its elements.
+    /// Validates that the path exists and is a JsonArray.
+    /// </summary>
+    /// <param name="jsonObject">The JsonObject to navigate</param>
+    /// <param name="path">The path to the array as an enumerable of property names</param>
+    /// <returns>The JsonArray at the specified path</returns>
+    public static JsonArray GetArray(JsonObject jsonObject, IEnumerable<string> path)
+    {
+        var pathArray = path.ToArray();
+        var current = NavigateToPath(jsonObject, pathArray);
+        var pathString = string.Join(".", pathArray);
+
+        if (current == null)
+            throw new Xunit.Sdk.XunitException(
+                $"Path '{pathString}' contains null - expected a JsonArray");
+
+        if (current is not JsonArray array)
+            throw new Xunit.Sdk.XunitException(
+                $"Path '{pathString}' does not contain a JsonArray - found {current.GetType().Name} instead");
+
+        return array;
+    }
+
+    /// <summary>
+    /// Gets a JsonArray at the specified path for performing custom assertions on its elements.
+    /// Validates that the path exists and is a JsonArray.
+    /// </summary>
+    /// <param name="jsonObject">The JsonObject to navigate</param>
+    /// <param name="path">The path to the array as dot-separated string with optional array indices (e.g., "user.addresses")</param>
+    /// <returns>The JsonArray at the specified path</returns>
+    public static JsonArray GetArray(JsonObject jsonObject, string path)
+    {
+        return GetArray(jsonObject, ParsePath(path));
+    }
+
+    /// <summary>
+    /// Asserts that all elements in a JsonArray at the specified path satisfy the given predicate.
+    /// </summary>
+    /// <param name="jsonObject">The JsonObject to validate</param>
+    /// <param name="path">The path to the array</param>
+    /// <param name="predicate">The predicate to test each element against</param>
+    public static void All(JsonObject jsonObject, IEnumerable<string> path, Func<JsonNode?, bool> predicate)
+    {
+        var array = GetArray(jsonObject, path);
+        var pathString = string.Join(".", path);
+
+        for (int i = 0; i < array.Count; i++)
+        {
+            if (!predicate(array[i]))
+                throw new Xunit.Sdk.XunitException(
+                    $"Predicate failed for element at index {i} in array at path '{pathString}'");
+        }
+    }
+
+    /// <summary>
+    /// Asserts that all elements in a JsonArray at the specified path satisfy the given predicate.
+    /// </summary>
+    /// <param name="jsonObject">The JsonObject to validate</param>
+    /// <param name="path">The path to the array as dot-separated string</param>
+    /// <param name="predicate">The predicate to test each element against</param>
+    public static void All(JsonObject jsonObject, string path, Func<JsonNode?, bool> predicate)
+    {
+        All(jsonObject, ParsePath(path), predicate);
+    }
+
+    /// <summary>
+    /// Asserts that at least one element in a JsonArray at the specified path satisfies the given predicate.
+    /// </summary>
+    /// <param name="jsonObject">The JsonObject to validate</param>
+    /// <param name="path">The path to the array</param>
+    /// <param name="predicate">The predicate to test each element against</param>
+    public static void Any(JsonObject jsonObject, IEnumerable<string> path, Func<JsonNode?, bool> predicate)
+    {
+        var array = GetArray(jsonObject, path);
+        var pathString = string.Join(".", path);
+
+        foreach (var element in array)
+        {
+            if (predicate(element))
+                return;
+        }
+
+        throw new Xunit.Sdk.XunitException(
+            $"No element in array at path '{pathString}' satisfies the predicate");
+    }
+
+    /// <summary>
+    /// Asserts that at least one element in a JsonArray at the specified path satisfies the given predicate.
+    /// </summary>
+    /// <param name="jsonObject">The JsonObject to validate</param>
+    /// <param name="path">The path to the array as dot-separated string</param>
+    /// <param name="predicate">The predicate to test each element against</param>
+    public static void Any(JsonObject jsonObject, string path, Func<JsonNode?, bool> predicate)
+    {
+        Any(jsonObject, ParsePath(path), predicate);
+    }
+
+    /// <summary>
+    /// Performs an action on each element in a JsonArray at the specified path.
+    /// Useful for running custom assertions on each element.
+    /// </summary>
+    /// <param name="jsonObject">The JsonObject to validate</param>
+    /// <param name="path">The path to the array</param>
+    /// <param name="assertAction">The action to perform on each element</param>
+    public static void ForEach(JsonObject jsonObject, IEnumerable<string> path, Action<JsonNode?, int> assertAction)
+    {
+        var array = GetArray(jsonObject, path);
+
+        for (int i = 0; i < array.Count; i++)
+        {
+            assertAction(array[i], i);
+        }
+    }
+
+    /// <summary>
+    /// Performs an action on each element in a JsonArray at the specified path.
+    /// Useful for running custom assertions on each element.
+    /// </summary>
+    /// <param name="jsonObject">The JsonObject to validate</param>
+    /// <param name="path">The path to the array as dot-separated string</param>
+    /// <param name="assertAction">The action to perform on each element (element, index)</param>
+    public static void ForEach(JsonObject jsonObject, string path, Action<JsonNode?, int> assertAction)
+    {
+        ForEach(jsonObject, ParsePath(path), assertAction);
+    }
+
+    /// <summary>
+    /// Asserts that a JsonArray at the specified path contains an element with a specific value at a property path.
+    /// </summary>
+    /// <typeparam name="T">The expected type of the value</typeparam>
+    /// <param name="jsonObject">The JsonObject to validate</param>
+    /// <param name="arrayPath">The path to the array</param>
+    /// <param name="propertyPath">The property path within each array element to check</param>
+    /// <param name="expectedValue">The expected value</param>
+    public static void Contains<T>(JsonObject jsonObject, string arrayPath, string propertyPath, T expectedValue)
+    {
+        var array = GetArray(jsonObject, arrayPath);
+        var propertySegments = ParsePath(propertyPath);
+
+        foreach (var element in array)
+        {
+            if (element is JsonObject elementObj)
+            {
+                try
+                {
+                    var current = NavigateToPath(elementObj, propertySegments);
+                    if (current != null)
+                    {
+                        var actualValue = current.GetValue<T>();
+                        if (EqualityComparer<T>.Default.Equals(actualValue, expectedValue))
+                            return;
+                    }
+                }
+                catch
+                {
+                    // Continue checking other elements
+                }
+            }
+        }
+
+        throw new Xunit.Sdk.XunitException(
+            $"Array at path '{arrayPath}' does not contain an element with {propertyPath} = {expectedValue}");
+    }
+}

IdentityShroud.TestUtils/IdentityShroud.TestUtils.csproj

@@ -0,0 +1,25 @@
+<Project Sdk="Microsoft.NET.Sdk">
+
+    <PropertyGroup>
+        <TargetFramework>net10.0</TargetFramework>
+        <ImplicitUsings>enable</ImplicitUsings>
+        <Nullable>enable</Nullable>
+        <IsTestProject>false</IsTestProject>
+    </PropertyGroup>
+
+    <ItemGroup>
+      <PackageReference Include="FluentResults" Version="4.0.0" />
+      <PackageReference Include="xunit.v3.assert" Version="3.2.2" />
+      <PackageReference Include="NSubstitute" Version="5.3.0" />
+    </ItemGroup>
+
+    <ItemGroup>
+      <ProjectReference Include="..\IdentityShroud.Core\IdentityShroud.Core.csproj" />
+    </ItemGroup>
+    
+    <ItemGroup>
+        <Using Include="Xunit"/>
+        <Using Include="NSubstitute"/>
+    </ItemGroup>
+
+</Project>

IdentityShroud.TestUtils/Substitutes/NullDataEncryptionService.cs

@@ -0,0 +1,18 @@
+using IdentityShroud.Core.Contracts;
+using IdentityShroud.Core.Security;
+
+namespace IdentityShroud.TestUtils.Substitutes;
+
+public class NullDataEncryptionService : IDataEncryptionService
+{
+    public DekId KeyId { get; } = DekId.NewId(); 
+    public EncryptedValue Encrypt(ReadOnlySpan<byte> plain)
+    {
+        return new(KeyId, plain.ToArray());
+    }
+
+    public byte[] Decrypt(EncryptedValue input)
+    {
+        return input.Value;
+    }
+}

IdentityShroud.TestUtils/Substitutes/NullDekEncryptionService.cs

@@ -0,0 +1,18 @@
+using IdentityShroud.Core.Contracts;
+using IdentityShroud.Core.Security;
+
+namespace IdentityShroud.TestUtils.Substitutes;
+
+public class NullDekEncryptionService : IDekEncryptionService
+{
+    public KekId KeyId { get; } = KekId.NewId(); 
+    public EncryptedDek Encrypt(ReadOnlySpan<byte> plain)
+    {
+        return new(KeyId, plain.ToArray());
+    }
+
+    public byte[] Decrypt(EncryptedDek input)
+    {
+        return input.Value;
+    }
+}

IdentityShroud.sln

@@ -12,6 +12,12 @@ Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "IdentityShroud.Migrations",
 EndProject
 Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "IdentityShroud.Api.Tests", "IdentityShroud.Api.Tests\IdentityShroud.Api.Tests.csproj", "{4758FE2E-A437-44F0-B58E-09E52D67D288}"
 EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "IdentityShroud.TestUtils", "IdentityShroud.TestUtils\IdentityShroud.TestUtils.csproj", "{A8554BCC-C9B6-4D96-90AD-FE80E95441F4}"
+EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "IdentityShroud.TestUtils.Tests", "IdentityShroud.TestUtils.Tests\IdentityShroud.TestUtils.Tests.csproj", "{35D33207-27A8-43E9-A8CA-A158A1E4448C}"
+EndProject
+Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Tests", "Tests", "{980900AA-E052-498B-A41A-4F33A8678828}"
+EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 		Debug|Any CPU = Debug|Any CPU
@@ -38,5 +44,19 @@ Global
 		{4758FE2E-A437-44F0-B58E-09E52D67D288}.Debug|Any CPU.Build.0 = Debug|Any CPU
 		{4758FE2E-A437-44F0-B58E-09E52D67D288}.Release|Any CPU.ActiveCfg = Release|Any CPU
 		{4758FE2E-A437-44F0-B58E-09E52D67D288}.Release|Any CPU.Build.0 = Release|Any CPU
+		{A8554BCC-C9B6-4D96-90AD-FE80E95441F4}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{A8554BCC-C9B6-4D96-90AD-FE80E95441F4}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{A8554BCC-C9B6-4D96-90AD-FE80E95441F4}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{A8554BCC-C9B6-4D96-90AD-FE80E95441F4}.Release|Any CPU.Build.0 = Release|Any CPU
+		{35D33207-27A8-43E9-A8CA-A158A1E4448C}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{35D33207-27A8-43E9-A8CA-A158A1E4448C}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{35D33207-27A8-43E9-A8CA-A158A1E4448C}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{35D33207-27A8-43E9-A8CA-A158A1E4448C}.Release|Any CPU.Build.0 = Release|Any CPU
+	EndGlobalSection
+	GlobalSection(NestedProjects) = preSolution
+		{4758FE2E-A437-44F0-B58E-09E52D67D288} = {980900AA-E052-498B-A41A-4F33A8678828}
+		{DC887623-8680-4D3B-B23A-D54F7DA91891} = {980900AA-E052-498B-A41A-4F33A8678828}
+		{35D33207-27A8-43E9-A8CA-A158A1E4448C} = {980900AA-E052-498B-A41A-4F33A8678828}
+		{A8554BCC-C9B6-4D96-90AD-FE80E95441F4} = {980900AA-E052-498B-A41A-4F33A8678828}
 	EndGlobalSection
 EndGlobal

IdentityShroud.sln.DotSettings.user

@@ -1,16 +1,48 @@
 <wpf:ResourceDictionary xml:space="preserve" xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml" xmlns:s="clr-namespace:System;assembly=mscorlib" xmlns:ss="urn:shemas-jetbrains-com:settings-storage-xaml" xmlns:wpf="http://schemas.microsoft.com/winfx/2006/xaml/presentation">
 	<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003AAesGcm_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003F_002Econfig_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FSourcesCache_003F26fbd7ed219da834e9eaf78ad486d552132eb3c92bbfccff8c27249cdf5f6722_003FAesGcm_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
+	<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003AAesGcm_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003F_002Econfig_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FSourcesCache_003F2baadb96535b9acc4cb6c54e5379b87513f15ea119f8b153ed795a99ea3d340_003FAesGcm_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
 	<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003ACallInfo_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003F_002Econfig_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FDecompilerCache_003Fdecompiler_003F402b2077f38742cb9b381ab9e79e493229c00_003F81_003F75c3679f_003FCallInfo_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
+	<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003AConfigurationSection_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003F_002Econfig_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FSourcesCache_003F55e3307e9c416bdbce02cdd9eabe8ac72fe3b3d981f3b2220e31ff9c916653c_003FConfigurationSection_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
+	<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003ADebugger_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003F_002Econfig_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FSourcesCache_003Ff9d2f95d72fa884d8b6ddefc717c56da3657fbb2d5fb683656c3589eb6587_003FDebugger_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
+	<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003ADeveloperExceptionPageMiddlewareImpl_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003F_002Econfig_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FSourcesCache_003F2b5a64a615692cae2c8f378e99676581abe4bc355bb3844bfc6c6db3d576853_003FDeveloperExceptionPageMiddlewareImpl_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
+	<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003AECDsa_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003F_002Econfig_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FSourcesCache_003Fb69681dc22e362c8b157b358e58abc4b44cb12b573c82fa37c483ad8807c8f_003FECDsa_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
+	<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003AGeneratedRouteBuilderExtensions_002Eg_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003F_002Econfig_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FSourcesCache_003F698a85dfa04f73158f8da37069798c22c467dfc_003FGeneratedRouteBuilderExtensions_002Eg_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
+	<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003AGeneratedRouteBuilderExtensions_002Eg_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003F_002Econfig_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FSourcesCache_003F9f95c1d38311d5248a1d1324797b98c2e56789a_003FGeneratedRouteBuilderExtensions_002Eg_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
 	<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003AHealthCheckEndpointRouteBuilderExtensions_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003F_002Econfig_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FDecompilerCache_003Fdecompiler_003F6d0f079e13da4e98881aa3e6e169c6d34f08_003F0e_003Fc2b30661_003FHealthCheckEndpointRouteBuilderExtensions_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
+	<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003AIAsyncDisposable_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003F_002Econfig_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FSourcesCache_003F7d59f4f94af72f8d3797655412cdc64435acc6454985685e415ee5fe817f_003FIAsyncDisposable_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
 	<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003AKeySizes_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003F_002Econfig_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FSourcesCache_003Fe6cebf5d2d92b49eb99f568415b3cd457a252cacf81d426ca4f3e94ff429daf7_003FKeySizes_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
+	<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003AList_00601_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003F_002Econfig_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FDecompilerCache_003Fdecompiler_003Fd2753e160c1949ef9afa6a794019cfe8d908_003Fce_003Fba21ad0a_003FList_00601_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
 	<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003ANamingConventionsExtensions_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003F_002Econfig_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FSourcesCache_003Feacd26cff49d864d97bf44d3424fd383a26620b1d0c43fb1d6f115da85c655_003FNamingConventionsExtensions_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
 	<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003AOkOfT_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003F_002Econfig_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FSourcesCache_003Fe2a19de442f561af862af2dcad0852b7e62707a5cf194d266d1656f92bbb6d2_003FOkOfT_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
 	<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003APostgreSqlBuilder_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003F_002Econfig_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FSourcesCache_003Fcdd0beaf7beaf8366c0862f34fe40da30911084d957625ab31577851ee8cae7_003FPostgreSqlBuilder_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
+	<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003APostgreSqlContainer_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003F_002Econfig_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FSourcesCache_003Fc82112acf224de1d157da0309437b227be6c1ef877865c23872f49eaf9d73c_003FPostgreSqlContainer_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
+	<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003AReadOnlyMemory_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003F_002Econfig_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FSourcesCache_003Fc19b2538fdfabf70658aed8979dd83e9ca11e27f5b3df68950e8ecb4d879e_003FReadOnlyMemory_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
+	<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003AResultsOfT_002EGenerated_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003F_002Econfig_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FSourcesCache_003Fff2e2c5ca93c7786ef8425ca6caf751702328924211687ce72e74fd1265e8_003FResultsOfT_002EGenerated_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
+	<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003ARouteGroupBuilder_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003F_002Econfig_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FSourcesCache_003Fd42b8f8feda3bfb3dc17f133a52ce45931ed5066c46a4d834c8ed46e0a6_003FRouteGroupBuilder_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
+	<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003AThrowHelper_002ESerialization_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003F_002Econfig_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FSourcesCache_003F8433b9271c0f176fb5ceb7b1c3d62e1318fe8e62b4e5d7e882952dc543fec_003FThrowHelper_002ESerialization_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
 	<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003ATypedResults_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003F_002Econfig_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FSourcesCache_003Fcea118513a410f660e578fe32bed95cf86457dd135e4b4632ca91eb4f7b_003FTypedResults_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
+	<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003AWebEncoders_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003F_002Econfig_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FSourcesCache_003Fce6b69dd397f614758bc5821136ec8af3fa22563dd657769e231f51be1fbbc_003FWebEncoders_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
 	<s:String x:Key="/Default/dotCover/Editor/HighlightingSourceSnapshotLocation/@EntryValue">/home/eelke/.cache/JetBrains/Rider2025.3/resharper-host/temp/Rider/vAny/CoverageData/_IdentityShroud.-1277985570/Snapshot/snapshot.utdcvr</s:String>
+	
 	<s:String x:Key="/Default/Environment/Hierarchy/Build/BuildTool/DotNetCliExePath/@EntryValue">/home/eelke/.dotnet/dotnet</s:String>
 	<s:String x:Key="/Default/Environment/Hierarchy/Build/BuildTool/CustomBuildToolPath/@EntryValue">/home/eelke/.dotnet/sdk/10.0.102/MSBuild.dll</s:String>
-	<s:String x:Key="/Default/Environment/UnitTesting/UnitTestSessionStore/Sessions/=7d190ab0_002D4f9d_002D4f9f_002Dad83_002Da57b539f3bbd/@EntryIndexedValue">&lt;SessionState ContinuousTestingMode="0" IsActive="True" Name="All tests from Solution" xmlns="urn:schemas-jetbrains-com:jetbrains-ut-session"&gt;
+	<s:String x:Key="/Default/Environment/UnitTesting/UnitTestSessionStore/Sessions/=ead9ca22_002Dfc70_002D4ddf_002Db4c7_002D534498815537/@EntryIndexedValue">&lt;SessionState ContinuousTestingMode="0" IsActive="True" Name="All tests from Solution" xmlns="urn:schemas-jetbrains-com:jetbrains-ut-session"&gt;
   &lt;Solution /&gt;
 &lt;/SessionState&gt;</s:String>
+	
+	
+	
+	
+	
+	
+	
+	
+	
+	
+	
+	
+	
+	
+	
+	
 	</wpf:ResourceDictionary>

README.md

@@ -0,0 +1,4 @@
+# IdentityShroud
+
+IdentityShroud is a .NET project for identity management and protection.
+