These days, it's really hard to make people trust any library that they can't see the source of, especially those that manage "sensitive stuff" like authentication.
I'm not at all sure it's legal but it has been trivial to view decompiled source code for any .NET class with tools like Reflector for years. If you need to see how it's done, you will see it.
