Releases: Cratis/AuthProxy
Release list
Release v2.4.0
Adds a dedicated Aspire hosting integration library so any Aspire AppHost can add and configure AuthProxy with a fluent, idiomatic API — either as a container resource (external consumers) or layered on top of a ProjectResource (in-repo development).
Added
-
Source/Aspireclass library (Aspire.Hosting9.5.2) withAuthProxyResource : ContainerResourcepointing atcratis/authproxyand a full set of fluent extension methods onIResourceBuilder<T> where T : IResourceWithEnvironment— works on both container and project resources// Container-based (external consumers) builder.AddAuthProxy("authproxy", tag: "1.2.3") .WithHttpEndpoint(port: 8080) .WithBackend("main", apiResource) .WithFrontend("main", webResource) .WithOidcProvider("Microsoft", OidcProviderType.Microsoft, authority, clientId, secret) .WithHostTenantResolution() .WithTenantVerification(platformApi, "/api/tenants/{tenantId}") .WithSelectionTenantResolution(platformApi, "/api/tenants/selectable") .WithInvite(publicKeyPem, studioApi, "/internal/invites/exchange", issuer: "https://studio.example.com") .WithInviteClaimForwarding("organization_id", toClaimType: "organization") .WithLobbyFrontend(lobbyResource); // Project-based (in-repo dev — same extension methods apply) builder.AddProject("authproxy") .WithBackend("main", testApp) .WithFrontend("main", web);
Available methods:
AddAuthProxy,WithBackend,WithFrontend,WithOidcProvider,WithOAuthProvider,WithHostTenantResolution,WithSubHostTenantResolution,WithClaimTenantResolution,WithRouteTenantResolution,WithSpecifiedTenantResolution,WithDefaultTenantResolution,WithSelectionTenantResolution,WithTenantVerification,WithInvite,WithInviteClaimForwarding,WithLobbyFrontend,WithLobbyBackend -
OidcProviderTypeenum (Custom,Microsoft,Google,GitHub,Apple) in the Aspire library — standalone, no dependency on the AuthProxy web project -
Documentation/aspire/index.md— how-to guide covering container vs project resource setup, allWith*extension methods, theOidcProviderTypeenum, tenant selection, invites & lobby, identity details resolution, resource-based endpoint references, and cross-links to the existing configuration reference -
publish-nugetjob in.github/workflows/publish.ymlusing OIDC trusted publishing (NuGet/login@v1) — packs and pushes onlySource/Aspire/Aspire.csprojasCratis.AuthProxy.Aspireto NuGet.org; runs independently of the Docker pipeline
Changed
-
Composition/AppHost.csupdated to useWithBackend/WithFrontendinstead of bareWithReference, and now wires up the frontend (web) service as well -
Source/Aspire/Aspire.csprojupdated with full NuGet package metadata (PackageId,Title,Description,Authors,PackageLicenseExpression,RepositoryUrl,PackageTags,IsPackable) -
WithSelectionTenantResolutionupdated to accept an optionaltenantsEndpointparameter that maps toTenantResolutions[n].Options.TenantsEndpoint, and a new resource-based overload that accepts anIResourceBuilder<IResourceWithEndpoints>+ route so Aspire resolves the base URL automatically -
WithTenantVerificationgains a resource-based overload — pass an Aspire service resource and a route template instead of a full URL -
WithInvitegains a resource-based overload — pass the exchange service resource and route instead of a hardcoded exchange URL -
WithBackendgains an optionalresolveIdentityDetailsparameter (bool?) that maps toServices[name].ResolveIdentityDetails, controlling whether AuthProxy calls/.cratis/meon that service's backend to enrich the identity cookie
Release v2.3.1
Release v2.3.0
Phase 2 of the invite flow had no handling for when an authenticated user's subject is already registered. Any non-success response from the exchange endpoint was silently swallowed and the pipeline continued.
Added
InviteExchangeResultenum (Success,DuplicateSubject,Failed) to distinguish HTTP 409 from other exchange failures (#issue)SubjectAlreadyExistsUrlproperty onInviteconfig — when set, redirects on duplicate subject instead of serving the built-in page (#issue)invitation-subject-already-exists.htmlwell-known error page (HTTP 409) for the duplicate-subject condition (#issue)WellKnownPageNames.InvitationSubjectAlreadyExistsconstant (#issue)
Changed
ExchangeInvitereturn type changed frombooltoInviteExchangeResult; HTTP 409 from the exchange endpoint now maps toDuplicateSubject(#issue)- Phase 2 handler short-circuits on
DuplicateSubject: redirects toSubjectAlreadyExistsUrlif configured, otherwise servesinvitation-subject-already-exists.htmlwith HTTP 409 —nextis not called (#issue) - Docs updated:
invites.md,error-pages.md,well-known-pages.md(#issue)
Release v2.2.0
Added
TenantResolutionResultrecord to carry tenant identity, strategy, and SubHost parent host through the system without stringing values.TenantAuthenticationStatehelper that stamps tenant metadata into OAuth/OIDCAuthenticationPropertiesat challenge time and reconstructs the correct SubHost redirect URI in theOnTicketReceivedcallback.RedirectToLobbyWhenTenantUnresolvedconfiguration option onInvite(defaults tofalse), making the lobby redirect opt-in rather than unconditional.- Unit specs for
TenantAuthenticationStatecovering challenge property creation and post-authentication redirect resolution. - End-to-end scenario
when_subhost_login_is_challengedasserting tenant metadata is correctly stamped into authentication state. - Spec for
TenancyMiddlewareasserting the lobby redirect only fires when the flag is enabled.
Changed
ITenantResolverextended with aTryResolveoverload returning the fullTenantResolutionResult.- All challenge paths (
IngressExtensions,SelectProviderMiddleware,InviteMiddleware) now useTenantAuthenticationState.CreateChallengePropertiesto stamp tenant state. AuthenticationServiceCollectionExtensionsregistersOnTicketReceivedhandlers for both OIDC and OAuth providers to reconstruct the SubHost return URL from state on callback.
Release v2.1.9
Release v2.1.8
Release v2.1.7
Release v2.1.6
Release v2.1.5
Summary
- Extract
IdentityMiddlewareandInviteRedirectMiddlewarefromInviteMiddleware, separating concerns: invite handling, identity resolution, and lobby redirect are now discrete pipeline steps communicating viacontext.Items - Pipeline order:
TenancyMiddleware → InviteMiddleware → IdentityMiddleware → InviteRedirectMiddleware → YARP - Restructure spec files into hierarchical
when_*/and_*folder layout - Add
WebApplicationFactory-based end-to-end scenario specs covering the full invite flow, tenant not found, access denied, and page not found
Test plan
- 265 specs pass (0 failures)
- 0 build warnings, 0 build errors
- Invite flow: wrong token → 401 (invalid page), expired → 401 (expired page), valid + authenticated → 302 to lobby with correct cookies
- Multiple providers → 200 with select-provider page and providers cookie
- Tenant not found → 404 with tenant-not-found page
- Access denied → 403 with access-denied page
- Unknown path → 404
🤖 Generated with Claude Code
Release v2.1.4
Changed
- Tenant resolution now uses tenant ID strings end-to-end instead of requiring GUID parsing.
- Added
SubHosttenant resolution strategy with typedParentHostoptions. - Added optional strategy-level verification URL override support for tenant verification back-channel calls.
- Updated tenancy, middleware, invite, identity propagation, and verifier contracts to use string tenant IDs consistently.
Fixed
- Tenant-issued invite matching now compares tenant IDs as strings instead of requiring GUID format.
- Updated and expanded specs to cover SubHost resolution, strategy verification override flow, and string tenant ID behavior.
- Updated tenancy and configuration documentation to describe string tenant IDs and SubHost verification options.