Releases: Cratis/AuthProxy

Release v2.4.0

01 Jun 06:09
e4fce94

Adds a dedicated Aspire hosting integration library so any Aspire AppHost can add and configure AuthProxy with a fluent, idiomatic API — either as a container resource (external consumers) or layered on top of a ProjectResource (in-repo development).

Added

  • Source/Aspire class library (Aspire.Hosting 9.5.2) with AuthProxyResource : ContainerResource pointing at cratis/authproxy and a full set of fluent extension methods on IResourceBuilder<T> where T : IResourceWithEnvironment — works on both container and project resources

    // Container-based (external consumers)
    builder.AddAuthProxy("authproxy", tag: "1.2.3")
        .WithHttpEndpoint(port: 8080)
        .WithBackend("main", apiResource)
        .WithFrontend("main", webResource)
        .WithOidcProvider("Microsoft", OidcProviderType.Microsoft, authority, clientId, secret)
        .WithHostTenantResolution()
        .WithTenantVerification(platformApi, "/api/tenants/{tenantId}")
        .WithSelectionTenantResolution(platformApi, "/api/tenants/selectable")
        .WithInvite(publicKeyPem, studioApi, "/internal/invites/exchange", issuer: "https://studio.example.com")
        .WithInviteClaimForwarding("organization_id", toClaimType: "organization")
        .WithLobbyFrontend(lobbyResource);
    
    // Project-based (in-repo dev — same extension methods apply)
    builder.AddProject("authproxy")
        .WithBackend("main", testApp)
        .WithFrontend("main", web);

    Available methods: AddAuthProxy, WithBackend, WithFrontend, WithOidcProvider, WithOAuthProvider, WithHostTenantResolution, WithSubHostTenantResolution, WithClaimTenantResolution, WithRouteTenantResolution, WithSpecifiedTenantResolution, WithDefaultTenantResolution, WithSelectionTenantResolution, WithTenantVerification, WithInvite, WithInviteClaimForwarding, WithLobbyFrontend, WithLobbyBackend

  • OidcProviderType enum (Custom, Microsoft, Google, GitHub, Apple) in the Aspire library — standalone, no dependency on the AuthProxy web project

  • Documentation/aspire/index.md — how-to guide covering container vs project resource setup, all With* extension methods, the OidcProviderType enum, tenant selection, invites & lobby, identity details resolution, resource-based endpoint references, and cross-links to the existing configuration reference

  • publish-nuget job in .github/workflows/publish.yml using OIDC trusted publishing (NuGet/login@v1) — packs and pushes only Source/Aspire/Aspire.csproj as Cratis.AuthProxy.Aspire to NuGet.org; runs independently of the Docker pipeline

Changed

  • Composition/AppHost.cs updated to use WithBackend / WithFrontend instead of bare WithReference, and now wires up the frontend (web) service as well

  • Source/Aspire/Aspire.csproj updated with full NuGet package metadata (PackageId, Title, Description, Authors, PackageLicenseExpression, RepositoryUrl, PackageTags, IsPackable)

  • WithSelectionTenantResolution updated to accept an optional tenantsEndpoint parameter that maps to TenantResolutions[n].Options.TenantsEndpoint, and a new resource-based overload that accepts an IResourceBuilder<IResourceWithEndpoints> + route so Aspire resolves the base URL automatically

  • WithTenantVerification gains a resource-based overload — pass an Aspire service resource and a route template instead of a full URL

  • WithInvite gains a resource-based overload — pass the exchange service resource and route instead of a hardcoded exchange URL

  • WithBackend gains an optional resolveIdentityDetails parameter (bool?) that maps to Services[name].ResolveIdentityDetails, controlling whether AuthProxy calls /.cratis/me on that service's backend to enrich the identity cookie

Release v2.3.1

13 May 14:12

No release notes

Release v2.3.0

03 May 18:25
593653a

Phase 2 of the invite flow had no handling for when an authenticated user's subject is already registered. Any non-success response from the exchange endpoint was silently swallowed and the pipeline continued.

Added

  • InviteExchangeResult enum (Success, DuplicateSubject, Failed) to distinguish HTTP 409 from other exchange failures (#issue)
  • SubjectAlreadyExistsUrl property on Invite config — when set, redirects on duplicate subject instead of serving the built-in page (#issue)
  • invitation-subject-already-exists.html well-known error page (HTTP 409) for the duplicate-subject condition (#issue)
  • WellKnownPageNames.InvitationSubjectAlreadyExists constant (#issue)

Changed

  • ExchangeInvite return type changed from bool to InviteExchangeResult; HTTP 409 from the exchange endpoint now maps to DuplicateSubject (#issue)
  • Phase 2 handler short-circuits on DuplicateSubject: redirects to SubjectAlreadyExistsUrl if configured, otherwise serves invitation-subject-already-exists.html with HTTP 409 — next is not called (#issue)
  • Docs updated: invites.md, error-pages.md, well-known-pages.md (#issue)

Release v2.2.0

20 Apr 11:05
ee6749f

Added

  • TenantResolutionResult record to carry tenant identity, strategy, and SubHost parent host through the system without stringing values.
  • TenantAuthenticationState helper that stamps tenant metadata into OAuth/OIDC AuthenticationProperties at challenge time and reconstructs the correct SubHost redirect URI in the OnTicketReceived callback.
  • RedirectToLobbyWhenTenantUnresolved configuration option on Invite (defaults to false), making the lobby redirect opt-in rather than unconditional.
  • Unit specs for TenantAuthenticationState covering challenge property creation and post-authentication redirect resolution.
  • End-to-end scenario when_subhost_login_is_challenged asserting tenant metadata is correctly stamped into authentication state.
  • Spec for TenancyMiddleware asserting the lobby redirect only fires when the flag is enabled.

Changed

  • ITenantResolver extended with a TryResolve overload returning the full TenantResolutionResult.
  • All challenge paths (IngressExtensions, SelectProviderMiddleware, InviteMiddleware) now use TenantAuthenticationState.CreateChallengeProperties to stamp tenant state.
  • AuthenticationServiceCollectionExtensions registers OnTicketReceived handlers for both OIDC and OAuth providers to reconstruct the SubHost return URL from state on callback.
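How the challenge-time stamping and the callback-time SubHost reconstruction described above fit together, as an added illustrative example in ASP.NET Core; this is not AuthProxy's own code, and the record members, the Items keys, the "SubHost" strategy name and the DNS-label check are assumptions:

```csharp
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;

// Shape of the result record named in the release notes; members are assumed.
public record TenantResolutionResult(string TenantId, string Strategy, string? SubHostParentHost);

public static class TenantAuthenticationState
{
    const string TenantKey = "authproxy.tenant_id";
    const string StrategyKey = "authproxy.tenant_strategy";
    const string ParentHostKey = "authproxy.subhost_parent";

    // Challenge time: stamp tenant metadata into the protected auth state so it
    // round-trips through the provider and is available again in OnTicketReceived.
    public static AuthenticationProperties CreateChallengeProperties(
        TenantResolutionResult tenant, string returnPath)
    {
        var props = new AuthenticationProperties { RedirectUri = returnPath };
        props.Items[TenantKey] = tenant.TenantId;
        props.Items[StrategyKey] = tenant.Strategy;
        if (tenant.SubHostParentHost is not null)
            props.Items[ParentHostKey] = tenant.SubHostParentHost;
        return props;
    }

    // Callback time: the ticket arrives on the shared callback host, so rebuild
    // https://{tenant}.{parent}{path} for SubHost tenants. Only a relative path
    // stamped at challenge time is honoured and the tenant id must be a single
    // DNS label, so the state cannot steer the redirect to an unrelated host.
    public static Task OnTicketReceived(TicketReceivedContext ctx)
    {
        if (ctx.Properties is null) return Task.CompletedTask;
        var items = ctx.Properties.Items;
        if (items.TryGetValue(StrategyKey, out var strategy) && strategy == "SubHost"
            && items.TryGetValue(TenantKey, out var tenantId) && tenantId is not null
            && items.TryGetValue(ParentHostKey, out var parentHost) && parentHost is not null
            && IsDnsLabel(tenantId))
        {
            var r = ctx.ReturnUri;
            var path = r is not null && r.StartsWith('/') && !r.StartsWith("//") ? r : "/";
            ctx.ReturnUri = $"https://{tenantId}.{parentHost}{path}";
        }
        return Task.CompletedTask;
    }

    static bool IsDnsLabel(string s) =>
        s.Length is > 0 and <= 63 && s.All(c => char.IsAsciiLetterOrDigit(c) || c == '-');
}

// Wiring (assumed): options.Events.OnTicketReceived = TenantAuthenticationState.OnTicketReceived;
```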

Release v2.1.9

20 Apr 07:52

No release notes

Release v2.1.8

20 Apr 07:02

No release notes

Release v2.1.7

19 Apr 17:42

No release notes

Release v2.1.6

19 Apr 12:52

No release notes

Release v2.1.5

19 Apr 09:48
ccbc761

Summary

  • Extract IdentityMiddleware and InviteRedirectMiddleware from InviteMiddleware, separating concerns: invite handling, identity resolution, and lobby redirect are now discrete pipeline steps communicating via context.Items
  • Pipeline order: TenancyMiddleware → InviteMiddleware → IdentityMiddleware → InviteRedirectMiddleware → YARP
  • Restructure spec files into hierarchical when_*/and_* folder layout
  • Add WebApplicationFactory-based end-to-end scenario specs covering the full invite flow, tenant not found, access denied, and page not found

Test plan

  • 265 specs pass (0 failures)
  • 0 build warnings, 0 build errors
  • Invite flow: wrong token → 401 (invalid page), expired → 401 (expired page), valid + authenticated → 302 to lobby with correct cookies
  • Multiple providers → 200 with select-provider page and providers cookie
  • Tenant not found → 404 with tenant-not-found page
  • Access denied → 403 with access-denied page
  • Unknown path → 404

🤖 Generated with Claude Code

Release v2.1.4

18 Apr 20:30
26743e6

Changed

  • Tenant resolution now uses tenant ID strings end-to-end instead of requiring GUID parsing.
  • Added SubHost tenant resolution strategy with typed ParentHost options.
  • Added optional strategy-level verification URL override support for tenant verification back-channel calls.
  • Updated tenancy, middleware, invite, identity propagation, and verifier contracts to use string tenant IDs consistently.

Fixed

  • Tenant-issued invite matching now compares tenant IDs as strings instead of requiring GUID format.
  • Updated and expanded specs to cover SubHost resolution, strategy verification override flow, and string tenant ID behavior.
  • Updated tenancy and configuration documentation to describe string tenant IDs and SubHost verification options.