ProAuth 2.2.0
This release focuses on proactive operational controls and modern deployment/security patterns. Highlights include license health visibility, first-party BFF + OIDC client libraries for SPA security, Kubernetes Gateway API support in Helm charts, and new defenses against brute force and automated attacks.
Core
Enhanced License Monitoring and Validation
ProAuth now performs periodic background license validation at runtime, emitting earlier and more actionable warnings when subscription or software upgrade periods approach expiration. The validation mechanism is designed to coordinate efficiently in containerized/high-availability deployments, and administrators can query detailed product/license information (including version history, licensed features, and expiration dates) via the Management API. License status logging has also been shortened and clarified for improved startup and background-check diagnostics. (#2774)
New ProAuth BFF and OIDC Client Libraries for Secure SPA Architectures
ProAuth now ships official BFF and OIDC Client NuGet packages to enable the Backend-For-Frontend (BFF) pattern for SPAs, keeping access/refresh tokens server-side and using secure HTTP-only cookies in the browser to reduce token exposure risk.
Key capabilities include secure API proxying with YARP-based middleware, flexible token storage providers (including Redis and Dapr) for distributed deployments, advanced OIDC features (token exchange, introspection, and automatic server-side refresh), and support for server-side ticket stores to keep authentication cookies small and efficient. (#2839)
ACTION REQUIRED
If you run the ProAuth Admin App in multi-instance mode, you must configure a corresponding distributed lock Dapr component to ensure correct coordination between instances. When using the default Redis setup, the Helm chart creates this component; for custom configurations, you must provide the appropriate distributed lock Dapr component explicitly. (#2839)
If you operate in a Redis High Availability (HA) environment, ensure your configuration includes the required failover flag, the Redis Sentinel endpoint, and the Redis Sentinel master name. Consult the product documentation for configuration examples. (#2839)
ProAuth CLI Data Initializer Enhancements
The CLI data initializer now caches API responses to significantly improve import performance for complex entity relationship graphs, emits actionable warnings (instead of terminating) when YAML contains invalid or missing entity references, and unifies relationship synchronization across bidirectional many-to-many mappings for consistent behavior across entity types. (#2841)
Infrastructure
Kubernetes Gateway API Support
The official Helm charts for ProAuth and the Admin App now support the Kubernetes Gateway API as a modern alternative to traditional Ingress resources.
This includes HTTPRoute-based routing, the ability to attach to multiple Gateways across namespaces, configurable request/connection timeouts via Helm values, and a dedicated gatewayApi configuration block in values.yaml aligned with current Kubernetes networking standards. (#2865)
Security
Brute Force Protection for UserStore Login and 2FA Verification
ProAuth now supports configurable brute force protection for UserStore password logins and second-factor (2FA) verification. Administrators can enable progressive throttling (exponential backoff delays) and temporary lockout with automatic unlock, configured per UserStore identity provider instance and per TwoFactor instance to match security and usability requirements. (#2866)
Enhanced Bot Protection with CAPTCHA for Login and 2FA
ProAuth now supports CAPTCHA challenges for login and 2FA verification to reduce automated credential stuffing and verification-code guessing.
This update integrates with Cloudflare Turnstile, hCaptcha, and Friendly Captcha (privacy-first options, including an EU-based provider) and supports both always-on enforcement and conditional activation (e.g., “After Failures” mode). CAPTCHA works alongside throttling and account locking for layered defense, and can be enabled independently for password login and second-factor verification via the Management API or Admin UI. (#2867)
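To illustrate how the layered defenses described above fit together (progressive exponential backoff, temporary lockout with automatic unlock, and a CAPTCHA that switches on only "after failures"), here is an added example in Python. It is not ProAuth's code: the `LoginGuard` class, its method names and the thresholds are hypothetical, and the state key is left to the caller so one tracker can be configured per UserStore or TwoFactor instance.

```python
import time


class LoginGuard:
    """Per-account failure tracker applying exponential backoff delays,
    temporary lockout with automatic unlock, and a conditional CAPTCHA
    requirement. Hypothetical illustration, not ProAuth's implementation."""

    def __init__(self, base_delay=1.0, max_delay=60.0,
                 lockout_threshold=5, lockout_seconds=300, captcha_after=2):
        self.base_delay = base_delay          # delay after the first failure
        self.max_delay = max_delay            # cap on the backoff delay
        self.lockout_threshold = lockout_threshold  # failures before lockout
        self.lockout_seconds = lockout_seconds      # lockout duration
        self.captcha_after = captcha_after    # "After Failures" CAPTCHA mode
        self._state = {}  # key -> (failures, last_failure_ts, locked_until)

    def check(self, key, now=None):
        """Return (allowed, wait_seconds, captcha_required) for an attempt."""
        now = time.time() if now is None else now
        failures, last_ts, locked_until = self._state.get(key, (0, 0.0, 0.0))
        if locked_until > now:                # still locked out
            return False, locked_until - now, True
        if locked_until and locked_until <= now:
            self._state.pop(key, None)        # automatic unlock, reset counters
            return True, 0.0, False
        delay = 0.0
        if failures:                          # 1s, 2s, 4s, ... up to max_delay
            delay = min(self.base_delay * 2 ** (failures - 1), self.max_delay)
        remaining = last_ts + delay - now
        captcha = failures >= self.captcha_after
        if remaining > 0:                     # throttled: ask client to wait
            return False, remaining, captcha
        return True, 0.0, captcha

    def record_failure(self, key, now=None):
        """Count a failed password or 2FA attempt; lock after the threshold."""
        now = time.time() if now is None else now
        failures, _, locked_until = self._state.get(key, (0, 0.0, 0.0))
        failures += 1
        if failures >= self.lockout_threshold:
            locked_until = now + self.lockout_seconds
        self._state[key] = (failures, now, locked_until)
        return failures

    def record_success(self, key):
        """Successful login clears all throttling state for the account."""
        self._state.pop(key, None)
```

The tuple returned by `check` maps onto the three responses a login endpoint needs: reject with a retry delay, reject as locked, or proceed with or without a CAPTCHA challenge.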