From 1c24c3e25359db8b3fe8d31a7602db78b0d3a631 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mehmet=20Can=20Karag=C3=B6z?= <m.cankaragoz@outlook.com>
Date: Sun, 22 Mar 2026 20:40:57 +0300
Subject: [PATCH 01/10] Interactive Login Enhancement

---
 .../Components/Layout/MainLayout.razor        |  68 +++++-
 .../Components/Layout/MainLayout.razor.cs     | 129 ++++++++++-
 .../Components/Pages/Home.razor               | 160 ++++++++------
 .../Components/Pages/Home.razor.cs            | 125 +++++++++--
 .../Components/_Imports.razor                 |   1 +
 .../Controllers/HubLoginController.cs         |   2 +-
 .../Program.cs                                |   7 +-
 .../wwwroot/app.css                           |  11 +-
 .../Components/Pages/Login.razor              |   2 +-
 .../Components/Pages/Login.razor.cs           |  16 +-
 .../Contracts/Login/LoginRequest.cs           |   3 +-
 .../Contracts/Login/LoginResult.cs            |   8 +
 .../Contracts/Login/TryLoginResult.cs         |  13 ++
 .../Contracts/Pkce/TryPkceLoginRequest.cs     |  11 +
 .../Contracts/Pkce/TryPkceLoginResult.cs      |  13 ++
 .../Domain/{Pkce => Auth}/AuthArtifact.cs     |   0
 .../Domain/{Pkce => Auth}/AuthArtifactType.cs |   1 +
 .../Domain/Auth/LoginPreviewArtifact.cs       |  53 +++++
 .../Domain/Hub/HubFlowArtifact.cs             |   8 +
 .../Domain/Hub/HubFlowState.cs                |   2 +
 .../Domain/Pkce/HubLoginArtifact.cs           |  30 +--
 .../Security/AuthenticationSecurityState.cs   |  13 +-
 .../Options/UAuthLoginOptions.cs              |   5 +-
 .../Abstractions/IDeviceResolver.cs           |   2 +-
 .../Auth/ClientProfileReader.cs               |  14 +-
 .../Auth/Context/AuthFlowContextFactory.cs    |   6 +-
 .../Auth/IClientProfileReader.cs              |   2 +-
 .../AspNetCore/UAuthAuthenticationHandler.cs  |   2 +-
 .../Abstractions/ILoginEndpointHandler.cs     |   1 +
 .../Abstractions/IPkceEndpointHandler.cs      |   2 +
 .../Endpoints/LoginEndpointHandler.cs         | 202 +++++++++++++++---
 .../Endpoints/PkceEndpointHandler.cs          | 130 ++++++++++-
 .../Endpoints/UAuthEndpointRegistrar.cs       |   6 +
 .../Endpoints/ValidateEndpointHandler.cs      |   6 +-
 .../Extensions/DeviceExtensions.cs            |   4 +-
 .../HttpContextRequestExtensions.cs           |  34 +++
 .../HttpContextReturnUrlExtensions.cs         |  22 +-
 .../Extensions/ServiceCollectionExtensions.cs |   4 +-
 .../Flows/Login/ILoginOrchestrator.cs         |   5 +
 .../Flows/Login/LoginExecutionMode.cs         |   7 +
 .../Flows/Login/LoginExecutionOptions.cs      |   8 +
 .../Flows/Login/LoginOrchestrator.cs          |  66 +++---
 .../Flows/Login/LoginPreviewFingerprint.cs    |  16 ++
 .../ITransportCredentialResolver.cs           |   2 +-
 .../AspNetCore/TransportCredentialResolver.cs |  96 +++------
 ...lver.cs => IValidateCredentialResolver.cs} |   4 +-
 ...olver.cs => ValidateCredentialResolver.cs} |  19 +-
 .../Infrastructure/Device/DeviceResolver.cs   |  18 +-
 .../Infrastructure/Hub/HubFlowReader.cs       |   2 +
 .../Services/IUAuthFlowService.cs             |   7 +
 .../Services/UAuthFlowService.cs              |  21 +-
 .../Components/UAuthLoginForm.razor           |   8 +-
 .../Components/UAuthLoginForm.razor.cs        | 128 ++++++++++-
 .../Infrastructure/UAuthRequestClient.cs      |  22 ++
 .../TScripts/uauth.js                         |  49 +++++
 .../wwwroot/uauth.min.js                      |   2 +-
 .../Contracts/PkceClientState.cs              |   7 -
 .../Contracts/UAuthSubmitMode.cs              |   8 +
 .../Infrastructure/IUAuthRequestClient.cs     |   3 +
 .../Options/UAuthClientEndpointOptions.cs     |   2 +
 .../Services/Abstractions/IFlowClient.cs      |   3 +
 .../Services/UAuthFlowClient.cs               | 131 ++++++++++--
 .../Credentials/ChangePasswordTests.cs        |   2 -
 .../Fake/FakeFlowClient.cs                    |  13 +-
 .../Helpers/TestAuthRuntime.cs                |   1 -
 .../Server/LoginOrchestratorTests.cs          |  18 --
 .../Server/RedirectTests.cs                   |   4 +-
 .../Sessions/SessionTests.cs                  |   3 -
 .../UserIdentifierApplicationServiceTests.cs  |   2 -
 69 files changed, 1442 insertions(+), 353 deletions(-)
 create mode 100644 src/CodeBeam.UltimateAuth.Core/Contracts/Login/TryLoginResult.cs
 create mode 100644 src/CodeBeam.UltimateAuth.Core/Contracts/Pkce/TryPkceLoginRequest.cs
 create mode 100644 src/CodeBeam.UltimateAuth.Core/Contracts/Pkce/TryPkceLoginResult.cs
 rename src/CodeBeam.UltimateAuth.Core/Domain/{Pkce => Auth}/AuthArtifact.cs (100%)
 rename src/CodeBeam.UltimateAuth.Core/Domain/{Pkce => Auth}/AuthArtifactType.cs (92%)
 create mode 100644 src/CodeBeam.UltimateAuth.Core/Domain/Auth/LoginPreviewArtifact.cs
 create mode 100644 src/CodeBeam.UltimateAuth.Server/Extensions/HttpContext/HttpContextRequestExtensions.cs
 create mode 100644 src/CodeBeam.UltimateAuth.Server/Flows/Login/LoginExecutionMode.cs
 create mode 100644 src/CodeBeam.UltimateAuth.Server/Flows/Login/LoginExecutionOptions.cs
 create mode 100644 src/CodeBeam.UltimateAuth.Server/Flows/Login/LoginPreviewFingerprint.cs
 rename src/CodeBeam.UltimateAuth.Server/Infrastructure/Credentials/{IFlowCredentialResolver.cs => IValidateCredentialResolver.cs} (71%)
 rename src/CodeBeam.UltimateAuth.Server/Infrastructure/Credentials/{FlowCredentialResolver.cs => ValidateCredentialResolver.cs} (72%)
 delete mode 100644 src/client/CodeBeam.UltimateAuth.Client/Contracts/PkceClientState.cs
 create mode 100644 src/client/CodeBeam.UltimateAuth.Client/Contracts/UAuthSubmitMode.cs

diff --git a/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Components/Layout/MainLayout.razor b/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Components/Layout/MainLayout.razor
index d257eb7a..8b7693b0 100644
--- a/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Components/Layout/MainLayout.razor
+++ b/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Components/Layout/MainLayout.razor
@@ -1,11 +1,65 @@
-@using CodeBeam.UltimateAuth.Core.Abstractions
-@using CodeBeam.UltimateAuth.Server.Infrastructure
-@inherits LayoutComponentBase
+@inherits LayoutComponentBase
+@inject IUAuthClient UAuthClient
+@inject ISnackbar Snackbar
+@inject NavigationManager Nav
 
-@Body
+<MudLayout>
+    <MudAppBar Class="uauth-blur" Color="Color.Transparent" Dense="true" Elevation="0">
+        <UAuthLogo />
+        <MudText Class="ml-2 cursor-pointer" Style="user-select: none" @onclick="@(() => Nav.NavigateTo("/home", true))"><b>UltimateAuth</b></MudText>
+        <MudDivider Class="ml-3 mr-1" Vertical="true" />
+        <MudText Class="ml-2" Style="line-height: 14px" Typo="Typo.subtitle2">UAuthHub Sample</MudText>
 
-<div id="blazor-error-ui" data-nosnippet>
+        <MudSpacer />
+
+        <MudIconButton Icon="@(DarkModeManager.IsDarkMode? Icons.Material.Filled.LightMode : Icons.Material.Filled.DarkMode)" OnClick="@(() => DarkModeManager.ToggleAsync())" />
+
+        <UAuthStateView>
+            <Authorized Context="state">
+                <MudMenu PopoverClass="mud-theme-primary uauth-menu-popover" AnchorOrigin="Origin.BottomRight" TransformOrigin="Origin.TopRight">
+                    <ActivatorContent>
+                        <div @onclick="@(() => context.ToggleAsync())">
+                            <MudBadge Overlap="true" Dot="true" Color="@GetBadgeColor()">
+                                <MudAvatar Class="cursor-pointer mud-ripple" Variant="Variant.Filled" Color="Color.Primary">
+                                    <MudText Typo="Typo.subtitle2">@((state.Identity?.DisplayName ?? "?").Trim() is var n ? (n.Length >= 2 ? n[..2] : n[..1]) : "?")</MudText>
+                                </MudAvatar>
+                            </MudBadge>
+                        </div>
+                    </ActivatorContent>
+
+                    <ChildContent>
+                        <MudText Class="px-4 py-2"><b>@state.Identity?.DisplayName</b></MudText>
+                        <MudText Class="px-4" Typo="Typo.subtitle2">@string.Join(", ", state.Claims.Roles)</MudText>
+
+                        <MudDivider />
+
+                        <MudMenuItem Icon="@Icons.Material.Filled.Refresh" IconColor="Color.Secondary" Label="Refresh Session" OnClick="@Refresh" />
+                        <MudMenuItem Icon="@Icons.Material.Filled.VerifiedUser" IconColor="Color.Secondary" Label="Validate Session" OnClick="@Validate" />
+                        <MudMenuItem Icon="@Icons.Material.Filled.Logout" IconColor="Color.Secondary" Label="Logout" OnClick="@Logout" />
+
+                        @if (state.Identity?.SessionState is not null && state.Identity.SessionState != SessionState.Active)
+                        {
+                            <MudDivider />
+                            <MudMenuItem Icon="@Icons.Material.Filled.Login" Label="Reauthenticate" OnClick="@GoToLoginWithReturn" />
+                        }
+                    </ChildContent>
+                </MudMenu>
+            </Authorized>
+
+            <NotAuthorized>
+                <MudChip T="string" Style="width: fit-content" Text="Sign In" Color="Color.Primary" Variant="Variant.Filled" Class="cursor-pointer" OnClick="@HandleSignInClick" />
+            </NotAuthorized>
+        </UAuthStateView>
+    </MudAppBar>
+
+    <MudMainContent>
+        @Body
+    </MudMainContent>
+</MudLayout>
+
+
+<div id="blazor-error-ui">
     An unhandled error has occurred.
-    <a href="." class="reload">Reload</a>
-    <span class="dismiss">🗙</span>
+    <a href="" class="reload">Reload</a>
+    <a class="dismiss">🗙</a>
 </div>
diff --git a/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Components/Layout/MainLayout.razor.cs b/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Components/Layout/MainLayout.razor.cs
index d9123d59..7242adbd 100644
--- a/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Components/Layout/MainLayout.razor.cs
+++ b/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Components/Layout/MainLayout.razor.cs
@@ -1,7 +1,130 @@
-namespace CodeBeam.UltimateAuth.Sample.UAuthHub.Components.Layout
+using CodeBeam.UltimateAuth.Client;
+using CodeBeam.UltimateAuth.Client.Errors;
+using CodeBeam.UltimateAuth.Core.Contracts;
+using CodeBeam.UltimateAuth.Core.Domain;
+using CodeBeam.UltimateAuth.Core.Errors;
+using CodeBeam.UltimateAuth.Sample.UAuthHub.Infrastructure;
+using Microsoft.AspNetCore.Components;
+using MudBlazor;
+
+namespace CodeBeam.UltimateAuth.Sample.UAuthHub.Components.Layout;
+
+public partial class MainLayout
 {
-    public partial class MainLayout
+    [CascadingParameter]
+    public UAuthState UAuth { get; set; } = default!;
+
+    [CascadingParameter]
+    public DarkModeManager DarkModeManager { get; set; } = default!;
+
+    private async Task Refresh()
     {
-        
+        await UAuthClient.Flows.RefreshAsync();
+    }
+
+    private async Task Logout()
+    {
+        await UAuthClient.Flows.LogoutAsync();
+    }
+
+    private Color GetBadgeColor()
+    {
+        if (UAuth is null || !UAuth.IsAuthenticated)
+            return Color.Error;
+
+        if (UAuth.IsStale)
+            return Color.Warning;
+
+        var state = UAuth.Identity?.SessionState;
+
+        if (state is null || state == SessionState.Active)
+            return Color.Success;
+
+        if (state == SessionState.Invalid)
+            return Color.Error;
+
+        return Color.Warning;
+    }
+
+    private void HandleSignInClick()
+    {
+        var uri = Nav.ToAbsoluteUri(Nav.Uri);
+
+        if (uri.AbsolutePath.EndsWith("/login", StringComparison.OrdinalIgnoreCase))
+        {
+            Nav.NavigateTo("/login?focus=1", replace: true, forceLoad: true);
+            return;
+        }
+
+        GoToLoginWithReturn();
+    }
+
+    private async Task Validate()
+    {
+        try
+        {
+            var result = await UAuthClient.Flows.ValidateAsync();
+
+            if (result.IsValid)
+            {
+                if (result.Snapshot?.Identity.UserStatus == UserStatus.SelfSuspended)
+                {
+                    Snackbar.Add("Your account is suspended by you.", Severity.Warning);
+                    return;
+                }
+                Snackbar.Add($"Session active • Tenant: {result.Snapshot?.Identity?.Tenant.Value} • User: {result.Snapshot?.Identity?.PrimaryUserName}", Severity.Success);
+            }
+            else
+            {
+                switch (result.State)
+                {
+                    case SessionState.Expired:
+                        Snackbar.Add("Session expired. Please sign in again.", Severity.Warning);
+                        break;
+
+                    case SessionState.DeviceMismatch:
+                        Snackbar.Add("Session invalid for this device.", Severity.Error);
+                        break;
+
+                    default:
+                        Snackbar.Add($"Session state: {result.State}", Severity.Error);
+                        break;
+                }
+            }
+        }
+        catch (UAuthTransportException)
+        {
+            Snackbar.Add("Network error.", Severity.Error);
+        }
+        catch (UAuthProtocolException)
+        {
+            Snackbar.Add("Invalid response.", Severity.Error);
+        }
+        catch (UAuthException ex)
+        {
+            Snackbar.Add($"UAuth error: {ex.Message}", Severity.Error);
+        }
+        catch (Exception ex)
+        {
+            Snackbar.Add($"Unexpected error: {ex.Message}", Severity.Error);
+        }
+    }
+
+    private void GoToLoginWithReturn()
+    {
+        var uri = Nav.ToAbsoluteUri(Nav.Uri);
+
+        if (uri.AbsolutePath.EndsWith("/login", StringComparison.OrdinalIgnoreCase))
+        {
+            Nav.NavigateTo("/login", replace: true);
+            return;
+        }
+
+        var current = Nav.ToBaseRelativePath(uri.ToString());
+        if (string.IsNullOrWhiteSpace(current))
+            current = "home";
+
+        var returnUrl = Uri.EscapeDataString("/" + current.TrimStart('/'));
+        Nav.NavigateTo($"/login?returnUrl={returnUrl}", replace: true);
     }
 }
diff --git a/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Components/Pages/Home.razor b/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Components/Pages/Home.razor
index 219617bf..056cc78a 100644
--- a/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Components/Pages/Home.razor
+++ b/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Components/Pages/Home.razor
@@ -1,82 +1,122 @@
 @page "/"
 @page "/login"
-@using CodeBeam.UltimateAuth.Client
-@using CodeBeam.UltimateAuth.Client.Authentication
-@using CodeBeam.UltimateAuth.Client.Diagnostics
+@attribute [UAuthLoginPage]
+@inherits UAuthFlowPageBase
+
+@implements IDisposable
 @using CodeBeam.UltimateAuth.Client.Infrastructure
+@using CodeBeam.UltimateAuth.Client.Runtime
 @using CodeBeam.UltimateAuth.Core.Abstractions
 @using CodeBeam.UltimateAuth.Core.Contracts
-@using CodeBeam.UltimateAuth.Core.Domain
-@using CodeBeam.UltimateAuth.Core.Runtime
-@using CodeBeam.UltimateAuth.Server.Abstractions
-@using CodeBeam.UltimateAuth.Server.Infrastructure
-@using CodeBeam.UltimateAuth.Server.Services
 @using CodeBeam.UltimateAuth.Server.Stores
-@inject IUAuthStateManager StateManager
+@inject IUAuthClient UAuthClient
+@inject IAuthStore AuthStore
 @inject IHubFlowReader HubFlowReader
 @inject IHubCredentialResolver HubCredentialResolver
-@inject IAuthStore AuthStore
 @inject IClientStorage BrowserStorage
-@inject IUAuthFlowService Flow
 @inject ISnackbar Snackbar
-@inject IFlowCredentialResolver CredentialResolver
-@inject IUAuthClient UAuthClient
-@inject NavigationManager Nav
-@inject IUAuthProductInfoProvider ProductInfo
-@inject AuthenticationStateProvider AuthStateProvider
-@inject UAuthClientDiagnostics Diagnostics
+@inject IUAuthClientProductInfoProvider ClientProductInfoProvider
+@inject IDeviceIdProvider DeviceIdProvider
+@inject IDialogService DialogService
+
+@if (_state == null || !_state.IsActive)
+{
+    <MudPage Class="d-flex align-center justify-center" FullScreen="FullScreen.FullWithoutAppbar" Column="1" Row="1">
+        <MudPaper Class="pa-8" Elevation="4" Style="max-width: 520px; width: 100%;">
+            <MudStack Spacing="3" AlignItems="AlignItems.Center">
+                <UAuthLogo Size="72" />
+
+                <MudText Typo="Typo.h5"><b>Access Denied</b></MudText>
 
+                <MudText Typo="Typo.body2" Align="Align.Center">
+                    This page cannot be accessed directly.
+                    UAuthHub login flows can only be initiated by an authorized client application.
+                </MudText>
 
-<div class="uauth-page d-flex align-center justify-center">
-    <MudStack Class="uauth-stack">
-        @if (_state == null || !_state.IsActive)
-        {
-            <MudPage Class="d-flex align-center justify-center" FullScreen="FullScreen.FullWithoutAppbar" Column="1" Row="1">
-                <MudPaper Class="pa-8" Elevation="4" Style="max-width: 520px; width: 100%;">
-                    <MudStack Spacing="3" AlignItems="AlignItems.Center">
-                        <UAuthLogo Size="72" />
+                <MudDivider Class="my-2" />
 
-                        <MudText Typo="Typo.h5"><b>Access Denied</b></MudText>
+                <MudText Typo="Typo.caption" Color="Color.Secondary">
+                    UltimateAuth protects this resource based on your session and permissions.
+                </MudText>
+            </MudStack>
+        </MudPaper>
+    </MudPage>
+    return;
+}
 
-                        <MudText Typo="Typo.body2" Align="Align.Center">
-                            This page cannot be accessed directly.
-                            UAuthHub login flows can only be initiated by an authorized client application.
-                        </MudText>
+<MudPage FullScreen="FullScreen.FullWithoutAppbar" Column="1" Row="1">
+    <MudContainer Class="d-flex align-center justify-center" MaxWidth="MaxWidth.Medium" Gutters="false">
+        <MudGrid Spacing="0">
+            <MudItem Class="order-1 order-sm-0" xs="12" sm="6">
+                <MudPaper Class="mud-theme-primary uauth-login-paper pa-8 d-flex flex-column align-center justify-center" Elevation="3">
+                    <MudStack Class="my-4">
+                        <div class="uauth-brand-glow uauth-logo-slide d-flex justify-center">
+                            <UAuthLogo Size="90" ShieldColor="#f6f5ae" KeyColor="var(--mud-palette-primary)" />
+                        </div>
+                        <MudText Style="font-weight: 700" Typo="Typo.h4" Align="Align.Center">UAuthHub</MudText>
+                        <MudText Align="Align.Center">The centralized AuthServer for your application.</MudText>
+                    </MudStack>
 
-                        <MudDivider Class="my-2" />
+                    <MudDivider />
 
-                        <MudText Typo="Typo.caption" Color="Color.Secondary">
-                            UltimateAuth protects this resource based on your session and permissions.
-                        </MudText>
+                    <MudStack Class="mt-4" Wrap="Wrap.Wrap" Spacing="0">
+                        <MudText Typo="Typo.subtitle2" Align="Align.Center"><b>@_productInfo?.ProductName</b> v @_productInfo?.Version</MudText>
+                        <MudText Typo="Typo.subtitle2" Align="Align.Center">Client Profile: @_productInfo?.ClientProfile.ToString()</MudText>
+                        <MudText Typo="Typo.subtitle2" Align="Align.Center">@_productInfo?.FrameworkDescription</MudText>
                     </MudStack>
                 </MudPaper>
-            </MudPage>
-            return;
-        }
-        <UAuthLoginForm Identifier="@_username" Secret="@_password" LoginType="UAuthLoginType.Pkce">
-            <MudStack>
-                <MudText Typo="Typo.h4">Welcome to UltimateAuth!</MudText>
-                <MudTextField @bind-Value="@_username" Variant="Variant.Outlined" Label="Username" Immediate="true" HelperText="Default: Admin" />
-                <MudPasswordField @bind-Value="@_password" Variant="Variant.Outlined" Label="Password" Immediate="true" HelperText="Default: Password!" />
-                <MudButton Variant="Variant.Filled" Color="Color.Primary" ButtonType="ButtonType.Submit">Login</MudButton>
-            </MudStack>
-        </UAuthLoginForm>
+            </MudItem>
 
-        <MudStack Class="mud-width-full">
-            <MudButton Variant="Variant.Filled" Color="Color.Info" OnClick="ProgrammaticPkceLogin">Programmatic Pkce Login</MudButton>
-        </MudStack>
+            <MudItem Class="order-0 order-sm-1" xs="12" sm="6">
+                <MudPaper Class="uauth-login-paper pa-8" Elevation="3">
+                    <UAuthLoginForm Identifier="@_username" Secret="@_password" LoginType="UAuthLoginType.Pkce" SubmitMode="UAuthSubmitMode.TryAndCommit" OnTryResult="HandleLoginResult">
+                        <MudStack Class="mud-width-full">
+                            <MudStack Row="true" AlignItems="AlignItems.Center">
+                                <UAuthLogo Size="48" ShieldColor="var(--mud-palette-primary)" KeyColor="white" />
+                                <MudText Typo="Typo.h5">
+                                    <MudText Style="font-weight: 700" Inline="true" Typo="Typo.h5" Color="Color.Primary">Sign <MudText Inline="true" Style="font-weight: 700" Typo="Typo.h5" Color="Color.Secondary">In</MudText></MudText>
+                                </MudText>
+                            </MudStack>
+                            <MudTextField @ref="@_usernameField" @bind-Value="@_username" Variant="Variant.Outlined" Label="Username" Required="true" Immediate="true" HelperText="@(_remainingAttempts != null ? $"Remaining Attempts: {_remainingAttempts}" : null)" />
+                            <MudPasswordField @bind-Value="@_password" Variant="Variant.Outlined" Label="Password" Required="true" Immediate="true" />
+                            <MudButton Variant="Variant.Filled" Color="Color.Primary" Disabled="@_isLocked" ButtonType="ButtonType.Submit">Login</MudButton>
+                            @if (_isLocked)
+                            {
+                                <MudAlert NoIcon="true" Severity="Severity.Error" Variant="Variant.Filled">
+                                    <MudStack Row="true" AlignItems="AlignItems.Center" Justify="Justify.SpaceBetween">
+                                        <MudStack Spacing="0">
+                                            <MudText Typo="Typo.subtitle2">Your account is locked.</MudText>
+                                            <MudText Typo="Typo.subtitle2">Try again in </MudText>
+                                        </MudStack>
+                                        <MudProgressCircular Class="mud-theme-error" Value="@_progressPercent" Max="100" Size="Size.Large">
+                                            @_remaining.Minutes.ToString("00"):@_remaining.Seconds.ToString("00")
+                                        </MudProgressCircular>
+                                    </MudStack>
+                                </MudAlert>
+                            }
+                        </MudStack>
+                    </UAuthLoginForm>
+                    <MudAlert Severity="Severity.Info" Variant="Variant.Text" Dense="true">
+                        Default sample users:
+                        <b>admin/admin</b> (Admin),
+                        <b>user/user</b> (Standard User)
+                    </MudAlert>
 
-        <MudStack Spacing="0">
-            <MudText><b>@ProductInfo.Get().ProductName</b> v @ProductInfo.Get().Version</MudText>
-        </MudStack>
+                    <MudDivider Class="my-8" />
 
-        <MudStack Spacing="0">
-            <MudText>Hub SessionId: @_state?.HubSessionId</MudText>
-            <MudText>Client Profile: @_state?.ClientProfile</MudText>
-            <MudText>Return Url: @_state?.ReturnUrl</MudText>
-            <MudText>Flow Type: @_state?.FlowType</MudText>
-            <MudText>IsActive: @_state?.IsActive</MudText>
-        </MudStack>
-    </MudStack>
-</div>
+                    <MudStack Class="mud-width-full">
+                        <MudButton Variant="Variant.Filled" Color="Color.Primary" OnClick="ProgrammaticPkceLogin">Programmatic Login</MudButton>
+                        <MudText Style="color: var(--mud-palette-text-secondary)" Typo="Typo.subtitle2" Align="Align.Center">Login programmatically as admin/admin.</MudText>
+                    </MudStack>
 
+                    <MudDivider Class="my-2" />
+
+                    <MudStack>
+                        @* <MudText Align="Align.Center" Typo="Typo.subtitle2"><MudLink Class="cursor-pointer" OnClick="OpenResetDialog">Forgot Password</MudLink></MudText> *@
+                        <MudText Align="Align.Center" Typo="Typo.subtitle2">Don't have an account? <MudLink Class="cursor-pointer" Href="/register">SignUp</MudLink></MudText>
+                    </MudStack>
+                </MudPaper>
+            </MudItem>
+        </MudGrid>
+    </MudContainer>
+</MudPage>
diff --git a/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Components/Pages/Home.razor.cs b/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Components/Pages/Home.razor.cs
index dc0f988e..eeb77706 100644
--- a/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Components/Pages/Home.razor.cs
+++ b/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Components/Pages/Home.razor.cs
@@ -1,4 +1,5 @@
 using CodeBeam.UltimateAuth.Client.Contracts;
+using CodeBeam.UltimateAuth.Client.Runtime;
 using CodeBeam.UltimateAuth.Core.Contracts;
 using CodeBeam.UltimateAuth.Core.Domain;
 using CodeBeam.UltimateAuth.Server.Stores;
@@ -18,6 +19,24 @@ public partial class Home
 
     private HubFlowState? _state;
 
+    private UAuthClientProductInfo? _productInfo;
+    private MudTextField<string> _usernameField = default!;
+
+    private CancellationTokenSource? _lockoutCts;
+    private PeriodicTimer? _lockoutTimer;
+    private DateTimeOffset? _lockoutUntil;
+    private TimeSpan _remaining;
+    private bool _isLocked;
+    private DateTimeOffset? _lockoutStartedAt;
+    private TimeSpan _lockoutDuration;
+    private double _progressPercent;
+    private int? _remainingAttempts = null;
+
+    protected override async Task OnInitializedAsync()
+    {
+        _productInfo = ClientProductInfoProvider.Get();
+    }
+
     protected override async Task OnParametersSetAsync()
     {
         if (string.IsNullOrWhiteSpace(HubKey))
@@ -32,40 +51,74 @@ protected override async Task OnParametersSetAsync()
 
     protected override async Task OnAfterRenderAsync(bool firstRender)
     {
-        if (!firstRender)
+        if (string.IsNullOrWhiteSpace(HubKey))
             return;
 
-        var currentError = await BrowserStorage.GetAsync(StorageScope.Session, "uauth:last_error");
-
-        if (!string.IsNullOrWhiteSpace(currentError))
+        if (_state is null || !_state.Exists)
         {
-            Snackbar.Add(ResolveErrorMessage(currentError), Severity.Error);
-            await BrowserStorage.RemoveAsync(StorageScope.Session, "uauth:last_error");
+            await StartNewPkceAsync();
+            return;
         }
 
-        var uri = Nav.ToAbsoluteUri(Nav.Uri);
-        var query = QueryHelpers.ParseQuery(uri.Query);
-
-        if (query.TryGetValue("__uauth_error", out var error))
-        {
-            await BrowserStorage.SetAsync(StorageScope.Session, "uauth:last_error", error.ToString());
-        }
-        
-        if (string.IsNullOrWhiteSpace(HubKey))
+        if (_state.IsExpired)
         {
+            await StartNewPkceAsync();
             return;
         }
 
-        if (_state is null || !_state.Exists)
-            return;
-
-        if (_state?.IsActive != true)
+        if (_state.Error != null)
         {
+            Snackbar.Add(ResolveErrorMessage(_state.Error), Severity.Error);
+
+            await Task.Delay(200); // UX
             await StartNewPkceAsync();
-            return;
         }
     }
 
+    //protected override async Task OnAfterRenderAsync(bool firstRender)
+    //{
+    //    if (!firstRender)
+    //        return;
+
+    //    var currentError = await BrowserStorage.GetAsync(StorageScope.Session, "uauth:last_error");
+
+    //    if (!string.IsNullOrWhiteSpace(currentError))
+    //    {
+    //        Snackbar.Add(ResolveErrorMessage(currentError), Severity.Error);
+    //        await BrowserStorage.RemoveAsync(StorageScope.Session, "uauth:last_error");
+    //    }
+
+    //    var uri = Nav.ToAbsoluteUri(Nav.Uri);
+    //    var query = QueryHelpers.ParseQuery(uri.Query);
+
+    //    if (query.TryGetValue("__uauth_error", out var error))
+    //    {
+    //        await BrowserStorage.SetAsync(StorageScope.Session, "uauth:last_error", error.ToString());
+    //    }
+
+    //    if (string.IsNullOrWhiteSpace(HubKey))
+    //    {
+    //        return;
+    //    }
+
+    //    if (_state is null || !_state.Exists)
+    //        return;
+
+    //    if (_state?.IsActive != true)
+    //    {
+    //        await StartNewPkceAsync();
+    //        return;
+    //    }
+
+    //    if (_state?.Error != null)
+    //    {
+    //        Snackbar.Add("Error.", Severity.Error);
+
+    //        await Task.Delay(300); // UX
+    //        await StartNewPkceAsync();
+    //    }
+    //}
+
     // For testing & debugging
     private async Task ProgrammaticPkceLogin()
     {
@@ -79,15 +132,41 @@ private async Task ProgrammaticPkceLogin()
 
         var credentials = await HubCredentialResolver.ResolveAsync(hubSessionId);
 
-        var request = new PkceLoginRequest
+        //var request = new PkceLoginRequest
+        //{
+        //    Identifier = "admin",
+        //    Secret = "admin",
+        //    AuthorizationCode = credentials?.AuthorizationCode ?? string.Empty,
+        //    CodeVerifier = credentials?.CodeVerifier ?? string.Empty,
+        //    ReturnUrl = _state?.ReturnUrl ?? string.Empty
+        //};
+
+        var request = new TryPkceLoginRequest
         {
             Identifier = "admin",
             Secret = "admin",
             AuthorizationCode = credentials?.AuthorizationCode ?? string.Empty,
             CodeVerifier = credentials?.CodeVerifier ?? string.Empty,
-            ReturnUrl = _state?.ReturnUrl ?? string.Empty
+            ReturnUrl = _state?.ReturnUrl ?? string.Empty,
+            HubSessionId = _state?.HubSessionId.Value ?? hubSessionId.Value,
         };
-        await UAuthClient.Flows.CompletePkceLoginAsync(request);
+
+        await UAuthClient.Flows.TryCompletePkceLoginAsync(request);
+    }
+
+    private void HandleLoginResult(TryLoginResult result)
+    {
+        if (!result.Success)
+        {
+            Snackbar.Add("Login failed", Severity.Error);
+
+            if (result.RemainingAttempts is not null)
+            {
+                // UI update
+            }
+
+            return;
+        }
     }
 
     private async Task StartNewPkceAsync()
diff --git a/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Components/_Imports.razor b/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Components/_Imports.razor
index aada4df3..f530884f 100644
--- a/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Components/_Imports.razor
+++ b/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Components/_Imports.razor
@@ -10,6 +10,7 @@
 @using CodeBeam.UltimateAuth.Sample.UAuthHub
 @using CodeBeam.UltimateAuth.Sample.UAuthHub.Components
 @using CodeBeam.UltimateAuth.Sample.UAuthHub.Components.Layout
+@using CodeBeam.UltimateAuth.Core.Domain
 @using CodeBeam.UltimateAuth.Client
 @using CodeBeam.UltimateAuth.Client.Blazor
 
diff --git a/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Controllers/HubLoginController.cs b/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Controllers/HubLoginController.cs
index 71cb29b3..6b6f486d 100644
--- a/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Controllers/HubLoginController.cs
+++ b/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Controllers/HubLoginController.cs
@@ -42,7 +42,7 @@ public async Task<IActionResult> BeginLogin(
             hubSessionId: hubSessionId,
             flowType: HubFlowType.Login,
             clientProfile: client_profile,
-            tenant: TenantKeys.System,
+            tenant: TenantKeys.System, // TODO: Think about multi tenant scenarios
             returnUrl: return_url,
             payload: payload,
             expiresAt: _clock.UtcNow.Add(_options.Hub.FlowLifetime));
diff --git a/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Program.cs b/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Program.cs
index d5c689a8..a745644f 100644
--- a/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Program.cs
+++ b/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Program.cs
@@ -6,7 +6,6 @@
 using CodeBeam.UltimateAuth.InMemory;
 using CodeBeam.UltimateAuth.Sample.UAuthHub.Components;
 using CodeBeam.UltimateAuth.Sample.UAuthHub.Infrastructure;
-using CodeBeam.UltimateAuth.Security.Argon2;
 using CodeBeam.UltimateAuth.Server.Extensions;
 using MudBlazor.Services;
 using MudExtensions.Services;
@@ -16,7 +15,11 @@
 
 // Add services to the container.
 builder.Services.AddRazorComponents()
-    .AddInteractiveServerComponents();
+    .AddInteractiveServerComponents()
+    .AddCircuitOptions(options =>
+    {
+        options.DetailedErrors = true;
+    });
 
 builder.Services.AddControllers();
 
diff --git a/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/wwwroot/app.css b/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/wwwroot/app.css
index 671b6199..9d58cb9c 100644
--- a/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/wwwroot/app.css
+++ b/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/wwwroot/app.css
@@ -13,7 +13,7 @@ a, .btn-link {
 }
 
 .btn:focus, .btn:active:focus, .btn-link.nav-link:focus, .form-control:focus, .form-check-input:focus {
-  box-shadow: 0 0 0 0.1rem white, 0 0 0 0.25rem #258cfb;
+    box-shadow: 0 0 0 0.1rem white, 0 0 0 0.25rem #258cfb;
 }
 
 .content {
@@ -50,15 +50,6 @@ h1:focus {
     border-color: #929292;
 }
 
-.form-floating > .form-control-plaintext::placeholder, .form-floating > .form-control::placeholder {
-    color: var(--bs-secondary-color);
-    text-align: end;
-}
-
-.form-floating > .form-control-plaintext:focus::placeholder, .form-floating > .form-control:focus::placeholder {
-    text-align: start;
-}
-
 .uauth-stack {
     min-height: 60vh;
     max-height: calc(100vh - var(--mud-appbar-height));
diff --git a/samples/blazor-server/CodeBeam.UltimateAuth.Sample.BlazorServer/Components/Pages/Login.razor b/samples/blazor-server/CodeBeam.UltimateAuth.Sample.BlazorServer/Components/Pages/Login.razor
index 7687854b..49452e66 100644
--- a/samples/blazor-server/CodeBeam.UltimateAuth.Sample.BlazorServer/Components/Pages/Login.razor
+++ b/samples/blazor-server/CodeBeam.UltimateAuth.Sample.BlazorServer/Components/Pages/Login.razor
@@ -73,7 +73,7 @@
 
             <MudItem Class="order-0 order-sm-1" xs="12" sm="6">
                 <MudPaper Class="uauth-login-paper pa-8" Elevation="3">
-                    <UAuthLoginForm Identifier="@_username" Secret="@_password" ReturnUrl="@(ReturnUrl ?? "/home")">
+                    <UAuthLoginForm Identifier="@_username" Secret="@_password" SubmitMode="UAuthSubmitMode.TryAndCommit" OnTryResult="HandleTry" ReturnUrl="@(ReturnUrl ?? "/home")">
                         <MudStack Class="mud-width-full">
                             <MudStack Row="true" AlignItems="AlignItems.Center">
                                 <UAuthLogo Size="48" ShieldColor="var(--mud-palette-primary)" KeyColor="white" />
diff --git a/samples/blazor-server/CodeBeam.UltimateAuth.Sample.BlazorServer/Components/Pages/Login.razor.cs b/samples/blazor-server/CodeBeam.UltimateAuth.Sample.BlazorServer/Components/Pages/Login.razor.cs
index 29f37744..02257ae8 100644
--- a/samples/blazor-server/CodeBeam.UltimateAuth.Sample.BlazorServer/Components/Pages/Login.razor.cs
+++ b/samples/blazor-server/CodeBeam.UltimateAuth.Sample.BlazorServer/Components/Pages/Login.razor.cs
@@ -52,7 +52,6 @@ private void HandleLoginPayload(AuthFlowPayload payload)
         }
 
         _remainingAttempts = payload.RemainingAttempts;
-
         ShowLoginError(payload.Reason, payload.RemainingAttempts);
     }
 
@@ -158,6 +157,21 @@ private void UpdateRemaining()
         }
     }
 
+    private void HandleTry(TryLoginResult result)
+    {
+        if (!result.Success)
+        {
+            if (result.Reason == AuthFailureReason.LockedOut && result.LockoutUntilUtc is { } until)
+            {
+                _lockoutUntil = until;
+                StartCountdown();
+            }
+
+            _remainingAttempts = result.RemainingAttempts;
+            ShowLoginError(result.Reason, result.RemainingAttempts);
+        }
+    }
+
     private async Task OpenResetDialog()
     {
         await DialogService.ShowAsync<ResetDialog>("Reset Credentials", GetDialogParameters(), GetDialogOptions());
diff --git a/src/CodeBeam.UltimateAuth.Core/Contracts/Login/LoginRequest.cs b/src/CodeBeam.UltimateAuth.Core/Contracts/Login/LoginRequest.cs
index c85b9b92..fc9a56d8 100644
--- a/src/CodeBeam.UltimateAuth.Core/Contracts/Login/LoginRequest.cs
+++ b/src/CodeBeam.UltimateAuth.Core/Contracts/Login/LoginRequest.cs
@@ -5,11 +5,9 @@ namespace CodeBeam.UltimateAuth.Core.Contracts;
 
 public sealed record LoginRequest
 {
-    public TenantKey Tenant { get; init; }
     public string Identifier { get; init; } = default!;
     public string Secret { get; init; } = default!;
     public CredentialType Factor { get; init; } = CredentialType.Password;
-    public DateTimeOffset? At { get; init; }
     public IReadOnlyDictionary<string, string>? Metadata { get; init; }
 
     /// <summary>
@@ -17,4 +15,5 @@ public sealed record LoginRequest
     /// Server policy may still ignore this.
     /// </summary>
     public bool RequestTokens { get; init; } = true;
+    public string? PreviewReceipt { get; init; }
 }
diff --git a/src/CodeBeam.UltimateAuth.Core/Contracts/Login/LoginResult.cs b/src/CodeBeam.UltimateAuth.Core/Contracts/Login/LoginResult.cs
index f9d3b280..f445bf58 100644
--- a/src/CodeBeam.UltimateAuth.Core/Contracts/Login/LoginResult.cs
+++ b/src/CodeBeam.UltimateAuth.Core/Contracts/Login/LoginResult.cs
@@ -36,6 +36,14 @@ public static LoginResult Success(AuthSessionId sessionId, AuthTokens? tokens =
             RefreshToken = tokens?.RefreshToken
         };
 
+    public static LoginResult SuccessPreview()
+    {
+        return new LoginResult
+        {
+            Status = LoginStatus.Success
+        };
+    }
+
     public static LoginResult Continue(LoginContinuation continuation)
         => new()
         {
diff --git a/src/CodeBeam.UltimateAuth.Core/Contracts/Login/TryLoginResult.cs b/src/CodeBeam.UltimateAuth.Core/Contracts/Login/TryLoginResult.cs
new file mode 100644
index 00000000..9b95455a
--- /dev/null
+++ b/src/CodeBeam.UltimateAuth.Core/Contracts/Login/TryLoginResult.cs
@@ -0,0 +1,13 @@
+using CodeBeam.UltimateAuth.Core.Domain;
+
+namespace CodeBeam.UltimateAuth.Core.Contracts;
+
+public sealed record TryLoginResult
+{
+    public bool Success { get; init; }
+    public AuthFailureReason? Reason { get; init; }
+    public int? RemainingAttempts { get; init; }
+    public DateTimeOffset? LockoutUntilUtc { get; init; }
+    public bool RequiresMfa { get; init; }
+    public string? PreviewReceipt { get; init; }
+}
diff --git a/src/CodeBeam.UltimateAuth.Core/Contracts/Pkce/TryPkceLoginRequest.cs b/src/CodeBeam.UltimateAuth.Core/Contracts/Pkce/TryPkceLoginRequest.cs
new file mode 100644
index 00000000..6ed6b462
--- /dev/null
+++ b/src/CodeBeam.UltimateAuth.Core/Contracts/Pkce/TryPkceLoginRequest.cs
@@ -0,0 +1,11 @@
+namespace CodeBeam.UltimateAuth.Core.Contracts;
+
+public sealed class TryPkceLoginRequest
+{
+    public string AuthorizationCode { get; init; } = string.Empty;
+    public string CodeVerifier { get; init; } = string.Empty;
+    public string? Identifier { get; init; }
+    public string? Secret { get; init; }
+    public string? ReturnUrl { get; init; }
+    public string? HubSessionId { get; init; }
+}
diff --git a/src/CodeBeam.UltimateAuth.Core/Contracts/Pkce/TryPkceLoginResult.cs b/src/CodeBeam.UltimateAuth.Core/Contracts/Pkce/TryPkceLoginResult.cs
new file mode 100644
index 00000000..16cfd9f3
--- /dev/null
+++ b/src/CodeBeam.UltimateAuth.Core/Contracts/Pkce/TryPkceLoginResult.cs
@@ -0,0 +1,13 @@
+using CodeBeam.UltimateAuth.Core.Domain;
+
+namespace CodeBeam.UltimateAuth.Core.Contracts;
+
+public sealed class TryPkceLoginResult
+{
+    public bool Success { get; init; }
+    public AuthFailureReason? Reason { get; init; }
+    public int? RemainingAttempts { get; init; }
+    public DateTimeOffset? LockoutUntilUtc { get; init; }
+    public bool RequiresMfa { get; init; }
+    public bool RetryWithNewPkce { get; init; }
+}
diff --git a/src/CodeBeam.UltimateAuth.Core/Domain/Pkce/AuthArtifact.cs b/src/CodeBeam.UltimateAuth.Core/Domain/Auth/AuthArtifact.cs
similarity index 100%
rename from src/CodeBeam.UltimateAuth.Core/Domain/Pkce/AuthArtifact.cs
rename to src/CodeBeam.UltimateAuth.Core/Domain/Auth/AuthArtifact.cs
diff --git a/src/CodeBeam.UltimateAuth.Core/Domain/Pkce/AuthArtifactType.cs b/src/CodeBeam.UltimateAuth.Core/Domain/Auth/AuthArtifactType.cs
similarity index 92%
rename from src/CodeBeam.UltimateAuth.Core/Domain/Pkce/AuthArtifactType.cs
rename to src/CodeBeam.UltimateAuth.Core/Domain/Auth/AuthArtifactType.cs
index 70512e67..85157ad7 100644
--- a/src/CodeBeam.UltimateAuth.Core/Domain/Pkce/AuthArtifactType.cs
+++ b/src/CodeBeam.UltimateAuth.Core/Domain/Auth/AuthArtifactType.cs
@@ -4,6 +4,7 @@ public enum AuthArtifactType
 {
     PkceAuthorizationCode,
     HubFlow,
+    LoginPreview,
     HubLogin,
     MfaChallenge,
     PasswordReset,
diff --git a/src/CodeBeam.UltimateAuth.Core/Domain/Auth/LoginPreviewArtifact.cs b/src/CodeBeam.UltimateAuth.Core/Domain/Auth/LoginPreviewArtifact.cs
new file mode 100644
index 00000000..78d69a80
--- /dev/null
+++ b/src/CodeBeam.UltimateAuth.Core/Domain/Auth/LoginPreviewArtifact.cs
@@ -0,0 +1,53 @@
+using CodeBeam.UltimateAuth.Core.MultiTenancy;
+using CodeBeam.UltimateAuth.Core.Options;
+
+namespace CodeBeam.UltimateAuth.Core.Domain;
+
+public sealed class LoginPreviewArtifact : AuthArtifact
+{
+    public TenantKey Tenant { get; }
+    public UserKey UserKey { get; }
+    public CredentialType Factor { get; }
+    public string DeviceId { get; }
+    public string Identifier { get; }
+    public UAuthClientProfile ClientProfile { get; }
+    public string Fingerprint { get; }
+
+    public LoginPreviewArtifact(
+        TenantKey tenant,
+        UserKey userKey,
+        CredentialType factor,
+        string deviceId,
+        string identifier,
+        UAuthClientProfile clientProfile,
+        string fingerprint,
+        DateTimeOffset expiresAt)
+        : base(AuthArtifactType.LoginPreview, expiresAt)
+    {
+        Tenant = tenant;
+        UserKey = userKey;
+        Factor = factor;
+        DeviceId = deviceId;
+        Identifier = identifier;
+        ClientProfile = clientProfile;
+        Fingerprint = fingerprint;
+    }
+
+    public bool Matches(
+        TenantKey tenant,
+        UserKey userKey,
+        CredentialType factor,
+        string deviceId,
+        string identifier,
+        UAuthClientProfile clientProfile,
+        string fingerprint)
+    {
+        return Tenant == tenant
+            && UserKey == userKey
+            && Factor == factor
+            && string.Equals(DeviceId, deviceId, StringComparison.Ordinal)
+            && string.Equals(Identifier, identifier, StringComparison.Ordinal)
+            && ClientProfile == clientProfile
+            && string.Equals(Fingerprint, fingerprint, StringComparison.Ordinal);
+    }
+}
\ No newline at end of file
diff --git a/src/CodeBeam.UltimateAuth.Core/Domain/Hub/HubFlowArtifact.cs b/src/CodeBeam.UltimateAuth.Core/Domain/Hub/HubFlowArtifact.cs
index f85e5c9a..6a7d9388 100644
--- a/src/CodeBeam.UltimateAuth.Core/Domain/Hub/HubFlowArtifact.cs
+++ b/src/CodeBeam.UltimateAuth.Core/Domain/Hub/HubFlowArtifact.cs
@@ -14,6 +14,8 @@ public sealed class HubFlowArtifact : AuthArtifact
 
     public HubFlowPayload Payload { get; }
 
+    public string? Error { get; private set; }
+
     public HubFlowArtifact(
         HubSessionId hubSessionId,
         HubFlowType flowType,
@@ -31,4 +33,10 @@ public HubFlowArtifact(
         ReturnUrl = returnUrl;
         Payload = payload;
     }
+
+    public void SetError(string error)
+    {
+        Error = error;
+        RegisterAttempt();
+    }
 }
diff --git a/src/CodeBeam.UltimateAuth.Core/Domain/Hub/HubFlowState.cs b/src/CodeBeam.UltimateAuth.Core/Domain/Hub/HubFlowState.cs
index b45b995e..4720b975 100644
--- a/src/CodeBeam.UltimateAuth.Core/Domain/Hub/HubFlowState.cs
+++ b/src/CodeBeam.UltimateAuth.Core/Domain/Hub/HubFlowState.cs
@@ -8,6 +8,8 @@ public sealed class HubFlowState
     public HubFlowType FlowType { get; init; }
     public UAuthClientProfile ClientProfile { get; init; }
     public string? ReturnUrl { get; init; }
+    public string? Error { get; init; }
+    public int AttemptCount { get; init; }
 
     public bool IsActive { get; init; }
     public bool IsExpired { get; init; }
diff --git a/src/CodeBeam.UltimateAuth.Core/Domain/Pkce/HubLoginArtifact.cs b/src/CodeBeam.UltimateAuth.Core/Domain/Pkce/HubLoginArtifact.cs
index be3f758b..c6ceb415 100644
--- a/src/CodeBeam.UltimateAuth.Core/Domain/Pkce/HubLoginArtifact.cs
+++ b/src/CodeBeam.UltimateAuth.Core/Domain/Pkce/HubLoginArtifact.cs
@@ -1,17 +1,17 @@
-namespace CodeBeam.UltimateAuth.Core.Domain;
+//namespace CodeBeam.UltimateAuth.Core.Domain;
 
-public sealed class HubLoginArtifact : AuthArtifact
-{
-    public string AuthorizationCode { get; }
-    public string CodeVerifier { get; }
+//public sealed class HubLoginArtifact : AuthArtifact
+//{
+//    public string AuthorizationCode { get; }
+//    public string CodeVerifier { get; }
 
-    public HubLoginArtifact(
-        string authorizationCode,
-        string codeVerifier,
-        DateTimeOffset expiresAt)
-        : base(AuthArtifactType.HubLogin, expiresAt)
-    {
-        AuthorizationCode = authorizationCode;
-        CodeVerifier = codeVerifier;
-    }
-}
+//    public HubLoginArtifact(
+//        string authorizationCode,
+//        string codeVerifier,
+//        DateTimeOffset expiresAt)
+//        : base(AuthArtifactType.HubLogin, expiresAt)
+//    {
+//        AuthorizationCode = authorizationCode;
+//        CodeVerifier = codeVerifier;
+//    }
+//}
diff --git a/src/CodeBeam.UltimateAuth.Core/Domain/Security/AuthenticationSecurityState.cs b/src/CodeBeam.UltimateAuth.Core/Domain/Security/AuthenticationSecurityState.cs
index b3cf195e..d30489d9 100644
--- a/src/CodeBeam.UltimateAuth.Core/Domain/Security/AuthenticationSecurityState.cs
+++ b/src/CodeBeam.UltimateAuth.Core/Domain/Security/AuthenticationSecurityState.cs
@@ -158,9 +158,18 @@ public AuthenticationSecurityState RegisterFailure(DateTimeOffset now, int thres
         if (threshold < 0)
             throw new UAuthValidationException(nameof(threshold));
 
-        var nextCount = FailedAttempts + 1;
+        var effectiveFailedAttempts = FailedAttempts;
+        var effectiveLockedUntil = LockedUntil;
 
-        DateTimeOffset? nextLockedUntil = LockedUntil;
+        if (effectiveLockedUntil.HasValue && now >= effectiveLockedUntil.Value)
+        {
+            effectiveFailedAttempts = 0;
+            effectiveLockedUntil = null;
+        }
+
+        var nextCount = effectiveFailedAttempts + 1;
+
+        DateTimeOffset? nextLockedUntil = effectiveLockedUntil;
 
         if (threshold > 0 && nextCount >= threshold)
         {
diff --git a/src/CodeBeam.UltimateAuth.Core/Options/UAuthLoginOptions.cs b/src/CodeBeam.UltimateAuth.Core/Options/UAuthLoginOptions.cs
index f0c18bf8..4677358e 100644
--- a/src/CodeBeam.UltimateAuth.Core/Options/UAuthLoginOptions.cs
+++ b/src/CodeBeam.UltimateAuth.Core/Options/UAuthLoginOptions.cs
@@ -41,12 +41,15 @@ public sealed class UAuthLoginOptions
     /// </remarks>
     public bool ExtendLockOnFailure { get; set; } = false;
 
+    public TimeSpan TryLoginDuration { get; set; } = TimeSpan.FromSeconds(180);
+
     internal UAuthLoginOptions Clone() => new()
     {
         MaxFailedAttempts = MaxFailedAttempts,
         LockoutDuration = LockoutDuration,
         IncludeFailureDetails = IncludeFailureDetails,
         FailureWindow = FailureWindow,
-        ExtendLockOnFailure = ExtendLockOnFailure
+        ExtendLockOnFailure = ExtendLockOnFailure,
+        TryLoginDuration = TryLoginDuration
     };
 }
diff --git a/src/CodeBeam.UltimateAuth.Server/Abstractions/IDeviceResolver.cs b/src/CodeBeam.UltimateAuth.Server/Abstractions/IDeviceResolver.cs
index 8be92d7a..595c51a9 100644
--- a/src/CodeBeam.UltimateAuth.Server/Abstractions/IDeviceResolver.cs
+++ b/src/CodeBeam.UltimateAuth.Server/Abstractions/IDeviceResolver.cs
@@ -8,5 +8,5 @@ namespace CodeBeam.UltimateAuth.Server.Abstractions;
 /// </summary>
 public interface IDeviceResolver
 {
-    DeviceInfo Resolve(HttpContext context);
+    Task<DeviceInfo> ResolveAsync(HttpContext context);
 }
diff --git a/src/CodeBeam.UltimateAuth.Server/Auth/ClientProfileReader.cs b/src/CodeBeam.UltimateAuth.Server/Auth/ClientProfileReader.cs
index 067810f4..92fe58c1 100644
--- a/src/CodeBeam.UltimateAuth.Server/Auth/ClientProfileReader.cs
+++ b/src/CodeBeam.UltimateAuth.Server/Auth/ClientProfileReader.cs
@@ -1,24 +1,32 @@
 using CodeBeam.UltimateAuth.Core.Defaults;
 using CodeBeam.UltimateAuth.Core.Options;
+using CodeBeam.UltimateAuth.Server.Extensions;
 using Microsoft.AspNetCore.Http;
 
 namespace CodeBeam.UltimateAuth.Server.Auth;
 
 internal sealed class ClientProfileReader : IClientProfileReader
 {
-    public UAuthClientProfile Read(HttpContext context)
+    public async Task<UAuthClientProfile> ReadAsync(HttpContext context)
     {
         if (context.Request.Headers.TryGetValue(UAuthConstants.Headers.ClientProfile, out var headerValue) && TryParse(headerValue, out var headerProfile))
         {
             return headerProfile;
         }
 
-        if (context.Request.HasFormContentType && context.Request.Form.TryGetValue(UAuthConstants.Form.ClientProfile, out var formValue) &&
-            TryParse(formValue, out var formProfile))
+        var form = await context.GetCachedFormAsync();
+
+        if (form is not null && form.TryGetValue(UAuthConstants.Form.ClientProfile, out var formValue) && TryParse(formValue, out var formProfile))
         {
             return formProfile;
         }
 
+        //if (context.Request.HasFormContentType && context.Request.Form.TryGetValue(UAuthConstants.Form.ClientProfile, out var formValue) &&
+        //    TryParse(formValue, out var formProfile))
+        //{
+        //    return formProfile;
+        //}
+
         return UAuthClientProfile.NotSpecified;
     }
 
diff --git a/src/CodeBeam.UltimateAuth.Server/Auth/Context/AuthFlowContextFactory.cs b/src/CodeBeam.UltimateAuth.Server/Auth/Context/AuthFlowContextFactory.cs
index fdefb918..6cb5db77 100644
--- a/src/CodeBeam.UltimateAuth.Server/Auth/Context/AuthFlowContextFactory.cs
+++ b/src/CodeBeam.UltimateAuth.Server/Auth/Context/AuthFlowContextFactory.cs
@@ -47,7 +47,7 @@ public async ValueTask<AuthFlowContext> CreateAsync(HttpContext ctx, AuthFlowTyp
         var sessionCtx = ctx.GetSessionContext();
         var user = ctx.GetUserContext();
 
-        var clientProfile = _clientProfileReader.Read(ctx);
+        var clientProfile = await _clientProfileReader.ReadAsync(ctx);
         var originalOptions = _serverOptionsProvider.GetOriginal(ctx);
         var effectiveOptions = _serverOptionsProvider.GetEffective(ctx, flowType, clientProfile);
 
@@ -61,9 +61,9 @@ public async ValueTask<AuthFlowContext> CreateAsync(HttpContext ctx, AuthFlowTyp
         var effectiveMode = effectiveOptions.Mode;
         var primaryTokenKind = _primaryTokenResolver.Resolve(effectiveMode);
         var response = _authResponseResolver.Resolve(effectiveMode, flowType, clientProfile, effectiveOptions);
-        var deviceInfo = _deviceResolver.Resolve(ctx);
+        var deviceInfo = await _deviceResolver.ResolveAsync(ctx);
         var deviceContext = _deviceContextFactory.Create(deviceInfo);
-        var returnUrl = ctx.GetReturnUrl();
+        var returnUrl = await ctx.GetReturnUrlAsync();
         var returnUrlInfo = ReturnUrlParser.Parse(returnUrl);
 
         SessionSecurityContext? sessionSecurityContext = null;
diff --git a/src/CodeBeam.UltimateAuth.Server/Auth/IClientProfileReader.cs b/src/CodeBeam.UltimateAuth.Server/Auth/IClientProfileReader.cs
index e64d3d7a..1d54a7de 100644
--- a/src/CodeBeam.UltimateAuth.Server/Auth/IClientProfileReader.cs
+++ b/src/CodeBeam.UltimateAuth.Server/Auth/IClientProfileReader.cs
@@ -5,5 +5,5 @@ namespace CodeBeam.UltimateAuth.Server.Auth;
 
 public interface IClientProfileReader
 {
-    UAuthClientProfile Read(HttpContext context);
+    Task<UAuthClientProfile> ReadAsync(HttpContext context);
 }
diff --git a/src/CodeBeam.UltimateAuth.Server/Authentication/AspNetCore/UAuthAuthenticationHandler.cs b/src/CodeBeam.UltimateAuth.Server/Authentication/AspNetCore/UAuthAuthenticationHandler.cs
index bb5fded8..96fff082 100644
--- a/src/CodeBeam.UltimateAuth.Server/Authentication/AspNetCore/UAuthAuthenticationHandler.cs
+++ b/src/CodeBeam.UltimateAuth.Server/Authentication/AspNetCore/UAuthAuthenticationHandler.cs
@@ -45,7 +45,7 @@ public UAuthAuthenticationHandler(
 
     protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
     {
-        var credential = _transportCredentialResolver.Resolve(Context);
+        var credential = await _transportCredentialResolver.ResolveAsync(Context);
 
         if (credential is null)
             return AuthenticateResult.NoResult();
diff --git a/src/CodeBeam.UltimateAuth.Server/Endpoints/Abstractions/ILoginEndpointHandler.cs b/src/CodeBeam.UltimateAuth.Server/Endpoints/Abstractions/ILoginEndpointHandler.cs
index 72b3df38..a275b413 100644
--- a/src/CodeBeam.UltimateAuth.Server/Endpoints/Abstractions/ILoginEndpointHandler.cs
+++ b/src/CodeBeam.UltimateAuth.Server/Endpoints/Abstractions/ILoginEndpointHandler.cs
@@ -5,4 +5,5 @@ namespace CodeBeam.UltimateAuth.Server.Endpoints;
 public interface ILoginEndpointHandler
 {
     Task<IResult> LoginAsync(HttpContext ctx);
+    Task<IResult> TryLoginAsync(HttpContext ctx);
 }
diff --git a/src/CodeBeam.UltimateAuth.Server/Endpoints/Abstractions/IPkceEndpointHandler.cs b/src/CodeBeam.UltimateAuth.Server/Endpoints/Abstractions/IPkceEndpointHandler.cs
index 547dcf9b..bc5cd909 100644
--- a/src/CodeBeam.UltimateAuth.Server/Endpoints/Abstractions/IPkceEndpointHandler.cs
+++ b/src/CodeBeam.UltimateAuth.Server/Endpoints/Abstractions/IPkceEndpointHandler.cs
@@ -17,4 +17,6 @@ public interface IPkceEndpointHandler
     /// then issues a session or token.
     /// </summary>
     Task<IResult> CompleteAsync(HttpContext ctx);
+
+    Task<IResult> TryCompleteAsync(HttpContext ctx);
 }
diff --git a/src/CodeBeam.UltimateAuth.Server/Endpoints/LoginEndpointHandler.cs b/src/CodeBeam.UltimateAuth.Server/Endpoints/LoginEndpointHandler.cs
index e3b0f3e6..5d6b0885 100644
--- a/src/CodeBeam.UltimateAuth.Server/Endpoints/LoginEndpointHandler.cs
+++ b/src/CodeBeam.UltimateAuth.Server/Endpoints/LoginEndpointHandler.cs
@@ -3,65 +3,108 @@
 using CodeBeam.UltimateAuth.Core.Domain;
 using CodeBeam.UltimateAuth.Server.Abstractions;
 using CodeBeam.UltimateAuth.Server.Auth;
+using CodeBeam.UltimateAuth.Server.Extensions;
+using CodeBeam.UltimateAuth.Server.Flows;
 using CodeBeam.UltimateAuth.Server.Infrastructure;
+using CodeBeam.UltimateAuth.Server.Options;
 using CodeBeam.UltimateAuth.Server.Services;
+using CodeBeam.UltimateAuth.Server.Stores;
+using CodeBeam.UltimateAuth.Users;
 using Microsoft.AspNetCore.Http;
+using Microsoft.Extensions.Options;
 
 namespace CodeBeam.UltimateAuth.Server.Endpoints;
 
-public sealed class LoginEndpointHandler : ILoginEndpointHandler
+internal sealed class LoginEndpointHandler : ILoginEndpointHandler
 {
     private readonly IAuthFlowContextAccessor _authFlow;
-    private readonly IUAuthFlowService _flowService;
-    private readonly IClock _clock;
+    private readonly IUAuthInternalFlowService _internalFlowService;
     private readonly ICredentialResponseWriter _credentialResponseWriter;
     private readonly IAuthRedirectResolver _redirectResolver;
+    private readonly IAuthStore _authStore;
+    private readonly ILoginIdentifierResolver _loginIdentifierResolver;
+    private readonly UAuthServerOptions _options;
+    private readonly IClock _clock;
 
     public LoginEndpointHandler(
         IAuthFlowContextAccessor authFlow,
-        IUAuthFlowService flowService,
-        IClock clock,
+        IUAuthInternalFlowService internalFlowService,
         ICredentialResponseWriter credentialResponseWriter,
-        IAuthRedirectResolver redirectResolver)
+        IAuthRedirectResolver redirectResolver,
+        IAuthStore authStore,
+        ILoginIdentifierResolver loginIdentifierResolver,
+        IOptions<UAuthServerOptions> options,
+        IClock clock)
     {
         _authFlow = authFlow;
-        _flowService = flowService;
-        _clock = clock;
+        _internalFlowService = internalFlowService;
         _credentialResponseWriter = credentialResponseWriter;
         _redirectResolver = redirectResolver;
+        _authStore = authStore;
+        _loginIdentifierResolver = loginIdentifierResolver;
+        _options = options.Value;
+        _clock = clock;
     }
 
     public async Task<IResult> LoginAsync(HttpContext ctx)
     {
         var authFlow = _authFlow.Current;
+        var request = await ReadLoginRequestAsync(ctx);
 
-        if (!ctx.Request.HasFormContentType)
-            return Results.BadRequest("Invalid content type.");
-
-        var form = await ctx.Request.ReadFormAsync();
+        if (request is null || string.IsNullOrWhiteSpace(request.Identifier) || string.IsNullOrWhiteSpace(request.Secret))
+        {
+            var failure = _redirectResolver.ResolveFailure(authFlow, ctx, AuthFailureReason.InvalidCredentials);
+            return failure.Enabled ? Results.Redirect(failure.TargetUrl!) : Results.Unauthorized();
+        }
 
-        var identifier = form["Identifier"].ToString();
-        var secret = form["Secret"].ToString();
+        var suppressFailureAttempt = false;
 
-        if (string.IsNullOrWhiteSpace(identifier) || string.IsNullOrWhiteSpace(secret))
+        if (!string.IsNullOrWhiteSpace(request.PreviewReceipt) && authFlow.Device.DeviceId is DeviceId deviceId)
         {
-            var decisionFailureInvalid = _redirectResolver.ResolveFailure(authFlow, ctx, AuthFailureReason.InvalidCredentials);
-
-            return decisionFailureInvalid.Enabled
-                ? Results.Redirect(decisionFailureInvalid.TargetUrl!)
-                : Results.Unauthorized();
+            var key = new AuthArtifactKey(request.PreviewReceipt);
+            var artifact = await _authStore.GetAsync(key, ctx.RequestAborted) as LoginPreviewArtifact;
+
+            if (artifact is not null)
+            {
+                var fingerprint = LoginPreviewFingerprint.Create(
+                    authFlow.Tenant,
+                    request.Identifier,
+                    CredentialType.Password,
+                    request.Secret,
+                    deviceId);
+
+                if (artifact.Matches(
+                    authFlow.Tenant,
+                    artifact.UserKey,
+                    CredentialType.Password,
+                    deviceId.Value,
+                    request.Identifier,
+                    authFlow.ClientProfile,
+                    fingerprint))
+                {
+                    suppressFailureAttempt = true;
+                    await _authStore.ConsumeAsync(key, ctx.RequestAborted);
+                }
+            }
         }
 
         var flowRequest = new LoginRequest
         {
-            Identifier = identifier,
-            Secret = secret,
-            Tenant = authFlow.Tenant,
-            At = _clock.UtcNow,
-            RequestTokens = authFlow.AllowsTokenIssuance
+            Identifier = request.Identifier,
+            Secret = request.Secret,
+            Factor = CredentialType.Password,
+            PreviewReceipt = request.PreviewReceipt,
+            RequestTokens = authFlow.AllowsTokenIssuance,
+            Metadata = request.Metadata,
         };
 
-        var result = await _flowService.LoginAsync(authFlow, flowRequest, ctx.RequestAborted);
+        var result = await _internalFlowService.LoginAsync(authFlow, flowRequest,
+            new LoginExecutionOptions
+            {
+                Mode = LoginExecutionMode.Commit,
+                SuppressFailureAttempt = suppressFailureAttempt,
+                SuppressSuccessReset = false
+            }, ctx.RequestAborted);
 
         if (!result.IsSuccess)
         {
@@ -93,4 +136,111 @@ public async Task<IResult> LoginAsync(HttpContext ctx)
             ? Results.Redirect(decision.TargetUrl!)
             : Results.Ok();
     }
+
+    public async Task<IResult> TryLoginAsync(HttpContext ctx)
+    {
+        var authFlow = _authFlow.Current;
+
+        if (!ctx.Request.HasFormContentType && !ctx.Request.HasJsonContentType())
+            return Results.BadRequest("Invalid content type.");
+
+        var request = await ReadLoginRequestAsync(ctx);
+        if (request is null)
+            return Results.BadRequest("Invalid payload.");
+
+        if (string.IsNullOrWhiteSpace(request.Identifier) || string.IsNullOrWhiteSpace(request.Secret))
+        {
+            return Results.Ok(new TryLoginResult
+            {
+                Success = false,
+                Reason = AuthFailureReason.InvalidCredentials
+            });
+        }
+
+        request = new LoginRequest
+        {
+            Identifier = request.Identifier,
+            Secret = request.Secret,
+            Factor = CredentialType.Password,
+            PreviewReceipt = request.PreviewReceipt,
+            RequestTokens = authFlow.AllowsTokenIssuance,
+            Metadata = request.Metadata
+        };
+
+        var result = await _internalFlowService.LoginAsync(
+            authFlow,
+            request,
+            new LoginExecutionOptions
+            {
+                Mode = LoginExecutionMode.Preview,
+                SuppressFailureAttempt = false,
+                SuppressSuccessReset = true
+            },
+            ctx.RequestAborted);
+
+        string? previewReceipt = null;
+
+        if (result.IsSuccess && authFlow.Device.DeviceId is DeviceId deviceId)
+        {
+            var fingerprint = LoginPreviewFingerprint.Create(
+                authFlow.Tenant,
+                request.Identifier,
+                request.Factor,
+                request.Secret,
+                deviceId);
+
+            var receipt = AuthArtifactKey.New();
+            previewReceipt = receipt.Value;
+
+            var resolution = await _loginIdentifierResolver.ResolveAsync(authFlow.Tenant, request.Identifier, ctx.RequestAborted);
+
+            if (resolution?.UserKey is { } userKey)
+            {
+                var artifact = new LoginPreviewArtifact(
+                    authFlow.Tenant,
+                    userKey,
+                    request.Factor,
+                    deviceId.Value,
+                    request.Identifier,
+                    authFlow.ClientProfile,
+                    fingerprint,
+                    _clock.UtcNow.Add(_options.Login.TryLoginDuration));
+
+                await _authStore.StoreAsync(receipt, artifact, ctx.RequestAborted);
+            }
+        }
+
+        return Results.Ok(new TryLoginResult
+        {
+            Success = result.IsSuccess,
+            Reason = result.FailureReason,
+            RemainingAttempts = result.RemainingAttempts,
+            LockoutUntilUtc = result.LockoutUntilUtc,
+            RequiresMfa = result.RequiresMfa,
+            PreviewReceipt = previewReceipt
+        });
+    }
+
+    private async Task<LoginRequest?> ReadLoginRequestAsync(HttpContext ctx)
+    {
+        if (ctx.Request.HasJsonContentType())
+        {
+            return await ctx.Request.ReadFromJsonAsync<LoginRequest>(cancellationToken: ctx.RequestAborted);
+        }
+
+        if (ctx.Request.HasFormContentType)
+        {
+            var form = await ctx.GetCachedFormAsync();
+
+            return new LoginRequest
+            {
+                Identifier = form?["Identifier"].FirstOrDefault() ?? string.Empty,
+                Secret = form?["Secret"].FirstOrDefault() ?? string.Empty,
+                PreviewReceipt = form?["PreviewReceipt"].FirstOrDefault(),
+                // TODO: Other properties?
+            };
+        }
+
+        return null;
+    }
 }
diff --git a/src/CodeBeam.UltimateAuth.Server/Endpoints/PkceEndpointHandler.cs b/src/CodeBeam.UltimateAuth.Server/Endpoints/PkceEndpointHandler.cs
index 419fbc16..faa6a686 100644
--- a/src/CodeBeam.UltimateAuth.Server/Endpoints/PkceEndpointHandler.cs
+++ b/src/CodeBeam.UltimateAuth.Server/Endpoints/PkceEndpointHandler.cs
@@ -17,6 +17,7 @@ internal sealed class PkceEndpointHandler : IPkceEndpointHandler
 {
     private readonly IAuthFlowContextAccessor _authContext;
     private readonly IUAuthFlowService _flow;
+    private readonly IUAuthInternalFlowService _internalFlowService;
     private readonly IAuthStore _authStore;
     private readonly IPkceAuthorizationValidator _validator;
     private readonly IClock _clock;
@@ -27,6 +28,7 @@ internal sealed class PkceEndpointHandler : IPkceEndpointHandler
     public PkceEndpointHandler(
         IAuthFlowContextAccessor authContext,
         IUAuthFlowService flow,
+        IUAuthInternalFlowService internalFlowService,
         IAuthStore authStore,
         IPkceAuthorizationValidator validator,
         IClock clock,
@@ -36,6 +38,7 @@ public PkceEndpointHandler(
     {
         _authContext = authContext;
         _flow = flow;
+        _internalFlowService = internalFlowService;
         _authStore = authStore;
         _validator = validator;
         _clock = clock;
@@ -90,6 +93,84 @@ public async Task<IResult> AuthorizeAsync(HttpContext ctx)
         });
     }
 
+    public async Task<IResult> TryCompleteAsync(HttpContext ctx)
+    {
+        var authContext = _authContext.Current;
+
+        if (authContext.FlowType != AuthFlowType.Login)
+            return Results.BadRequest("PKCE is only supported for login flow.");
+
+        var request = await ReadPkceTryCompleteRequestAsync(ctx);
+        if (request is null)
+            return Results.BadRequest("Invalid PKCE completion payload.");
+
+        if (string.IsNullOrWhiteSpace(request.AuthorizationCode) || string.IsNullOrWhiteSpace(request.CodeVerifier))
+            return Results.BadRequest("authorization_code and code_verifier are required.");
+
+        var artifactKey = new AuthArtifactKey(request.AuthorizationCode);
+        var artifact = await _authStore.GetAsync(artifactKey, ctx.RequestAborted) as PkceAuthorizationArtifact;
+
+        if (artifact is null)
+        {
+            return Results.Ok(new TryPkceLoginResult
+            {
+                Success = false,
+                RetryWithNewPkce = true
+            });
+        }
+
+        var validation = _validator.Validate(
+            artifact,
+            request.CodeVerifier,
+            new PkceContextSnapshot(
+                clientProfile: authContext.ClientProfile,
+                tenant: authContext.Tenant,
+                redirectUri: null,
+                deviceId: artifact.Context.DeviceId),
+            _clock.UtcNow);
+
+        if (!validation.Success)
+        {
+            return Results.Ok(new TryPkceLoginResult
+            {
+                Success = false,
+                RetryWithNewPkce = true
+            });
+        }
+
+        var loginRequest = new LoginRequest
+        {
+            Identifier = request.Identifier,
+            Secret = request.Secret,
+            RequestTokens = authContext.AllowsTokenIssuance
+        };
+
+        var execution = new AuthExecutionContext
+        {
+            EffectiveClientProfile = artifact.Context.ClientProfile,
+            Device = DeviceContext.Create(DeviceId.Create(artifact.Context.DeviceId))
+        };
+
+        var preview = await _internalFlowService.LoginAsync(authContext, execution, loginRequest,
+             new LoginExecutionOptions
+             {
+                 Mode = LoginExecutionMode.Preview,
+                 SuppressFailureAttempt = false,
+                 SuppressSuccessReset = true
+             }, ctx.RequestAborted);
+
+        return Results.Ok(new TryPkceLoginResult
+        {
+            Success = preview.IsSuccess,
+            Reason = preview.FailureReason,
+            RemainingAttempts = preview.RemainingAttempts,
+            LockoutUntilUtc = preview.LockoutUntilUtc,
+            RequiresMfa = preview.FailureReason == AuthFailureReason.RequiresMfa,
+            RetryWithNewPkce = false
+        });
+    }
+
+    // TODO: Handle PKCE complete here as same as login try flow
     public async Task<IResult> CompleteAsync(HttpContext ctx)
     {
         var authContext = _authContext.Current;
@@ -128,8 +209,6 @@ public async Task<IResult> CompleteAsync(HttpContext ctx)
         {
             Identifier = request.Identifier,
             Secret = request.Secret,
-            Tenant = authContext.Tenant,
-            At = _clock.UtcNow,
             RequestTokens = authContext.AllowsTokenIssuance
         };
 
@@ -225,6 +304,36 @@ public async Task<IResult> CompleteAsync(HttpContext ctx)
         return null;
     }
 
+    private static async Task<TryPkceLoginRequest?> ReadPkceTryCompleteRequestAsync(HttpContext ctx)
+    {
+        if (ctx.Request.HasJsonContentType())
+        {
+            return await ctx.Request.ReadFromJsonAsync<TryPkceLoginRequest>(cancellationToken: ctx.RequestAborted);
+        }
+
+        if (ctx.Request.HasFormContentType)
+        {
+            var form = await ctx.Request.ReadFormAsync(ctx.RequestAborted);
+
+            var authorizationCode = form["authorization_code"].ToString();
+            var codeVerifier = form["code_verifier"].ToString();
+            var identifier = form["Identifier"].ToString();
+            var secret = form["Secret"].ToString();
+            var returnUrl = form["return_url"].ToString();
+
+            return new TryPkceLoginRequest
+            {
+                AuthorizationCode = authorizationCode,
+                CodeVerifier = codeVerifier,
+                Identifier = identifier,
+                Secret = secret,
+                ReturnUrl = returnUrl
+            };
+        }
+
+        return null;
+    }
+
     private async Task<IResult> RedirectToLoginWithErrorAsync(HttpContext ctx, AuthFlowContext auth, string error)
     {
         var basePath = auth.OriginalOptions.Hub.LoginPath ?? "/login";
@@ -237,15 +346,20 @@ private async Task<IResult> RedirectToLoginWithErrorAsync(HttpContext ctx, AuthF
 
             if (artifact is HubFlowArtifact hub)
             {
-                hub.MarkCompleted();
-                await _authStore.StoreAsync(key, hub, ctx.RequestAborted);
+                //hub.MarkCompleted();
+                //await _authStore.StoreAsync(key, hub, ctx.RequestAborted);
+
+                hub.SetError("invalid");
+                await _authStore.StoreAsync(key, hub);
+
+                return Results.Redirect($"{basePath}?hub={Uri.EscapeDataString(hubKey)}");
             }
 
-            return Results.Redirect(
-                $"{basePath}?hub={Uri.EscapeDataString(hubKey)}&__uauth_error={Uri.EscapeDataString(error)}");
+            //return Results.Redirect($"{basePath}?hub={Uri.EscapeDataString(hubKey)}&__uauth_error={Uri.EscapeDataString(error)}");
+            
         }
 
-        return Results.Redirect(
-            $"{basePath}?__uauth_error={Uri.EscapeDataString(error)}");
+        //return Results.Redirect($"{basePath}?__uauth_error={Uri.EscapeDataString(error)}");
+        return Results.Redirect(basePath);
     }
 }
diff --git a/src/CodeBeam.UltimateAuth.Server/Endpoints/UAuthEndpointRegistrar.cs b/src/CodeBeam.UltimateAuth.Server/Endpoints/UAuthEndpointRegistrar.cs
index 4387daee..fa1d0120 100644
--- a/src/CodeBeam.UltimateAuth.Server/Endpoints/UAuthEndpointRegistrar.cs
+++ b/src/CodeBeam.UltimateAuth.Server/Endpoints/UAuthEndpointRegistrar.cs
@@ -47,6 +47,9 @@ public void MapEndpoints(RouteGroupBuilder rootGroup, UAuthServerOptions options
             group.MapPost("/login", async ([FromServices] ILoginEndpointHandler h, HttpContext ctx)
                 => await h.LoginAsync(ctx)).WithMetadata(new AuthFlowMetadata(AuthFlowType.Login));
 
+            group.MapPost("/try-login", async ([FromServices] ILoginEndpointHandler h, HttpContext ctx)
+                => await h.TryLoginAsync(ctx)).WithMetadata(new AuthFlowMetadata(AuthFlowType.Login));
+
             group.MapPost("/validate", async ([FromServices] IValidateEndpointHandler h, HttpContext ctx)
                 => await h.ValidateAsync(ctx)).WithMetadata(new AuthFlowMetadata(AuthFlowType.ValidateSession));
 
@@ -95,6 +98,9 @@ public void MapEndpoints(RouteGroupBuilder rootGroup, UAuthServerOptions options
 
             pkce.MapPost("/complete", async ([FromServices] IPkceEndpointHandler h, HttpContext ctx)
                     => await h.CompleteAsync(ctx)).WithMetadata(new AuthFlowMetadata(AuthFlowType.Login));
+
+            pkce.MapPost("/try-complete", async ([FromServices] IPkceEndpointHandler h, HttpContext ctx)
+                    => await h.TryCompleteAsync(ctx)).WithMetadata(new AuthFlowMetadata(AuthFlowType.Login));
         }
 
         //if (options.Endpoints.Token != false)
diff --git a/src/CodeBeam.UltimateAuth.Server/Endpoints/ValidateEndpointHandler.cs b/src/CodeBeam.UltimateAuth.Server/Endpoints/ValidateEndpointHandler.cs
index 808c8717..9473ee3a 100644
--- a/src/CodeBeam.UltimateAuth.Server/Endpoints/ValidateEndpointHandler.cs
+++ b/src/CodeBeam.UltimateAuth.Server/Endpoints/ValidateEndpointHandler.cs
@@ -11,14 +11,14 @@ namespace CodeBeam.UltimateAuth.Server.Endpoints;
 internal sealed class ValidateEndpointHandler : IValidateEndpointHandler
 {
     private readonly IAuthFlowContextAccessor _authContext;
-    private readonly IFlowCredentialResolver _credentialResolver;
+    private readonly IValidateCredentialResolver _credentialResolver;
     private readonly ISessionValidator _sessionValidator;
     private readonly IAuthStateSnapshotFactory _snapshotFactory;
     private readonly IClock _clock;
 
     public ValidateEndpointHandler(
         IAuthFlowContextAccessor authContext,
-        IFlowCredentialResolver credentialResolver,
+        IValidateCredentialResolver credentialResolver,
         ISessionValidator sessionValidator,
         IAuthStateSnapshotFactory snapshotFactory,
         IClock clock)
@@ -33,7 +33,7 @@ public ValidateEndpointHandler(
     public async Task<IResult> ValidateAsync(HttpContext context, CancellationToken ct = default)
     {
         var auth = _authContext.Current;
-        var credential = _credentialResolver.Resolve(context, auth.Response);
+        var credential = await _credentialResolver.ResolveAsync(context, auth.Response);
 
         if (credential is null)
         {
diff --git a/src/CodeBeam.UltimateAuth.Server/Extensions/DeviceExtensions.cs b/src/CodeBeam.UltimateAuth.Server/Extensions/DeviceExtensions.cs
index de1bd560..5a5ec37a 100644
--- a/src/CodeBeam.UltimateAuth.Server/Extensions/DeviceExtensions.cs
+++ b/src/CodeBeam.UltimateAuth.Server/Extensions/DeviceExtensions.cs
@@ -7,9 +7,9 @@ namespace CodeBeam.UltimateAuth.Server.Extensions;
 
 public static class DeviceExtensions
 {
-    public static DeviceInfo GetDevice(this HttpContext context)
+    public static async Task<DeviceInfo> GetDeviceAsync(this HttpContext context)
     {
         var resolver = context.RequestServices.GetRequiredService<IDeviceResolver>();
-        return resolver.Resolve(context);
+        return await resolver.ResolveAsync(context);
     }
 }
diff --git a/src/CodeBeam.UltimateAuth.Server/Extensions/HttpContext/HttpContextRequestExtensions.cs b/src/CodeBeam.UltimateAuth.Server/Extensions/HttpContext/HttpContextRequestExtensions.cs
new file mode 100644
index 00000000..480e882b
--- /dev/null
+++ b/src/CodeBeam.UltimateAuth.Server/Extensions/HttpContext/HttpContextRequestExtensions.cs
@@ -0,0 +1,34 @@
+using Microsoft.AspNetCore.Http;
+
+namespace CodeBeam.UltimateAuth.Server.Extensions;
+
+internal static class HttpContextRequestExtensions
+{
+    private const string FormCacheKey = "__uauth_form";
+
+    public static async Task<IFormCollection?> GetCachedFormAsync(this HttpContext ctx)
+    {
+        if (!ctx.Request.HasFormContentType)
+            return null;
+
+        if (ctx.Items.TryGetValue(FormCacheKey, out var existing) && existing is IFormCollection cached)
+            return cached;
+
+        try
+        {
+            ctx.Request.EnableBuffering();
+            var form = await ctx.Request.ReadFormAsync();
+            ctx.Request.Body.Position = 0;
+            ctx.Items[FormCacheKey] = form;
+            return form;
+        }
+        catch (IOException)
+        {
+            return null;
+        }
+        catch
+        {
+            throw new InvalidOperationException();
+        }
+    }
+}
diff --git a/src/CodeBeam.UltimateAuth.Server/Extensions/HttpContext/HttpContextReturnUrlExtensions.cs b/src/CodeBeam.UltimateAuth.Server/Extensions/HttpContext/HttpContextReturnUrlExtensions.cs
index 890cdf28..3ca9c43a 100644
--- a/src/CodeBeam.UltimateAuth.Server/Extensions/HttpContext/HttpContextReturnUrlExtensions.cs
+++ b/src/CodeBeam.UltimateAuth.Server/Extensions/HttpContext/HttpContextReturnUrlExtensions.cs
@@ -5,16 +5,28 @@ namespace CodeBeam.UltimateAuth.Server.Extensions;
 
 internal static class HttpContextReturnUrlExtensions
 {
-    public static string? GetReturnUrl(this HttpContext ctx)
+    public static async Task<string?> GetReturnUrlAsync(this HttpContext ctx)
     {
-        if (ctx.Request.HasFormContentType && ctx.Request.Form.TryGetValue(UAuthConstants.Form.ReturnUrl, out var form))
+        if (ctx.Request.Query.TryGetValue(UAuthConstants.Query.ReturnUrl, out var query))
         {
-            return form.ToString();
+            return query.ToString();
         }
 
-        if (ctx.Request.Query.TryGetValue(UAuthConstants.Query.ReturnUrl, out var query))
+        if (ctx.Request.HasFormContentType)
         {
-            return query.ToString();
+            try
+            {
+                var form = await ctx.GetCachedFormAsync();
+
+                if (form?.TryGetValue(UAuthConstants.Form.ReturnUrl, out var formValue) == true)
+                {
+                    return formValue.ToString();
+                }
+            }
+            catch (IOException)
+            {
+                return null;
+            }
         }
 
         return null;
diff --git a/src/CodeBeam.UltimateAuth.Server/Extensions/ServiceCollectionExtensions.cs b/src/CodeBeam.UltimateAuth.Server/Extensions/ServiceCollectionExtensions.cs
index 4778a004..0cd486ab 100644
--- a/src/CodeBeam.UltimateAuth.Server/Extensions/ServiceCollectionExtensions.cs
+++ b/src/CodeBeam.UltimateAuth.Server/Extensions/ServiceCollectionExtensions.cs
@@ -168,6 +168,7 @@ private static IServiceCollection AddUltimateAuthServerInternal(this IServiceCol
 
         services.TryAddScoped<ISessionApplicationService, SessionApplicationService>();
         services.TryAddScoped<IUAuthFlowService, UAuthFlowService>();
+        services.TryAddScoped<IUAuthInternalFlowService, UAuthFlowService>();
         services.TryAddScoped<IRefreshFlowService, RefreshFlowService>();
 
         services.TryAddSingleton<IClock, CodeBeam.UltimateAuth.Server.Infrastructure.SystemClock>();
@@ -183,6 +184,7 @@ private static IServiceCollection AddUltimateAuthServerInternal(this IServiceCol
 
         services.TryAddScoped<ISessionOrchestrator, UAuthSessionOrchestrator>();
         services.TryAddScoped<ILoginOrchestrator, LoginOrchestrator>();
+        services.TryAddScoped<IInternalLoginOrchestrator, LoginOrchestrator>();
         services.TryAddScoped<IAccessOrchestrator, UAuthAccessOrchestrator>();
         services.TryAddScoped<ILoginAuthority, LoginAuthority>();
         services.TryAddScoped<IAuthAuthority, AuthAuthority>();
@@ -203,7 +205,7 @@ private static IServiceCollection AddUltimateAuthServerInternal(this IServiceCol
         services.TryAddScoped<ITenantResolver, UAuthTenantResolver>();
         services.TryAddScoped<IRefreshTokenResolver, RefreshTokenResolver>();
         services.TryAddScoped<IDeviceResolver, DeviceResolver>();
-        services.TryAddScoped<IFlowCredentialResolver, FlowCredentialResolver>();
+        services.TryAddScoped<IValidateCredentialResolver, ValidateCredentialResolver>();
         services.TryAddScoped<ITransportCredentialResolver, TransportCredentialResolver>();
         services.TryAddScoped<IPrimaryCredentialResolver, PrimaryCredentialResolver>();
         services.TryAddSingleton<AuthResponseOptionsModeTemplateResolver>();
diff --git a/src/CodeBeam.UltimateAuth.Server/Flows/Login/ILoginOrchestrator.cs b/src/CodeBeam.UltimateAuth.Server/Flows/Login/ILoginOrchestrator.cs
index 6fac9ccc..c2274f14 100644
--- a/src/CodeBeam.UltimateAuth.Server/Flows/Login/ILoginOrchestrator.cs
+++ b/src/CodeBeam.UltimateAuth.Server/Flows/Login/ILoginOrchestrator.cs
@@ -13,3 +13,8 @@ public interface ILoginOrchestrator
 {
     Task<LoginResult> LoginAsync(AuthFlowContext flow, LoginRequest request, CancellationToken ct = default);
 }
+
+internal interface IInternalLoginOrchestrator
+{
+    Task<LoginResult> LoginAsync(AuthFlowContext flow, LoginRequest request, LoginExecutionOptions loginExecution, CancellationToken ct = default);
+}
diff --git a/src/CodeBeam.UltimateAuth.Server/Flows/Login/LoginExecutionMode.cs b/src/CodeBeam.UltimateAuth.Server/Flows/Login/LoginExecutionMode.cs
new file mode 100644
index 00000000..56892530
--- /dev/null
+++ b/src/CodeBeam.UltimateAuth.Server/Flows/Login/LoginExecutionMode.cs
@@ -0,0 +1,7 @@
+namespace CodeBeam.UltimateAuth.Server.Flows;
+
+internal enum LoginExecutionMode
+{
+    Preview = 0,
+    Commit = 1
+}
diff --git a/src/CodeBeam.UltimateAuth.Server/Flows/Login/LoginExecutionOptions.cs b/src/CodeBeam.UltimateAuth.Server/Flows/Login/LoginExecutionOptions.cs
new file mode 100644
index 00000000..aeb960f4
--- /dev/null
+++ b/src/CodeBeam.UltimateAuth.Server/Flows/Login/LoginExecutionOptions.cs
@@ -0,0 +1,8 @@
+namespace CodeBeam.UltimateAuth.Server.Flows;
+
+internal sealed record LoginExecutionOptions
+{
+    public LoginExecutionMode Mode { get; init; } = LoginExecutionMode.Commit;
+    public bool SuppressFailureAttempt { get; init; }
+    public bool SuppressSuccessReset { get; init; }
+}
diff --git a/src/CodeBeam.UltimateAuth.Server/Flows/Login/LoginOrchestrator.cs b/src/CodeBeam.UltimateAuth.Server/Flows/Login/LoginOrchestrator.cs
index c34d264b..18734ab8 100644
--- a/src/CodeBeam.UltimateAuth.Server/Flows/Login/LoginOrchestrator.cs
+++ b/src/CodeBeam.UltimateAuth.Server/Flows/Login/LoginOrchestrator.cs
@@ -18,7 +18,7 @@
 
 namespace CodeBeam.UltimateAuth.Server.Flows;
 
-internal sealed class LoginOrchestrator : ILoginOrchestrator
+internal sealed class LoginOrchestrator : ILoginOrchestrator, IInternalLoginOrchestrator
 {
     private readonly ILoginIdentifierResolver _identifierResolver;
     private readonly IEnumerable<ICredentialProvider> _credentialProviders; // authentication
@@ -31,6 +31,7 @@ internal sealed class LoginOrchestrator : ILoginOrchestrator
     private readonly IAuthenticationSecurityManager _authenticationSecurityManager; // runtime risk
     private readonly UAuthEventDispatcher _events;
     private readonly UAuthServerOptions _options;
+    private readonly IClock _clock;
 
     public LoginOrchestrator(
         ILoginIdentifierResolver identifierResolver,
@@ -43,7 +44,8 @@ public LoginOrchestrator(
         ISessionStoreFactory storeFactory,
         IAuthenticationSecurityManager authenticationSecurityManager,
         UAuthEventDispatcher events,
-        IOptions<UAuthServerOptions> options)
+        IOptions<UAuthServerOptions> options,
+        IClock clock)
     {
         _identifierResolver = identifierResolver;
         _credentialProviders = credentialProviders;
@@ -56,17 +58,21 @@ public LoginOrchestrator(
         _authenticationSecurityManager = authenticationSecurityManager;
         _events = events;
         _options = options.Value;
+        _clock = clock;
     }
 
-    public async Task<LoginResult> LoginAsync(AuthFlowContext flow, LoginRequest request, CancellationToken ct = default)
+    public Task<LoginResult> LoginAsync(AuthFlowContext flow, LoginRequest request, CancellationToken ct = default)
+        => LoginAsync(flow, request, new LoginExecutionOptions { Mode = LoginExecutionMode.Commit }, ct);
+
+    public async Task<LoginResult> LoginAsync(AuthFlowContext flow, LoginRequest request, LoginExecutionOptions loginExecution, CancellationToken ct = default)
     {
         ct.ThrowIfCancellationRequested();
 
         if (flow.Device.DeviceId is not DeviceId deviceId)
             throw new UAuthConflictException("Device id could not resolved.");
 
-        var now = request.At ?? DateTimeOffset.UtcNow;
-        var resolution = await _identifierResolver.ResolveAsync(request.Tenant, request.Identifier, ct);
+        var now = _clock.UtcNow;
+        var resolution = await _identifierResolver.ResolveAsync(flow.Tenant, request.Identifier, ct);
         var userKey = resolution?.UserKey;
 
         bool userExists = false;
@@ -77,19 +83,18 @@ public async Task<LoginResult> LoginAsync(AuthFlowContext flow, LoginRequest req
 
         if (userKey is not null)
         {
-            var user = await _users.GetAsync(request.Tenant, userKey.Value, ct);
+            var user = await _users.GetAsync(flow.Tenant, userKey.Value, ct);
             if (user is not null && user.CanAuthenticate && !user.IsDeleted)
             {
                 userExists = true;
-
-                accountState = await _authenticationSecurityManager.GetOrCreateAccountAsync(request.Tenant, userKey.Value, ct);
+                accountState = await _authenticationSecurityManager.GetOrCreateAccountAsync(flow.Tenant, userKey.Value, ct);
 
                 if (accountState.IsLocked(now))
                 {
                     return LoginResult.Failed(AuthFailureReason.LockedOut, accountState.LockedUntil, remainingAttempts: 0);
                 }
 
-                factorState = await _authenticationSecurityManager.GetOrCreateFactorAsync(request.Tenant, userKey.Value, request.Factor, ct);
+                factorState = await _authenticationSecurityManager.GetOrCreateFactorAsync(flow.Tenant, userKey.Value, request.Factor, ct);
 
                 if (factorState.IsLocked(now))
                 {
@@ -98,7 +103,7 @@ public async Task<LoginResult> LoginAsync(AuthFlowContext flow, LoginRequest req
 
                 foreach (var provider in _credentialProviders)
                 {
-                    var credentials = await provider.GetByUserAsync(request.Tenant, userKey.Value, ct);
+                    var credentials = await provider.GetByUserAsync(flow.Tenant, userKey.Value, ct);
 
                     foreach (var credential in credentials)
                     {
@@ -119,7 +124,7 @@ public async Task<LoginResult> LoginAsync(AuthFlowContext flow, LoginRequest req
         }
 
         // TODO: Add create-time uniqueness guard for chain id for concurrency
-        var sessionStore = _storeFactory.Create(request.Tenant);
+        var sessionStore = _storeFactory.Create(flow.Tenant);
         SessionChainId? chainId = null;
 
         if (userKey is not null)
@@ -133,7 +138,7 @@ public async Task<LoginResult> LoginAsync(AuthFlowContext flow, LoginRequest req
         // TODO: Add accountState here, currently it only checks factor state
         var decisionContext = new LoginDecisionContext
         {
-            Tenant = request.Tenant,
+            Tenant = flow.Tenant,
             Identifier = request.Identifier,
             CredentialsValid = credentialsValid,
             UserExists = userExists,
@@ -144,32 +149,36 @@ public async Task<LoginResult> LoginAsync(AuthFlowContext flow, LoginRequest req
 
         var decision = _authority.Decide(decisionContext);
 
-        var max = _options.Login.MaxFailedAttempts;
-
         if (decision.Kind == LoginDecisionKind.Deny)
         {
             if (userKey is not null && userExists && factorState is not null)
             {
-                var securityVersion = factorState.SecurityVersion;
-                factorState = factorState.RegisterFailure(now, _options.Login.MaxFailedAttempts, _options.Login.LockoutDuration, _options.Login.ExtendLockOnFailure);
-                await _authenticationSecurityManager.UpdateAsync(factorState, securityVersion, ct);
-
                 DateTimeOffset? lockedUntil = null;
                 int? remainingAttempts = null;
 
+                if (!loginExecution.SuppressFailureAttempt)
+                {
+                    var version = factorState.SecurityVersion;
+                    factorState = factorState.RegisterFailure(now, _options.Login.MaxFailedAttempts, _options.Login.LockoutDuration, _options.Login.ExtendLockOnFailure);
+                    await _authenticationSecurityManager.UpdateAsync(factorState, version, ct);
+                }
+
                 if (_options.Login.IncludeFailureDetails)
                 {
-                    if (factorState.IsLocked(now))
+                    var stateForResponse = factorState;
+
+                    if (stateForResponse.IsLocked(now))
                     {
-                        lockedUntil = factorState.LockedUntil;
+                        lockedUntil = stateForResponse.LockedUntil;
                         remainingAttempts = 0;
                     }
                     else if (_options.Login.MaxFailedAttempts > 0)
                     {
-                        remainingAttempts = _options.Login.MaxFailedAttempts - factorState.FailedAttempts;
+                        remainingAttempts = _options.Login.MaxFailedAttempts - stateForResponse.FailedAttempts;
                     }
                 }
 
+
                 return LoginResult.Failed(
                     factorState.IsLocked(now)
                         ? AuthFailureReason.LockedOut
@@ -194,18 +203,23 @@ public async Task<LoginResult> LoginAsync(AuthFlowContext flow, LoginRequest req
             return LoginResult.Failed(AuthFailureReason.InvalidCredentials);
 
         // After this point, the login is successful. We can reset any failure counts and proceed to create a session.
-        if (factorState is not null)
+        if (loginExecution.Mode == LoginExecutionMode.Preview)
+        {
+            return LoginResult.SuccessPreview();
+        }
+
+        if (!loginExecution.SuppressSuccessReset && factorState is not null)
         {
             var version = factorState.SecurityVersion;
             factorState = factorState.RegisterSuccess();
             await _authenticationSecurityManager.UpdateAsync(factorState, version, ct);
         }
 
-        var claims = await _claimsProvider.GetClaimsAsync(request.Tenant, userKey.Value, ct);
+        var claims = await _claimsProvider.GetClaimsAsync(flow.Tenant, userKey.Value, ct);
 
         var sessionContext = new AuthenticatedSessionContext
         {
-            Tenant = request.Tenant,
+            Tenant = flow.Tenant,
             UserKey = userKey.Value,
             Now = now,
             Device = flow.Device,
@@ -224,7 +238,7 @@ public async Task<LoginResult> LoginAsync(AuthFlowContext flow, LoginRequest req
         {
             var tokenContext = new TokenIssuanceContext
             {
-                Tenant = request.Tenant,
+                Tenant = flow.Tenant,
                 UserKey = userKey.Value,
                 SessionId = issuedSession.Session.SessionId,
                 ChainId = issuedSession.Session.ChainId,
@@ -239,7 +253,7 @@ public async Task<LoginResult> LoginAsync(AuthFlowContext flow, LoginRequest req
         }
 
         await _events.DispatchAsync(
-            new UserLoggedInContext(request.Tenant, userKey.Value, now, flow.Device, issuedSession.Session.SessionId));
+            new UserLoggedInContext(flow.Tenant, userKey.Value, now, flow.Device, issuedSession.Session.SessionId));
 
         return LoginResult.Success(issuedSession.Session.SessionId, tokens);
     }
diff --git a/src/CodeBeam.UltimateAuth.Server/Flows/Login/LoginPreviewFingerprint.cs b/src/CodeBeam.UltimateAuth.Server/Flows/Login/LoginPreviewFingerprint.cs
new file mode 100644
index 00000000..a32dc31f
--- /dev/null
+++ b/src/CodeBeam.UltimateAuth.Server/Flows/Login/LoginPreviewFingerprint.cs
@@ -0,0 +1,16 @@
+using System.Security.Cryptography;
+using System.Text;
+using CodeBeam.UltimateAuth.Core.Domain;
+using CodeBeam.UltimateAuth.Core.MultiTenancy;
+
+namespace CodeBeam.UltimateAuth.Server.Flows;
+
+internal static class LoginPreviewFingerprint
+{
+    public static string Create(TenantKey tenant, string identifier, CredentialType factor, string secret, DeviceId deviceId)
+    {
+        var normalized = $"{tenant.Value}|{identifier}|{factor}|{deviceId.Value}|{secret}";
+        var bytes = SHA256.HashData(Encoding.UTF8.GetBytes(normalized));
+        return Convert.ToHexString(bytes);
+    }
+}
\ No newline at end of file
diff --git a/src/CodeBeam.UltimateAuth.Server/Infrastructure/Credentials/AspNetCore/ITransportCredentialResolver.cs b/src/CodeBeam.UltimateAuth.Server/Infrastructure/Credentials/AspNetCore/ITransportCredentialResolver.cs
index 22015398..a14f8437 100644
--- a/src/CodeBeam.UltimateAuth.Server/Infrastructure/Credentials/AspNetCore/ITransportCredentialResolver.cs
+++ b/src/CodeBeam.UltimateAuth.Server/Infrastructure/Credentials/AspNetCore/ITransportCredentialResolver.cs
@@ -4,5 +4,5 @@ namespace CodeBeam.UltimateAuth.Server.Infrastructure;
 
 public interface ITransportCredentialResolver
 {
-    TransportCredential? Resolve(HttpContext context);
+    ValueTask<TransportCredential?> ResolveAsync(HttpContext context);
 }
diff --git a/src/CodeBeam.UltimateAuth.Server/Infrastructure/Credentials/AspNetCore/TransportCredentialResolver.cs b/src/CodeBeam.UltimateAuth.Server/Infrastructure/Credentials/AspNetCore/TransportCredentialResolver.cs
index 2a23d8b3..2751b2a3 100644
--- a/src/CodeBeam.UltimateAuth.Server/Infrastructure/Credentials/AspNetCore/TransportCredentialResolver.cs
+++ b/src/CodeBeam.UltimateAuth.Server/Infrastructure/Credentials/AspNetCore/TransportCredentialResolver.cs
@@ -14,121 +14,85 @@ public TransportCredentialResolver(IOptionsMonitor<UAuthServerOptions> server)
         _server = server;
     }
 
-    public TransportCredential? Resolve(HttpContext context)
+    public async ValueTask<TransportCredential?> ResolveAsync(HttpContext context)
     {
         var cookies = _server.CurrentValue.Cookie;
 
-        if (TryFromAuthorizationHeader(context, out var bearer))
-            return bearer;
-
-        if (TryFromCookies(context, cookies, out var cookie))
-            return cookie;
-
-        if (TryFromQuery(context, out var query))
-            return query;
-
-        if (TryFromBody(context, out var body))
-            return body;
-
-        if (TryFromHub(context, out var hub))
-            return hub;
-
-        return null;
+        return await TryFromAuthorizationHeaderAsync(context)
+            ?? await TryFromCookiesAsync(context, cookies)
+            ?? await TryFromQueryAsync(context)
+            ?? await TryFromBodyAsync(context)
+            ?? await TryFromHubAsync(context);
     }
 
     // TODO: Make scheme configurable, shouldn't be hard coded
-    private static bool TryFromAuthorizationHeader(HttpContext ctx, out TransportCredential credential)
+    private static async ValueTask<TransportCredential?> TryFromAuthorizationHeaderAsync(HttpContext ctx)
     {
-        credential = default!;
-
         if (!ctx.Request.Headers.TryGetValue("Authorization", out var header))
-            return false;
+            return null;
 
         var value = header.ToString();
         if (!value.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase))
-            return false;
+            return null;
 
         var token = value["Bearer ".Length..].Trim();
         if (string.IsNullOrWhiteSpace(token))
-            return false;
+            return null;
 
-        credential = new TransportCredential
+        return new TransportCredential
         {
             Kind = TransportCredentialKind.AccessToken,
             Value = token,
             TenantId = ctx.GetTenant().Value,
-            Device = ctx.GetDevice()
+            Device = await ctx.GetDeviceAsync()
         };
-
-        return true;
     }
 
-    private static bool TryFromCookies(
-    HttpContext ctx,
-    UAuthCookiePolicyOptions cookieSet,
-    out TransportCredential credential)
+    private static async ValueTask<TransportCredential?> TryFromCookiesAsync(HttpContext ctx, UAuthCookiePolicyOptions cookieSet)
     {
-        credential = default!;
-
-        // Session cookie
         if (TryReadCookie(ctx, cookieSet.Session.Name, out var session))
-        {
-            credential = Build(ctx, TransportCredentialKind.Session, session);
-            return true;
-        }
+            return await BuildAsync(ctx, TransportCredentialKind.Session, session);
 
-        // Refresh token cookie
         if (TryReadCookie(ctx, cookieSet.RefreshToken.Name, out var refresh))
-        {
-            credential = Build(ctx, TransportCredentialKind.RefreshToken, refresh);
-            return true;
-        }
+            return await BuildAsync(ctx, TransportCredentialKind.RefreshToken, refresh);
 
-        // Access token cookie (optional)
         if (TryReadCookie(ctx, cookieSet.AccessToken.Name, out var access))
-        {
-            credential = Build(ctx, TransportCredentialKind.AccessToken, access);
-            return true;
-        }
+            return await BuildAsync(ctx, TransportCredentialKind.AccessToken, access);
 
-        return false;
+        return null;
     }
 
-    private static bool TryFromQuery(HttpContext ctx, out TransportCredential credential)
+    private static async ValueTask<TransportCredential?> TryFromQueryAsync(HttpContext ctx)
     {
-        credential = default!;
-
         if (!ctx.Request.Query.TryGetValue("access_token", out var token))
-            return false;
+            return null;
 
         var value = token.ToString();
         if (string.IsNullOrWhiteSpace(value))
-            return false;
+            return null;
 
-        credential = new TransportCredential
+        return new TransportCredential
         {
             Kind = TransportCredentialKind.AccessToken,
             Value = value,
             TenantId = ctx.GetTenant().Value,
-            Device = ctx.GetDevice()
+            Device = await ctx.GetDeviceAsync()
         };
-
-        return true;
     }
 
-    private static bool TryFromBody(HttpContext ctx, out TransportCredential credential)
+    private static ValueTask<TransportCredential?> TryFromBodyAsync(HttpContext ctx)
     {
-        credential = default!;
         // intentionally empty for now
         // body parsing is expensive and opt-in later
-        return false;
+
+        return ValueTask.FromResult<TransportCredential?>(null);
     }
 
-    private static bool TryFromHub(HttpContext ctx, out TransportCredential credential)
+    private static ValueTask<TransportCredential?> TryFromHubAsync(HttpContext ctx)
     {
-        credential = default!;
         // UAuthHub detection can live here later
-        return false;
+
+        return ValueTask.FromResult<TransportCredential?>(null);
     }
 
     private static bool TryReadCookie(HttpContext ctx, string name, out string value)
@@ -149,12 +113,12 @@ private static bool TryReadCookie(HttpContext ctx, string name, out string value
         return true;
     }
 
-    private static TransportCredential Build(HttpContext ctx, TransportCredentialKind kind, string value)
+    private static async Task<TransportCredential> BuildAsync(HttpContext ctx, TransportCredentialKind kind, string value)
         => new()
         {
             Kind = kind,
             Value = value,
             TenantId = ctx.GetTenant().Value,
-            Device = ctx.GetDevice()
+            Device = await ctx.GetDeviceAsync()
         };
 }
diff --git a/src/CodeBeam.UltimateAuth.Server/Infrastructure/Credentials/IFlowCredentialResolver.cs b/src/CodeBeam.UltimateAuth.Server/Infrastructure/Credentials/IValidateCredentialResolver.cs
similarity index 71%
rename from src/CodeBeam.UltimateAuth.Server/Infrastructure/Credentials/IFlowCredentialResolver.cs
rename to src/CodeBeam.UltimateAuth.Server/Infrastructure/Credentials/IValidateCredentialResolver.cs
index a798db95..3a8efc49 100644
--- a/src/CodeBeam.UltimateAuth.Server/Infrastructure/Credentials/IFlowCredentialResolver.cs
+++ b/src/CodeBeam.UltimateAuth.Server/Infrastructure/Credentials/IValidateCredentialResolver.cs
@@ -8,7 +8,7 @@ namespace CodeBeam.UltimateAuth.Server.Infrastructure;
 /// Gets the credential from the HTTP context.
 /// IPrimaryCredentialResolver is used to determine which kind of credential to resolve.
 /// </summary>
-public interface IFlowCredentialResolver
+public interface IValidateCredentialResolver
 {
-    ResolvedCredential? Resolve(HttpContext context, EffectiveAuthResponse response);
+    Task<ResolvedCredential?> ResolveAsync(HttpContext context, EffectiveAuthResponse response);
 }
diff --git a/src/CodeBeam.UltimateAuth.Server/Infrastructure/Credentials/FlowCredentialResolver.cs b/src/CodeBeam.UltimateAuth.Server/Infrastructure/Credentials/ValidateCredentialResolver.cs
similarity index 72%
rename from src/CodeBeam.UltimateAuth.Server/Infrastructure/Credentials/FlowCredentialResolver.cs
rename to src/CodeBeam.UltimateAuth.Server/Infrastructure/Credentials/ValidateCredentialResolver.cs
index 8aa3f572..1923e5c3 100644
--- a/src/CodeBeam.UltimateAuth.Server/Infrastructure/Credentials/FlowCredentialResolver.cs
+++ b/src/CodeBeam.UltimateAuth.Server/Infrastructure/Credentials/ValidateCredentialResolver.cs
@@ -8,29 +8,29 @@
 
 namespace CodeBeam.UltimateAuth.Server.Infrastructure;
 
-internal sealed class FlowCredentialResolver : IFlowCredentialResolver
+internal sealed class ValidateCredentialResolver : IValidateCredentialResolver
 {
     private readonly IPrimaryCredentialResolver _primaryResolver;
 
-    public FlowCredentialResolver(IPrimaryCredentialResolver primaryResolver)
+    public ValidateCredentialResolver(IPrimaryCredentialResolver primaryResolver)
     {
         _primaryResolver = primaryResolver;
     }
 
-    public ResolvedCredential? Resolve(HttpContext context, EffectiveAuthResponse response)
+    public async Task<ResolvedCredential?> ResolveAsync(HttpContext context, EffectiveAuthResponse response)
     {
         var kind = _primaryResolver.Resolve(context);
 
         return kind switch
         {
-            PrimaryGrantKind.Stateful => ResolveSession(context, response),
-            PrimaryGrantKind.Stateless => ResolveAccessToken(context, response),
+            PrimaryGrantKind.Stateful => await ResolveSession(context, response),
+            PrimaryGrantKind.Stateless => await ResolveAccessToken(context, response),
 
             _ => null
         };
     }
 
-    private static ResolvedCredential? ResolveSession(HttpContext context, EffectiveAuthResponse response)
+    private static async Task<ResolvedCredential?> ResolveSession(HttpContext context, EffectiveAuthResponse response)
     {
         var delivery = response.SessionIdDelivery;
 
@@ -52,11 +52,11 @@ public FlowCredentialResolver(IPrimaryCredentialResolver primaryResolver)
             Kind = PrimaryGrantKind.Stateful,
             Value = raw.Trim(),
             Tenant = context.GetTenant(),
-            Device = context.GetDevice()
+            Device = await context.GetDeviceAsync()
         };
     }
 
-    private static ResolvedCredential? ResolveAccessToken(HttpContext context, EffectiveAuthResponse response)
+    private static async Task<ResolvedCredential?> ResolveAccessToken(HttpContext context, EffectiveAuthResponse response)
     {
         var delivery = response.AccessTokenDelivery;
 
@@ -84,8 +84,7 @@ public FlowCredentialResolver(IPrimaryCredentialResolver primaryResolver)
             Kind = PrimaryGrantKind.Stateless,
             Value = value,
             Tenant = context.GetTenant(),
-            Device = context.GetDevice()
+            Device = await context.GetDeviceAsync()
         };
     }
-
 }
diff --git a/src/CodeBeam.UltimateAuth.Server/Infrastructure/Device/DeviceResolver.cs b/src/CodeBeam.UltimateAuth.Server/Infrastructure/Device/DeviceResolver.cs
index dbcc0a50..9748509e 100644
--- a/src/CodeBeam.UltimateAuth.Server/Infrastructure/Device/DeviceResolver.cs
+++ b/src/CodeBeam.UltimateAuth.Server/Infrastructure/Device/DeviceResolver.cs
@@ -2,6 +2,7 @@
 using CodeBeam.UltimateAuth.Core.Defaults;
 using CodeBeam.UltimateAuth.Core.Domain;
 using CodeBeam.UltimateAuth.Server.Abstractions;
+using CodeBeam.UltimateAuth.Server.Extensions;
 using Microsoft.AspNetCore.Http;
 using Microsoft.Extensions.Primitives;
 
@@ -11,11 +12,11 @@ namespace CodeBeam.UltimateAuth.Server.Infrastructure;
 // Consider creating a seperate package with a library like UA Parser, WURFL or DeviceAtlas for more accurate device detection. (Add IDeviceInfoParser)
 public sealed class DeviceResolver : IDeviceResolver
 {
-    public DeviceInfo Resolve(HttpContext context)
+    public async Task<DeviceInfo> ResolveAsync(HttpContext context)
     {
         var request = context.Request;
 
-        var rawDeviceId = ResolveRawDeviceId(context);
+        var rawDeviceId = await ResolveRawDeviceId(context);
         if (!DeviceId.TryCreate(rawDeviceId, out var deviceId))
         {
             //throw new InvalidOperationException("device_id_required");
@@ -35,14 +36,21 @@ public DeviceInfo Resolve(HttpContext context)
         return deviceInfo;
     }
 
-    private static string? ResolveRawDeviceId(HttpContext context)
+    private static async Task<string?> ResolveRawDeviceId(HttpContext context)
     {
         if (context.Request.Headers.TryGetValue("X-UDID", out var header))
             return header.ToString();
 
-        if (context.Request.HasFormContentType && context.Request.Form.TryGetValue(UAuthConstants.Form.Device, out var formValue) && !StringValues.IsNullOrEmpty(formValue))
+        if (context.Request.HasFormContentType)
         {
-            return formValue.ToString();
+            var form = await context.GetCachedFormAsync();
+
+            if (form is not null &&
+                form.TryGetValue(UAuthConstants.Form.Device, out var formValue) &&
+                !StringValues.IsNullOrEmpty(formValue))
+            {
+                return formValue.ToString();
+            }
         }
 
         if (context.Request.Cookies.TryGetValue("udid", out var cookie))
diff --git a/src/CodeBeam.UltimateAuth.Server/Infrastructure/Hub/HubFlowReader.cs b/src/CodeBeam.UltimateAuth.Server/Infrastructure/Hub/HubFlowReader.cs
index 646e780a..55c96fa4 100644
--- a/src/CodeBeam.UltimateAuth.Server/Infrastructure/Hub/HubFlowReader.cs
+++ b/src/CodeBeam.UltimateAuth.Server/Infrastructure/Hub/HubFlowReader.cs
@@ -31,6 +31,8 @@ public HubFlowReader(IAuthStore store, IClock clock)
             FlowType = flow.FlowType,
             ClientProfile = flow.ClientProfile,
             ReturnUrl = flow.ReturnUrl,
+            Error = flow.Error,
+            AttemptCount = flow.AttemptCount,
             IsExpired = flow.IsExpired(now),
             IsCompleted = flow.IsCompleted,
             IsActive = !flow.IsExpired(now) && !flow.IsCompleted
diff --git a/src/CodeBeam.UltimateAuth.Server/Services/IUAuthFlowService.cs b/src/CodeBeam.UltimateAuth.Server/Services/IUAuthFlowService.cs
index 54924e2a..4445c7e1 100644
--- a/src/CodeBeam.UltimateAuth.Server/Services/IUAuthFlowService.cs
+++ b/src/CodeBeam.UltimateAuth.Server/Services/IUAuthFlowService.cs
@@ -1,5 +1,6 @@
 using CodeBeam.UltimateAuth.Core.Contracts;
 using CodeBeam.UltimateAuth.Server.Auth;
+using CodeBeam.UltimateAuth.Server.Flows;
 
 namespace CodeBeam.UltimateAuth.Server.Services;
 
@@ -25,3 +26,9 @@ public interface IUAuthFlowService
 
     Task<ReauthResult> ReauthenticateAsync(ReauthRequest request, CancellationToken ct = default);
 }
+
+internal interface IUAuthInternalFlowService
+{
+    Task<LoginResult> LoginAsync(AuthFlowContext flow, LoginRequest request, LoginExecutionOptions loginExecution, CancellationToken ct = default);
+    Task<LoginResult> LoginAsync(AuthFlowContext flow, AuthExecutionContext execution, LoginRequest request, LoginExecutionOptions loginExecution, CancellationToken ct = default);
+}
diff --git a/src/CodeBeam.UltimateAuth.Server/Services/UAuthFlowService.cs b/src/CodeBeam.UltimateAuth.Server/Services/UAuthFlowService.cs
index cc247a8e..23b7e174 100644
--- a/src/CodeBeam.UltimateAuth.Server/Services/UAuthFlowService.cs
+++ b/src/CodeBeam.UltimateAuth.Server/Services/UAuthFlowService.cs
@@ -9,11 +9,12 @@
 
 namespace CodeBeam.UltimateAuth.Server.Services;
 
-internal sealed class UAuthFlowService : IUAuthFlowService
+internal sealed class UAuthFlowService : IUAuthFlowService, IUAuthInternalFlowService
 {
     private readonly IAuthFlowContextAccessor _authFlow;
     private readonly IAuthFlowContextFactory _authFlowContextFactory;
     private readonly ILoginOrchestrator _loginOrchestrator;
+    private readonly IInternalLoginOrchestrator _internalLoginOrchestrator;
     private readonly ISessionOrchestrator _orchestrator;
     private readonly UAuthEventDispatcher _events;
 
@@ -21,12 +22,14 @@ public UAuthFlowService(
         IAuthFlowContextAccessor authFlow,
         IAuthFlowContextFactory authFlowContextFactory,
         ILoginOrchestrator loginOrchestrator,
+        IInternalLoginOrchestrator internalLoginOrchestrator,
         ISessionOrchestrator orchestrator,
         UAuthEventDispatcher events)
     {
         _authFlow = authFlow;
         _authFlowContextFactory = authFlowContextFactory;
         _loginOrchestrator = loginOrchestrator;
+        _internalLoginOrchestrator = internalLoginOrchestrator;
         _orchestrator = orchestrator;
         _events = events;
     }
@@ -47,6 +50,22 @@ public async Task<LoginResult> LoginAsync(AuthFlowContext flow, AuthExecutionCon
         return await _loginOrchestrator.LoginAsync(effectiveFlow, request, ct);
     }
 
+    public Task<LoginResult> LoginAsync(AuthFlowContext flow, LoginRequest request, LoginExecutionOptions loginExecution, CancellationToken ct = default)
+    {
+        return _internalLoginOrchestrator.LoginAsync(flow, request, loginExecution, ct);
+    }
+
+    public async Task<LoginResult> LoginAsync(AuthFlowContext flow, AuthExecutionContext execution, LoginRequest request, LoginExecutionOptions loginExecution, CancellationToken ct = default)
+    {
+        var effectiveFlow = execution.EffectiveClientProfile is null
+            ? flow
+            : await _authFlowContextFactory.RecreateWithClientProfileAsync(flow, (UAuthClientProfile)execution.EffectiveClientProfile, ct);
+        effectiveFlow = execution.Device is null
+            ? effectiveFlow
+            : await _authFlowContextFactory.RecreateWithDeviceAsync(effectiveFlow, execution.Device, ct);
+        return await _internalLoginOrchestrator.LoginAsync(effectiveFlow, request, loginExecution, ct);
+    }
+
     public async Task LogoutAsync(LogoutRequest request, CancellationToken ct = default)
     {
         var authFlow = _authFlow.Current;
diff --git a/src/client/CodeBeam.UltimateAuth.Client.Blazor/Components/UAuthLoginForm.razor b/src/client/CodeBeam.UltimateAuth.Client.Blazor/Components/UAuthLoginForm.razor
index 75ebab7b..35804511 100644
--- a/src/client/CodeBeam.UltimateAuth.Client.Blazor/Components/UAuthLoginForm.razor
+++ b/src/client/CodeBeam.UltimateAuth.Client.Blazor/Components/UAuthLoginForm.razor
@@ -12,7 +12,7 @@
 @inject IOptions<UAuthClientOptions> Options
 @inject NavigationManager Navigation
 
-<form @ref="_form" method="post" action="@ResolvedEndpoint">
+<form @ref="_form" method="post" action="@ResolvedEndpoint" onsubmit="@HandleSubmit" onsubmit:preventDefault>
     <input type="hidden" name="Identifier" value="@Identifier" />
     <input type="hidden" name="Secret" value="@Secret" autocomplete="off" />
     <input type="hidden" name="@UAuthConstants.Form.ClientProfile" value="@ClientProfileValue" />
@@ -23,7 +23,11 @@
     {
         <input type="hidden" name="authorization_code" value="@_credentials?.AuthorizationCode" />
         <input type="hidden" name="code_verifier" value="@_credentials?.CodeVerifier" />
-        <input type="hidden" name="@UAuthConstants.Form.ReturnUrl" value="@EffectiveReturnUrl" />
+    }
+
+    @if (SubmitMode == UAuthSubmitMode.DirectCommit)
+    {
+        <input type="hidden" name="return_url" value="@EffectiveReturnUrl" />
     }
 
     @ChildContent
diff --git a/src/client/CodeBeam.UltimateAuth.Client.Blazor/Components/UAuthLoginForm.razor.cs b/src/client/CodeBeam.UltimateAuth.Client.Blazor/Components/UAuthLoginForm.razor.cs
index bb730360..5a7ea6e5 100644
--- a/src/client/CodeBeam.UltimateAuth.Client.Blazor/Components/UAuthLoginForm.razor.cs
+++ b/src/client/CodeBeam.UltimateAuth.Client.Blazor/Components/UAuthLoginForm.razor.cs
@@ -11,9 +11,13 @@ namespace CodeBeam.UltimateAuth.Client.Blazor;
 
 public partial class UAuthLoginForm
 {
-    [Inject] IDeviceIdProvider DeviceIdProvider { get; set; } = null!;
+    [Inject]
+    IDeviceIdProvider DeviceIdProvider { get; set; } = null!;
     private DeviceId? _deviceId;
 
+    [Inject]
+    IUAuthClient UAuthClient { get; set; } = null!;
+
     [Inject]
     IHubCredentialResolver HubCredentialResolver { get; set; } = null!;
 
@@ -47,12 +51,18 @@ public partial class UAuthLoginForm
     [Parameter]
     public UAuthLoginType LoginType { get; set; } = UAuthLoginType.Password;
 
+    [Parameter]
+    public UAuthSubmitMode SubmitMode { get; set; }
+
     [Parameter]
     public RenderFragment? ChildContent { get; set; }
 
     [Parameter]
     public bool AllowEnterKeyToSubmit { get; set; } = true;
 
+    [Parameter]
+    public EventCallback<TryLoginResult> OnTryResult { get; set; }
+
     private ElementReference _form;
 
     private HubCredentials? _credentials;
@@ -107,18 +117,130 @@ public async Task ReloadStateAsync()
         _flow = await HubFlowReader.GetStateAsync(EffectiveHubSessionId.Value);
     }
 
+    private async Task HandleSubmit()
+    {
+        await SubmitAsync();
+    }
+
     public async Task SubmitAsync()
     {
         if (_form.Context is null)
             throw new InvalidOperationException("Form is not yet rendered. Call SubmitAsync after OnAfterRender.");
 
-        await JS.InvokeVoidAsync("uauth.submitForm", _form);
+        if (LoginType == UAuthLoginType.Pkce)
+        {
+            await SubmitPkceAsync();
+        }
+        else
+        {
+            await SubmitPasswordAsync();
+        }
+    }
+
+    private async Task SubmitPasswordAsync()
+    {
+        var request = new LoginRequest
+        {
+            Identifier = Identifier,
+            Secret = Secret,
+        };
+
+        switch (SubmitMode)
+        {
+            case UAuthSubmitMode.DirectCommit:
+                await JS.InvokeVoidAsync("uauth.submitForm", _form);
+                break;
+
+            case UAuthSubmitMode.TryOnly:
+                {
+                    var result = await UAuthClient.Flows.TryLoginAsync(request, UAuthSubmitMode.TryOnly);
+                    await EmitResultAsync(result);
+                    break;
+                }
+
+            case UAuthSubmitMode.TryAndCommit:
+            default:
+                {
+                    var result = await UAuthClient.Flows.TryLoginAsync(request, UAuthSubmitMode.TryAndCommit, EffectiveReturnUrl);
+                    await EmitResultAsync(result);
+                    break;
+                }
+        }
+    }
+
+    private async Task SubmitPkceAsync()
+    {
+        if (_credentials is null)
+            throw new InvalidOperationException("Missing PKCE credentials.");
+
+        var request = new TryPkceLoginRequest
+        {
+            Identifier = Identifier,
+            Secret = Secret,
+            AuthorizationCode = _credentials.AuthorizationCode,
+            CodeVerifier = _credentials.CodeVerifier,
+            ReturnUrl = EffectiveReturnUrl,
+            HubSessionId = EffectiveHubSessionId?.Value
+        };
+
+        //switch (SubmitMode)
+        //{
+        //    case UAuthSubmitMode.DirectCommit:
+        //        {
+        //            await UAuthClient.Flows.CompletePkceLoginAsync(new PkceLoginRequest
+        //            {
+        //                Identifier = Identifier,
+        //                Secret = Secret,
+        //                AuthorizationCode = _credentials.AuthorizationCode,
+        //                CodeVerifier = _credentials.CodeVerifier,
+        //                ReturnUrl = EffectiveReturnUrl,
+        //                //HubSessionId = EffectiveHubSessionId?.Value
+        //            });
+        //            break;
+        //        }
+
+        //    case UAuthSubmitMode.TryOnly:
+        //        {
+        //            var result = await UAuthClient.Flows.TryCompletePkceLoginAsync(request);
+        //            await EmitResultAsync(result);
+        //            break;
+        //        }
+
+        //    case UAuthSubmitMode.TryThenCommit:
+        //    default:
+        //        {
+        //            var result = await UAuthClient.Flows.TryCompletePkceLoginAsync(request);
+
+        //            await EmitResultAsync(result);
+
+        //            if (!result.Success)
+        //                return;
+
+        //            await UAuthClient.Flows.CompletePkceLoginAsync(new PkceLoginRequest
+        //            {
+        //                Identifier = Identifier,
+        //                Secret = Secret,
+        //                AuthorizationCode = _credentials.AuthorizationCode,
+        //                CodeVerifier = _credentials.CodeVerifier,
+        //                ReturnUrl = EffectiveReturnUrl,
+        //                //HubSessionId = EffectiveHubSessionId?.Value
+        //            });
+
+        //            break;
+        //        }
+        //}
+    }
+
+    private async Task EmitResultAsync(TryLoginResult result)
+    {
+        if (OnTryResult.HasDelegate)
+            await OnTryResult.InvokeAsync(result);
     }
 
     private string ClientProfileValue => Options.Value.ClientProfile.ToString();
 
     private string EffectiveEndpoint => LoginType == UAuthLoginType.Pkce
-        ? Options.Value.Endpoints.PkceComplete
+        ? Options.Value.Endpoints.PkceTryComplete
         : Options.Value.Endpoints.Login;
 
 
diff --git a/src/client/CodeBeam.UltimateAuth.Client.Blazor/Infrastructure/UAuthRequestClient.cs b/src/client/CodeBeam.UltimateAuth.Client.Blazor/Infrastructure/UAuthRequestClient.cs
index b0a2a020..bc66f3cb 100644
--- a/src/client/CodeBeam.UltimateAuth.Client.Blazor/Infrastructure/UAuthRequestClient.cs
+++ b/src/client/CodeBeam.UltimateAuth.Client.Blazor/Infrastructure/UAuthRequestClient.cs
@@ -2,6 +2,7 @@
 using CodeBeam.UltimateAuth.Client.Errors;
 using CodeBeam.UltimateAuth.Client.Infrastructure;
 using CodeBeam.UltimateAuth.Client.Options;
+using CodeBeam.UltimateAuth.Core.Contracts;
 using Microsoft.Extensions.Options;
 using Microsoft.JSInterop;
 using System.Net;
@@ -87,4 +88,25 @@ public async Task<UAuthTransportResult> SendJsonAsync(string endpoint, object? p
 
         return result;
     }
+
+    public async Task<TTryResult> TryAndCommitAsync<TTryResult>(string tryEndpoint, string commitEndpoint, object request, CancellationToken ct = default)
+    {
+        await _bootstrapper.EnsureStartedAsync();
+
+        var response = await _js.InvokeAsync<TTryResult>(
+            "uauth.tryAndCommit",
+            ct,
+            new
+            {
+                tryUrl = tryEndpoint,
+                commitUrl = commitEndpoint,
+                data = request,
+                clientProfile = _options.ClientProfile.ToString()
+            });
+
+        if (response is null)
+            throw new UAuthProtocolException("Invalid tryAndCommit response.");
+
+        return response;
+    }
 }
diff --git a/src/client/CodeBeam.UltimateAuth.Client.Blazor/TScripts/uauth.js b/src/client/CodeBeam.UltimateAuth.Client.Blazor/TScripts/uauth.js
index 6aba29d1..6982bded 100644
--- a/src/client/CodeBeam.UltimateAuth.Client.Blazor/TScripts/uauth.js
+++ b/src/client/CodeBeam.UltimateAuth.Client.Blazor/TScripts/uauth.js
@@ -54,6 +54,55 @@ window.uauth.submitForm = function (form) {
     form.submit();
 };
 
+window.uauth.tryAndCommit = async function (options) {
+    const { tryUrl, commitUrl, data, clientProfile } = options;
+
+    const tryResponse = await window.uauth.postJson({
+        url: tryUrl,
+        payload: data,
+        clientProfile: clientProfile
+    });
+
+    if (!tryResponse || !tryResponse.body) {
+        return { success: false };
+    }
+
+    const result = tryResponse.body;
+
+    if (result.success) {
+        const form = document.createElement("form");
+        form.method = "POST";
+        form.action = commitUrl;
+
+        for (const key in data) {
+            const input = document.createElement("input");
+            input.type = "hidden";
+            input.name = key;
+            input.value = data[key] ?? "";
+            form.appendChild(input);
+        }
+
+        const cp = document.createElement("input");
+        cp.type = "hidden";
+        cp.name = "__uauth_client_profile";
+        cp.value = clientProfile ?? "";
+        form.appendChild(cp);
+
+        const udid = document.createElement("input");
+        udid.type = "hidden";
+        udid.name = "__uauth_device";
+        udid.value = window.uauth.deviceId;
+        form.appendChild(udid);
+
+        document.body.appendChild(form);
+        form.submit();
+
+        return result;
+    }
+
+    return result;
+};
+
 window.uauth.post = async function (options) {
     const {
         url,
diff --git a/src/client/CodeBeam.UltimateAuth.Client.Blazor/wwwroot/uauth.min.js b/src/client/CodeBeam.UltimateAuth.Client.Blazor/wwwroot/uauth.min.js
index 5b835c21..0044ed81 100644
--- a/src/client/CodeBeam.UltimateAuth.Client.Blazor/wwwroot/uauth.min.js
+++ b/src/client/CodeBeam.UltimateAuth.Client.Blazor/wwwroot/uauth.min.js
@@ -1 +1 @@
-window.uauth=window.uauth||{};window.uauth.storage={set:function(n,t,i){const r=n==="local"?window.localStorage:window.sessionStorage;r.setItem(t,i)},get:function(n,t){const i=n==="local"?window.localStorage:window.sessionStorage;return i.getItem(t)},remove:function(n,t){const i=n==="local"?window.localStorage:window.sessionStorage;i.removeItem(t)},exists:function(n,t){const i=n==="local"?window.localStorage:window.sessionStorage;return i.getItem(t)!==null}};window.uauth.submitForm=function(n){if(n){if(!window.uauth.deviceId)throw new Error("UAuth deviceId is not initialized.");let t=n.querySelector("input[name='__uauth_device']");t||(t=document.createElement("input"),t.type="hidden",t.name="__uauth_device",n.appendChild(t));t.value=window.uauth.deviceId;n.submit()}};window.uauth.post=async function(n){const{url:f,mode:s,data:t,clientProfile:e}=n;if(s==="navigate"){const n=document.createElement("form");n.method="POST";n.action=f;const i=document.createElement("input");i.type="hidden";i.name="__uauth_client_profile";i.value=e??"";n.appendChild(i);const r=document.createElement("input");if(r.type="hidden",r.name="__uauth_device",r.value=window.uauth.deviceId,n.appendChild(r),t)for(const i in t){const r=document.createElement("input");r.type="hidden";r.name=i;r.value=t[i];n.appendChild(r)}return document.body.appendChild(n),n.submit(),null}let r=null;if(!window.uauth.deviceId)throw new Error("UAuth deviceId is not initialized.");const o={"X-UDID":window.uauth.deviceId,"X-UAuth-ClientProfile":e,"X-Requested-With":"UAuth"};if(t){r=new URLSearchParams;for(const n in t)r.append(n,t[n]);o["Content-Type"]="application/x-www-form-urlencoded"}const i=await fetch(f,{method:"POST",credentials:"include",headers:o,body:r});let u=null;try{u=await i.json()}catch{u=null}return{ok:i.ok,status:i.status,refreshOutcome:i.headers.get("X-UAuth-Refresh"),body:u}};window.uauth.postJson=async function(n){const{url:u,payload:r,clientProfile:f}=n;if(!window.uauth.deviceId)throw new Error("UAuth deviceId is not initialized.");const e={"Content-Type":"application/json","X-UDID":window.uauth.deviceId,"X-UAuth-ClientProfile":f??"","X-Requested-With":"UAuth"},t=await fetch(u,{method:"POST",credentials:"include",headers:e,body:r?JSON.stringify(r):null});let i=null;try{i=await t.json()}catch{i=null}return{ok:t.ok,status:t.status,refreshOutcome:t.headers.get("X-UAuth-Refresh"),body:i}};window.uauth.setDeviceId=function(n){window.uauth.deviceId=n}
\ No newline at end of file
+window.uauth=window.uauth||{};window.uauth.storage={set:function(n,t,i){const r=n==="local"?window.localStorage:window.sessionStorage;r.setItem(t,i)},get:function(n,t){const i=n==="local"?window.localStorage:window.sessionStorage;return i.getItem(t)},remove:function(n,t){const i=n==="local"?window.localStorage:window.sessionStorage;i.removeItem(t)},exists:function(n,t){const i=n==="local"?window.localStorage:window.sessionStorage;return i.getItem(t)!==null}};window.uauth.submitForm=function(n){if(n){if(!window.uauth.deviceId)throw new Error("UAuth deviceId is not initialized.");let t=n.querySelector("input[name='__uauth_device']");t||(t=document.createElement("input"),t.type="hidden",t.name="__uauth_device",n.appendChild(t));t.value=window.uauth.deviceId;n.submit()}};window.uauth.tryAndCommit=async function(n){const{tryUrl:f,commitUrl:e,data:t,clientProfile:u}=n,i=await window.uauth.postJson({url:f,payload:t,clientProfile:u});if(!i||!i.body)return{success:!1};const r=i.body;if(r.success){const n=document.createElement("form");n.method="POST";n.action=e;for(const i in t){const r=document.createElement("input");r.type="hidden";r.name=i;r.value=t[i]??"";n.appendChild(r)}const i=document.createElement("input");i.type="hidden";i.name="__uauth_client_profile";i.value=u??"";n.appendChild(i);const f=document.createElement("input");return f.type="hidden",f.name="__uauth_device",f.value=window.uauth.deviceId,n.appendChild(f),document.body.appendChild(n),n.submit(),r}return r};window.uauth.post=async function(n){const{url:f,mode:s,data:t,clientProfile:e}=n;if(s==="navigate"){const n=document.createElement("form");n.method="POST";n.action=f;const i=document.createElement("input");i.type="hidden";i.name="__uauth_client_profile";i.value=e??"";n.appendChild(i);const r=document.createElement("input");if(r.type="hidden",r.name="__uauth_device",r.value=window.uauth.deviceId,n.appendChild(r),t)for(const i in t){const r=document.createElement("input");r.type="hidden";r.name=i;r.value=t[i];n.appendChild(r)}return document.body.appendChild(n),n.submit(),null}let r=null;if(!window.uauth.deviceId)throw new Error("UAuth deviceId is not initialized.");const o={"X-UDID":window.uauth.deviceId,"X-UAuth-ClientProfile":e,"X-Requested-With":"UAuth"};if(t){r=new URLSearchParams;for(const n in t)r.append(n,t[n]);o["Content-Type"]="application/x-www-form-urlencoded"}const i=await fetch(f,{method:"POST",credentials:"include",headers:o,body:r});let u=null;try{u=await i.json()}catch{u=null}return{ok:i.ok,status:i.status,refreshOutcome:i.headers.get("X-UAuth-Refresh"),body:u}};window.uauth.postJson=async function(n){const{url:u,payload:r,clientProfile:f}=n;if(!window.uauth.deviceId)throw new Error("UAuth deviceId is not initialized.");const e={"Content-Type":"application/json","X-UDID":window.uauth.deviceId,"X-UAuth-ClientProfile":f??"","X-Requested-With":"UAuth"},t=await fetch(u,{method:"POST",credentials:"include",headers:e,body:r?JSON.stringify(r):null});let i=null;try{i=await t.json()}catch{i=null}return{ok:t.ok,status:t.status,refreshOutcome:t.headers.get("X-UAuth-Refresh"),body:i}};window.uauth.setDeviceId=function(n){window.uauth.deviceId=n}
\ No newline at end of file
diff --git a/src/client/CodeBeam.UltimateAuth.Client/Contracts/PkceClientState.cs b/src/client/CodeBeam.UltimateAuth.Client/Contracts/PkceClientState.cs
deleted file mode 100644
index a22da4f0..00000000
--- a/src/client/CodeBeam.UltimateAuth.Client/Contracts/PkceClientState.cs
+++ /dev/null
@@ -1,7 +0,0 @@
-namespace CodeBeam.UltimateAuth.Client.Contracts;
-
-internal sealed class PkceClientState
-{
-    public string Verifier { get; init; } = default!;
-    public string AuthorizationCode { get; init; } = default!;
-}
diff --git a/src/client/CodeBeam.UltimateAuth.Client/Contracts/UAuthSubmitMode.cs b/src/client/CodeBeam.UltimateAuth.Client/Contracts/UAuthSubmitMode.cs
new file mode 100644
index 00000000..4875462b
--- /dev/null
+++ b/src/client/CodeBeam.UltimateAuth.Client/Contracts/UAuthSubmitMode.cs
@@ -0,0 +1,8 @@
+namespace CodeBeam.UltimateAuth.Client;
+
+public enum UAuthSubmitMode
+{
+    DirectCommit = 0,
+    TryOnly = 10,
+    TryAndCommit = 20,
+}
diff --git a/src/client/CodeBeam.UltimateAuth.Client/Infrastructure/IUAuthRequestClient.cs b/src/client/CodeBeam.UltimateAuth.Client/Infrastructure/IUAuthRequestClient.cs
index d43838bc..98618306 100644
--- a/src/client/CodeBeam.UltimateAuth.Client/Infrastructure/IUAuthRequestClient.cs
+++ b/src/client/CodeBeam.UltimateAuth.Client/Infrastructure/IUAuthRequestClient.cs
@@ -1,4 +1,5 @@
 using CodeBeam.UltimateAuth.Client.Contracts;
+using CodeBeam.UltimateAuth.Core.Contracts;
 
 namespace CodeBeam.UltimateAuth.Client.Infrastructure;
 
@@ -9,4 +10,6 @@ public interface IUAuthRequestClient
     Task<UAuthTransportResult> SendFormAsync(string endpoint, IDictionary<string, string>? form = null, CancellationToken ct = default);
 
     Task<UAuthTransportResult> SendJsonAsync(string endpoint, object? payload = null, CancellationToken ct = default);
+
+    Task<TTryResult> TryAndCommitAsync<TTryResult>(string tryEndpoint, string commitEndpoint, object request, CancellationToken ct = default);
 }
diff --git a/src/client/CodeBeam.UltimateAuth.Client/Options/UAuthClientEndpointOptions.cs b/src/client/CodeBeam.UltimateAuth.Client/Options/UAuthClientEndpointOptions.cs
index f1cd1281..9bc5b2a6 100644
--- a/src/client/CodeBeam.UltimateAuth.Client/Options/UAuthClientEndpointOptions.cs
+++ b/src/client/CodeBeam.UltimateAuth.Client/Options/UAuthClientEndpointOptions.cs
@@ -8,11 +8,13 @@ public sealed class UAuthClientEndpointOptions
     public string BasePath { get; set; } = "/auth";
 
     public string Login { get; set; } = "/login";
+    public string TryLogin { get; set; } = "/try-login";
     public string Logout { get; set; } = "/logout";
     public string Refresh { get; set; } = "/refresh";
     public string Reauth { get; set; } = "/reauth";
     public string Validate { get; set; } = "/validate";
     public string PkceAuthorize { get; set; } = "/pkce/authorize";
+    public string PkceTryComplete { get; set; } = "/pkce/try-complete";
     public string PkceComplete { get; set; } = "/pkce/complete";
     public string HubLoginPath { get; set; } = "/uauthhub/login";
 }
diff --git a/src/client/CodeBeam.UltimateAuth.Client/Services/Abstractions/IFlowClient.cs b/src/client/CodeBeam.UltimateAuth.Client/Services/Abstractions/IFlowClient.cs
index fade45c2..193e26fd 100644
--- a/src/client/CodeBeam.UltimateAuth.Client/Services/Abstractions/IFlowClient.cs
+++ b/src/client/CodeBeam.UltimateAuth.Client/Services/Abstractions/IFlowClient.cs
@@ -9,12 +9,15 @@ namespace CodeBeam.UltimateAuth.Client.Services;
 public interface IFlowClient
 {
     Task LoginAsync(LoginRequest request, string? returnUrl = null);
+    Task<TryLoginResult> TryLoginAsync(LoginRequest request, UAuthSubmitMode mode, string? returnUrl = null);
+
     Task LogoutAsync();
     Task<RefreshResult> RefreshAsync(bool isAuto = false);
     //Task ReauthAsync();
     Task<AuthValidationResult> ValidateAsync();
 
     Task BeginPkceAsync(string? returnUrl = null);
+    Task<TryPkceLoginResult> TryCompletePkceLoginAsync(TryPkceLoginRequest request, bool commitOnSuccess = false, CancellationToken ct = default);
     Task CompletePkceLoginAsync(PkceLoginRequest request);
 
     Task<UAuthResult<RevokeResult>> LogoutDeviceSelfAsync(LogoutDeviceRequest request);
diff --git a/src/client/CodeBeam.UltimateAuth.Client/Services/UAuthFlowClient.cs b/src/client/CodeBeam.UltimateAuth.Client/Services/UAuthFlowClient.cs
index 85d21ab3..db6cecdd 100644
--- a/src/client/CodeBeam.UltimateAuth.Client/Services/UAuthFlowClient.cs
+++ b/src/client/CodeBeam.UltimateAuth.Client/Services/UAuthFlowClient.cs
@@ -41,30 +41,55 @@ public UAuthFlowClient(IUAuthRequestClient post, IUAuthClientEvents events, IDev
 
     public async Task LoginAsync(LoginRequest request, string? returnUrl = null)
     {
-        var canPost = ClientLoginCapabilities.CanPostCredentials(_options.ClientProfile);
+        EnsureCanPost();
 
-        if (!_options.Login.AllowCredentialPost && !canPost)
-        {
-            throw new InvalidOperationException("Direct credential posting is disabled for this client profile. " +
-                "Public clients (e.g. Blazor WASM) MUST use PKCE-based login flows. " +
-                "If this is a trusted server-hosted client, you may explicitly enable " +
-                "Login.AllowCredentialPost, but doing so is insecure for public clients.");
-        }
+        var payload = BuildPayload(request, returnUrl);
 
-        var resolvedReturnUrl =
-            returnUrl
-            ?? _options.Login.ReturnUrl
-            ?? _options.DefaultReturnUrl;
+        var url = Url(_options.Endpoints.Login);
+        await _post.NavigateAsync(url, payload);
+    }
 
-        var payload = request.ToDictionary();
+    public async Task<TryLoginResult> TryLoginAsync(LoginRequest request, UAuthSubmitMode mode, string? returnUrl = null)
+    {
+        EnsureCanPost();
 
-        if (!string.IsNullOrWhiteSpace(resolvedReturnUrl))
+        var payload = BuildPayload(request, returnUrl);
+
+        var tryUrl = Url(_options.Endpoints.TryLogin);
+        var commitUrl = Url(_options.Endpoints.Login);
+
+        switch (mode)
         {
-            payload["return_url"] = resolvedReturnUrl;
-        }
+            case UAuthSubmitMode.TryOnly:
+                {
+                    var result = await _post.SendJsonAsync(tryUrl, request);
 
-        var url = Url(_options.Endpoints.Login);
-        await _post.NavigateAsync(url, payload);
+                    var parsed = result.Body.Value.Deserialize<TryLoginResult>(
+                        new JsonSerializerOptions { PropertyNameCaseInsensitive = true });
+
+                    if (parsed is null)
+                        throw new UAuthProtocolException("Invalid try-login result.");
+
+                    return parsed;
+                }
+
+            case UAuthSubmitMode.DirectCommit:
+                {
+                    await _post.NavigateAsync(commitUrl, payload);
+                    return new TryLoginResult { Success = true };
+                }
+
+            case UAuthSubmitMode.TryAndCommit:
+            default:
+                {
+                    var result = await _post.TryAndCommitAsync<TryLoginResult>(tryUrl, commitUrl, payload);
+
+                    if (result is null)
+                        throw new UAuthProtocolException("Invalid try-login result.");
+
+                    return result;
+                }
+        }
     }
 
     public async Task LogoutAsync()
@@ -216,6 +241,46 @@ public async Task BeginPkceAsync(string? returnUrl = null)
         }
     }
 
+    public async Task<TryPkceLoginResult> TryCompletePkceLoginAsync(TryPkceLoginRequest request, bool commitOnSuccess = false, CancellationToken ct = default)
+    {
+        if (request is null)
+            throw new ArgumentNullException(nameof(request));
+
+        if (!_options.Pkce.Enabled)
+        {
+            throw new InvalidOperationException("PKCE login is disabled by configuration, but a PKCE try-complete was attempted.");
+        }
+
+        var url = Url(_options.Endpoints.PkceTryComplete);
+        var raw = await _post.SendJsonAsync(url, request, ct);
+
+        if (raw == null || raw.Body is null)
+            throw new UAuthProtocolException("Invalid PKCE try-complete response.");
+
+        var result = raw.Body.Value.Deserialize<TryPkceLoginResult>(
+            new JsonSerializerOptions
+            {
+                PropertyNameCaseInsensitive = true
+            });
+
+        if (result is null)
+            throw new UAuthProtocolException("Invalid PKCE try-complete result format.");
+
+        if (commitOnSuccess && result.Success)
+        {
+            await CompletePkceLoginAsync(new PkceLoginRequest
+            {
+                AuthorizationCode = request.AuthorizationCode,
+                CodeVerifier = request.CodeVerifier,
+                Identifier = request.Identifier,
+                Secret = request.Secret,
+                ReturnUrl = request.ReturnUrl
+            });
+        }
+
+        return result;
+    }
+
     public async Task CompletePkceLoginAsync(PkceLoginRequest request)
     {
         if (request is null)
@@ -296,6 +361,36 @@ public async Task<UAuthResult> LogoutAllDevicesAdminAsync(UserKey userKey)
     }
 
 
+    private void EnsureCanPost()
+    {
+        var canPost = ClientLoginCapabilities.CanPostCredentials(_options.ClientProfile);
+
+        if (!_options.Login.AllowCredentialPost && !canPost)
+        {
+            throw new InvalidOperationException("Direct credential posting is disabled for this client profile. " +
+                "Public clients (e.g. Blazor WASM) MUST use PKCE-based login flows. " +
+                "If this is a trusted server-hosted client, you may explicitly enable " +
+                "Login.AllowCredentialPost, but doing so is insecure for public clients.");
+        }
+    }
+
+    private IDictionary<string, string> BuildPayload(LoginRequest request, string? returnUrl)
+    {
+        var payload = request.ToDictionary();
+
+        var resolvedReturnUrl =
+            returnUrl
+            ?? _options.Login.ReturnUrl
+            ?? _options.DefaultReturnUrl;
+
+        if (!string.IsNullOrWhiteSpace(resolvedReturnUrl))
+        {
+            payload["return_url"] = resolvedReturnUrl;
+        }
+
+        return payload;
+    }
+
     private Task NavigateToHubLoginAsync(string authorizationCode, string codeVerifier, string returnUrl, string deviceId)
     {
         var hubLoginUrl = Url(_options.Endpoints.HubLoginPath);
diff --git a/tests/CodeBeam.UltimateAuth.Tests.Unit/Credentials/ChangePasswordTests.cs b/tests/CodeBeam.UltimateAuth.Tests.Unit/Credentials/ChangePasswordTests.cs
index 0413196d..56003bfb 100644
--- a/tests/CodeBeam.UltimateAuth.Tests.Unit/Credentials/ChangePasswordTests.cs
+++ b/tests/CodeBeam.UltimateAuth.Tests.Unit/Credentials/ChangePasswordTests.cs
@@ -111,7 +111,6 @@ await service.ChangeSecretAsync(context,
         var oldLogin = await orchestrator.LoginAsync(flow,
             new LoginRequest
             {
-                Tenant = TenantKey.Single,
                 Identifier = "user",
                 Secret = "user"
             });
@@ -121,7 +120,6 @@ await service.ChangeSecretAsync(context,
         var newLogin = await orchestrator.LoginAsync(flow,
             new LoginRequest
             {
-                Tenant = TenantKey.Single,
                 Identifier = "user",
                 Secret = "newpass123"
             });
diff --git a/tests/CodeBeam.UltimateAuth.Tests.Unit/Fake/FakeFlowClient.cs b/tests/CodeBeam.UltimateAuth.Tests.Unit/Fake/FakeFlowClient.cs
index 1d6b2e0e..46f77de2 100644
--- a/tests/CodeBeam.UltimateAuth.Tests.Unit/Fake/FakeFlowClient.cs
+++ b/tests/CodeBeam.UltimateAuth.Tests.Unit/Fake/FakeFlowClient.cs
@@ -1,4 +1,5 @@
-using CodeBeam.UltimateAuth.Client.Contracts;
+using CodeBeam.UltimateAuth.Client;
+using CodeBeam.UltimateAuth.Client.Contracts;
 using CodeBeam.UltimateAuth.Client.Services;
 using CodeBeam.UltimateAuth.Core.Contracts;
 using CodeBeam.UltimateAuth.Core.Domain;
@@ -119,6 +120,16 @@ public Task<RefreshResult> RefreshAsync(bool isAuto = false)
         });
     }
 
+    public Task<TryPkceLoginResult> TryCompletePkceLoginAsync(TryPkceLoginRequest request, bool commitOnSuccess = false, CancellationToken ct = default)
+    {
+        throw new NotImplementedException();
+    }
+
+    public Task<TryLoginResult> TryLoginAsync(LoginRequest request, UAuthSubmitMode mode, string? returnUrl = null)
+    {
+        throw new NotImplementedException();
+    }
+
     public Task<AuthValidationResult> ValidateAsync()
     {
         throw new NotImplementedException();
diff --git a/tests/CodeBeam.UltimateAuth.Tests.Unit/Helpers/TestAuthRuntime.cs b/tests/CodeBeam.UltimateAuth.Tests.Unit/Helpers/TestAuthRuntime.cs
index fd082291..38a62c52 100644
--- a/tests/CodeBeam.UltimateAuth.Tests.Unit/Helpers/TestAuthRuntime.cs
+++ b/tests/CodeBeam.UltimateAuth.Tests.Unit/Helpers/TestAuthRuntime.cs
@@ -88,7 +88,6 @@ public async Task<LoginResult> LoginAsync(AuthFlowContext flow)
 
         return await orchestrator.LoginAsync(flow, new LoginRequest
         {
-            Tenant = TenantKeys.Single,
             Identifier = "user",
             Secret = "user"
         });
diff --git a/tests/CodeBeam.UltimateAuth.Tests.Unit/Server/LoginOrchestratorTests.cs b/tests/CodeBeam.UltimateAuth.Tests.Unit/Server/LoginOrchestratorTests.cs
index bff92f6d..199ba153 100644
--- a/tests/CodeBeam.UltimateAuth.Tests.Unit/Server/LoginOrchestratorTests.cs
+++ b/tests/CodeBeam.UltimateAuth.Tests.Unit/Server/LoginOrchestratorTests.cs
@@ -22,7 +22,6 @@ public async Task Successful_login_should_return_success_result()
         var result = await orchestrator.LoginAsync(flow,
             new LoginRequest
             {
-                Tenant = TenantKey.Single,
                 Identifier = "user",
                 Secret = "user",
             });
@@ -40,7 +39,6 @@ public async Task Successful_login_should_create_session()
         var result = await orchestrator.LoginAsync(flow,
             new LoginRequest
             {
-                Tenant = TenantKey.Single,
                 Identifier = "user",
                 Secret = "user",
             });
@@ -62,7 +60,6 @@ public async Task First_failed_login_should_record_attempt()
         await orchestrator.LoginAsync(flow,
             new LoginRequest
             {
-                Tenant = TenantKey.Single,
                 Identifier = "user",
                 Secret = "wrong",
             });
@@ -87,7 +84,6 @@ public async Task Successful_login_should_clear_failure_state()
         await orchestrator.LoginAsync(flow,
             new LoginRequest
             {
-                Tenant = TenantKey.Single,
                 Identifier = "user",
                 Secret = "wrong",
             });
@@ -95,7 +91,6 @@ await orchestrator.LoginAsync(flow,
         await orchestrator.LoginAsync(flow,
             new LoginRequest
             {
-                Tenant = TenantKey.Single,
                 Identifier = "user",
                 Secret = "user", // valid password
             });
@@ -116,7 +111,6 @@ public async Task Invalid_password_should_fail_login()
         var result = await orchestrator.LoginAsync(flow,
             new LoginRequest
             {
-                Tenant = TenantKey.Single,
                 Identifier = "user",
                 Secret = "wrong",
             });
@@ -134,7 +128,6 @@ public async Task Non_existent_user_should_fail_login_gracefully()
         var result = await orchestrator.LoginAsync(flow,
             new LoginRequest
             {
-                Tenant = TenantKey.Single,
                 Identifier = "ghost",
                 Secret = "whatever",
             });
@@ -156,7 +149,6 @@ public async Task MaxFailedAttempts_one_should_lock_user_on_first_fail()
         await orchestrator.LoginAsync(flow,
             new LoginRequest
             {
-                Tenant = TenantKey.Single,
                 Identifier = "user",
                 Secret = "wrong",
             });
@@ -182,7 +174,6 @@ public async Task Locked_user_should_not_login_even_with_correct_password()
         await orchestrator.LoginAsync(flow,
             new LoginRequest
             {
-                Tenant = TenantKey.Single,
                 Identifier = "user",
                 Secret = "wrong",
             });
@@ -190,7 +181,6 @@ await orchestrator.LoginAsync(flow,
         var result = await orchestrator.LoginAsync(flow,
             new LoginRequest
             {
-                Tenant = TenantKey.Single,
                 Identifier = "user",
                 Secret = "user",
             });
@@ -212,7 +202,6 @@ public async Task Locked_user_should_not_increment_failed_attempts()
         await orchestrator.LoginAsync(flow,
             new LoginRequest
             {
-                Tenant = TenantKey.Single,
                 Identifier = "user",
                 Secret = "wrong",
             });
@@ -224,7 +213,6 @@ await orchestrator.LoginAsync(flow,
         await orchestrator.LoginAsync(flow,
             new LoginRequest
             {
-                Tenant = TenantKey.Single,
                 Identifier = "user",
             });
 
@@ -248,7 +236,6 @@ public async Task MaxFailedAttempts_zero_should_disable_lockout()
             await orchestrator.LoginAsync(flow,
                 new LoginRequest
                 {
-                    Tenant = TenantKey.Single,
                     Identifier = "user",
                     Secret = "wrong",
                 });
@@ -277,7 +264,6 @@ public async Task Locked_user_failed_login_should_not_extend_lockout_duration()
         await orchestrator.LoginAsync(flow,
             new LoginRequest
             {
-                Tenant = TenantKey.Single,
                 Identifier = "user",
                 Secret = "wrong",
             });
@@ -291,7 +277,6 @@ await orchestrator.LoginAsync(flow,
         await orchestrator.LoginAsync(flow,
             new LoginRequest
             {
-                Tenant = TenantKey.Single,
                 Identifier = "user",
                 Secret = "wrong",
             });
@@ -319,7 +304,6 @@ public async Task Login_success_should_trigger_UserLoggedIn_event()
 
         await orchestrator.LoginAsync(flow, new LoginRequest
         {
-            Tenant = TenantKey.Single,
             Identifier = "user",
             Secret = "user",
         });
@@ -347,7 +331,6 @@ public async Task Login_success_should_trigger_OnAnyEvent()
 
         await orchestrator.LoginAsync(flow, new LoginRequest
         {
-            Tenant = TenantKey.Single,
             Identifier = "user",
             Secret = "user",
         });
@@ -368,7 +351,6 @@ public async Task Event_handler_exception_should_not_break_login_flow()
 
         var result = await orchestrator.LoginAsync(flow, new LoginRequest
         {
-            Tenant = TenantKey.Single,
             Identifier = "user",
             Secret = "user",
         });
diff --git a/tests/CodeBeam.UltimateAuth.Tests.Unit/Server/RedirectTests.cs b/tests/CodeBeam.UltimateAuth.Tests.Unit/Server/RedirectTests.cs
index cd72bded..76c39738 100644
--- a/tests/CodeBeam.UltimateAuth.Tests.Unit/Server/RedirectTests.cs
+++ b/tests/CodeBeam.UltimateAuth.Tests.Unit/Server/RedirectTests.cs
@@ -48,13 +48,13 @@ public void LoginFlow_Uses_Configured_Redirect_Options()
     }
 
     [Fact]
-    public void ClientProfile_Is_Read_From_Header()
+    public async Task ClientProfile_Is_Read_From_Header()
     {
         var reader = new ClientProfileReader();
         var ctx = TestHttpContext.Create();
         ctx.Request.Headers[UAuthConstants.Headers.ClientProfile] = "BlazorServer";
 
-        var profile = reader.Read(ctx);
+        var profile = await reader.ReadAsync(ctx);
         profile.Should().Be(UAuthClientProfile.BlazorServer);
     }
 
diff --git a/tests/CodeBeam.UltimateAuth.Tests.Unit/Sessions/SessionTests.cs b/tests/CodeBeam.UltimateAuth.Tests.Unit/Sessions/SessionTests.cs
index 404a9fc2..0011259e 100644
--- a/tests/CodeBeam.UltimateAuth.Tests.Unit/Sessions/SessionTests.cs
+++ b/tests/CodeBeam.UltimateAuth.Tests.Unit/Sessions/SessionTests.cs
@@ -42,7 +42,6 @@ public async Task Logout_device_should_revoke_sessions_but_keep_chain()
 
         var result = await orchestrator.LoginAsync(flow, new LoginRequest
         {
-            Tenant = TenantKey.Single,
             Identifier = "user",
             Secret = "user"
         });
@@ -96,7 +95,6 @@ public async Task Get_chain_detail_should_return_sessions()
 
         await orchestrator.LoginAsync(flow, new LoginRequest
         {
-            Tenant = TenantKeys.Single,
             Identifier = "user",
             Secret = "user"
         });
@@ -121,7 +119,6 @@ public async Task Revoke_chain_should_revoke_all_sessions()
 
         await orchestrator.LoginAsync(flow, new LoginRequest
         {
-            Tenant = TenantKeys.Single,
             Identifier = "user",
             Secret = "user"
         });
diff --git a/tests/CodeBeam.UltimateAuth.Tests.Unit/Users/UserIdentifierApplicationServiceTests.cs b/tests/CodeBeam.UltimateAuth.Tests.Unit/Users/UserIdentifierApplicationServiceTests.cs
index 277d6922..049eeefc 100644
--- a/tests/CodeBeam.UltimateAuth.Tests.Unit/Users/UserIdentifierApplicationServiceTests.cs
+++ b/tests/CodeBeam.UltimateAuth.Tests.Unit/Users/UserIdentifierApplicationServiceTests.cs
@@ -66,10 +66,8 @@ await identifierService.AddUserIdentifierAsync(context,
         var result = await loginOrchestrator.LoginAsync(flow,
             new LoginRequest
             {
-                Tenant = TenantKey.Single,
                 Identifier = "+905551111111",
                 Secret = "user",
-                //Device = TestDevice.Default()
             });
 
         result.IsSuccess.Should().BeFalse();

From 850867f41d0846154060755fe9c175204e0c998d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mehmet=20Can=20Karag=C3=B6z?= <m.cankaragoz@outlook.com>
Date: Sun, 22 Mar 2026 22:22:16 +0300
Subject: [PATCH 02/10] Some WASM TryPkceComplete Arrangements

---
 .../Components/Pages/Home.razor               |  2 +-
 .../Components/Pages/Home.razor.cs            | 21 +++--
 .../Components/Pages/Login.razor              |  2 +-
 .../Components/Pages/Login.razor.cs           | 23 ++++--
 .../Contracts/Common/IUAuthTryResult.cs       | 11 +++
 .../Contracts/Login/TryLoginResult.cs         |  2 +-
 .../Contracts/Pkce/PkceCompleteRequest.cs     | 16 +++-
 .../Contracts/Pkce/PkceLoginRequest.cs        | 15 ----
 .../Contracts/Pkce/TryPkceLoginRequest.cs     | 11 ---
 .../Contracts/Pkce/TryPkceLoginResult.cs      |  2 +-
 .../Endpoints/PkceEndpointHandler.cs          | 50 +++---------
 .../Components/UAuthLoginForm.razor           |  2 +-
 .../Components/UAuthLoginForm.razor.cs        | 80 ++++++-------------
 .../TScripts/uauth.js                         | 21 +++--
 .../wwwroot/uauth.min.js                      |  2 +-
 .../Services/Abstractions/IFlowClient.cs      |  4 +-
 .../Services/UAuthFlowClient.cs               | 73 +++++++++++------
 .../Fake/FakeFlowClient.cs                    |  9 ++-
 18 files changed, 162 insertions(+), 184 deletions(-)
 create mode 100644 src/CodeBeam.UltimateAuth.Core/Contracts/Common/IUAuthTryResult.cs
 delete mode 100644 src/CodeBeam.UltimateAuth.Core/Contracts/Pkce/PkceLoginRequest.cs
 delete mode 100644 src/CodeBeam.UltimateAuth.Core/Contracts/Pkce/TryPkceLoginRequest.cs

diff --git a/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Components/Pages/Home.razor b/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Components/Pages/Home.razor
index 056cc78a..6df5960a 100644
--- a/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Components/Pages/Home.razor
+++ b/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Components/Pages/Home.razor
@@ -69,7 +69,7 @@
 
             <MudItem Class="order-0 order-sm-1" xs="12" sm="6">
                 <MudPaper Class="uauth-login-paper pa-8" Elevation="3">
-                    <UAuthLoginForm Identifier="@_username" Secret="@_password" LoginType="UAuthLoginType.Pkce" SubmitMode="UAuthSubmitMode.TryAndCommit" OnTryResult="HandleLoginResult">
+                    <UAuthLoginForm Identifier="@_username" Secret="@_password" LoginType="UAuthLoginType.Pkce" SubmitMode="UAuthSubmitMode.TryAndCommit" OnTryResult="@HandleLoginResult">
                         <MudStack Class="mud-width-full">
                             <MudStack Row="true" AlignItems="AlignItems.Center">
                                 <UAuthLogo Size="48" ShieldColor="var(--mud-palette-primary)" KeyColor="white" />
diff --git a/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Components/Pages/Home.razor.cs b/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Components/Pages/Home.razor.cs
index eeb77706..f7046359 100644
--- a/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Components/Pages/Home.razor.cs
+++ b/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Components/Pages/Home.razor.cs
@@ -1,4 +1,5 @@
-using CodeBeam.UltimateAuth.Client.Contracts;
+using CodeBeam.UltimateAuth.Client;
+using CodeBeam.UltimateAuth.Client.Contracts;
 using CodeBeam.UltimateAuth.Client.Runtime;
 using CodeBeam.UltimateAuth.Core.Contracts;
 using CodeBeam.UltimateAuth.Core.Domain;
@@ -141,7 +142,7 @@ private async Task ProgrammaticPkceLogin()
         //    ReturnUrl = _state?.ReturnUrl ?? string.Empty
         //};
 
-        var request = new TryPkceLoginRequest
+        var request = new PkceCompleteRequest
         {
             Identifier = "admin",
             Secret = "admin",
@@ -151,21 +152,19 @@ private async Task ProgrammaticPkceLogin()
             HubSessionId = _state?.HubSessionId.Value ?? hubSessionId.Value,
         };
 
-        await UAuthClient.Flows.TryCompletePkceLoginAsync(request);
+        await UAuthClient.Flows.TryCompletePkceLoginAsync(request, UAuthSubmitMode.TryAndCommit);
     }
 
-    private void HandleLoginResult(TryLoginResult result)
+    private async Task HandleLoginResult(IUAuthTryResult result)
     {
-        if (!result.Success)
+        if (result is TryPkceLoginResult pkce)
         {
-            Snackbar.Add("Login failed", Severity.Error);
-
-            if (result.RemainingAttempts is not null)
+            if (!result.Success)
             {
-                // UI update
+                Snackbar.Add("Login failed", Severity.Error);
+                await StartNewPkceAsync();
             }
-
-            return;
+            
         }
     }
 
diff --git a/samples/blazor-server/CodeBeam.UltimateAuth.Sample.BlazorServer/Components/Pages/Login.razor b/samples/blazor-server/CodeBeam.UltimateAuth.Sample.BlazorServer/Components/Pages/Login.razor
index 49452e66..3ead18e9 100644
--- a/samples/blazor-server/CodeBeam.UltimateAuth.Sample.BlazorServer/Components/Pages/Login.razor
+++ b/samples/blazor-server/CodeBeam.UltimateAuth.Sample.BlazorServer/Components/Pages/Login.razor
@@ -73,7 +73,7 @@
 
             <MudItem Class="order-0 order-sm-1" xs="12" sm="6">
                 <MudPaper Class="uauth-login-paper pa-8" Elevation="3">
-                    <UAuthLoginForm Identifier="@_username" Secret="@_password" SubmitMode="UAuthSubmitMode.TryAndCommit" OnTryResult="HandleTry" ReturnUrl="@(ReturnUrl ?? "/home")">
+                    <UAuthLoginForm Identifier="@_username" Secret="@_password" SubmitMode="UAuthSubmitMode.TryAndCommit" OnTryResult="@HandleTry" ReturnUrl="@(ReturnUrl ?? "/home")">
                         <MudStack Class="mud-width-full">
                             <MudStack Row="true" AlignItems="AlignItems.Center">
                                 <UAuthLogo Size="48" ShieldColor="var(--mud-palette-primary)" KeyColor="white" />
diff --git a/samples/blazor-server/CodeBeam.UltimateAuth.Sample.BlazorServer/Components/Pages/Login.razor.cs b/samples/blazor-server/CodeBeam.UltimateAuth.Sample.BlazorServer/Components/Pages/Login.razor.cs
index 02257ae8..0cbc8441 100644
--- a/samples/blazor-server/CodeBeam.UltimateAuth.Sample.BlazorServer/Components/Pages/Login.razor.cs
+++ b/samples/blazor-server/CodeBeam.UltimateAuth.Sample.BlazorServer/Components/Pages/Login.razor.cs
@@ -157,18 +157,25 @@ private void UpdateRemaining()
         }
     }
 
-    private void HandleTry(TryLoginResult result)
+    private void HandleTry(IUAuthTryResult result)
     {
-        if (!result.Success)
+        if (result is TryLoginResult pkce)
         {
-            if (result.Reason == AuthFailureReason.LockedOut && result.LockoutUntilUtc is { } until)
+            if (!result.Success)
             {
-                _lockoutUntil = until;
-                StartCountdown();
-            }
+                if (result.Reason == AuthFailureReason.LockedOut && result.LockoutUntilUtc is { } until)
+                {
+                    _lockoutUntil = until;
+                    StartCountdown();
+                }
 
-            _remainingAttempts = result.RemainingAttempts;
-            ShowLoginError(result.Reason, result.RemainingAttempts);
+                _remainingAttempts = result.RemainingAttempts;
+                ShowLoginError(result.Reason, result.RemainingAttempts);
+            }
+        }
+        else
+        {
+            Snackbar.Add("Unexpected result type.", Severity.Error);
         }
     }
 
diff --git a/src/CodeBeam.UltimateAuth.Core/Contracts/Common/IUAuthTryResult.cs b/src/CodeBeam.UltimateAuth.Core/Contracts/Common/IUAuthTryResult.cs
new file mode 100644
index 00000000..1fee5de4
--- /dev/null
+++ b/src/CodeBeam.UltimateAuth.Core/Contracts/Common/IUAuthTryResult.cs
@@ -0,0 +1,11 @@
+using CodeBeam.UltimateAuth.Core.Domain;
+
+namespace CodeBeam.UltimateAuth.Core.Contracts;
+
+public interface IUAuthTryResult
+{
+    bool Success { get; }
+    AuthFailureReason? Reason { get; }
+    int? RemainingAttempts { get; }
+    DateTimeOffset? LockoutUntilUtc { get; }
+}
diff --git a/src/CodeBeam.UltimateAuth.Core/Contracts/Login/TryLoginResult.cs b/src/CodeBeam.UltimateAuth.Core/Contracts/Login/TryLoginResult.cs
index 9b95455a..f91c14ab 100644
--- a/src/CodeBeam.UltimateAuth.Core/Contracts/Login/TryLoginResult.cs
+++ b/src/CodeBeam.UltimateAuth.Core/Contracts/Login/TryLoginResult.cs
@@ -2,7 +2,7 @@
 
 namespace CodeBeam.UltimateAuth.Core.Contracts;
 
-public sealed record TryLoginResult
+public sealed record TryLoginResult : IUAuthTryResult
 {
     public bool Success { get; init; }
     public AuthFailureReason? Reason { get; init; }
diff --git a/src/CodeBeam.UltimateAuth.Core/Contracts/Pkce/PkceCompleteRequest.cs b/src/CodeBeam.UltimateAuth.Core/Contracts/Pkce/PkceCompleteRequest.cs
index d04b6eca..22cb7bab 100644
--- a/src/CodeBeam.UltimateAuth.Core/Contracts/Pkce/PkceCompleteRequest.cs
+++ b/src/CodeBeam.UltimateAuth.Core/Contracts/Pkce/PkceCompleteRequest.cs
@@ -1,10 +1,22 @@
-namespace CodeBeam.UltimateAuth.Core.Contracts;
+using System.Text.Json.Serialization;
 
-internal sealed class PkceCompleteRequest
+namespace CodeBeam.UltimateAuth.Core.Contracts;
+
+public sealed class PkceCompleteRequest
 {
+    [JsonPropertyName("authorization_code")]
     public string AuthorizationCode { get; init; } = default!;
+
+    [JsonPropertyName("code_verifier")]
     public string CodeVerifier { get; init; } = default!;
+
+
     public string Identifier { get; init; } = default!;
     public string Secret { get; init; } = default!;
+
+    [JsonPropertyName("return_url")]
     public string ReturnUrl { get; init; } = default!;
+
+    [JsonPropertyName("hub_session_id")]
+    public string HubSessionId { get; init; } = default!;
 }
diff --git a/src/CodeBeam.UltimateAuth.Core/Contracts/Pkce/PkceLoginRequest.cs b/src/CodeBeam.UltimateAuth.Core/Contracts/Pkce/PkceLoginRequest.cs
deleted file mode 100644
index 9d446030..00000000
--- a/src/CodeBeam.UltimateAuth.Core/Contracts/Pkce/PkceLoginRequest.cs
+++ /dev/null
@@ -1,15 +0,0 @@
-using CodeBeam.UltimateAuth.Core.MultiTenancy;
-
-namespace CodeBeam.UltimateAuth.Core.Contracts;
-
-public sealed class PkceLoginRequest
-{
-    public string AuthorizationCode { get; init; } = default!;
-    public string CodeVerifier { get; init; } = default!;
-    public string ReturnUrl { get; init; } = default!;
-
-    public string Identifier { get; init; } = default!;
-    public string Secret { get; init; } = default!;
-
-    public TenantKey Tenant { get; init; }
-}
diff --git a/src/CodeBeam.UltimateAuth.Core/Contracts/Pkce/TryPkceLoginRequest.cs b/src/CodeBeam.UltimateAuth.Core/Contracts/Pkce/TryPkceLoginRequest.cs
deleted file mode 100644
index 6ed6b462..00000000
--- a/src/CodeBeam.UltimateAuth.Core/Contracts/Pkce/TryPkceLoginRequest.cs
+++ /dev/null
@@ -1,11 +0,0 @@
-namespace CodeBeam.UltimateAuth.Core.Contracts;
-
-public sealed class TryPkceLoginRequest
-{
-    public string AuthorizationCode { get; init; } = string.Empty;
-    public string CodeVerifier { get; init; } = string.Empty;
-    public string? Identifier { get; init; }
-    public string? Secret { get; init; }
-    public string? ReturnUrl { get; init; }
-    public string? HubSessionId { get; init; }
-}
diff --git a/src/CodeBeam.UltimateAuth.Core/Contracts/Pkce/TryPkceLoginResult.cs b/src/CodeBeam.UltimateAuth.Core/Contracts/Pkce/TryPkceLoginResult.cs
index 16cfd9f3..fb0b7913 100644
--- a/src/CodeBeam.UltimateAuth.Core/Contracts/Pkce/TryPkceLoginResult.cs
+++ b/src/CodeBeam.UltimateAuth.Core/Contracts/Pkce/TryPkceLoginResult.cs
@@ -2,7 +2,7 @@
 
 namespace CodeBeam.UltimateAuth.Core.Contracts;
 
-public sealed class TryPkceLoginResult
+public sealed class TryPkceLoginResult : IUAuthTryResult
 {
     public bool Success { get; init; }
     public AuthFailureReason? Reason { get; init; }
diff --git a/src/CodeBeam.UltimateAuth.Server/Endpoints/PkceEndpointHandler.cs b/src/CodeBeam.UltimateAuth.Server/Endpoints/PkceEndpointHandler.cs
index faa6a686..e116f039 100644
--- a/src/CodeBeam.UltimateAuth.Server/Endpoints/PkceEndpointHandler.cs
+++ b/src/CodeBeam.UltimateAuth.Server/Endpoints/PkceEndpointHandler.cs
@@ -3,6 +3,7 @@
 using CodeBeam.UltimateAuth.Core.Domain;
 using CodeBeam.UltimateAuth.Server.Abstractions;
 using CodeBeam.UltimateAuth.Server.Auth;
+using CodeBeam.UltimateAuth.Server.Extensions;
 using CodeBeam.UltimateAuth.Server.Flows;
 using CodeBeam.UltimateAuth.Server.Infrastructure;
 using CodeBeam.UltimateAuth.Server.Options;
@@ -100,9 +101,9 @@ public async Task<IResult> TryCompleteAsync(HttpContext ctx)
         if (authContext.FlowType != AuthFlowType.Login)
             return Results.BadRequest("PKCE is only supported for login flow.");
 
-        var request = await ReadPkceTryCompleteRequestAsync(ctx);
+        var request = await ReadPkceCompleteRequestAsync(ctx);
         if (request is null)
-            return Results.BadRequest("Invalid PKCE completion payload.");
+            return Results.BadRequest("Invalid PKCE payload.");
 
         if (string.IsNullOrWhiteSpace(request.AuthorizationCode) || string.IsNullOrWhiteSpace(request.CodeVerifier))
             return Results.BadRequest("authorization_code and code_verifier are required.");
@@ -277,19 +278,18 @@ public async Task<IResult> CompleteAsync(HttpContext ctx)
     {
         if (ctx.Request.HasJsonContentType())
         {
-            return await ctx.Request.ReadFromJsonAsync<PkceCompleteRequest>(
-                cancellationToken: ctx.RequestAborted);
+            return await ctx.Request.ReadFromJsonAsync<PkceCompleteRequest>(cancellationToken: ctx.RequestAborted);
         }
 
         if (ctx.Request.HasFormContentType)
         {
-            var form = await ctx.Request.ReadFormAsync(ctx.RequestAborted);
+            var form = await ctx.GetCachedFormAsync();
 
-            var authorizationCode = form["authorization_code"].ToString();
-            var codeVerifier = form["code_verifier"].ToString();
-            var identifier = form["Identifier"].ToString();
-            var secret = form["Secret"].ToString();
-            var returnUrl = form["return_url"].ToString();
+            var authorizationCode = form["authorization_code"].FirstOrDefault();
+            var codeVerifier = form["code_verifier"].FirstOrDefault();
+            var identifier = form["Identifier"].FirstOrDefault();
+            var secret = form["Secret"].FirstOrDefault();
+            var returnUrl = form["return_url"].FirstOrDefault();
 
             return new PkceCompleteRequest
             {
@@ -304,36 +304,6 @@ public async Task<IResult> CompleteAsync(HttpContext ctx)
         return null;
     }
 
-    private static async Task<TryPkceLoginRequest?> ReadPkceTryCompleteRequestAsync(HttpContext ctx)
-    {
-        if (ctx.Request.HasJsonContentType())
-        {
-            return await ctx.Request.ReadFromJsonAsync<TryPkceLoginRequest>(cancellationToken: ctx.RequestAborted);
-        }
-
-        if (ctx.Request.HasFormContentType)
-        {
-            var form = await ctx.Request.ReadFormAsync(ctx.RequestAborted);
-
-            var authorizationCode = form["authorization_code"].ToString();
-            var codeVerifier = form["code_verifier"].ToString();
-            var identifier = form["Identifier"].ToString();
-            var secret = form["Secret"].ToString();
-            var returnUrl = form["return_url"].ToString();
-
-            return new TryPkceLoginRequest
-            {
-                AuthorizationCode = authorizationCode,
-                CodeVerifier = codeVerifier,
-                Identifier = identifier,
-                Secret = secret,
-                ReturnUrl = returnUrl
-            };
-        }
-
-        return null;
-    }
-
     private async Task<IResult> RedirectToLoginWithErrorAsync(HttpContext ctx, AuthFlowContext auth, string error)
     {
         var basePath = auth.OriginalOptions.Hub.LoginPath ?? "/login";
diff --git a/src/client/CodeBeam.UltimateAuth.Client.Blazor/Components/UAuthLoginForm.razor b/src/client/CodeBeam.UltimateAuth.Client.Blazor/Components/UAuthLoginForm.razor
index 35804511..93eb2736 100644
--- a/src/client/CodeBeam.UltimateAuth.Client.Blazor/Components/UAuthLoginForm.razor
+++ b/src/client/CodeBeam.UltimateAuth.Client.Blazor/Components/UAuthLoginForm.razor
@@ -12,7 +12,7 @@
 @inject IOptions<UAuthClientOptions> Options
 @inject NavigationManager Navigation
 
-<form @ref="_form" method="post" action="@ResolvedEndpoint" onsubmit="@HandleSubmit" onsubmit:preventDefault>
+<form @ref="_form" method="post" action="@ResolvedEndpoint" onsubmit="@SubmitAsync" onsubmit:preventDefault>
     <input type="hidden" name="Identifier" value="@Identifier" />
     <input type="hidden" name="Secret" value="@Secret" autocomplete="off" />
     <input type="hidden" name="@UAuthConstants.Form.ClientProfile" value="@ClientProfileValue" />
diff --git a/src/client/CodeBeam.UltimateAuth.Client.Blazor/Components/UAuthLoginForm.razor.cs b/src/client/CodeBeam.UltimateAuth.Client.Blazor/Components/UAuthLoginForm.razor.cs
index 5a7ea6e5..0d8f399c 100644
--- a/src/client/CodeBeam.UltimateAuth.Client.Blazor/Components/UAuthLoginForm.razor.cs
+++ b/src/client/CodeBeam.UltimateAuth.Client.Blazor/Components/UAuthLoginForm.razor.cs
@@ -61,7 +61,7 @@ public partial class UAuthLoginForm
     public bool AllowEnterKeyToSubmit { get; set; } = true;
 
     [Parameter]
-    public EventCallback<TryLoginResult> OnTryResult { get; set; }
+    public EventCallback<IUAuthTryResult> OnTryResult { get; set; }
 
     private ElementReference _form;
 
@@ -117,11 +117,6 @@ public async Task ReloadStateAsync()
         _flow = await HubFlowReader.GetStateAsync(EffectiveHubSessionId.Value);
     }
 
-    private async Task HandleSubmit()
-    {
-        await SubmitAsync();
-    }
-
     public async Task SubmitAsync()
     {
         if (_form.Context is null)
@@ -173,7 +168,7 @@ private async Task SubmitPkceAsync()
         if (_credentials is null)
             throw new InvalidOperationException("Missing PKCE credentials.");
 
-        var request = new TryPkceLoginRequest
+        var request = new PkceCompleteRequest
         {
             Identifier = Identifier,
             Secret = Secret,
@@ -183,55 +178,32 @@ private async Task SubmitPkceAsync()
             HubSessionId = EffectiveHubSessionId?.Value
         };
 
-        //switch (SubmitMode)
-        //{
-        //    case UAuthSubmitMode.DirectCommit:
-        //        {
-        //            await UAuthClient.Flows.CompletePkceLoginAsync(new PkceLoginRequest
-        //            {
-        //                Identifier = Identifier,
-        //                Secret = Secret,
-        //                AuthorizationCode = _credentials.AuthorizationCode,
-        //                CodeVerifier = _credentials.CodeVerifier,
-        //                ReturnUrl = EffectiveReturnUrl,
-        //                //HubSessionId = EffectiveHubSessionId?.Value
-        //            });
-        //            break;
-        //        }
-
-        //    case UAuthSubmitMode.TryOnly:
-        //        {
-        //            var result = await UAuthClient.Flows.TryCompletePkceLoginAsync(request);
-        //            await EmitResultAsync(result);
-        //            break;
-        //        }
-
-        //    case UAuthSubmitMode.TryThenCommit:
-        //    default:
-        //        {
-        //            var result = await UAuthClient.Flows.TryCompletePkceLoginAsync(request);
-
-        //            await EmitResultAsync(result);
-
-        //            if (!result.Success)
-        //                return;
-
-        //            await UAuthClient.Flows.CompletePkceLoginAsync(new PkceLoginRequest
-        //            {
-        //                Identifier = Identifier,
-        //                Secret = Secret,
-        //                AuthorizationCode = _credentials.AuthorizationCode,
-        //                CodeVerifier = _credentials.CodeVerifier,
-        //                ReturnUrl = EffectiveReturnUrl,
-        //                //HubSessionId = EffectiveHubSessionId?.Value
-        //            });
-
-        //            break;
-        //        }
-        //}
+        switch (SubmitMode)
+        {
+            case UAuthSubmitMode.DirectCommit:
+                {
+                    await UAuthClient.Flows.TryCompletePkceLoginAsync(request, UAuthSubmitMode.DirectCommit);
+                    break;
+                }
+
+            case UAuthSubmitMode.TryOnly:
+                {
+                    var result = await UAuthClient.Flows.TryCompletePkceLoginAsync(request, UAuthSubmitMode.TryOnly);
+                    await EmitResultAsync(result);
+                    break;
+                }
+
+            case UAuthSubmitMode.TryAndCommit:
+            default:
+                {
+                    var result = await UAuthClient.Flows.TryCompletePkceLoginAsync(request, UAuthSubmitMode.TryAndCommit);
+                    await EmitResultAsync(result);
+                    break;
+                }
+        }
     }
 
-    private async Task EmitResultAsync(TryLoginResult result)
+    private async Task EmitResultAsync(IUAuthTryResult result)
     {
         if (OnTryResult.HasDelegate)
             await OnTryResult.InvokeAsync(result);
diff --git a/src/client/CodeBeam.UltimateAuth.Client.Blazor/TScripts/uauth.js b/src/client/CodeBeam.UltimateAuth.Client.Blazor/TScripts/uauth.js
index 6982bded..a045e254 100644
--- a/src/client/CodeBeam.UltimateAuth.Client.Blazor/TScripts/uauth.js
+++ b/src/client/CodeBeam.UltimateAuth.Client.Blazor/TScripts/uauth.js
@@ -63,13 +63,22 @@ window.uauth.tryAndCommit = async function (options) {
         clientProfile: clientProfile
     });
 
-    if (!tryResponse || !tryResponse.body) {
-        return { success: false };
+    let result = tryResponse?.body;
+
+    if (!result) {
+        result = {};
     }
 
-    const result = tryResponse.body;
+    const normalized = {
+        success: result.success ?? false,
+        reason: result.reason ?? null,
+        remainingAttempts: result.remainingAttempts ?? null,
+        lockoutUntilUtc: result.lockoutUntilUtc ?? null,
+        requiresMfa: result.requiresMfa ?? false,
+        retryWithNewPkce: result.retryWithNewPkce ?? false
+    };
 
-    if (result.success) {
+    if (normalized.success) {
         const form = document.createElement("form");
         form.method = "POST";
         form.action = commitUrl;
@@ -96,11 +105,9 @@ window.uauth.tryAndCommit = async function (options) {
 
         document.body.appendChild(form);
         form.submit();
-
-        return result;
     }
 
-    return result;
+    return normalized;
 };
 
 window.uauth.post = async function (options) {
diff --git a/src/client/CodeBeam.UltimateAuth.Client.Blazor/wwwroot/uauth.min.js b/src/client/CodeBeam.UltimateAuth.Client.Blazor/wwwroot/uauth.min.js
index 0044ed81..190db2a7 100644
--- a/src/client/CodeBeam.UltimateAuth.Client.Blazor/wwwroot/uauth.min.js
+++ b/src/client/CodeBeam.UltimateAuth.Client.Blazor/wwwroot/uauth.min.js
@@ -1 +1 @@
-window.uauth=window.uauth||{};window.uauth.storage={set:function(n,t,i){const r=n==="local"?window.localStorage:window.sessionStorage;r.setItem(t,i)},get:function(n,t){const i=n==="local"?window.localStorage:window.sessionStorage;return i.getItem(t)},remove:function(n,t){const i=n==="local"?window.localStorage:window.sessionStorage;i.removeItem(t)},exists:function(n,t){const i=n==="local"?window.localStorage:window.sessionStorage;return i.getItem(t)!==null}};window.uauth.submitForm=function(n){if(n){if(!window.uauth.deviceId)throw new Error("UAuth deviceId is not initialized.");let t=n.querySelector("input[name='__uauth_device']");t||(t=document.createElement("input"),t.type="hidden",t.name="__uauth_device",n.appendChild(t));t.value=window.uauth.deviceId;n.submit()}};window.uauth.tryAndCommit=async function(n){const{tryUrl:f,commitUrl:e,data:t,clientProfile:u}=n,i=await window.uauth.postJson({url:f,payload:t,clientProfile:u});if(!i||!i.body)return{success:!1};const r=i.body;if(r.success){const n=document.createElement("form");n.method="POST";n.action=e;for(const i in t){const r=document.createElement("input");r.type="hidden";r.name=i;r.value=t[i]??"";n.appendChild(r)}const i=document.createElement("input");i.type="hidden";i.name="__uauth_client_profile";i.value=u??"";n.appendChild(i);const f=document.createElement("input");return f.type="hidden",f.name="__uauth_device",f.value=window.uauth.deviceId,n.appendChild(f),document.body.appendChild(n),n.submit(),r}return r};window.uauth.post=async function(n){const{url:f,mode:s,data:t,clientProfile:e}=n;if(s==="navigate"){const n=document.createElement("form");n.method="POST";n.action=f;const i=document.createElement("input");i.type="hidden";i.name="__uauth_client_profile";i.value=e??"";n.appendChild(i);const r=document.createElement("input");if(r.type="hidden",r.name="__uauth_device",r.value=window.uauth.deviceId,n.appendChild(r),t)for(const i in t){const r=document.createElement("input");r.type="hidden";r.name=i;r.value=t[i];n.appendChild(r)}return document.body.appendChild(n),n.submit(),null}let r=null;if(!window.uauth.deviceId)throw new Error("UAuth deviceId is not initialized.");const o={"X-UDID":window.uauth.deviceId,"X-UAuth-ClientProfile":e,"X-Requested-With":"UAuth"};if(t){r=new URLSearchParams;for(const n in t)r.append(n,t[n]);o["Content-Type"]="application/x-www-form-urlencoded"}const i=await fetch(f,{method:"POST",credentials:"include",headers:o,body:r});let u=null;try{u=await i.json()}catch{u=null}return{ok:i.ok,status:i.status,refreshOutcome:i.headers.get("X-UAuth-Refresh"),body:u}};window.uauth.postJson=async function(n){const{url:u,payload:r,clientProfile:f}=n;if(!window.uauth.deviceId)throw new Error("UAuth deviceId is not initialized.");const e={"Content-Type":"application/json","X-UDID":window.uauth.deviceId,"X-UAuth-ClientProfile":f??"","X-Requested-With":"UAuth"},t=await fetch(u,{method:"POST",credentials:"include",headers:e,body:r?JSON.stringify(r):null});let i=null;try{i=await t.json()}catch{i=null}return{ok:t.ok,status:t.status,refreshOutcome:t.headers.get("X-UAuth-Refresh"),body:i}};window.uauth.setDeviceId=function(n){window.uauth.deviceId=n}
\ No newline at end of file
+window.uauth=window.uauth||{};window.uauth.storage={set:function(n,t,i){const r=n==="local"?window.localStorage:window.sessionStorage;r.setItem(t,i)},get:function(n,t){const i=n==="local"?window.localStorage:window.sessionStorage;return i.getItem(t)},remove:function(n,t){const i=n==="local"?window.localStorage:window.sessionStorage;i.removeItem(t)},exists:function(n,t){const i=n==="local"?window.localStorage:window.sessionStorage;return i.getItem(t)!==null}};window.uauth.submitForm=function(n){if(n){if(!window.uauth.deviceId)throw new Error("UAuth deviceId is not initialized.");let t=n.querySelector("input[name='__uauth_device']");t||(t=document.createElement("input"),t.type="hidden",t.name="__uauth_device",n.appendChild(t));t.value=window.uauth.deviceId;n.submit()}};window.uauth.tryAndCommit=async function(n){const{tryUrl:f,commitUrl:e,data:i,clientProfile:r}=n,o=await window.uauth.postJson({url:f,payload:i,clientProfile:r});let t=o?.body;t||(t={});const u={success:t.success??!1,reason:t.reason??null,remainingAttempts:t.remainingAttempts??null,lockoutUntilUtc:t.lockoutUntilUtc??null,requiresMfa:t.requiresMfa??!1,retryWithNewPkce:t.retryWithNewPkce??!1};if(u.success){const n=document.createElement("form");n.method="POST";n.action=e;for(const t in i){const r=document.createElement("input");r.type="hidden";r.name=t;r.value=i[t]??"";n.appendChild(r)}const t=document.createElement("input");t.type="hidden";t.name="__uauth_client_profile";t.value=r??"";n.appendChild(t);const u=document.createElement("input");u.type="hidden";u.name="__uauth_device";u.value=window.uauth.deviceId;n.appendChild(u);document.body.appendChild(n);n.submit()}return u};window.uauth.post=async function(n){const{url:f,mode:s,data:t,clientProfile:e}=n;if(s==="navigate"){const n=document.createElement("form");n.method="POST";n.action=f;const i=document.createElement("input");i.type="hidden";i.name="__uauth_client_profile";i.value=e??"";n.appendChild(i);const r=document.createElement("input");if(r.type="hidden",r.name="__uauth_device",r.value=window.uauth.deviceId,n.appendChild(r),t)for(const i in t){const r=document.createElement("input");r.type="hidden";r.name=i;r.value=t[i];n.appendChild(r)}return document.body.appendChild(n),n.submit(),null}let r=null;if(!window.uauth.deviceId)throw new Error("UAuth deviceId is not initialized.");const o={"X-UDID":window.uauth.deviceId,"X-UAuth-ClientProfile":e,"X-Requested-With":"UAuth"};if(t){r=new URLSearchParams;for(const n in t)r.append(n,t[n]);o["Content-Type"]="application/x-www-form-urlencoded"}const i=await fetch(f,{method:"POST",credentials:"include",headers:o,body:r});let u=null;try{u=await i.json()}catch{u=null}return{ok:i.ok,status:i.status,refreshOutcome:i.headers.get("X-UAuth-Refresh"),body:u}};window.uauth.postJson=async function(n){const{url:u,payload:r,clientProfile:f}=n;if(!window.uauth.deviceId)throw new Error("UAuth deviceId is not initialized.");const e={"Content-Type":"application/json","X-UDID":window.uauth.deviceId,"X-UAuth-ClientProfile":f??"","X-Requested-With":"UAuth"},t=await fetch(u,{method:"POST",credentials:"include",headers:e,body:r?JSON.stringify(r):null});let i=null;try{i=await t.json()}catch{i=null}return{ok:t.ok,status:t.status,refreshOutcome:t.headers.get("X-UAuth-Refresh"),body:i}};window.uauth.setDeviceId=function(n){window.uauth.deviceId=n}
\ No newline at end of file
diff --git a/src/client/CodeBeam.UltimateAuth.Client/Services/Abstractions/IFlowClient.cs b/src/client/CodeBeam.UltimateAuth.Client/Services/Abstractions/IFlowClient.cs
index 193e26fd..a97d3294 100644
--- a/src/client/CodeBeam.UltimateAuth.Client/Services/Abstractions/IFlowClient.cs
+++ b/src/client/CodeBeam.UltimateAuth.Client/Services/Abstractions/IFlowClient.cs
@@ -17,8 +17,8 @@ public interface IFlowClient
     Task<AuthValidationResult> ValidateAsync();
 
     Task BeginPkceAsync(string? returnUrl = null);
-    Task<TryPkceLoginResult> TryCompletePkceLoginAsync(TryPkceLoginRequest request, bool commitOnSuccess = false, CancellationToken ct = default);
-    Task CompletePkceLoginAsync(PkceLoginRequest request);
+    Task<TryPkceLoginResult> TryCompletePkceLoginAsync(PkceCompleteRequest request, UAuthSubmitMode mode);
+    Task CompletePkceLoginAsync(PkceCompleteRequest request);
 
     Task<UAuthResult<RevokeResult>> LogoutDeviceSelfAsync(LogoutDeviceRequest request);
     Task<UAuthResult> LogoutOtherDevicesSelfAsync();
diff --git a/src/client/CodeBeam.UltimateAuth.Client/Services/UAuthFlowClient.cs b/src/client/CodeBeam.UltimateAuth.Client/Services/UAuthFlowClient.cs
index db6cecdd..af2eb10d 100644
--- a/src/client/CodeBeam.UltimateAuth.Client/Services/UAuthFlowClient.cs
+++ b/src/client/CodeBeam.UltimateAuth.Client/Services/UAuthFlowClient.cs
@@ -241,47 +241,68 @@ public async Task BeginPkceAsync(string? returnUrl = null)
         }
     }
 
-    public async Task<TryPkceLoginResult> TryCompletePkceLoginAsync(TryPkceLoginRequest request, bool commitOnSuccess = false, CancellationToken ct = default)
+    public async Task<TryPkceLoginResult> TryCompletePkceLoginAsync(PkceCompleteRequest request, UAuthSubmitMode mode)
     {
         if (request is null)
             throw new ArgumentNullException(nameof(request));
 
         if (!_options.Pkce.Enabled)
+            throw new InvalidOperationException("PKCE login is disabled.");
+
+        var tryUrl = Url(_options.Endpoints.PkceTryComplete);
+        var commitUrl = Url(_options.Endpoints.PkceComplete);
+
+        var payload = new Dictionary<string, string>
+        {
+            ["authorization_code"] = request.AuthorizationCode,
+            ["code_verifier"] = request.CodeVerifier,
+            ["Identifier"] = request.Identifier ?? string.Empty,
+            ["Secret"] = request.Secret ?? string.Empty
+        };
+
+        if (!string.IsNullOrWhiteSpace(request.ReturnUrl))
         {
-            throw new InvalidOperationException("PKCE login is disabled by configuration, but a PKCE try-complete was attempted.");
+            payload["return_url"] = request.ReturnUrl;
         }
 
-        var url = Url(_options.Endpoints.PkceTryComplete);
-        var raw = await _post.SendJsonAsync(url, request, ct);
+        switch (mode)
+        {
+            case UAuthSubmitMode.TryOnly:
+                {
+                    var raw = await _post.SendJsonAsync(tryUrl, request);
 
-        if (raw == null || raw.Body is null)
-            throw new UAuthProtocolException("Invalid PKCE try-complete response.");
+                    var parsed = raw.Body.Value.Deserialize<TryPkceLoginResult>(
+                        new JsonSerializerOptions { PropertyNameCaseInsensitive = true });
 
-        var result = raw.Body.Value.Deserialize<TryPkceLoginResult>(
-            new JsonSerializerOptions
-            {
-                PropertyNameCaseInsensitive = true
-            });
+                    if (parsed is null)
+                        throw new UAuthProtocolException("Invalid PKCE try result.");
+
+                    return parsed;
+                }
 
-        if (result is null)
-            throw new UAuthProtocolException("Invalid PKCE try-complete result format.");
+            case UAuthSubmitMode.DirectCommit:
+                {
+                    await _post.NavigateAsync(commitUrl, payload);
+                    return new TryPkceLoginResult { Success = true };
+                }
 
-        if (commitOnSuccess && result.Success)
-        {
-            await CompletePkceLoginAsync(new PkceLoginRequest
-            {
-                AuthorizationCode = request.AuthorizationCode,
-                CodeVerifier = request.CodeVerifier,
-                Identifier = request.Identifier,
-                Secret = request.Secret,
-                ReturnUrl = request.ReturnUrl
-            });
-        }
+            case UAuthSubmitMode.TryAndCommit:
+            default:
+                {
+                    var result = await _post.TryAndCommitAsync<TryPkceLoginResult>(
+                        tryUrl,
+                        commitUrl,
+                        payload);
 
-        return result;
+                    if (result is null)
+                        throw new UAuthProtocolException("Invalid PKCE try result.");
+
+                    return result;
+                }
+        }
     }
 
-    public async Task CompletePkceLoginAsync(PkceLoginRequest request)
+    public async Task CompletePkceLoginAsync(PkceCompleteRequest request)
     {
         if (request is null)
             throw new ArgumentNullException(nameof(request));
diff --git a/tests/CodeBeam.UltimateAuth.Tests.Unit/Fake/FakeFlowClient.cs b/tests/CodeBeam.UltimateAuth.Tests.Unit/Fake/FakeFlowClient.cs
index 46f77de2..4dda4404 100644
--- a/tests/CodeBeam.UltimateAuth.Tests.Unit/Fake/FakeFlowClient.cs
+++ b/tests/CodeBeam.UltimateAuth.Tests.Unit/Fake/FakeFlowClient.cs
@@ -32,7 +32,7 @@ public Task CompletePkceLoginAsync(LoginRequest request)
         throw new NotImplementedException();
     }
 
-    public Task CompletePkceLoginAsync(PkceLoginRequest request)
+    public Task CompletePkceLoginAsync(PkceCompleteRequest request)
     {
         throw new NotImplementedException();
     }
@@ -120,7 +120,12 @@ public Task<RefreshResult> RefreshAsync(bool isAuto = false)
         });
     }
 
-    public Task<TryPkceLoginResult> TryCompletePkceLoginAsync(TryPkceLoginRequest request, bool commitOnSuccess = false, CancellationToken ct = default)
+    public Task<TryPkceLoginResult> TryCompletePkceLoginAsync(PkceCompleteRequest request, bool commitOnSuccess = false, CancellationToken ct = default)
+    {
+        throw new NotImplementedException();
+    }
+
+    public Task<TryPkceLoginResult> TryCompletePkceLoginAsync(PkceCompleteRequest request, UAuthSubmitMode mode)
     {
         throw new NotImplementedException();
     }

From 05b1acb53c9564083e70f83054e85fb2c146b52a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mehmet=20Can=20Karag=C3=B6z?= <m.cankaragoz@outlook.com>
Date: Mon, 23 Mar 2026 12:57:51 +0300
Subject: [PATCH 03/10] More Fixes

---
 .../Components/Pages/Home.razor               |   7 +-
 .../Components/Pages/Home.razor.cs            | 208 +++++++++++++-----
 .../Controllers/HubLoginController.cs         |   4 +-
 .../Program.cs                                |   9 +-
 .../Contracts/Pkce/PkceAuthorizeCommand.cs    |  15 ++
 .../Contracts/Pkce/PkceCompleteResult.cs      |  14 ++
 .../Domain/Hub/HubFlowArtifact.cs             |   6 +
 .../Domain/Hub/HubFlowPayload.cs              |  13 ++
 .../Domain/Hub/HubFlowState.cs                |  17 ++
 .../Domain/Pkce/PkceCredentials.cs            |   7 +
 .../Contracts/Hub/HubBeginRequest.cs          |  19 ++
 .../Contracts/Hub/HubSessionResult.cs         |   6 +
 .../Endpoints/PkceEndpointHandler.cs          | 157 +++++--------
 .../Extensions/ServiceCollectionExtensions.cs |   2 +
 .../Services/Abstractions/IHubFlowService.cs  |  12 +
 .../Services/Abstractions/IPkceService.cs     |  10 +
 .../{ => Abstractions}/IRefreshFlowService.cs |   0
 .../IRefreshTokenRotationService.cs           |   0
 .../ISessionApplicationService.cs             |   0
 .../ISessionQueryService.cs                   |   0
 .../{ => Abstractions}/ISessionValidator.cs   |   0
 .../{ => Abstractions}/IUAuthFlowService.cs   |   0
 .../Services/HubFlowService.cs                |  82 +++++++
 .../Services/PkceService.cs                   | 122 ++++++++++
 .../Components/UAuthLoginForm.razor.cs        |   2 +-
 .../Services/Abstractions/IFlowClient.cs      |   2 +
 .../Services/UAuthFlowClient.cs               |  81 +++++++
 27 files changed, 630 insertions(+), 165 deletions(-)
 create mode 100644 src/CodeBeam.UltimateAuth.Core/Contracts/Pkce/PkceAuthorizeCommand.cs
 create mode 100644 src/CodeBeam.UltimateAuth.Core/Contracts/Pkce/PkceCompleteResult.cs
 create mode 100644 src/CodeBeam.UltimateAuth.Core/Domain/Pkce/PkceCredentials.cs
 create mode 100644 src/CodeBeam.UltimateAuth.Server/Contracts/Hub/HubBeginRequest.cs
 create mode 100644 src/CodeBeam.UltimateAuth.Server/Contracts/Hub/HubSessionResult.cs
 create mode 100644 src/CodeBeam.UltimateAuth.Server/Services/Abstractions/IHubFlowService.cs
 create mode 100644 src/CodeBeam.UltimateAuth.Server/Services/Abstractions/IPkceService.cs
 rename src/CodeBeam.UltimateAuth.Server/Services/{ => Abstractions}/IRefreshFlowService.cs (100%)
 rename src/CodeBeam.UltimateAuth.Server/Services/{ => Abstractions}/IRefreshTokenRotationService.cs (100%)
 rename src/CodeBeam.UltimateAuth.Server/Services/{ => Abstractions}/ISessionApplicationService.cs (100%)
 rename src/CodeBeam.UltimateAuth.Server/Services/{ => Abstractions}/ISessionQueryService.cs (100%)
 rename src/CodeBeam.UltimateAuth.Server/Services/{ => Abstractions}/ISessionValidator.cs (100%)
 rename src/CodeBeam.UltimateAuth.Server/Services/{ => Abstractions}/IUAuthFlowService.cs (100%)
 create mode 100644 src/CodeBeam.UltimateAuth.Server/Services/HubFlowService.cs
 create mode 100644 src/CodeBeam.UltimateAuth.Server/Services/PkceService.cs

diff --git a/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Components/Pages/Home.razor b/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Components/Pages/Home.razor
index 6df5960a..7ae068ed 100644
--- a/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Components/Pages/Home.razor
+++ b/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Components/Pages/Home.razor
@@ -5,12 +5,16 @@
 
 @implements IDisposable
 @using CodeBeam.UltimateAuth.Client.Infrastructure
+@using CodeBeam.UltimateAuth.Client.Options
 @using CodeBeam.UltimateAuth.Client.Runtime
 @using CodeBeam.UltimateAuth.Core.Abstractions
 @using CodeBeam.UltimateAuth.Core.Contracts
+@using CodeBeam.UltimateAuth.Server.Services
 @using CodeBeam.UltimateAuth.Server.Stores
+@using Microsoft.Extensions.Options
 @inject IUAuthClient UAuthClient
 @inject IAuthStore AuthStore
+@inject IHubFlowService HubFlowService
 @inject IHubFlowReader HubFlowReader
 @inject IHubCredentialResolver HubCredentialResolver
 @inject IClientStorage BrowserStorage
@@ -18,6 +22,7 @@
 @inject IUAuthClientProductInfoProvider ClientProductInfoProvider
 @inject IDeviceIdProvider DeviceIdProvider
 @inject IDialogService DialogService
+@inject IOptions<UAuthClientOptions> Options
 
 @if (_state == null || !_state.IsActive)
 {
@@ -69,7 +74,7 @@
 
             <MudItem Class="order-0 order-sm-1" xs="12" sm="6">
                 <MudPaper Class="uauth-login-paper pa-8" Elevation="3">
-                    <UAuthLoginForm Identifier="@_username" Secret="@_password" LoginType="UAuthLoginType.Pkce" SubmitMode="UAuthSubmitMode.TryAndCommit" OnTryResult="@HandleLoginResult">
+                    <UAuthLoginForm Identifier="@_username" Secret="@_password" LoginType="UAuthLoginType.Pkce" SubmitMode="UAuthSubmitMode.DirectCommit" OnTryResult="@HandleLoginResult">
                         <MudStack Class="mud-width-full">
                             <MudStack Row="true" AlignItems="AlignItems.Center">
                                 <UAuthLogo Size="48" ShieldColor="var(--mud-palette-primary)" KeyColor="white" />
diff --git a/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Components/Pages/Home.razor.cs b/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Components/Pages/Home.razor.cs
index f7046359..f75478c6 100644
--- a/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Components/Pages/Home.razor.cs
+++ b/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Components/Pages/Home.razor.cs
@@ -1,11 +1,11 @@
 using CodeBeam.UltimateAuth.Client;
-using CodeBeam.UltimateAuth.Client.Contracts;
 using CodeBeam.UltimateAuth.Client.Runtime;
 using CodeBeam.UltimateAuth.Core.Contracts;
 using CodeBeam.UltimateAuth.Core.Domain;
+using CodeBeam.UltimateAuth.Core.MultiTenancy;
+using CodeBeam.UltimateAuth.Server.Contracts;
 using CodeBeam.UltimateAuth.Server.Stores;
 using Microsoft.AspNetCore.Components;
-using Microsoft.AspNetCore.WebUtilities;
 using MudBlazor;
 
 namespace CodeBeam.UltimateAuth.Sample.UAuthHub.Components.Pages;
@@ -70,56 +70,18 @@ protected override async Task OnAfterRenderAsync(bool firstRender)
         if (_state.Error != null)
         {
             Snackbar.Add(ResolveErrorMessage(_state.Error), Severity.Error);
+            _state = _state.ClearError();
 
-            await Task.Delay(200); // UX
-            await StartNewPkceAsync();
+            await Task.Delay(200);
+            await ContinuePkceAsync();
+
+            if (HubSessionId.TryParse(HubKey, out var hubSessionId))
+            {
+                _state = await HubFlowReader.GetStateAsync(hubSessionId);
+            }
         }
     }
 
-    //protected override async Task OnAfterRenderAsync(bool firstRender)
-    //{
-    //    if (!firstRender)
-    //        return;
-
-    //    var currentError = await BrowserStorage.GetAsync(StorageScope.Session, "uauth:last_error");
-
-    //    if (!string.IsNullOrWhiteSpace(currentError))
-    //    {
-    //        Snackbar.Add(ResolveErrorMessage(currentError), Severity.Error);
-    //        await BrowserStorage.RemoveAsync(StorageScope.Session, "uauth:last_error");
-    //    }
-
-    //    var uri = Nav.ToAbsoluteUri(Nav.Uri);
-    //    var query = QueryHelpers.ParseQuery(uri.Query);
-
-    //    if (query.TryGetValue("__uauth_error", out var error))
-    //    {
-    //        await BrowserStorage.SetAsync(StorageScope.Session, "uauth:last_error", error.ToString());
-    //    }
-
-    //    if (string.IsNullOrWhiteSpace(HubKey))
-    //    {
-    //        return;
-    //    }
-
-    //    if (_state is null || !_state.Exists)
-    //        return;
-
-    //    if (_state?.IsActive != true)
-    //    {
-    //        await StartNewPkceAsync();
-    //        return;
-    //    }
-
-    //    if (_state?.Error != null)
-    //    {
-    //        Snackbar.Add("Error.", Severity.Error);
-
-    //        await Task.Delay(300); // UX
-    //        await StartNewPkceAsync();
-    //    }
-    //}
-
     // For testing & debugging
     private async Task ProgrammaticPkceLogin()
     {
@@ -133,15 +95,6 @@ private async Task ProgrammaticPkceLogin()
 
         var credentials = await HubCredentialResolver.ResolveAsync(hubSessionId);
 
-        //var request = new PkceLoginRequest
-        //{
-        //    Identifier = "admin",
-        //    Secret = "admin",
-        //    AuthorizationCode = credentials?.AuthorizationCode ?? string.Empty,
-        //    CodeVerifier = credentials?.CodeVerifier ?? string.Empty,
-        //    ReturnUrl = _state?.ReturnUrl ?? string.Empty
-        //};
-
         var request = new PkceCompleteRequest
         {
             Identifier = "admin",
@@ -161,13 +114,54 @@ private async Task HandleLoginResult(IUAuthTryResult result)
         {
             if (!result.Success)
             {
-                Snackbar.Add("Login failed", Severity.Error);
-                await StartNewPkceAsync();
+                if (result.Reason == AuthFailureReason.LockedOut && result.LockoutUntilUtc is { } until)
+                {
+                    _lockoutUntil = until;
+                    StartCountdown();
+                }
+
+                _remainingAttempts = result.RemainingAttempts;
+
+                ShowLoginError(result.Reason, result.RemainingAttempts);
+                await ContinuePkceAsync();
             }
-            
         }
     }
 
+    private PkceCredentials? _pkce;
+    private string? _hubSessionId;
+
+    private async Task ContinuePkceAsync()
+    {
+        if (string.IsNullOrWhiteSpace(_hubSessionId))
+            return;
+
+        _pkce = await UAuthClient.Flows.BeginPkceSilentAsync();
+        await HubFlowService.ContinuePkceAsync(_hubSessionId, _pkce.AuthorizationCode, _pkce.CodeVerifier);
+    }
+
+    private async Task StartNewPkceSilentAsync()
+    {
+        var returnUrl = await ResolveReturnUrlAsync();
+
+        _pkce = await UAuthClient.Flows.BeginPkceSilentAsync();
+
+        HubBeginRequest request = new HubBeginRequest()
+        {
+            AuthorizationCode = _pkce.AuthorizationCode,
+            CodeVerifier = _pkce.CodeVerifier,
+            ClientProfile = Options.Value.ClientProfile,
+            Tenant = TenantKeys.Single, // TODO
+            ReturnUrl = returnUrl,
+            PreviousHubSessionId = _hubSessionId
+            //deviceId: _deviceId
+        };
+
+        var result = await HubFlowService.BeginLoginAsync(request);
+
+        _hubSessionId = result.HubSessionId;
+    }
+
     private async Task StartNewPkceAsync()
     {
         var returnUrl = await ResolveReturnUrlAsync();
@@ -199,7 +193,99 @@ private async Task<string> ResolveReturnUrlAsync()
 
         return Nav.Uri;
     }
-    
+
+    private async void StartCountdown()
+    {
+        if (_lockoutUntil is null)
+            return;
+
+        _isLocked = true;
+        _lockoutStartedAt = DateTimeOffset.UtcNow;
+        _lockoutDuration = _lockoutUntil.Value - DateTimeOffset.UtcNow;
+        UpdateRemaining();
+
+        _lockoutCts?.Cancel();
+        _lockoutCts = new CancellationTokenSource();
+
+        _lockoutTimer?.Dispose();
+        _lockoutTimer = new PeriodicTimer(TimeSpan.FromSeconds(1));
+
+        try
+        {
+            while (await _lockoutTimer.WaitForNextTickAsync(_lockoutCts.Token))
+            {
+                UpdateRemaining();
+
+                if (_remaining <= TimeSpan.Zero)
+                {
+                    ResetLockoutState();
+                    await InvokeAsync(StateHasChanged);
+                    break;
+                }
+
+                await InvokeAsync(StateHasChanged);
+            }
+        }
+        catch (OperationCanceledException)
+        {
+
+        }
+    }
+
+    private void ResetLockoutState()
+    {
+        _isLocked = false;
+        _lockoutUntil = null;
+        _progressPercent = 0;
+        _remainingAttempts = null;
+    }
+
+    private void UpdateRemaining()
+    {
+        if (_lockoutUntil is null || _lockoutStartedAt is null)
+            return;
+
+        var now = DateTimeOffset.UtcNow;
+
+        _remaining = _lockoutUntil.Value - now;
+
+        if (_remaining <= TimeSpan.Zero)
+        {
+            _remaining = TimeSpan.Zero;
+            return;
+        }
+
+        var elapsed = now - _lockoutStartedAt.Value;
+
+        if (_lockoutDuration.TotalSeconds > 0)
+        {
+            var percent = 100 - (elapsed.TotalSeconds / _lockoutDuration.TotalSeconds * 100);
+            _progressPercent = Math.Max(0, percent);
+        }
+    }
+
+    private void ShowLoginError(AuthFailureReason? reason, int? remainingAttempts)
+    {
+        string message = reason switch
+        {
+            AuthFailureReason.InvalidCredentials when remainingAttempts is > 0
+                => $"Invalid username or password. {remainingAttempts} attempt(s) remaining.",
+
+            AuthFailureReason.InvalidCredentials
+                => "Invalid username or password.",
+
+            AuthFailureReason.RequiresMfa
+                => "Multi-factor authentication required.",
+
+            AuthFailureReason.LockedOut
+                => "Your account is locked.",
+
+            _ => "Login failed."
+        };
+
+        Snackbar.Add(message, Severity.Error);
+    }
+
     private string ResolveErrorMessage(string? errorKey)
     {
         if (errorKey == "invalid")
diff --git a/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Controllers/HubLoginController.cs b/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Controllers/HubLoginController.cs
index 6b6f486d..a4350aa5 100644
--- a/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Controllers/HubLoginController.cs
+++ b/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Controllers/HubLoginController.cs
@@ -30,13 +30,15 @@ public async Task<IActionResult> BeginLogin(
         [FromForm] string authorization_code,
         [FromForm] string code_verifier,
         [FromForm] UAuthClientProfile client_profile,
-        [FromForm] string? return_url)
+        [FromForm] string? return_url,
+        [FromForm] string device_id)
     {
         var hubSessionId = HubSessionId.New();
 
         var payload = new HubFlowPayload();
         payload.Set("authorization_code", authorization_code);
         payload.Set("code_verifier", code_verifier);
+        payload.Set("device_id", device_id);
 
         var artifact = new HubFlowArtifact(
             hubSessionId: hubSessionId,
diff --git a/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Program.cs b/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Program.cs
index a745644f..728640df 100644
--- a/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Program.cs
+++ b/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Program.cs
@@ -28,6 +28,8 @@
 });
 builder.Services.AddMudExtensions();
 
+builder.Services.AddScoped<DarkModeManager>();
+
 //builder.Services.AddAuthorization();
 
 //builder.Services.AddHttpContextAccessor();
@@ -35,8 +37,14 @@
 builder.Services.AddUltimateAuthServer(o => {
     o.Diagnostics.EnableRefreshDetails = true;
     //o.Session.MaxLifetime = TimeSpan.FromSeconds(32);
+    //o.Session.Lifetime = TimeSpan.FromSeconds(32);
     //o.Session.TouchInterval = TimeSpan.FromSeconds(9);
     //o.Session.IdleTimeout = TimeSpan.FromSeconds(15);
+    //o.Token.AccessTokenLifetime = TimeSpan.FromSeconds(30);
+    //o.Token.RefreshTokenLifetime = TimeSpan.FromSeconds(32);
+    o.Login.MaxFailedAttempts = 2;
+    o.Login.LockoutDuration = TimeSpan.FromSeconds(10);
+    o.Identifiers.AllowMultipleUsernames = true;
 })
     .AddUltimateAuthInMemory();
 
@@ -47,7 +55,6 @@
 });
 
 builder.Services.AddSingleton<IUAuthHubMarker, DefaultUAuthHubMarker>();
-builder.Services.AddScoped<DarkModeManager>();
 
 builder.Services.AddCors(options =>
 {
diff --git a/src/CodeBeam.UltimateAuth.Core/Contracts/Pkce/PkceAuthorizeCommand.cs b/src/CodeBeam.UltimateAuth.Core/Contracts/Pkce/PkceAuthorizeCommand.cs
new file mode 100644
index 00000000..31ce580a
--- /dev/null
+++ b/src/CodeBeam.UltimateAuth.Core/Contracts/Pkce/PkceAuthorizeCommand.cs
@@ -0,0 +1,15 @@
+using CodeBeam.UltimateAuth.Core.MultiTenancy;
+using CodeBeam.UltimateAuth.Core.Options;
+
+namespace CodeBeam.UltimateAuth.Core.Contracts;
+
+public sealed record PkceAuthorizeCommand
+{
+    public string CodeChallenge { get; init; } = default!;
+    public string ChallengeMethod { get; init; } = "S256";
+    public string? DeviceId { get; init; }
+    public string? RedirectUri { get; init; }
+
+    public UAuthClientProfile ClientProfile { get; init; }
+    public TenantKey Tenant { get; init; }
+}
diff --git a/src/CodeBeam.UltimateAuth.Core/Contracts/Pkce/PkceCompleteResult.cs b/src/CodeBeam.UltimateAuth.Core/Contracts/Pkce/PkceCompleteResult.cs
new file mode 100644
index 00000000..bc16b023
--- /dev/null
+++ b/src/CodeBeam.UltimateAuth.Core/Contracts/Pkce/PkceCompleteResult.cs
@@ -0,0 +1,14 @@
+using CodeBeam.UltimateAuth.Core.Domain;
+
+namespace CodeBeam.UltimateAuth.Core.Contracts;
+
+public sealed record PkceCompleteResult
+{
+    public bool Success { get; init; }
+
+    public AuthFailureReason? FailureReason { get; init; }
+
+    public LoginResult? LoginResult { get; init; }
+
+    public bool InvalidPkce { get; init; }
+}
diff --git a/src/CodeBeam.UltimateAuth.Core/Domain/Hub/HubFlowArtifact.cs b/src/CodeBeam.UltimateAuth.Core/Domain/Hub/HubFlowArtifact.cs
index 6a7d9388..913b5220 100644
--- a/src/CodeBeam.UltimateAuth.Core/Domain/Hub/HubFlowArtifact.cs
+++ b/src/CodeBeam.UltimateAuth.Core/Domain/Hub/HubFlowArtifact.cs
@@ -39,4 +39,10 @@ public void SetError(string error)
         Error = error;
         RegisterAttempt();
     }
+
+    public void ClearError()
+    {
+        Error = null;
+        RegisterAttempt();
+    }
 }
diff --git a/src/CodeBeam.UltimateAuth.Core/Domain/Hub/HubFlowPayload.cs b/src/CodeBeam.UltimateAuth.Core/Domain/Hub/HubFlowPayload.cs
index c9833737..47c2c78f 100644
--- a/src/CodeBeam.UltimateAuth.Core/Domain/Hub/HubFlowPayload.cs
+++ b/src/CodeBeam.UltimateAuth.Core/Domain/Hub/HubFlowPayload.cs
@@ -19,4 +19,17 @@ public bool TryGet<T>(string key, out T? value)
         value = default;
         return false;
     }
+
+    public T GetRequired<T>(string key)
+    {
+        if (TryGet<T>(key, out var value) && value is not null)
+            return value;
+
+        throw new InvalidOperationException($"Payload key '{key}' is missing or invalid.");
+    }
+
+    public T? GetOptional<T>(string key)
+    {
+        return TryGet<T>(key, out var value) ? value : default;
+    }
 }
diff --git a/src/CodeBeam.UltimateAuth.Core/Domain/Hub/HubFlowState.cs b/src/CodeBeam.UltimateAuth.Core/Domain/Hub/HubFlowState.cs
index 4720b975..f5e9fb25 100644
--- a/src/CodeBeam.UltimateAuth.Core/Domain/Hub/HubFlowState.cs
+++ b/src/CodeBeam.UltimateAuth.Core/Domain/Hub/HubFlowState.cs
@@ -15,4 +15,21 @@ public sealed class HubFlowState
     public bool IsExpired { get; init; }
     public bool IsCompleted { get; init; }
     public bool Exists { get; init; }
+
+    public HubFlowState ClearError()
+    {
+        return new HubFlowState
+        {
+            HubSessionId = HubSessionId,
+            FlowType = FlowType,
+            ClientProfile = ClientProfile,
+            ReturnUrl = ReturnUrl,
+            Error = null,
+            AttemptCount = AttemptCount,
+            IsActive = IsActive,
+            IsExpired = IsExpired,
+            IsCompleted = IsCompleted,
+            Exists = Exists
+        };
+    }
 }
diff --git a/src/CodeBeam.UltimateAuth.Core/Domain/Pkce/PkceCredentials.cs b/src/CodeBeam.UltimateAuth.Core/Domain/Pkce/PkceCredentials.cs
new file mode 100644
index 00000000..bbd3005a
--- /dev/null
+++ b/src/CodeBeam.UltimateAuth.Core/Domain/Pkce/PkceCredentials.cs
@@ -0,0 +1,7 @@
+namespace CodeBeam.UltimateAuth.Core.Domain;
+
+public sealed record PkceCredentials
+{
+    public string AuthorizationCode { get; init; } = default!;
+    public string CodeVerifier { get; init; } = default!;
+}
diff --git a/src/CodeBeam.UltimateAuth.Server/Contracts/Hub/HubBeginRequest.cs b/src/CodeBeam.UltimateAuth.Server/Contracts/Hub/HubBeginRequest.cs
new file mode 100644
index 00000000..5aa403c3
--- /dev/null
+++ b/src/CodeBeam.UltimateAuth.Server/Contracts/Hub/HubBeginRequest.cs
@@ -0,0 +1,19 @@
+using CodeBeam.UltimateAuth.Core.MultiTenancy;
+using CodeBeam.UltimateAuth.Core.Options;
+
+namespace CodeBeam.UltimateAuth.Server.Contracts;
+
+public sealed record HubBeginRequest
+{
+    public string AuthorizationCode { get; init; } = default!;
+    public string CodeVerifier { get; init; } = default!;
+
+    public UAuthClientProfile ClientProfile { get; init; }
+    public TenantKey Tenant { get; init; }
+
+    public string? ReturnUrl { get; init; }
+
+    public string? PreviousHubSessionId { get; init; }
+
+    public string? DeviceId { get; init; }
+}
diff --git a/src/CodeBeam.UltimateAuth.Server/Contracts/Hub/HubSessionResult.cs b/src/CodeBeam.UltimateAuth.Server/Contracts/Hub/HubSessionResult.cs
new file mode 100644
index 00000000..288b531e
--- /dev/null
+++ b/src/CodeBeam.UltimateAuth.Server/Contracts/Hub/HubSessionResult.cs
@@ -0,0 +1,6 @@
+namespace CodeBeam.UltimateAuth.Server.Contracts;
+
+public sealed record HubSessionResult
+{
+    public string HubSessionId { get; init; } = default!;
+}
diff --git a/src/CodeBeam.UltimateAuth.Server/Endpoints/PkceEndpointHandler.cs b/src/CodeBeam.UltimateAuth.Server/Endpoints/PkceEndpointHandler.cs
index e116f039..fbc686fb 100644
--- a/src/CodeBeam.UltimateAuth.Server/Endpoints/PkceEndpointHandler.cs
+++ b/src/CodeBeam.UltimateAuth.Server/Endpoints/PkceEndpointHandler.cs
@@ -18,79 +18,60 @@ internal sealed class PkceEndpointHandler : IPkceEndpointHandler
 {
     private readonly IAuthFlowContextAccessor _authContext;
     private readonly IUAuthFlowService _flow;
+    private readonly IPkceService _pkceService;
     private readonly IUAuthInternalFlowService _internalFlowService;
     private readonly IAuthStore _authStore;
     private readonly IPkceAuthorizationValidator _validator;
     private readonly IClock _clock;
-    private readonly UAuthServerOptions _options;
     private readonly ICredentialResponseWriter _credentialResponseWriter;
     private readonly IAuthRedirectResolver _redirectResolver;
 
     public PkceEndpointHandler(
         IAuthFlowContextAccessor authContext,
         IUAuthFlowService flow,
+        IPkceService pkceService,
         IUAuthInternalFlowService internalFlowService,
         IAuthStore authStore,
         IPkceAuthorizationValidator validator,
         IClock clock,
-        IOptions<UAuthServerOptions> options,
         ICredentialResponseWriter credentialResponseWriter,
         IAuthRedirectResolver redirectResolver)
     {
         _authContext = authContext;
         _flow = flow;
+        _pkceService = pkceService;
         _internalFlowService = internalFlowService;
         _authStore = authStore;
         _validator = validator;
         _clock = clock;
-        _options = options.Value;
         _credentialResponseWriter = credentialResponseWriter;
         _redirectResolver = redirectResolver;
     }
 
     public async Task<IResult> AuthorizeAsync(HttpContext ctx)
     {
-        var authContext = _authContext.Current;
-
-        // TODO: Make PKCE flow free
-        if (authContext.FlowType != AuthFlowType.Login)
-            return Results.BadRequest("PKCE is only supported for login flow.");
+        var auth = _authContext.Current;
 
         var request = await ReadPkceAuthorizeRequestAsync(ctx);
         if (request is null)
             return Results.BadRequest("Invalid content type.");
 
-        if (string.IsNullOrWhiteSpace(request.CodeChallenge))
-            return Results.BadRequest("code_challenge is required.");
-
-        if (!string.Equals(request.ChallengeMethod, "S256", StringComparison.Ordinal))
-            return Results.BadRequest("Only S256 challenge method is supported.");
-
-        var authorizationCode = AuthArtifactKey.New();
-
-        var snapshot = new PkceContextSnapshot(
-            clientProfile: authContext.ClientProfile,
-            tenant: authContext.Tenant,
-            redirectUri: request.RedirectUri,
-            deviceId: request.DeviceId
-        );
-
-        var expiresAt = _clock.UtcNow.AddSeconds(_options.Pkce.AuthorizationCodeLifetimeSeconds);
-
-        var artifact = new PkceAuthorizationArtifact(
-            authorizationCode: authorizationCode,
-            codeChallenge: request.CodeChallenge,
-            challengeMethod: PkceChallengeMethod.S256,
-            expiresAt: expiresAt,
-            context: snapshot
-        );
-
-        await _authStore.StoreAsync(authorizationCode, artifact, ctx.RequestAborted);
+        var result = await _pkceService.AuthorizeAsync(
+            new PkceAuthorizeCommand
+            {
+                CodeChallenge = request.CodeChallenge,
+                ChallengeMethod = request.ChallengeMethod,
+                DeviceId = request.DeviceId,
+                RedirectUri = request.RedirectUri,
+                ClientProfile = auth.ClientProfile,
+                Tenant = auth.Tenant
+            },
+            ctx.RequestAborted);
 
         return Results.Ok(new PkceAuthorizeResponse
         {
-            AuthorizationCode = authorizationCode.Value,
-            ExpiresIn = _options.Pkce.AuthorizationCodeLifetimeSeconds
+            AuthorizationCode = result.AuthorizationCode,
+            ExpiresIn = result.ExpiresIn
         });
     }
 
@@ -171,75 +152,43 @@ public async Task<IResult> TryCompleteAsync(HttpContext ctx)
         });
     }
 
-    // TODO: Handle PKCE complete here as same as login try flow
     public async Task<IResult> CompleteAsync(HttpContext ctx)
     {
-        var authContext = _authContext.Current;
-
-        if (authContext.FlowType != AuthFlowType.Login)
-            return Results.BadRequest("PKCE is only supported for login flow.");
+        var auth = _authContext.Current;
 
         var request = await ReadPkceCompleteRequestAsync(ctx);
         if (request is null)
-            return Results.BadRequest("Invalid PKCE completion payload.");
-
-        if (string.IsNullOrWhiteSpace(request.AuthorizationCode) || string.IsNullOrWhiteSpace(request.CodeVerifier))
-            return Results.BadRequest("authorization_code and code_verifier are required.");
-
-        var artifactKey = new AuthArtifactKey(request.AuthorizationCode);
-        var artifact = await _authStore.ConsumeAsync(artifactKey, ctx.RequestAborted) as PkceAuthorizationArtifact;
-
-        if (artifact is null)
-            return Results.Unauthorized(); // replay / expired / unknown code
-
-        var validation = _validator.Validate(artifact, request.CodeVerifier,
-            new PkceContextSnapshot(
-                clientProfile: authContext.ClientProfile,
-                tenant: authContext.Tenant,
-                redirectUri: null,
-                deviceId: artifact.Context.DeviceId),
-            _clock.UtcNow);
-
-        if (!validation.Success)
-        {
-            artifact.RegisterAttempt();
-            return await RedirectToLoginWithErrorAsync(ctx, authContext, "invalid");
-        }
+            return Results.BadRequest("Invalid PKCE payload.");
 
-        var loginRequest = new LoginRequest
-        {
-            Identifier = request.Identifier,
-            Secret = request.Secret,
-            RequestTokens = authContext.AllowsTokenIssuance
-        };
+        var result = await _pkceService.CompleteAsync(
+            auth,
+            new PkceCompleteRequest
+            {
+                AuthorizationCode = request.AuthorizationCode!,
+                CodeVerifier = request.CodeVerifier!,
+                Identifier = request.Identifier,
+                Secret = request.Secret
+            },
+            ctx.RequestAborted);
 
-        var execution = new AuthExecutionContext
-        {
-            EffectiveClientProfile = artifact.Context.ClientProfile,
-            Device = DeviceContext.Create(DeviceId.Create(artifact.Context.DeviceId), null, null, null, null, null)
-        };
+        if (result.InvalidPkce)
+            return Results.Unauthorized();
 
-        var result = await _flow.LoginAsync(authContext, execution, loginRequest, ctx.RequestAborted);
+        if (!result.Success)
+            return await RedirectToLoginWithErrorAsync(ctx, auth, "invalid");
 
-        if (!result.IsSuccess)
-            return await RedirectToLoginWithErrorAsync(ctx, authContext, "invalid");
+        var login = result.LoginResult!;
 
-        if (result.SessionId is not null)
-        {
-            _credentialResponseWriter.Write(ctx, GrantKind.Session, result.SessionId.Value);
-        }
+        if (login.SessionId is not null)
+            _credentialResponseWriter.Write(ctx, GrantKind.Session, login.SessionId.Value);
 
-        if (result.AccessToken is not null)
-        {
-            _credentialResponseWriter.Write(ctx, GrantKind.AccessToken, result.AccessToken);
-        }
+        if (login.AccessToken is not null)
+            _credentialResponseWriter.Write(ctx, GrantKind.AccessToken, login.AccessToken);
 
-        if (result.RefreshToken is not null)
-        {
-            _credentialResponseWriter.Write(ctx, GrantKind.RefreshToken, result.RefreshToken);
-        }
+        if (login.RefreshToken is not null)
+            _credentialResponseWriter.Write(ctx, GrantKind.RefreshToken, login.RefreshToken);
 
-        var decision = _redirectResolver.ResolveSuccess(authContext, ctx);
+        var decision = _redirectResolver.ResolveSuccess(auth, ctx);
 
         return decision.Enabled
             ? Results.Redirect(decision.TargetUrl!)
@@ -307,7 +256,7 @@ public async Task<IResult> CompleteAsync(HttpContext ctx)
     private async Task<IResult> RedirectToLoginWithErrorAsync(HttpContext ctx, AuthFlowContext auth, string error)
     {
         var basePath = auth.OriginalOptions.Hub.LoginPath ?? "/login";
-        var hubKey = ctx.Request.Query["hub"].ToString();
+        var hubKey = await ResolveHubKeyAsync(ctx);
 
         if (!string.IsNullOrWhiteSpace(hubKey))
         {
@@ -316,20 +265,28 @@ private async Task<IResult> RedirectToLoginWithErrorAsync(HttpContext ctx, AuthF
 
             if (artifact is HubFlowArtifact hub)
             {
-                //hub.MarkCompleted();
-                //await _authStore.StoreAsync(key, hub, ctx.RequestAborted);
-
                 hub.SetError("invalid");
                 await _authStore.StoreAsync(key, hub);
 
                 return Results.Redirect($"{basePath}?hub={Uri.EscapeDataString(hubKey)}");
             }
+        }
+        return Results.Redirect(basePath);
+    }
 
-            //return Results.Redirect($"{basePath}?hub={Uri.EscapeDataString(hubKey)}&__uauth_error={Uri.EscapeDataString(error)}");
-            
+    private async Task<string?> ResolveHubKeyAsync(HttpContext ctx)
+    {
+        if (ctx.Request.Query.TryGetValue("hub", out var q) && !string.IsNullOrWhiteSpace(q))
+            return q.ToString();
+
+        if (ctx.Request.HasFormContentType)
+        {
+            var form = await ctx.GetCachedFormAsync();
+
+            if (form?.TryGetValue("hub_session_id", out var f) == true && !string.IsNullOrWhiteSpace(f))
+                return f.ToString();
         }
 
-        //return Results.Redirect($"{basePath}?__uauth_error={Uri.EscapeDataString(error)}");
-        return Results.Redirect(basePath);
+        return null;
     }
 }
diff --git a/src/CodeBeam.UltimateAuth.Server/Extensions/ServiceCollectionExtensions.cs b/src/CodeBeam.UltimateAuth.Server/Extensions/ServiceCollectionExtensions.cs
index 0cd486ab..ef4f06e9 100644
--- a/src/CodeBeam.UltimateAuth.Server/Extensions/ServiceCollectionExtensions.cs
+++ b/src/CodeBeam.UltimateAuth.Server/Extensions/ServiceCollectionExtensions.cs
@@ -170,6 +170,8 @@ private static IServiceCollection AddUltimateAuthServerInternal(this IServiceCol
         services.TryAddScoped<IUAuthFlowService, UAuthFlowService>();
         services.TryAddScoped<IUAuthInternalFlowService, UAuthFlowService>();
         services.TryAddScoped<IRefreshFlowService, RefreshFlowService>();
+        services.TryAddScoped<IPkceService, PkceService>();
+        services.TryAddScoped<IHubFlowService, HubFlowService>();
 
         services.TryAddSingleton<IClock, CodeBeam.UltimateAuth.Server.Infrastructure.SystemClock>();
 
diff --git a/src/CodeBeam.UltimateAuth.Server/Services/Abstractions/IHubFlowService.cs b/src/CodeBeam.UltimateAuth.Server/Services/Abstractions/IHubFlowService.cs
new file mode 100644
index 00000000..71185aab
--- /dev/null
+++ b/src/CodeBeam.UltimateAuth.Server/Services/Abstractions/IHubFlowService.cs
@@ -0,0 +1,12 @@
+using CodeBeam.UltimateAuth.Server.Contracts;
+
+namespace CodeBeam.UltimateAuth.Server.Services;
+
+public interface IHubFlowService
+{
+    Task<HubSessionResult> BeginLoginAsync(HubBeginRequest request, CancellationToken ct = default);
+
+    Task ContinuePkceAsync(string hubSessionId, string authorizationCode, string codeVerifier, CancellationToken ct = default);
+
+    Task ConsumeAsync(string hubSessionId, CancellationToken ct = default);
+}
diff --git a/src/CodeBeam.UltimateAuth.Server/Services/Abstractions/IPkceService.cs b/src/CodeBeam.UltimateAuth.Server/Services/Abstractions/IPkceService.cs
new file mode 100644
index 00000000..d3ea4405
--- /dev/null
+++ b/src/CodeBeam.UltimateAuth.Server/Services/Abstractions/IPkceService.cs
@@ -0,0 +1,10 @@
+using CodeBeam.UltimateAuth.Core.Contracts;
+using CodeBeam.UltimateAuth.Server.Auth;
+
+namespace CodeBeam.UltimateAuth.Server.Services;
+
+public interface IPkceService
+{
+    Task<PkceAuthorizeResponse> AuthorizeAsync(PkceAuthorizeCommand command, CancellationToken ct = default);
+    Task<PkceCompleteResult> CompleteAsync(AuthFlowContext auth, PkceCompleteRequest request, CancellationToken ct = default);
+}
diff --git a/src/CodeBeam.UltimateAuth.Server/Services/IRefreshFlowService.cs b/src/CodeBeam.UltimateAuth.Server/Services/Abstractions/IRefreshFlowService.cs
similarity index 100%
rename from src/CodeBeam.UltimateAuth.Server/Services/IRefreshFlowService.cs
rename to src/CodeBeam.UltimateAuth.Server/Services/Abstractions/IRefreshFlowService.cs
diff --git a/src/CodeBeam.UltimateAuth.Server/Services/IRefreshTokenRotationService.cs b/src/CodeBeam.UltimateAuth.Server/Services/Abstractions/IRefreshTokenRotationService.cs
similarity index 100%
rename from src/CodeBeam.UltimateAuth.Server/Services/IRefreshTokenRotationService.cs
rename to src/CodeBeam.UltimateAuth.Server/Services/Abstractions/IRefreshTokenRotationService.cs
diff --git a/src/CodeBeam.UltimateAuth.Server/Services/ISessionApplicationService.cs b/src/CodeBeam.UltimateAuth.Server/Services/Abstractions/ISessionApplicationService.cs
similarity index 100%
rename from src/CodeBeam.UltimateAuth.Server/Services/ISessionApplicationService.cs
rename to src/CodeBeam.UltimateAuth.Server/Services/Abstractions/ISessionApplicationService.cs
diff --git a/src/CodeBeam.UltimateAuth.Server/Services/ISessionQueryService.cs b/src/CodeBeam.UltimateAuth.Server/Services/Abstractions/ISessionQueryService.cs
similarity index 100%
rename from src/CodeBeam.UltimateAuth.Server/Services/ISessionQueryService.cs
rename to src/CodeBeam.UltimateAuth.Server/Services/Abstractions/ISessionQueryService.cs
diff --git a/src/CodeBeam.UltimateAuth.Server/Services/ISessionValidator.cs b/src/CodeBeam.UltimateAuth.Server/Services/Abstractions/ISessionValidator.cs
similarity index 100%
rename from src/CodeBeam.UltimateAuth.Server/Services/ISessionValidator.cs
rename to src/CodeBeam.UltimateAuth.Server/Services/Abstractions/ISessionValidator.cs
diff --git a/src/CodeBeam.UltimateAuth.Server/Services/IUAuthFlowService.cs b/src/CodeBeam.UltimateAuth.Server/Services/Abstractions/IUAuthFlowService.cs
similarity index 100%
rename from src/CodeBeam.UltimateAuth.Server/Services/IUAuthFlowService.cs
rename to src/CodeBeam.UltimateAuth.Server/Services/Abstractions/IUAuthFlowService.cs
diff --git a/src/CodeBeam.UltimateAuth.Server/Services/HubFlowService.cs b/src/CodeBeam.UltimateAuth.Server/Services/HubFlowService.cs
new file mode 100644
index 00000000..c9767792
--- /dev/null
+++ b/src/CodeBeam.UltimateAuth.Server/Services/HubFlowService.cs
@@ -0,0 +1,82 @@
+using CodeBeam.UltimateAuth.Core.Abstractions;
+using CodeBeam.UltimateAuth.Core.Contracts;
+using CodeBeam.UltimateAuth.Core.Domain;
+using CodeBeam.UltimateAuth.Server.Contracts;
+using CodeBeam.UltimateAuth.Server.Options;
+using CodeBeam.UltimateAuth.Server.Stores;
+using Microsoft.Extensions.Options;
+
+namespace CodeBeam.UltimateAuth.Server.Services;
+
+internal sealed class HubFlowService : IHubFlowService
+{
+    private readonly IAuthStore _authStore;
+    private readonly IClock _clock;
+    private readonly UAuthServerOptions _options;
+
+    public HubFlowService(
+        IAuthStore authStore,
+        IClock clock,
+        IOptions<UAuthServerOptions> options)
+    {
+        _authStore = authStore;
+        _clock = clock;
+        _options = options.Value;
+    }
+
+    public async Task<HubSessionResult> BeginLoginAsync(HubBeginRequest request, CancellationToken ct = default)
+    {
+        if (!string.IsNullOrWhiteSpace(request.PreviousHubSessionId))
+        {
+            await _authStore.ConsumeAsync(new AuthArtifactKey(request.PreviousHubSessionId), ct);
+        }
+
+        var hubSessionId = HubSessionId.New();
+
+        var payload = new HubFlowPayload();
+        payload.Set("authorization_code", request.AuthorizationCode);
+        payload.Set("code_verifier", request.CodeVerifier);
+        payload.Set("device_id", request.DeviceId);
+
+        var artifact = new HubFlowArtifact(
+            hubSessionId,
+            HubFlowType.Login,
+            request.ClientProfile,
+            request.Tenant,
+            request.ReturnUrl,
+            payload,
+            _clock.UtcNow.Add(_options.Hub.FlowLifetime));
+
+        await _authStore.StoreAsync(new AuthArtifactKey(hubSessionId.Value), artifact, ct);
+
+        return new HubSessionResult
+        {
+            HubSessionId = hubSessionId.Value
+        };
+    }
+
+    public async Task ContinuePkceAsync(string hubSessionId, string authorizationCode, string codeVerifier, CancellationToken ct = default)
+    {
+        var key = new AuthArtifactKey(hubSessionId);
+
+        var artifact = await _authStore.GetAsync(key, ct) as HubFlowArtifact;
+
+        if (artifact is null)
+            throw new InvalidOperationException("Hub session not found.");
+
+        artifact.Payload.Set("authorization_code", authorizationCode);
+        artifact.Payload.Set("code_verifier", codeVerifier);
+
+        artifact.ClearError();
+
+        await _authStore.StoreAsync(key, artifact, ct);
+    }
+
+    public async Task ConsumeAsync(string hubSessionId, CancellationToken ct = default)
+    {
+        if (string.IsNullOrWhiteSpace(hubSessionId))
+            return;
+
+        await _authStore.ConsumeAsync(new AuthArtifactKey(hubSessionId), ct);
+    }
+}
diff --git a/src/CodeBeam.UltimateAuth.Server/Services/PkceService.cs b/src/CodeBeam.UltimateAuth.Server/Services/PkceService.cs
new file mode 100644
index 00000000..73f430f8
--- /dev/null
+++ b/src/CodeBeam.UltimateAuth.Server/Services/PkceService.cs
@@ -0,0 +1,122 @@
+using CodeBeam.UltimateAuth.Core.Abstractions;
+using CodeBeam.UltimateAuth.Core.Contracts;
+using CodeBeam.UltimateAuth.Core.Domain;
+using CodeBeam.UltimateAuth.Server.Auth;
+using CodeBeam.UltimateAuth.Server.Flows;
+using CodeBeam.UltimateAuth.Server.Options;
+using CodeBeam.UltimateAuth.Server.Stores;
+using Microsoft.Extensions.Options;
+
+namespace CodeBeam.UltimateAuth.Server.Services;
+
+internal sealed class PkceService : IPkceService
+{
+    private readonly IAuthStore _authStore;
+    private readonly IPkceAuthorizationValidator _validator;
+    private readonly IUAuthFlowService _flow;
+    private readonly IClock _clock;
+    private readonly UAuthServerOptions _options;
+
+    public PkceService(IAuthStore authStore, IPkceAuthorizationValidator validator, IUAuthFlowService flow, IClock clock, IOptions<UAuthServerOptions> options)
+    {
+        _authStore = authStore;
+        _validator = validator;
+        _flow = flow;
+        _clock = clock;
+        _options = options.Value;
+    }
+
+    public async Task<PkceAuthorizeResponse> AuthorizeAsync(PkceAuthorizeCommand command, CancellationToken ct = default)
+    {
+        if (string.IsNullOrWhiteSpace(command.CodeChallenge))
+            throw new InvalidOperationException("code_challenge is required.");
+
+        if (!string.Equals(command.ChallengeMethod, "S256", StringComparison.Ordinal))
+            throw new InvalidOperationException("Only S256 supported.");
+
+        var authorizationCode = AuthArtifactKey.New();
+
+        var snapshot = new PkceContextSnapshot(
+            clientProfile: command.ClientProfile,
+            tenant: command.Tenant,
+            redirectUri: command.RedirectUri,
+            deviceId: command.DeviceId
+        );
+
+        var expiresAt = _clock.UtcNow.AddSeconds(_options.Pkce.AuthorizationCodeLifetimeSeconds);
+
+        var artifact = new PkceAuthorizationArtifact(
+            authorizationCode: authorizationCode,
+            codeChallenge: command.CodeChallenge,
+            challengeMethod: PkceChallengeMethod.S256,
+            expiresAt: expiresAt,
+            context: snapshot
+        );
+
+        await _authStore.StoreAsync(authorizationCode, artifact, ct);
+
+        return new PkceAuthorizeResponse
+        {
+            AuthorizationCode = authorizationCode.Value,
+            ExpiresIn = _options.Pkce.AuthorizationCodeLifetimeSeconds
+        };
+    }
+
+    public async Task<PkceCompleteResult> CompleteAsync(AuthFlowContext auth, PkceCompleteRequest request, CancellationToken ct = default)
+    {
+        var key = new AuthArtifactKey(request.AuthorizationCode);
+
+        var artifact = await _authStore.ConsumeAsync(key, ct) as PkceAuthorizationArtifact;
+
+        if (artifact is null)
+        {
+            return new PkceCompleteResult
+            {
+                InvalidPkce = true
+            };
+        }
+
+        var validation = _validator.Validate(
+            artifact,
+            request.CodeVerifier,
+            new PkceContextSnapshot(
+                clientProfile: auth.ClientProfile,
+                tenant: auth.Tenant,
+                redirectUri: null,
+                deviceId: artifact.Context.DeviceId),
+            _clock.UtcNow);
+
+        if (!validation.Success)
+        {
+            artifact.RegisterAttempt();
+
+            return new PkceCompleteResult
+            {
+                Success = false,
+                FailureReason = AuthFailureReason.InvalidCredentials
+            };
+        }
+
+        var loginRequest = new LoginRequest
+        {
+            Identifier = request.Identifier!,
+            Secret = request.Secret!,
+            RequestTokens = auth.AllowsTokenIssuance
+        };
+
+        var execution = new AuthExecutionContext
+        {
+            EffectiveClientProfile = artifact.Context.ClientProfile,
+            Device = DeviceContext.Create(DeviceId.Create(artifact.Context.DeviceId))
+        };
+
+        var result = await _flow.LoginAsync(auth, execution, loginRequest, ct);
+
+        return new PkceCompleteResult
+        {
+            Success = result.IsSuccess,
+            FailureReason = result.FailureReason,
+            LoginResult = result
+        };
+    }
+}
diff --git a/src/client/CodeBeam.UltimateAuth.Client.Blazor/Components/UAuthLoginForm.razor.cs b/src/client/CodeBeam.UltimateAuth.Client.Blazor/Components/UAuthLoginForm.razor.cs
index 0d8f399c..3254867b 100644
--- a/src/client/CodeBeam.UltimateAuth.Client.Blazor/Components/UAuthLoginForm.razor.cs
+++ b/src/client/CodeBeam.UltimateAuth.Client.Blazor/Components/UAuthLoginForm.razor.cs
@@ -182,7 +182,7 @@ private async Task SubmitPkceAsync()
         {
             case UAuthSubmitMode.DirectCommit:
                 {
-                    await UAuthClient.Flows.TryCompletePkceLoginAsync(request, UAuthSubmitMode.DirectCommit);
+                    await UAuthClient.Flows.CompletePkceLoginAsync(request);
                     break;
                 }
 
diff --git a/src/client/CodeBeam.UltimateAuth.Client/Services/Abstractions/IFlowClient.cs b/src/client/CodeBeam.UltimateAuth.Client/Services/Abstractions/IFlowClient.cs
index a97d3294..2d4915b4 100644
--- a/src/client/CodeBeam.UltimateAuth.Client/Services/Abstractions/IFlowClient.cs
+++ b/src/client/CodeBeam.UltimateAuth.Client/Services/Abstractions/IFlowClient.cs
@@ -17,6 +17,8 @@ public interface IFlowClient
     Task<AuthValidationResult> ValidateAsync();
 
     Task BeginPkceAsync(string? returnUrl = null);
+    Task<PkceCredentials> ContinuePkceAsync(HubFlowArtifact hub);
+    Task<PkceCredentials> BeginPkceSilentAsync();
     Task<TryPkceLoginResult> TryCompletePkceLoginAsync(PkceCompleteRequest request, UAuthSubmitMode mode);
     Task CompletePkceLoginAsync(PkceCompleteRequest request);
 
diff --git a/src/client/CodeBeam.UltimateAuth.Client/Services/UAuthFlowClient.cs b/src/client/CodeBeam.UltimateAuth.Client/Services/UAuthFlowClient.cs
index af2eb10d..e1839de3 100644
--- a/src/client/CodeBeam.UltimateAuth.Client/Services/UAuthFlowClient.cs
+++ b/src/client/CodeBeam.UltimateAuth.Client/Services/UAuthFlowClient.cs
@@ -241,8 +241,87 @@ public async Task BeginPkceAsync(string? returnUrl = null)
         }
     }
 
+    public async Task<PkceCredentials> BeginPkceSilentAsync()
+    {
+        var pkce = _options.Pkce;
+
+        if (!pkce.Enabled)
+            throw new InvalidOperationException("PKCE login is disabled.");
+
+        var verifier = CreateVerifier();
+        var challenge = CreateChallenge(verifier);
+
+        var authorizeUrl = Url(_options.Endpoints.PkceAuthorize);
+
+        var raw = await _post.SendFormAsync(
+            authorizeUrl,
+            new Dictionary<string, string>
+            {
+                ["code_challenge"] = challenge,
+                ["challenge_method"] = "S256",
+            });
+
+        if (!raw.Ok || raw.Body is null)
+            throw new InvalidOperationException("PKCE authorize failed.");
+
+        var response = raw.Body.Value.Deserialize<PkceAuthorizeResponse>(
+            new JsonSerializerOptions { PropertyNameCaseInsensitive = true });
+
+        if (response is null || string.IsNullOrWhiteSpace(response.AuthorizationCode))
+            throw new InvalidOperationException("Invalid PKCE authorize response.");
+
+        if (pkce.OnAuthorized is not null)
+            await pkce.OnAuthorized(response);
+
+        return new PkceCredentials
+        {
+            AuthorizationCode = response.AuthorizationCode,
+            CodeVerifier = verifier
+        };
+    }
+
+    public async Task<PkceCredentials> ContinuePkceAsync(HubFlowArtifact hub)
+    {
+        var pkce = _options.Pkce;
+
+        if (!pkce.Enabled)
+            throw new InvalidOperationException("PKCE disabled.");
+
+        var deviceId = hub.Payload.GetRequired<string>("device_id");
+        var clientProfile = hub.ClientProfile;
+
+        var verifier = CreateVerifier();
+        var challenge = CreateChallenge(verifier);
+
+        var authorizeUrl = Url(_options.Endpoints.PkceAuthorize);
+
+        var raw = await _post.SendFormAsync(
+            authorizeUrl,
+            new Dictionary<string, string>
+            {
+                ["code_challenge"] = challenge,
+                ["challenge_method"] = "S256",
+                ["device_id"] = deviceId
+            });
+
+        var response = raw.Body.Value.Deserialize<PkceAuthorizeResponse>(
+            new JsonSerializerOptions { PropertyNameCaseInsensitive = true });
+
+        return new PkceCredentials
+        {
+            AuthorizationCode = response.AuthorizationCode,
+            CodeVerifier = verifier
+        };
+    }
+
     public async Task<TryPkceLoginResult> TryCompletePkceLoginAsync(PkceCompleteRequest request, UAuthSubmitMode mode)
     {
+        if (mode == UAuthSubmitMode.DirectCommit)
+        {
+            await CompletePkceLoginAsync(request);
+            return new TryPkceLoginResult();
+        }
+
         if (request is null)
             throw new ArgumentNullException(nameof(request));
 
@@ -323,6 +402,8 @@ public async Task CompletePkceLoginAsync(PkceCompleteRequest request)
 
             ["Identifier"] = request.Identifier ?? string.Empty,
             ["Secret"] = request.Secret ?? string.Empty,
+
+            ["hub_session_id"] = request.HubSessionId ?? string.Empty,
         };
 
         await _post.NavigateAsync(url, payload);

From d530cbad236ccfb95defdde99ee998b437394f9c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mehmet=20Can=20Karag=C3=B6z?= <m.cankaragoz@outlook.com>
Date: Mon, 23 Mar 2026 15:48:05 +0300
Subject: [PATCH 04/10] Completed PKCE

---
 .../Components/Pages/Home.razor               |   3 +-
 .../Components/Pages/Home.razor.cs            |  47 ++++----
 .../Services/Abstractions/IPkceService.cs     |   2 +
 .../Services/PkceService.cs                   |  57 ++++++++++
 .../Components/UAuthLoginForm.razor.cs        |   7 ++
 .../Services/Abstractions/IFlowClient.cs      |   3 +-
 .../Services/UAuthFlowClient.cs               | 104 +++++-------------
 7 files changed, 117 insertions(+), 106 deletions(-)

diff --git a/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Components/Pages/Home.razor b/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Components/Pages/Home.razor
index 7ae068ed..6a5b9eae 100644
--- a/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Components/Pages/Home.razor
+++ b/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Components/Pages/Home.razor
@@ -15,6 +15,7 @@
 @inject IUAuthClient UAuthClient
 @inject IAuthStore AuthStore
 @inject IHubFlowService HubFlowService
+@inject IPkceService PkceService
 @inject IHubFlowReader HubFlowReader
 @inject IHubCredentialResolver HubCredentialResolver
 @inject IClientStorage BrowserStorage
@@ -74,7 +75,7 @@
 
             <MudItem Class="order-0 order-sm-1" xs="12" sm="6">
                 <MudPaper Class="uauth-login-paper pa-8" Elevation="3">
-                    <UAuthLoginForm Identifier="@_username" Secret="@_password" LoginType="UAuthLoginType.Pkce" SubmitMode="UAuthSubmitMode.DirectCommit" OnTryResult="@HandleLoginResult">
+                    <UAuthLoginForm @ref="_loginForm" Identifier="@_username" Secret="@_password" LoginType="UAuthLoginType.Pkce" SubmitMode="UAuthSubmitMode.TryAndCommit" OnTryResult="@HandleLoginResult">
                         <MudStack Class="mud-width-full">
                             <MudStack Row="true" AlignItems="AlignItems.Center">
                                 <UAuthLogo Size="48" ShieldColor="var(--mud-palette-primary)" KeyColor="white" />
diff --git a/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Components/Pages/Home.razor.cs b/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Components/Pages/Home.razor.cs
index f75478c6..738bd392 100644
--- a/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Components/Pages/Home.razor.cs
+++ b/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Components/Pages/Home.razor.cs
@@ -1,9 +1,11 @@
 using CodeBeam.UltimateAuth.Client;
+using CodeBeam.UltimateAuth.Client.Blazor;
 using CodeBeam.UltimateAuth.Client.Runtime;
 using CodeBeam.UltimateAuth.Core.Contracts;
 using CodeBeam.UltimateAuth.Core.Domain;
 using CodeBeam.UltimateAuth.Core.MultiTenancy;
 using CodeBeam.UltimateAuth.Server.Contracts;
+using CodeBeam.UltimateAuth.Server.Services;
 using CodeBeam.UltimateAuth.Server.Stores;
 using Microsoft.AspNetCore.Components;
 using MudBlazor;
@@ -21,6 +23,7 @@ public partial class Home
     private HubFlowState? _state;
 
     private UAuthClientProductInfo? _productInfo;
+    private UAuthLoginForm _loginForm = null!;
     private MudTextField<string> _usernameField = default!;
 
     private CancellationTokenSource? _lockoutCts;
@@ -32,6 +35,7 @@ public partial class Home
     private TimeSpan _lockoutDuration;
     private double _progressPercent;
     private int? _remainingAttempts = null;
+    private bool _errorHandled;
 
     protected override async Task OnInitializedAsync()
     {
@@ -67,18 +71,24 @@ protected override async Task OnAfterRenderAsync(bool firstRender)
             return;
         }
 
-        if (_state.Error != null)
+        if (_state.Error != null && !_errorHandled)
         {
+            _errorHandled = true;
+
             Snackbar.Add(ResolveErrorMessage(_state.Error), Severity.Error);
-            _state = _state.ClearError();
+            //_state = _state.ClearError();
 
-            await Task.Delay(200);
+            //await Task.Delay(200);
             await ContinuePkceAsync();
 
             if (HubSessionId.TryParse(HubKey, out var hubSessionId))
             {
                 _state = await HubFlowReader.GetStateAsync(hubSessionId);
             }
+
+            await _loginForm.RefreshAsync();
+
+            StateHasChanged();
         }
     }
 
@@ -129,37 +139,20 @@ private async Task HandleLoginResult(IUAuthTryResult result)
     }
 
     private PkceCredentials? _pkce;
-    private string? _hubSessionId;
 
     private async Task ContinuePkceAsync()
     {
-        if (string.IsNullOrWhiteSpace(_hubSessionId))
+        if (string.IsNullOrWhiteSpace(HubKey))
             return;
 
-        _pkce = await UAuthClient.Flows.BeginPkceSilentAsync();
-        await HubFlowService.ContinuePkceAsync(_hubSessionId, _pkce.AuthorizationCode, _pkce.CodeVerifier);
-    }
+        var key = new AuthArtifactKey(HubKey);
+        var artifact = await AuthStore.GetAsync(key) as HubFlowArtifact;
 
-    private async Task StartNewPkceSilentAsync()
-    {
-        var returnUrl = await ResolveReturnUrlAsync();
-
-        _pkce = await UAuthClient.Flows.BeginPkceSilentAsync();
-
-        HubBeginRequest request = new HubBeginRequest()
-        {
-            AuthorizationCode = _pkce.AuthorizationCode,
-            CodeVerifier = _pkce.CodeVerifier,
-            ClientProfile = Options.Value.ClientProfile,
-            Tenant = TenantKeys.Single, // TODO
-            ReturnUrl = returnUrl,
-            PreviousHubSessionId = _hubSessionId
-            //deviceId: _deviceId
-        };
-
-        var result = await HubFlowService.BeginLoginAsync(request);
+        if (artifact is null)
+            return;
 
-        _hubSessionId = result.HubSessionId;
+        _pkce = await PkceService.RefreshAsync(artifact);
+        await HubFlowService.ContinuePkceAsync(HubKey, _pkce.AuthorizationCode, _pkce.CodeVerifier);
     }
 
     private async Task StartNewPkceAsync()
diff --git a/src/CodeBeam.UltimateAuth.Server/Services/Abstractions/IPkceService.cs b/src/CodeBeam.UltimateAuth.Server/Services/Abstractions/IPkceService.cs
index d3ea4405..a0e867ce 100644
--- a/src/CodeBeam.UltimateAuth.Server/Services/Abstractions/IPkceService.cs
+++ b/src/CodeBeam.UltimateAuth.Server/Services/Abstractions/IPkceService.cs
@@ -1,4 +1,5 @@
 using CodeBeam.UltimateAuth.Core.Contracts;
+using CodeBeam.UltimateAuth.Core.Domain;
 using CodeBeam.UltimateAuth.Server.Auth;
 
 namespace CodeBeam.UltimateAuth.Server.Services;
@@ -7,4 +8,5 @@ public interface IPkceService
 {
     Task<PkceAuthorizeResponse> AuthorizeAsync(PkceAuthorizeCommand command, CancellationToken ct = default);
     Task<PkceCompleteResult> CompleteAsync(AuthFlowContext auth, PkceCompleteRequest request, CancellationToken ct = default);
+    Task<PkceCredentials> RefreshAsync(HubFlowArtifact hub, CancellationToken ct = default);
 }
diff --git a/src/CodeBeam.UltimateAuth.Server/Services/PkceService.cs b/src/CodeBeam.UltimateAuth.Server/Services/PkceService.cs
index 73f430f8..8d89b5a2 100644
--- a/src/CodeBeam.UltimateAuth.Server/Services/PkceService.cs
+++ b/src/CodeBeam.UltimateAuth.Server/Services/PkceService.cs
@@ -6,6 +6,8 @@
 using CodeBeam.UltimateAuth.Server.Options;
 using CodeBeam.UltimateAuth.Server.Stores;
 using Microsoft.Extensions.Options;
+using System.Security.Cryptography;
+using System.Text;
 
 namespace CodeBeam.UltimateAuth.Server.Services;
 
@@ -119,4 +121,59 @@ public async Task<PkceCompleteResult> CompleteAsync(AuthFlowContext auth, PkceCo
             LoginResult = result
         };
     }
+
+    public async Task<PkceCredentials> RefreshAsync(HubFlowArtifact hub, CancellationToken ct = default)
+    {
+        if (!hub.Payload.TryGet<string>("device_id", out var deviceId) || string.IsNullOrWhiteSpace(deviceId))
+            throw new InvalidOperationException("HubFlow missing device_id.");
+
+        var verifier = CreateVerifier();
+        var challenge = CreateChallenge(verifier);
+
+        var authorizationCode = AuthArtifactKey.New();
+
+        var snapshot = new PkceContextSnapshot(
+            clientProfile: hub.ClientProfile,
+            tenant: hub.Tenant,
+            redirectUri: null,
+            deviceId: deviceId
+        );
+
+        var expiresAt = _clock.UtcNow.AddSeconds(_options.Pkce.AuthorizationCodeLifetimeSeconds);
+
+        var artifact = new PkceAuthorizationArtifact(
+            authorizationCode,
+            challenge,
+            PkceChallengeMethod.S256,
+            expiresAt,
+            snapshot
+        );
+
+        await _authStore.StoreAsync(authorizationCode, artifact, ct);
+
+        return new PkceCredentials
+        {
+            AuthorizationCode = authorizationCode.Value,
+            CodeVerifier = verifier
+        };
+    }
+
+    private static string CreateVerifier()
+    {
+        return Convert.ToBase64String(RandomNumberGenerator.GetBytes(32))
+            .TrimEnd('=')
+            .Replace('+', '-')
+            .Replace('/', '_');
+    }
+
+    private static string CreateChallenge(string verifier)
+    {
+        using var sha256 = SHA256.Create();
+        var bytes = sha256.ComputeHash(Encoding.UTF8.GetBytes(verifier));
+
+        return Convert.ToBase64String(bytes)
+            .TrimEnd('=')
+            .Replace('+', '-')
+            .Replace('/', '_');
+    }
 }
diff --git a/src/client/CodeBeam.UltimateAuth.Client.Blazor/Components/UAuthLoginForm.razor.cs b/src/client/CodeBeam.UltimateAuth.Client.Blazor/Components/UAuthLoginForm.razor.cs
index 3254867b..7a710122 100644
--- a/src/client/CodeBeam.UltimateAuth.Client.Blazor/Components/UAuthLoginForm.razor.cs
+++ b/src/client/CodeBeam.UltimateAuth.Client.Blazor/Components/UAuthLoginForm.razor.cs
@@ -209,6 +209,13 @@ private async Task EmitResultAsync(IUAuthTryResult result)
             await OnTryResult.InvokeAsync(result);
     }
 
+    public async Task RefreshAsync()
+    {
+        await ReloadCredentialsAsync();
+        await ReloadStateAsync();
+        await InvokeAsync(StateHasChanged);
+    }
+
     private string ClientProfileValue => Options.Value.ClientProfile.ToString();
 
     private string EffectiveEndpoint => LoginType == UAuthLoginType.Pkce
diff --git a/src/client/CodeBeam.UltimateAuth.Client/Services/Abstractions/IFlowClient.cs b/src/client/CodeBeam.UltimateAuth.Client/Services/Abstractions/IFlowClient.cs
index 2d4915b4..69dc2370 100644
--- a/src/client/CodeBeam.UltimateAuth.Client/Services/Abstractions/IFlowClient.cs
+++ b/src/client/CodeBeam.UltimateAuth.Client/Services/Abstractions/IFlowClient.cs
@@ -17,8 +17,7 @@ public interface IFlowClient
     Task<AuthValidationResult> ValidateAsync();
 
     Task BeginPkceAsync(string? returnUrl = null);
-    Task<PkceCredentials> ContinuePkceAsync(HubFlowArtifact hub);
-    Task<PkceCredentials> BeginPkceSilentAsync();
+    //Task<PkceCredentials> ContinuePkceAsync(HubFlowArtifact hub);
     Task<TryPkceLoginResult> TryCompletePkceLoginAsync(PkceCompleteRequest request, UAuthSubmitMode mode);
     Task CompletePkceLoginAsync(PkceCompleteRequest request);
 
diff --git a/src/client/CodeBeam.UltimateAuth.Client/Services/UAuthFlowClient.cs b/src/client/CodeBeam.UltimateAuth.Client/Services/UAuthFlowClient.cs
index e1839de3..908342a2 100644
--- a/src/client/CodeBeam.UltimateAuth.Client/Services/UAuthFlowClient.cs
+++ b/src/client/CodeBeam.UltimateAuth.Client/Services/UAuthFlowClient.cs
@@ -241,85 +241,46 @@ public async Task BeginPkceAsync(string? returnUrl = null)
         }
     }
 
-    public async Task<PkceCredentials> BeginPkceSilentAsync()
-    {
-        var pkce = _options.Pkce;
-
-        if (!pkce.Enabled)
-            throw new InvalidOperationException("PKCE login is disabled.");
-
-        var verifier = CreateVerifier();
-        var challenge = CreateChallenge(verifier);
-
-        var authorizeUrl = Url(_options.Endpoints.PkceAuthorize);
-
-        var raw = await _post.SendFormAsync(
-            authorizeUrl,
-            new Dictionary<string, string>
-            {
-                ["code_challenge"] = challenge,
-                ["challenge_method"] = "S256",
-            });
-
-        if (!raw.Ok || raw.Body is null)
-            throw new InvalidOperationException("PKCE authorize failed.");
-
-        var response = raw.Body.Value.Deserialize<PkceAuthorizeResponse>(
-            new JsonSerializerOptions { PropertyNameCaseInsensitive = true });
-
-        if (response is null || string.IsNullOrWhiteSpace(response.AuthorizationCode))
-            throw new InvalidOperationException("Invalid PKCE authorize response.");
-
-        if (pkce.OnAuthorized is not null)
-            await pkce.OnAuthorized(response);
+    //public async Task<PkceCredentials> ContinuePkceAsync(HubFlowArtifact hub)
+    //{
+    //    var pkce = _options.Pkce;
 
-        return new PkceCredentials
-        {
-            AuthorizationCode = response.AuthorizationCode,
-            CodeVerifier = verifier
-        };
-    }
+    //    if (!pkce.Enabled)
+    //        throw new InvalidOperationException("PKCE disabled.");
 
-    public async Task<PkceCredentials> ContinuePkceAsync(HubFlowArtifact hub)
-    {
-        var pkce = _options.Pkce;
+    //    var deviceId = hub.Payload.GetRequired<string>("device_id");
+    //    var clientProfile = hub.ClientProfile;
 
-        if (!pkce.Enabled)
-            throw new InvalidOperationException("PKCE disabled.");
+    //    var verifier = CreateVerifier();
+    //    var challenge = CreateChallenge(verifier);
 
-        var deviceId = hub.Payload.GetRequired<string>("device_id");
-        var clientProfile = hub.ClientProfile;
+    //    var authorizeUrl = Url(_options.Endpoints.PkceAuthorize);
 
-        var verifier = CreateVerifier();
-        var challenge = CreateChallenge(verifier);
-
-        var authorizeUrl = Url(_options.Endpoints.PkceAuthorize);
-
-        var raw = await _post.SendFormAsync(
-            authorizeUrl,
-            new Dictionary<string, string>
-            {
-                ["code_challenge"] = challenge,
-                ["challenge_method"] = "S256",
-                ["device_id"] = deviceId
-            });
+    //    var raw = await _post.SendFormAsync(
+    //        authorizeUrl,
+    //        new Dictionary<string, string>
+    //        {
+    //            ["code_challenge"] = challenge,
+    //            ["challenge_method"] = "S256",
+    //            ["device_id"] = deviceId
+    //        });
 
-        var response = raw.Body.Value.Deserialize<PkceAuthorizeResponse>(
-            new JsonSerializerOptions { PropertyNameCaseInsensitive = true });
+    //    var response = raw.Body.Value.Deserialize<PkceAuthorizeResponse>(
+    //        new JsonSerializerOptions { PropertyNameCaseInsensitive = true });
 
-        return new PkceCredentials
-        {
-            AuthorizationCode = response.AuthorizationCode,
-            CodeVerifier = verifier
-        };
-    }
+    //    return new PkceCredentials
+    //    {
+    //        AuthorizationCode = response.AuthorizationCode,
+    //        CodeVerifier = verifier
+    //    };
+    //}
 
     public async Task<TryPkceLoginResult> TryCompletePkceLoginAsync(PkceCompleteRequest request, UAuthSubmitMode mode)
     {
         if (mode == UAuthSubmitMode.DirectCommit)
         {
             await CompletePkceLoginAsync(request);
-            return new TryPkceLoginResult();
+            return new TryPkceLoginResult { Success = true };
         }
 
         if (request is null)
@@ -359,19 +320,10 @@ public async Task<TryPkceLoginResult> TryCompletePkceLoginAsync(PkceCompleteRequ
                     return parsed;
                 }
 
-            case UAuthSubmitMode.DirectCommit:
-                {
-                    await _post.NavigateAsync(commitUrl, payload);
-                    return new TryPkceLoginResult { Success = true };
-                }
-
             case UAuthSubmitMode.TryAndCommit:
             default:
                 {
-                    var result = await _post.TryAndCommitAsync<TryPkceLoginResult>(
-                        tryUrl,
-                        commitUrl,
-                        payload);
+                    var result = await _post.TryAndCommitAsync<TryPkceLoginResult>(tryUrl, commitUrl, payload);
 
                     if (result is null)
                         throw new UAuthProtocolException("Invalid PKCE try result.");

From 60a178942280db0f05eddad42c44da7a67fd2d9a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mehmet=20Can=20Karag=C3=B6z?= <m.cankaragoz@outlook.com>
Date: Mon, 23 Mar 2026 20:44:00 +0300
Subject: [PATCH 05/10] Code Refactoring

---
 .../Components/Pages/Home.razor               |   6 +-
 .../Components/Pages/Home.razor.cs            |   6 +-
 .../Controllers/HubLoginController.cs         |  56 --------
 .../DefaultUAuthHubMarker.cs                  |   5 -
 .../Program.cs                                |  39 +++---
 .../wwwroot/app.css                           |   5 +
 .../Contracts/Login/LoginRequest.cs           |   1 -
 .../Domain/Pkce/PkceCredentials.cs            |   7 -
 .../Extensions/ServiceCollectionExtensions.cs |  42 +++++-
 .../Extensions/UAuthHubEndpointExtensions.cs  |  16 +++
 .../Infrastructure/Hub/HandleHubEntry.cs      |  52 ++++++++
 .../Infrastructure/Hub/UAuthHubMarker.cs      |   7 +
 .../Infrastructure/OriginHelper.cs            |  12 ++
 .../Redirect/AuthRedirectResolver.cs          |   6 +-
 .../Options/UAuthHubServerOptions.cs          |   2 +-
 .../Services/Abstractions/IPkceService.cs     |   2 +-
 .../Services/PkceService.cs                   |   4 +-
 .../Components/UAuthLoginForm.razor.cs        | 121 +++++++++++++-----
 .../Options/UAuthClientEndpointOptions.cs     |   2 +-
 .../Services/Abstractions/IFlowClient.cs      |   1 -
 .../Services/UAuthFlowClient.cs               |  34 -----
 21 files changed, 249 insertions(+), 177 deletions(-)
 delete mode 100644 samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Controllers/HubLoginController.cs
 delete mode 100644 samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/DefaultUAuthHubMarker.cs
 delete mode 100644 src/CodeBeam.UltimateAuth.Core/Domain/Pkce/PkceCredentials.cs
 create mode 100644 src/CodeBeam.UltimateAuth.Server/Extensions/UAuthHubEndpointExtensions.cs
 create mode 100644 src/CodeBeam.UltimateAuth.Server/Infrastructure/Hub/HandleHubEntry.cs
 create mode 100644 src/CodeBeam.UltimateAuth.Server/Infrastructure/Hub/UAuthHubMarker.cs
 create mode 100644 src/CodeBeam.UltimateAuth.Server/Infrastructure/OriginHelper.cs

diff --git a/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Components/Pages/Home.razor b/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Components/Pages/Home.razor
index 6a5b9eae..37575944 100644
--- a/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Components/Pages/Home.razor
+++ b/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Components/Pages/Home.razor
@@ -54,10 +54,10 @@
     <MudContainer Class="d-flex align-center justify-center" MaxWidth="MaxWidth.Medium" Gutters="false">
         <MudGrid Spacing="0">
             <MudItem Class="order-1 order-sm-0" xs="12" sm="6">
-                <MudPaper Class="mud-theme-primary uauth-login-paper pa-8 d-flex flex-column align-center justify-center" Elevation="3">
+                <MudPaper Class="mud-theme-secondary uauth-login-paper pa-8 d-flex flex-column align-center justify-center" Elevation="3">
                     <MudStack Class="my-4">
                         <div class="uauth-brand-glow uauth-logo-slide d-flex justify-center">
-                            <UAuthLogo Size="90" ShieldColor="#f6f5ae" KeyColor="var(--mud-palette-primary)" />
+                            <UAuthLogo Size="90" ShieldColor="#f6f5ae" KeyColor="var(--mud-palette-secondary)" />
                         </div>
                         <MudText Style="font-weight: 700" Typo="Typo.h4" Align="Align.Center">UAuthHub</MudText>
                         <MudText Align="Align.Center">The centralized AuthServer for your application.</MudText>
@@ -83,7 +83,7 @@
                                     <MudText Style="font-weight: 700" Inline="true" Typo="Typo.h5" Color="Color.Primary">Sign <MudText Inline="true" Style="font-weight: 700" Typo="Typo.h5" Color="Color.Secondary">In</MudText></MudText>
                                 </MudText>
                             </MudStack>
-                            <MudTextField @ref="@_usernameField" @bind-Value="@_username" Variant="Variant.Outlined" Label="Username" Required="true" Immediate="true" HelperText="@(_remainingAttempts != null ? $"Remaining Attempts: {_remainingAttempts}" : null)" />
+                            <MudTextField @bind-Value="@_username" Variant="Variant.Outlined" Label="Username" Required="true" Immediate="true" HelperText="@(_remainingAttempts != null ? $"Remaining Attempts: {_remainingAttempts}" : null)" />
                             <MudPasswordField @bind-Value="@_password" Variant="Variant.Outlined" Label="Password" Required="true" Immediate="true" />
                             <MudButton Variant="Variant.Filled" Color="Color.Primary" Disabled="@_isLocked" ButtonType="ButtonType.Submit">Login</MudButton>
                             @if (_isLocked)
diff --git a/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Components/Pages/Home.razor.cs b/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Components/Pages/Home.razor.cs
index 738bd392..ec966fdb 100644
--- a/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Components/Pages/Home.razor.cs
+++ b/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Components/Pages/Home.razor.cs
@@ -3,9 +3,6 @@
 using CodeBeam.UltimateAuth.Client.Runtime;
 using CodeBeam.UltimateAuth.Core.Contracts;
 using CodeBeam.UltimateAuth.Core.Domain;
-using CodeBeam.UltimateAuth.Core.MultiTenancy;
-using CodeBeam.UltimateAuth.Server.Contracts;
-using CodeBeam.UltimateAuth.Server.Services;
 using CodeBeam.UltimateAuth.Server.Stores;
 using Microsoft.AspNetCore.Components;
 using MudBlazor;
@@ -24,7 +21,6 @@ public partial class Home
 
     private UAuthClientProductInfo? _productInfo;
     private UAuthLoginForm _loginForm = null!;
-    private MudTextField<string> _usernameField = default!;
 
     private CancellationTokenSource? _lockoutCts;
     private PeriodicTimer? _lockoutTimer;
@@ -138,7 +134,7 @@ private async Task HandleLoginResult(IUAuthTryResult result)
         }
     }
 
-    private PkceCredentials? _pkce;
+    private HubCredentials? _pkce;
 
     private async Task ContinuePkceAsync()
     {
diff --git a/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Controllers/HubLoginController.cs b/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Controllers/HubLoginController.cs
deleted file mode 100644
index a4350aa5..00000000
--- a/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Controllers/HubLoginController.cs
+++ /dev/null
@@ -1,56 +0,0 @@
-using CodeBeam.UltimateAuth.Core.Abstractions;
-using CodeBeam.UltimateAuth.Core.Domain;
-using CodeBeam.UltimateAuth.Core.MultiTenancy;
-using CodeBeam.UltimateAuth.Core.Options;
-using CodeBeam.UltimateAuth.Server.Options;
-using CodeBeam.UltimateAuth.Server.Stores;
-using Microsoft.AspNetCore.Mvc;
-using Microsoft.Extensions.Options;
-
-namespace CodeBeam.UltimateAuth.Sample.UAuthHub.Controllers;
-
-[Route("auth/uauthhub")]
-[IgnoreAntiforgeryToken]
-public sealed class HubLoginController : Controller
-{
-    private readonly IAuthStore _authStore;
-    private readonly UAuthServerOptions _options;
-    private readonly IClock _clock;
-
-    public HubLoginController(IAuthStore authStore, IOptions<UAuthServerOptions> options, IClock clock)
-    {
-        _authStore = authStore;
-        _options = options.Value;
-        _clock = clock;
-    }
-
-    [HttpPost("login")]
-    [IgnoreAntiforgeryToken]
-    public async Task<IActionResult> BeginLogin(
-        [FromForm] string authorization_code,
-        [FromForm] string code_verifier,
-        [FromForm] UAuthClientProfile client_profile,
-        [FromForm] string? return_url,
-        [FromForm] string device_id)
-    {
-        var hubSessionId = HubSessionId.New();
-
-        var payload = new HubFlowPayload();
-        payload.Set("authorization_code", authorization_code);
-        payload.Set("code_verifier", code_verifier);
-        payload.Set("device_id", device_id);
-
-        var artifact = new HubFlowArtifact(
-            hubSessionId: hubSessionId,
-            flowType: HubFlowType.Login,
-            clientProfile: client_profile,
-            tenant: TenantKeys.System, // TODO: Think about multi tenant scenarios
-            returnUrl: return_url,
-            payload: payload,
-            expiresAt: _clock.UtcNow.Add(_options.Hub.FlowLifetime));
-
-        await _authStore.StoreAsync(new AuthArtifactKey(hubSessionId.Value), artifact, HttpContext.RequestAborted);
-
-        return Redirect($"{_options.Hub.LoginPath}?hub={hubSessionId.Value}");
-    }
-}
diff --git a/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/DefaultUAuthHubMarker.cs b/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/DefaultUAuthHubMarker.cs
deleted file mode 100644
index eb5fe640..00000000
--- a/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/DefaultUAuthHubMarker.cs
+++ /dev/null
@@ -1,5 +0,0 @@
-using CodeBeam.UltimateAuth.Core.Runtime;
-
-internal sealed class DefaultUAuthHubMarker : IUAuthHubMarker
-{
-}
diff --git a/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Program.cs b/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Program.cs
index 728640df..0a1ba558 100644
--- a/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Program.cs
+++ b/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Program.cs
@@ -2,7 +2,6 @@
 using CodeBeam.UltimateAuth.Client.Blazor.Extensions;
 using CodeBeam.UltimateAuth.Core.Domain;
 using CodeBeam.UltimateAuth.Core.Infrastructure;
-using CodeBeam.UltimateAuth.Core.Runtime;
 using CodeBeam.UltimateAuth.InMemory;
 using CodeBeam.UltimateAuth.Sample.UAuthHub.Components;
 using CodeBeam.UltimateAuth.Sample.UAuthHub.Infrastructure;
@@ -21,8 +20,6 @@
         options.DetailedErrors = true;
     });
 
-builder.Services.AddControllers();
-
 builder.Services.AddMudServices(o => {
     o.SnackbarConfiguration.PreventDuplicates = false;
 });
@@ -30,9 +27,6 @@
 
 builder.Services.AddScoped<DarkModeManager>();
 
-//builder.Services.AddAuthorization();
-
-//builder.Services.AddHttpContextAccessor();
 
 builder.Services.AddUltimateAuthServer(o => {
     o.Diagnostics.EnableRefreshDetails = true;
@@ -46,7 +40,8 @@
     o.Login.LockoutDuration = TimeSpan.FromSeconds(10);
     o.Identifiers.AllowMultipleUsernames = true;
 })
-    .AddUltimateAuthInMemory();
+    .AddUltimateAuthInMemory()
+    .AddUAuthHub(o => o.AllowedClientOrigins.Add("https://localhost:6130"));
 
 builder.Services.AddUltimateAuthClientBlazor(o =>
 {
@@ -54,20 +49,18 @@
     o.Reauth.Behavior = ReauthBehavior.RaiseEvent;
 });
 
-builder.Services.AddSingleton<IUAuthHubMarker, DefaultUAuthHubMarker>();
-
-builder.Services.AddCors(options =>
-{
-    options.AddPolicy("WasmSample", policy =>
-    {
-        policy
-            .WithOrigins("https://localhost:6130")
-            .AllowAnyHeader()
-            .AllowAnyMethod()
-            .AllowCredentials()
-            .WithExposedHeaders("X-UAuth-Refresh"); // TODO: Add exposed headers globally
-    });
-});
+//builder.Services.AddCors(options =>
+//{
+//    options.AddPolicy("UAuthHub", policy =>
+//    {
+//        policy
+//            .WithOrigins("https://localhost:6130")
+//            .AllowAnyHeader()
+//            .AllowAnyMethod()
+//            .AllowCredentials()
+//            .WithExposedHeaders("X-UAuth-Refresh"); // TODO: Add exposed headers globally
+//    });
+//});
 
 var app = builder.Build();
 
@@ -88,15 +81,15 @@
 }
 
 app.UseHttpsRedirection();
-app.UseCors("WasmSample");
+app.UseCors("UAuthHub");
 
 app.UseUltimateAuthWithAspNetCore();
 app.UseAntiforgery();
 
 app.MapUltimateAuthEndpoints();
+app.MapUAuthHub();
 app.MapStaticAssets();
 
-app.MapControllers();
 app.MapRazorComponents<App>()
     .AddInteractiveServerRenderMode()
     .AddUltimateAuthRoutes(UAuthAssemblies.BlazorClient());
diff --git a/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/wwwroot/app.css b/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/wwwroot/app.css
index 9d58cb9c..17fcfd6a 100644
--- a/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/wwwroot/app.css
+++ b/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/wwwroot/app.css
@@ -70,6 +70,11 @@ h1:focus {
         color: white;
     }
 
+    .uauth-login-paper.mud-theme-secondary {
+        background: linear-gradient(145deg, var(--mud-palette-secondary), rgba(0, 0, 0, 0.85) );
+        color: white;
+    }
+
 .uauth-brand-glow {
     filter: drop-shadow(0 0 25px rgba(255,255,255,0.15));
 }
diff --git a/src/CodeBeam.UltimateAuth.Core/Contracts/Login/LoginRequest.cs b/src/CodeBeam.UltimateAuth.Core/Contracts/Login/LoginRequest.cs
index fc9a56d8..ae45a071 100644
--- a/src/CodeBeam.UltimateAuth.Core/Contracts/Login/LoginRequest.cs
+++ b/src/CodeBeam.UltimateAuth.Core/Contracts/Login/LoginRequest.cs
@@ -1,5 +1,4 @@
 using CodeBeam.UltimateAuth.Core.Domain;
-using CodeBeam.UltimateAuth.Core.MultiTenancy;
 
 namespace CodeBeam.UltimateAuth.Core.Contracts;
 
diff --git a/src/CodeBeam.UltimateAuth.Core/Domain/Pkce/PkceCredentials.cs b/src/CodeBeam.UltimateAuth.Core/Domain/Pkce/PkceCredentials.cs
deleted file mode 100644
index bbd3005a..00000000
--- a/src/CodeBeam.UltimateAuth.Core/Domain/Pkce/PkceCredentials.cs
+++ /dev/null
@@ -1,7 +0,0 @@
-namespace CodeBeam.UltimateAuth.Core.Domain;
-
-public sealed record PkceCredentials
-{
-    public string AuthorizationCode { get; init; } = default!;
-    public string CodeVerifier { get; init; } = default!;
-}
diff --git a/src/CodeBeam.UltimateAuth.Server/Extensions/ServiceCollectionExtensions.cs b/src/CodeBeam.UltimateAuth.Server/Extensions/ServiceCollectionExtensions.cs
index ef4f06e9..589f059f 100644
--- a/src/CodeBeam.UltimateAuth.Server/Extensions/ServiceCollectionExtensions.cs
+++ b/src/CodeBeam.UltimateAuth.Server/Extensions/ServiceCollectionExtensions.cs
@@ -171,7 +171,6 @@ private static IServiceCollection AddUltimateAuthServerInternal(this IServiceCol
         services.TryAddScoped<IUAuthInternalFlowService, UAuthFlowService>();
         services.TryAddScoped<IRefreshFlowService, RefreshFlowService>();
         services.TryAddScoped<IPkceService, PkceService>();
-        services.TryAddScoped<IHubFlowService, HubFlowService>();
 
         services.TryAddSingleton<IClock, CodeBeam.UltimateAuth.Server.Infrastructure.SystemClock>();
 
@@ -214,7 +213,6 @@ private static IServiceCollection AddUltimateAuthServerInternal(this IServiceCol
         services.TryAddSingleton<IAuthResponseResolver, AuthResponseResolver>();
         services.TryAddSingleton<IEffectiveAuthModeResolver, EffectiveAuthModeResolver>();
         services.TryAddSingleton<IPrimaryTokenResolver, PrimaryTokenResolver>();
-        services.TryAddScoped<IHubCredentialResolver, HubCredentialResolver>();
         services.TryAddSingleton<IAuthRedirectResolver, AuthRedirectResolver>();
 
         services.TryAddScoped<ISessionTouchService, SessionTouchService>();
@@ -229,7 +227,6 @@ private static IServiceCollection AddUltimateAuthServerInternal(this IServiceCol
         services.TryAddScoped<ICredentialResponseWriter, CredentialResponseWriter>();
         services.TryAddScoped<IRefreshResponseWriter, RefreshResponseWriter>();
         services.TryAddSingleton<IClientProfileReader, ClientProfileReader>();
-        services.TryAddScoped<IHubFlowReader, HubFlowReader>();
         
         services.TryAddSingleton<ClientProfileAuthResponseAdapter>();
         services.TryAddScoped<IEffectiveServerOptionsProvider,EffectiveServerOptionsProvider>();
@@ -397,6 +394,45 @@ private static IServiceCollection AddUltimateAuthResourceInternal(this IServiceC
 
         return services;
     }
+
+    public static IServiceCollection AddUAuthHub(this IServiceCollection services, Action<UAuthHubServerOptions>? configure = null)
+    {
+        services.PostConfigure<UAuthServerOptions>(options =>
+        {
+            configure?.Invoke(options.Hub);
+        });
+
+        services.TryAddSingleton<IUAuthHubMarker, UAuthHubMarker>();
+
+        services.TryAddScoped<IHubFlowService, HubFlowService>();
+        services.TryAddScoped<IHubFlowReader, HubFlowReader>();
+        services.TryAddScoped<IHubCredentialResolver, HubCredentialResolver>();
+
+        services.AddCors(options =>
+        {
+            options.AddPolicy("UAuthHub", policy =>
+            {
+                var sp = services.BuildServiceProvider();
+                var serverOptions = sp.GetRequiredService<IOptions<UAuthServerOptions>>().Value;
+
+                var origins = serverOptions.Hub.AllowedClientOrigins
+                    .Select(OriginHelper.Normalize)
+                    .ToArray();
+
+                if (origins.Length > 0)
+                {
+                    policy
+                        .WithOrigins(origins)
+                        .AllowAnyHeader()
+                        .AllowAnyMethod()
+                        .AllowCredentials()
+                        .WithExposedHeaders("X-UAuth-Refresh");
+                }
+            });
+        });
+
+        return services;
+    }
 }
 
 internal sealed class NullTenantResolver : ITenantIdResolver
diff --git a/src/CodeBeam.UltimateAuth.Server/Extensions/UAuthHubEndpointExtensions.cs b/src/CodeBeam.UltimateAuth.Server/Extensions/UAuthHubEndpointExtensions.cs
new file mode 100644
index 00000000..7aef3c12
--- /dev/null
+++ b/src/CodeBeam.UltimateAuth.Server/Extensions/UAuthHubEndpointExtensions.cs
@@ -0,0 +1,16 @@
+using CodeBeam.UltimateAuth.Server.Infrastructure;
+using Microsoft.AspNetCore.Builder;
+using Microsoft.AspNetCore.Routing;
+
+namespace CodeBeam.UltimateAuth.Server.Extensions;
+
+public static class UAuthHubEndpointExtensions
+{
+    public static IEndpointRouteBuilder MapUAuthHub(this IEndpointRouteBuilder endpoints)
+    {
+        var group = endpoints.MapGroup("/auth/uauthhub");
+        group.MapPost("/entry", HandleHub.HandleHubEntry);
+
+        return endpoints;
+    }
+}
diff --git a/src/CodeBeam.UltimateAuth.Server/Infrastructure/Hub/HandleHubEntry.cs b/src/CodeBeam.UltimateAuth.Server/Infrastructure/Hub/HandleHubEntry.cs
new file mode 100644
index 00000000..0b2805ec
--- /dev/null
+++ b/src/CodeBeam.UltimateAuth.Server/Infrastructure/Hub/HandleHubEntry.cs
@@ -0,0 +1,52 @@
+using CodeBeam.UltimateAuth.Core.Abstractions;
+using CodeBeam.UltimateAuth.Core.Domain;
+using CodeBeam.UltimateAuth.Core.Options;
+using CodeBeam.UltimateAuth.Server.Extensions;
+using CodeBeam.UltimateAuth.Server.Options;
+using CodeBeam.UltimateAuth.Server.Stores;
+using Microsoft.AspNetCore.Http;
+using Microsoft.Extensions.Options;
+
+namespace CodeBeam.UltimateAuth.Server.Infrastructure;
+
+internal class HandleHub
+{
+    internal static async Task<IResult> HandleHubEntry(HttpContext ctx, IAuthStore store, IClock clock, IOptions<UAuthServerOptions> options)
+    {
+        var form = await ctx.GetCachedFormAsync();
+
+        if (form is null)
+            return Results.BadRequest("Form content required.");
+
+        var authorizationCode = form["authorization_code"].ToString();
+        var codeVerifier = form["code_verifier"].ToString();
+        var deviceId = form["device_id"].ToString();
+        var returnUrl = form["return_url"].ToString();
+
+        if (!Enum.TryParse<UAuthClientProfile>(form["__uauth_client_profile"], ignoreCase: true, out var clientProfile))
+        {
+            clientProfile = UAuthClientProfile.NotSpecified;
+        }
+
+        var hubSessionId = HubSessionId.New();
+
+        var payload = new HubFlowPayload();
+        payload.Set("authorization_code", authorizationCode);
+        payload.Set("code_verifier", codeVerifier);
+        payload.Set("device_id", deviceId);
+
+        var tenant = ctx.GetTenant();
+
+        var artifact = new HubFlowArtifact(
+            hubSessionId,
+            HubFlowType.Login,
+            clientProfile,
+            tenant,
+            returnUrl,
+            payload,
+            clock.UtcNow.Add(options.Value.Hub.FlowLifetime));
+
+        await store.StoreAsync(new AuthArtifactKey(hubSessionId.Value), artifact);
+        return Results.Redirect($"{options.Value.Hub.LoginPath}?hub={hubSessionId.Value}");
+    }
+}
diff --git a/src/CodeBeam.UltimateAuth.Server/Infrastructure/Hub/UAuthHubMarker.cs b/src/CodeBeam.UltimateAuth.Server/Infrastructure/Hub/UAuthHubMarker.cs
new file mode 100644
index 00000000..d1888722
--- /dev/null
+++ b/src/CodeBeam.UltimateAuth.Server/Infrastructure/Hub/UAuthHubMarker.cs
@@ -0,0 +1,7 @@
+using CodeBeam.UltimateAuth.Core.Runtime;
+
+namespace CodeBeam.UltimateAuth.Server.Infrastructure;
+
+public class UAuthHubMarker : IUAuthHubMarker
+{
+}
diff --git a/src/CodeBeam.UltimateAuth.Server/Infrastructure/OriginHelper.cs b/src/CodeBeam.UltimateAuth.Server/Infrastructure/OriginHelper.cs
new file mode 100644
index 00000000..3dbf79af
--- /dev/null
+++ b/src/CodeBeam.UltimateAuth.Server/Infrastructure/OriginHelper.cs
@@ -0,0 +1,12 @@
+namespace CodeBeam.UltimateAuth.Server.Infrastructure;
+
+internal static class OriginHelper
+{
+    public static string Normalize(string origin)
+    {
+        if (string.IsNullOrWhiteSpace(origin))
+            return string.Empty;
+
+        return origin.Trim().TrimEnd('/').ToLowerInvariant();
+    }
+}
diff --git a/src/CodeBeam.UltimateAuth.Server/Infrastructure/Redirect/AuthRedirectResolver.cs b/src/CodeBeam.UltimateAuth.Server/Infrastructure/Redirect/AuthRedirectResolver.cs
index f137f88e..68b2e7a5 100644
--- a/src/CodeBeam.UltimateAuth.Server/Infrastructure/Redirect/AuthRedirectResolver.cs
+++ b/src/CodeBeam.UltimateAuth.Server/Infrastructure/Redirect/AuthRedirectResolver.cs
@@ -100,11 +100,11 @@ private static void ValidateAllowed(string baseAddress, UAuthServerOptions optio
         if (options.Hub.AllowedClientOrigins.Count == 0)
             return;
 
-        if (!options.Hub.AllowedClientOrigins.Any(o => Normalize(o) == Normalize(baseAddress)))
+        var normalized = OriginHelper.Normalize(baseAddress);
+
+        if (!options.Hub.AllowedClientOrigins.Any(o => OriginHelper.Normalize(o) == normalized))
         {
             throw new InvalidOperationException($"Redirect to '{baseAddress}' is not allowed.");
         }
     }
-
-    private static string Normalize(string uri) => uri.TrimEnd('/').ToLowerInvariant();
 }
diff --git a/src/CodeBeam.UltimateAuth.Server/Options/UAuthHubServerOptions.cs b/src/CodeBeam.UltimateAuth.Server/Options/UAuthHubServerOptions.cs
index 2d904064..96b6f414 100644
--- a/src/CodeBeam.UltimateAuth.Server/Options/UAuthHubServerOptions.cs
+++ b/src/CodeBeam.UltimateAuth.Server/Options/UAuthHubServerOptions.cs
@@ -10,7 +10,7 @@ public sealed class UAuthHubServerOptions
     /// Lifetime of hub flow artifacts (UI orchestration).
     /// Should be short-lived.
     /// </summary>
-    public TimeSpan FlowLifetime { get; set; } = TimeSpan.FromMinutes(2);
+    public TimeSpan FlowLifetime { get; set; } = TimeSpan.FromMinutes(5);
 
     public string? LoginPath { get; set; } = "/login";
 
diff --git a/src/CodeBeam.UltimateAuth.Server/Services/Abstractions/IPkceService.cs b/src/CodeBeam.UltimateAuth.Server/Services/Abstractions/IPkceService.cs
index a0e867ce..e2c3c6f0 100644
--- a/src/CodeBeam.UltimateAuth.Server/Services/Abstractions/IPkceService.cs
+++ b/src/CodeBeam.UltimateAuth.Server/Services/Abstractions/IPkceService.cs
@@ -8,5 +8,5 @@ public interface IPkceService
 {
     Task<PkceAuthorizeResponse> AuthorizeAsync(PkceAuthorizeCommand command, CancellationToken ct = default);
     Task<PkceCompleteResult> CompleteAsync(AuthFlowContext auth, PkceCompleteRequest request, CancellationToken ct = default);
-    Task<PkceCredentials> RefreshAsync(HubFlowArtifact hub, CancellationToken ct = default);
+    Task<HubCredentials> RefreshAsync(HubFlowArtifact hub, CancellationToken ct = default);
 }
diff --git a/src/CodeBeam.UltimateAuth.Server/Services/PkceService.cs b/src/CodeBeam.UltimateAuth.Server/Services/PkceService.cs
index 8d89b5a2..b3921bd8 100644
--- a/src/CodeBeam.UltimateAuth.Server/Services/PkceService.cs
+++ b/src/CodeBeam.UltimateAuth.Server/Services/PkceService.cs
@@ -122,7 +122,7 @@ public async Task<PkceCompleteResult> CompleteAsync(AuthFlowContext auth, PkceCo
         };
     }
 
-    public async Task<PkceCredentials> RefreshAsync(HubFlowArtifact hub, CancellationToken ct = default)
+    public async Task<HubCredentials> RefreshAsync(HubFlowArtifact hub, CancellationToken ct = default)
     {
         if (!hub.Payload.TryGet<string>("device_id", out var deviceId) || string.IsNullOrWhiteSpace(deviceId))
             throw new InvalidOperationException("HubFlow missing device_id.");
@@ -151,7 +151,7 @@ public async Task<PkceCredentials> RefreshAsync(HubFlowArtifact hub, Cancellatio
 
         await _authStore.StoreAsync(authorizationCode, artifact, ct);
 
-        return new PkceCredentials
+        return new HubCredentials
         {
             AuthorizationCode = authorizationCode.Value,
             CodeVerifier = verifier
diff --git a/src/client/CodeBeam.UltimateAuth.Client.Blazor/Components/UAuthLoginForm.razor.cs b/src/client/CodeBeam.UltimateAuth.Client.Blazor/Components/UAuthLoginForm.razor.cs
index 7a710122..8696afd6 100644
--- a/src/client/CodeBeam.UltimateAuth.Client.Blazor/Components/UAuthLoginForm.razor.cs
+++ b/src/client/CodeBeam.UltimateAuth.Client.Blazor/Components/UAuthLoginForm.razor.cs
@@ -3,6 +3,7 @@
 using CodeBeam.UltimateAuth.Core.Contracts;
 using CodeBeam.UltimateAuth.Core.Defaults;
 using CodeBeam.UltimateAuth.Core.Domain;
+using CodeBeam.UltimateAuth.Core.Errors;
 using Microsoft.AspNetCore.Components;
 using Microsoft.AspNetCore.WebUtilities;
 using Microsoft.JSInterop;
@@ -13,7 +14,6 @@ public partial class UAuthLoginForm
 {
     [Inject]
     IDeviceIdProvider DeviceIdProvider { get; set; } = null!;
-    private DeviceId? _deviceId;
 
     [Inject]
     IUAuthClient UAuthClient { get; set; } = null!;
@@ -27,46 +27,77 @@ public partial class UAuthLoginForm
     [Inject]
     IHubCapabilities HubCapabilities { get; set; } = null!;
 
+    /// <summary>
+    /// Gets or sets the unique login identifier associated with this component instance.
+    /// </summary>
     [Parameter]
     public string? Identifier { get; set; }
 
+    /// <summary>
+    /// Gets or sets the secret value used for authentication or configuration.
+    /// </summary>
     [Parameter]
     public string? Secret { get; set; }
 
+    /// <summary>
+    /// Gets or sets the endpoint URL (login path) used to connect to the target service. If not set, endpoint is set by options.
+    /// </summary>
     [Parameter]
     public string? Endpoint { get; set; }
 
+    /// <summary>
+    /// Gets or sets the URL to which the user is redirected after a successful operation. If not set, return url is set by hub flow state's return url.
+    /// </summary>
     [Parameter]
     public string? ReturnUrl { get; set; }
 
-    //[Parameter]
-    //public IHubCredentialResolver? HubCredentialResolver { get; set; }
-
-    //[Parameter]
-    //public IHubFlowReader? HubFlowReader { get; set; }
-
+    /// <summary>
+    /// Gets or sets the associated UAuthHub flow id. If not set, value is set from query.
+    /// </summary>
     [Parameter]
     public HubSessionId? HubSessionId { get; set; }
 
+    /// <summary>
+    /// Gets or sets the type of login method to use for authentication.
+    /// </summary>
     [Parameter]
     public UAuthLoginType LoginType { get; set; } = UAuthLoginType.Password;
 
+    /// <summary>
+    /// Gets or sets the mode used to submit authentication requests. Default is TryAndCommit.
+    /// </summary>
     [Parameter]
-    public UAuthSubmitMode SubmitMode { get; set; }
-
+    public UAuthSubmitMode SubmitMode { get; set; } = UAuthSubmitMode.TryAndCommit;
+
+    /// <summary>
+    /// Gets or sets the content to be rendered inside the component.
+    /// </summary>
+    /// <remarks>Use this property to specify child markup or components that will be rendered within the body
+    /// of this component. Typically set automatically when the component is used with child content in Razor
+    /// syntax.</remarks>
     [Parameter]
     public RenderFragment? ChildContent { get; set; }
 
+    /// <summary>
+    /// Gets or sets a value indicating whether pressing the Enter key submits the form.
+    /// </summary>
     [Parameter]
     public bool AllowEnterKeyToSubmit { get; set; } = true;
 
+    /// <summary>
+    /// Gets or sets the callback that is invoked when a try result event occurs. Does not fire on DirectCommit submit mode.
+    /// </summary>
+    /// <remarks>Use this property to handle the result of an authentication attempt. The callback receives an
+    /// object that provides details about the outcome of the operation.</remarks>
     [Parameter]
     public EventCallback<IUAuthTryResult> OnTryResult { get; set; }
 
-    private ElementReference _form;
 
+    private ElementReference _form;
     private HubCredentials? _credentials;
     private HubFlowState? _flow;
+    private DeviceId? _deviceId;
+
     protected override async Task OnParametersSetAsync()
     {
         await base.OnParametersSetAsync();
@@ -80,13 +111,6 @@ protected override async Task OnParametersSetAsync()
                 "PKCE is not supported in this client profile." +
                 "Change LoginType to password or place this component to a server-side project.");
         }
-
-        //if (LoginType == UAuthLoginType.Pkce && EffectiveHubSessionId is null)
-        //{
-        //    throw new InvalidOperationException("PKCE login requires an active Hub flow. " +
-        //        "No 'hub' query parameter was found."
-        //    );
-        //}
     }
 
     protected override async Task OnAfterRenderAsync(bool firstRender)
@@ -98,7 +122,7 @@ protected override async Task OnAfterRenderAsync(bool firstRender)
         StateHasChanged();
     }
 
-    public async Task ReloadCredentialsAsync()
+    protected async Task ReloadCredentialsAsync()
     {
         if (LoginType != UAuthLoginType.Pkce)
             return;
@@ -109,7 +133,7 @@ public async Task ReloadCredentialsAsync()
         _credentials = await HubCredentialResolver.ResolveAsync(EffectiveHubSessionId.Value);
     }
 
-    public async Task ReloadStateAsync()
+    protected async Task ReloadStateAsync()
     {
         if (LoginType != UAuthLoginType.Pkce || EffectiveHubSessionId is null || HubFlowReader is null)
             return;
@@ -117,6 +141,24 @@ public async Task ReloadStateAsync()
         _flow = await HubFlowReader.GetStateAsync(EffectiveHubSessionId.Value);
     }
 
+    /// <summary>
+    /// Asynchronously reloads credentials and state, and updates the component state.
+    /// </summary>
+    /// <remarks>Call this method to refresh the component's credentials and state. This method is typically
+    /// used when external changes require the component to update its internal data and UI.</remarks>
+    /// <returns>A task that represents the asynchronous reload operation.</returns>
+    public async Task ReloadAsync()
+    {
+        await ReloadCredentialsAsync();
+        await ReloadStateAsync();
+        await InvokeAsync(StateHasChanged);
+    }
+
+    /// <summary>
+    /// Submits the login form asynchronously using the configured authentication method.
+    /// </summary>
+    /// <returns>A task that represents the asynchronous submit operation.</returns>
+    /// <exception cref="InvalidOperationException">Thrown if the form has not been rendered. Call this method only after the OnAfterRender lifecycle event.</exception>
     public async Task SubmitAsync()
     {
         if (_form.Context is null)
@@ -134,6 +176,11 @@ public async Task SubmitAsync()
 
     private async Task SubmitPasswordAsync()
     {
+        if (string.IsNullOrWhiteSpace(Identifier) || string.IsNullOrWhiteSpace(Secret))
+        {
+            throw new UAuthValidationException("Identifier and Secret are required.");
+        }
+
         var request = new LoginRequest
         {
             Identifier = Identifier,
@@ -168,14 +215,19 @@ private async Task SubmitPkceAsync()
         if (_credentials is null)
             throw new InvalidOperationException("Missing PKCE credentials.");
 
+        if (string.IsNullOrWhiteSpace(Identifier) || string.IsNullOrWhiteSpace(Secret))
+        {
+            throw new UAuthValidationException("Identifier and Secret are required.");
+        }
+
         var request = new PkceCompleteRequest
         {
             Identifier = Identifier,
             Secret = Secret,
             AuthorizationCode = _credentials.AuthorizationCode,
             CodeVerifier = _credentials.CodeVerifier,
-            ReturnUrl = EffectiveReturnUrl,
-            HubSessionId = EffectiveHubSessionId?.Value
+            ReturnUrl = EffectiveReturnUrl ?? string.Empty,
+            HubSessionId = EffectiveHubSessionId?.Value ?? string.Empty
         };
 
         switch (SubmitMode)
@@ -209,13 +261,6 @@ private async Task EmitResultAsync(IUAuthTryResult result)
             await OnTryResult.InvokeAsync(result);
     }
 
-    public async Task RefreshAsync()
-    {
-        await ReloadCredentialsAsync();
-        await ReloadStateAsync();
-        await InvokeAsync(StateHasChanged);
-    }
-
     private string ClientProfileValue => Options.Value.ClientProfile.ToString();
 
     private string EffectiveEndpoint => LoginType == UAuthLoginType.Pkce
@@ -237,13 +282,27 @@ private string ResolvedEndpoint
             if (string.IsNullOrWhiteSpace(returnUrl))
                 return baseUrl;
 
-            return $"{baseUrl}?{(_credentials != null ? "hub=" + EffectiveHubSessionId + "&" : null)}{UAuthConstants.Query.ReturnUrl}={Uri.EscapeDataString(returnUrl)}";
+            var query = new List<string>();
+
+            if (_credentials != null && EffectiveHubSessionId is not null)
+            {
+                query.Add($"hub={EffectiveHubSessionId}");
+            }
+
+            if (!string.IsNullOrWhiteSpace(returnUrl))
+            {
+                query.Add($"{UAuthConstants.Query.ReturnUrl}={Uri.EscapeDataString(returnUrl)}");
+            }
+
+            return query.Count == 0
+                ? baseUrl
+                : $"{baseUrl}?{string.Join("&", query)}";
         }
     }
 
-    private string EffectiveReturnUrl => !string.IsNullOrWhiteSpace(ReturnUrl)
+    private string? EffectiveReturnUrl => !string.IsNullOrWhiteSpace(ReturnUrl)
         ? ReturnUrl
-        : LoginType == UAuthLoginType.Pkce ? _flow?.ReturnUrl ?? string.Empty : Navigation.Uri;
+        : LoginType == UAuthLoginType.Pkce ? _flow?.ReturnUrl : Navigation.Uri;
 
     private HubSessionId? EffectiveHubSessionId
     {
diff --git a/src/client/CodeBeam.UltimateAuth.Client/Options/UAuthClientEndpointOptions.cs b/src/client/CodeBeam.UltimateAuth.Client/Options/UAuthClientEndpointOptions.cs
index 9bc5b2a6..0b709c79 100644
--- a/src/client/CodeBeam.UltimateAuth.Client/Options/UAuthClientEndpointOptions.cs
+++ b/src/client/CodeBeam.UltimateAuth.Client/Options/UAuthClientEndpointOptions.cs
@@ -16,5 +16,5 @@ public sealed class UAuthClientEndpointOptions
     public string PkceAuthorize { get; set; } = "/pkce/authorize";
     public string PkceTryComplete { get; set; } = "/pkce/try-complete";
     public string PkceComplete { get; set; } = "/pkce/complete";
-    public string HubLoginPath { get; set; } = "/uauthhub/login";
+    public string HubLoginPath { get; set; } = "/uauthhub/entry";
 }
diff --git a/src/client/CodeBeam.UltimateAuth.Client/Services/Abstractions/IFlowClient.cs b/src/client/CodeBeam.UltimateAuth.Client/Services/Abstractions/IFlowClient.cs
index 69dc2370..a97d3294 100644
--- a/src/client/CodeBeam.UltimateAuth.Client/Services/Abstractions/IFlowClient.cs
+++ b/src/client/CodeBeam.UltimateAuth.Client/Services/Abstractions/IFlowClient.cs
@@ -17,7 +17,6 @@ public interface IFlowClient
     Task<AuthValidationResult> ValidateAsync();
 
     Task BeginPkceAsync(string? returnUrl = null);
-    //Task<PkceCredentials> ContinuePkceAsync(HubFlowArtifact hub);
     Task<TryPkceLoginResult> TryCompletePkceLoginAsync(PkceCompleteRequest request, UAuthSubmitMode mode);
     Task CompletePkceLoginAsync(PkceCompleteRequest request);
 
diff --git a/src/client/CodeBeam.UltimateAuth.Client/Services/UAuthFlowClient.cs b/src/client/CodeBeam.UltimateAuth.Client/Services/UAuthFlowClient.cs
index 908342a2..e2aeb57e 100644
--- a/src/client/CodeBeam.UltimateAuth.Client/Services/UAuthFlowClient.cs
+++ b/src/client/CodeBeam.UltimateAuth.Client/Services/UAuthFlowClient.cs
@@ -241,40 +241,6 @@ public async Task BeginPkceAsync(string? returnUrl = null)
         }
     }
 
-    //public async Task<PkceCredentials> ContinuePkceAsync(HubFlowArtifact hub)
-    //{
-    //    var pkce = _options.Pkce;
-
-    //    if (!pkce.Enabled)
-    //        throw new InvalidOperationException("PKCE disabled.");
-
-    //    var deviceId = hub.Payload.GetRequired<string>("device_id");
-    //    var clientProfile = hub.ClientProfile;
-
-    //    var verifier = CreateVerifier();
-    //    var challenge = CreateChallenge(verifier);
-
-    //    var authorizeUrl = Url(_options.Endpoints.PkceAuthorize);
-
-    //    var raw = await _post.SendFormAsync(
-    //        authorizeUrl,
-    //        new Dictionary<string, string>
-    //        {
-    //            ["code_challenge"] = challenge,
-    //            ["challenge_method"] = "S256",
-    //            ["device_id"] = deviceId
-    //        });
-
-    //    var response = raw.Body.Value.Deserialize<PkceAuthorizeResponse>(
-    //        new JsonSerializerOptions { PropertyNameCaseInsensitive = true });
-
-    //    return new PkceCredentials
-    //    {
-    //        AuthorizationCode = response.AuthorizationCode,
-    //        CodeVerifier = verifier
-    //    };
-    //}
-
     public async Task<TryPkceLoginResult> TryCompletePkceLoginAsync(PkceCompleteRequest request, UAuthSubmitMode mode)
     {
         if (mode == UAuthSubmitMode.DirectCommit)

From bfe6c13120e8f050d8daa1352439c9dbbca342b5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mehmet=20Can=20Karag=C3=B6z?= <m.cankaragoz@outlook.com>
Date: Mon, 23 Mar 2026 23:25:38 +0300
Subject: [PATCH 06/10] More Code Refactoring

---
 .../Components/App.razor                      |  4 +-
 .../Components/Pages/Home.razor               | 10 ++--
 .../Components/Pages/Home.razor.cs            | 48 +++++--------------
 .../Program.cs                                | 28 +----------
 .../Components/Pages/Login.razor              |  2 +-
 .../Pages/Login.razor                         |  2 +-
 .../Pages/Login.razor.cs                      | 15 ++++++
 .../Domain/Hub/HubErrorCode.cs                | 10 ++++
 .../Domain/Hub/HubFlowArtifact.cs             |  4 +-
 .../Domain/Hub/HubFlowState.cs                |  2 +-
 .../Runtime/IUAuthHubMarker.cs                |  1 +
 .../Endpoints/PkceEndpointHandler.cs          |  2 +-
 .../EndpointRouteBuilderExtensions.cs         |  3 +-
 .../UAuthApplicationBuilderExtensions.cs      | 22 ++++++++-
 .../Infrastructure/Hub/UAuthHubMarker.cs      |  1 +
 .../Components/UAuthHubPageBase.cs            | 44 +++++++++++++++++
 .../Services/UAuthAuthorizationClient.cs      |  3 +-
 17 files changed, 120 insertions(+), 81 deletions(-)
 create mode 100644 src/CodeBeam.UltimateAuth.Core/Domain/Hub/HubErrorCode.cs
 create mode 100644 src/client/CodeBeam.UltimateAuth.Client.Blazor/Components/UAuthHubPageBase.cs

diff --git a/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Components/App.razor b/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Components/App.razor
index 71805ad6..48e265d0 100644
--- a/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Components/App.razor
+++ b/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Components/App.razor
@@ -6,11 +6,9 @@
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
     <base href="/" />
     <ResourcePreloader />
-    @* <link rel="stylesheet" href="@Assets["lib/bootstrap/dist/css/bootstrap.min.css"]" /> *@
     <link rel="stylesheet" href="@Assets["app.css"]" />
-    <link rel="stylesheet" href="@Assets["UltimateAuth.Sample.UAuthHub.styles.css"]" />
     <ImportMap />
-    <link rel="icon" type="image/png" href="~/UltimateAuth-Logo.png" />
+    <link rel="icon" type="image/png" href="UltimateAuth-Logo.png" />
 
     <link href="https://fonts.googleapis.com/css?family=Roboto:300,400,500,700&display=swap" rel="stylesheet" />
     <link href="_content/MudBlazor/MudBlazor.min.css" rel="stylesheet" />
diff --git a/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Components/Pages/Home.razor b/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Components/Pages/Home.razor
index 37575944..9c26a4d9 100644
--- a/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Components/Pages/Home.razor
+++ b/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Components/Pages/Home.razor
@@ -1,7 +1,7 @@
 @page "/"
 @page "/login"
 @attribute [UAuthLoginPage]
-@inherits UAuthFlowPageBase
+@inherits UAuthHubPageBase
 
 @implements IDisposable
 @using CodeBeam.UltimateAuth.Client.Infrastructure
@@ -16,7 +16,6 @@
 @inject IAuthStore AuthStore
 @inject IHubFlowService HubFlowService
 @inject IPkceService PkceService
-@inject IHubFlowReader HubFlowReader
 @inject IHubCredentialResolver HubCredentialResolver
 @inject IClientStorage BrowserStorage
 @inject ISnackbar Snackbar
@@ -25,7 +24,7 @@
 @inject IDialogService DialogService
 @inject IOptions<UAuthClientOptions> Options
 
-@if (_state == null || !_state.IsActive)
+@if (!IsHubAuthorized)
 {
     <MudPage Class="d-flex align-center justify-center" FullScreen="FullScreen.FullWithoutAppbar" Column="1" Row="1">
         <MudPaper Class="pa-8" Elevation="4" Style="max-width: 520px; width: 100%;">
@@ -115,11 +114,12 @@
                         <MudText Style="color: var(--mud-palette-text-secondary)" Typo="Typo.subtitle2" Align="Align.Center">Login programmatically as admin/admin.</MudText>
                     </MudStack>
 
-                    <MudDivider Class="my-2" />
+                    @* <MudDivider Class="my-2" /> *@
 
                     <MudStack>
+                        @* TODO: Enhance sample *@
                         @* <MudText Align="Align.Center" Typo="Typo.subtitle2"><MudLink Class="cursor-pointer" OnClick="OpenResetDialog">Forgot Password</MudLink></MudText> *@
-                        <MudText Align="Align.Center" Typo="Typo.subtitle2">Don't have an account? <MudLink Class="cursor-pointer" Href="/register">SignUp</MudLink></MudText>
+                        @* <MudText Align="Align.Center" Typo="Typo.subtitle2">Don't have an account? <MudLink Class="cursor-pointer" Href="/register">SignUp</MudLink></MudText> *@
                     </MudStack>
                 </MudPaper>
             </MudItem>
diff --git a/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Components/Pages/Home.razor.cs b/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Components/Pages/Home.razor.cs
index ec966fdb..b8cf4512 100644
--- a/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Components/Pages/Home.razor.cs
+++ b/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Components/Pages/Home.razor.cs
@@ -4,21 +4,15 @@
 using CodeBeam.UltimateAuth.Core.Contracts;
 using CodeBeam.UltimateAuth.Core.Domain;
 using CodeBeam.UltimateAuth.Server.Stores;
-using Microsoft.AspNetCore.Components;
 using MudBlazor;
 
 namespace CodeBeam.UltimateAuth.Sample.UAuthHub.Components.Pages;
 
 public partial class Home
 {
-    [SupplyParameterFromQuery(Name = "hub")]
-    public string? HubKey { get; set; }
-
     private string? _username;
     private string? _password;
 
-    private HubFlowState? _state;
-
     private UAuthClientProductInfo? _productInfo;
     private UAuthLoginForm _loginForm = null!;
 
@@ -38,51 +32,35 @@ protected override async Task OnInitializedAsync()
         _productInfo = ClientProductInfoProvider.Get();
     }
 
-    protected override async Task OnParametersSetAsync()
-    {
-        if (string.IsNullOrWhiteSpace(HubKey))
-        {
-            _state = null;
-            return;
-        }
-
-        if (HubSessionId.TryParse(HubKey, out var hubSessionId))
-            _state = await HubFlowReader.GetStateAsync(hubSessionId);
-    }
-
     protected override async Task OnAfterRenderAsync(bool firstRender)
     {
         if (string.IsNullOrWhiteSpace(HubKey))
             return;
 
-        if (_state is null || !_state.Exists)
+        if (HubState is null || !HubState.Exists)
         {
             await StartNewPkceAsync();
             return;
         }
 
-        if (_state.IsExpired)
+        if (HubState.IsExpired)
         {
             await StartNewPkceAsync();
             return;
         }
 
-        if (_state.Error != null && !_errorHandled)
+        if (HubState.Error != null && !_errorHandled)
         {
             _errorHandled = true;
-
-            Snackbar.Add(ResolveErrorMessage(_state.Error), Severity.Error);
-            //_state = _state.ClearError();
-
-            //await Task.Delay(200);
+            Snackbar.Add(ResolveErrorMessage(HubState.Error), Severity.Error);
             await ContinuePkceAsync();
 
             if (HubSessionId.TryParse(HubKey, out var hubSessionId))
             {
-                _state = await HubFlowReader.GetStateAsync(hubSessionId);
+                await ReloadState();
             }
 
-            await _loginForm.RefreshAsync();
+            await _loginForm.ReloadAsync();
 
             StateHasChanged();
         }
@@ -91,7 +69,7 @@ protected override async Task OnAfterRenderAsync(bool firstRender)
     // For testing & debugging
     private async Task ProgrammaticPkceLogin()
     {
-        var hub = _state;
+        var hub = HubState;
 
         if (hub is null)
             return;
@@ -107,8 +85,8 @@ private async Task ProgrammaticPkceLogin()
             Secret = "admin",
             AuthorizationCode = credentials?.AuthorizationCode ?? string.Empty,
             CodeVerifier = credentials?.CodeVerifier ?? string.Empty,
-            ReturnUrl = _state?.ReturnUrl ?? string.Empty,
-            HubSessionId = _state?.HubSessionId.Value ?? hubSessionId.Value,
+            ReturnUrl = HubState?.ReturnUrl ?? string.Empty,
+            HubSessionId = HubState?.HubSessionId.Value ?? hubSessionId.Value,
         };
 
         await UAuthClient.Flows.TryCompletePkceLoginAsync(request, UAuthSubmitMode.TryAndCommit);
@@ -159,7 +137,7 @@ private async Task StartNewPkceAsync()
 
     private async Task<string> ResolveReturnUrlAsync()
     {
-        var fromContext = _state?.ReturnUrl;
+        var fromContext = HubState?.ReturnUrl;
         if (!string.IsNullOrWhiteSpace(fromContext))
             return fromContext;
 
@@ -275,11 +253,11 @@ AuthFailureReason.InvalidCredentials when remainingAttempts is > 0
         Snackbar.Add(message, Severity.Error);
     }
 
-    private string ResolveErrorMessage(string? errorKey)
+    private string ResolveErrorMessage(HubErrorCode? errorCode)
     {
-        if (errorKey == "invalid")
+        if (errorCode == HubErrorCode.InvalidCredentials)
         {
-            return "Login failed.";
+            return "Invalid credentials.";
         }
 
         return "Failed attempt.";
diff --git a/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Program.cs b/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Program.cs
index 0a1ba558..47a813c8 100644
--- a/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Program.cs
+++ b/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Program.cs
@@ -12,7 +12,6 @@
 
 var builder = WebApplication.CreateBuilder(args);
 
-// Add services to the container.
 builder.Services.AddRazorComponents()
     .AddInteractiveServerComponents()
     .AddCircuitOptions(options =>
@@ -27,7 +26,6 @@
 
 builder.Services.AddScoped<DarkModeManager>();
 
-
 builder.Services.AddUltimateAuthServer(o => {
     o.Diagnostics.EnableRefreshDetails = true;
     //o.Session.MaxLifetime = TimeSpan.FromSeconds(32);
@@ -41,7 +39,7 @@
     o.Identifiers.AllowMultipleUsernames = true;
 })
     .AddUltimateAuthInMemory()
-    .AddUAuthHub(o => o.AllowedClientOrigins.Add("https://localhost:6130"));
+    .AddUAuthHub(o => o.AllowedClientOrigins.Add("https://localhost:6130")); // Client sample's URL
 
 builder.Services.AddUltimateAuthClientBlazor(o =>
 {
@@ -49,25 +47,11 @@
     o.Reauth.Behavior = ReauthBehavior.RaiseEvent;
 });
 
-//builder.Services.AddCors(options =>
-//{
-//    options.AddPolicy("UAuthHub", policy =>
-//    {
-//        policy
-//            .WithOrigins("https://localhost:6130")
-//            .AllowAnyHeader()
-//            .AllowAnyMethod()
-//            .AllowCredentials()
-//            .WithExposedHeaders("X-UAuth-Refresh"); // TODO: Add exposed headers globally
-//    });
-//});
-
 var app = builder.Build();
 
 if (!app.Environment.IsDevelopment())
 {
     app.UseExceptionHandler("/Error", createScopeForErrors: true);
-    // The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
     app.UseHsts();
 }
 else
@@ -81,7 +65,6 @@
 }
 
 app.UseHttpsRedirection();
-app.UseCors("UAuthHub");
 
 app.UseUltimateAuthWithAspNetCore();
 app.UseAntiforgery();
@@ -94,13 +77,4 @@
     .AddInteractiveServerRenderMode()
     .AddUltimateAuthRoutes(UAuthAssemblies.BlazorClient());
 
-app.MapGet("/health", () =>
-{
-    return Results.Ok(new
-    {
-        service = "UAuthHub",
-        status = "ok"
-    });
-});
-
 app.Run();
diff --git a/samples/blazor-server/CodeBeam.UltimateAuth.Sample.BlazorServer/Components/Pages/Login.razor b/samples/blazor-server/CodeBeam.UltimateAuth.Sample.BlazorServer/Components/Pages/Login.razor
index 3ead18e9..f1d587c7 100644
--- a/samples/blazor-server/CodeBeam.UltimateAuth.Sample.BlazorServer/Components/Pages/Login.razor
+++ b/samples/blazor-server/CodeBeam.UltimateAuth.Sample.BlazorServer/Components/Pages/Login.razor
@@ -73,7 +73,7 @@
 
             <MudItem Class="order-0 order-sm-1" xs="12" sm="6">
                 <MudPaper Class="uauth-login-paper pa-8" Elevation="3">
-                    <UAuthLoginForm Identifier="@_username" Secret="@_password" SubmitMode="UAuthSubmitMode.TryAndCommit" OnTryResult="@HandleTry" ReturnUrl="@(ReturnUrl ?? "/home")">
+                    <UAuthLoginForm Identifier="@_username" Secret="@_password" OnTryResult="@HandleTry" ReturnUrl="@(ReturnUrl ?? "/home")">
                         <MudStack Class="mud-width-full">
                             <MudStack Row="true" AlignItems="AlignItems.Center">
                                 <UAuthLogo Size="48" ShieldColor="var(--mud-palette-primary)" KeyColor="white" />
diff --git a/samples/blazor-standalone-wasm/CodeBeam.UltimateAuth.Sample.BlazorStandaloneWasm/Pages/Login.razor b/samples/blazor-standalone-wasm/CodeBeam.UltimateAuth.Sample.BlazorStandaloneWasm/Pages/Login.razor
index c82f0e04..5c3245d9 100644
--- a/samples/blazor-standalone-wasm/CodeBeam.UltimateAuth.Sample.BlazorStandaloneWasm/Pages/Login.razor
+++ b/samples/blazor-standalone-wasm/CodeBeam.UltimateAuth.Sample.BlazorStandaloneWasm/Pages/Login.razor
@@ -86,7 +86,7 @@
                             Instead of use PKCE flow.
                             This section only demonstrates that direct login flow is working, but not suggested.
                         </MudAlert>
-                        <UAuthLoginForm Identifier="@_username" Secret="@_password" ReturnUrl="@(ReturnUrl ?? "/home")">
+                        <UAuthLoginForm Identifier="@_username" Secret="@_password" ReturnUrl="@(ReturnUrl ?? "/home")" OnTryResult="HandleLoginResult">
                             <MudStack Class="mud-width-full">
                                 <MudTextField @ref="@_usernameField" @bind-Value="@_username" Variant="Variant.Outlined" Label="Username" Required="true" Immediate="true" HelperText="@(_remainingAttempts != null ? $"Remaining Attempts: {_remainingAttempts}" : null)" />
                                 <MudPasswordField @bind-Value="@_password" Variant="Variant.Outlined" Label="Password" Required="true" Immediate="true" />
diff --git a/samples/blazor-standalone-wasm/CodeBeam.UltimateAuth.Sample.BlazorStandaloneWasm/Pages/Login.razor.cs b/samples/blazor-standalone-wasm/CodeBeam.UltimateAuth.Sample.BlazorStandaloneWasm/Pages/Login.razor.cs
index 459081f1..b644ee9a 100644
--- a/samples/blazor-standalone-wasm/CodeBeam.UltimateAuth.Sample.BlazorStandaloneWasm/Pages/Login.razor.cs
+++ b/samples/blazor-standalone-wasm/CodeBeam.UltimateAuth.Sample.BlazorStandaloneWasm/Pages/Login.razor.cs
@@ -99,6 +99,21 @@ private async Task ProgrammaticLogin()
         await UAuthClient.Flows.LoginAsync(request, ReturnUrl ?? "/home");
     }
 
+    private async Task HandleLoginResult(IUAuthTryResult result)
+    {
+        if (!result.Success)
+        {
+            if (result.Reason == AuthFailureReason.LockedOut && result.LockoutUntilUtc is { } until)
+            {
+                _lockoutUntil = until;
+                StartCountdown();
+            }
+
+            _remainingAttempts = result.RemainingAttempts;
+            ShowLoginError(result.Reason, result.RemainingAttempts);
+        }
+    }
+
     private async void StartCountdown()
     {
         if (_lockoutUntil is null)
diff --git a/src/CodeBeam.UltimateAuth.Core/Domain/Hub/HubErrorCode.cs b/src/CodeBeam.UltimateAuth.Core/Domain/Hub/HubErrorCode.cs
new file mode 100644
index 00000000..c185ab21
--- /dev/null
+++ b/src/CodeBeam.UltimateAuth.Core/Domain/Hub/HubErrorCode.cs
@@ -0,0 +1,10 @@
+namespace CodeBeam.UltimateAuth.Core.Domain;
+
+public enum HubErrorCode
+{
+    None = 0,
+    InvalidCredentials,
+    LockedOut,
+    RequiresMfa,
+    Unknown
+}
diff --git a/src/CodeBeam.UltimateAuth.Core/Domain/Hub/HubFlowArtifact.cs b/src/CodeBeam.UltimateAuth.Core/Domain/Hub/HubFlowArtifact.cs
index 913b5220..1b9cd212 100644
--- a/src/CodeBeam.UltimateAuth.Core/Domain/Hub/HubFlowArtifact.cs
+++ b/src/CodeBeam.UltimateAuth.Core/Domain/Hub/HubFlowArtifact.cs
@@ -14,7 +14,7 @@ public sealed class HubFlowArtifact : AuthArtifact
 
     public HubFlowPayload Payload { get; }
 
-    public string? Error { get; private set; }
+    public HubErrorCode? Error { get; private set; }
 
     public HubFlowArtifact(
         HubSessionId hubSessionId,
@@ -34,7 +34,7 @@ public HubFlowArtifact(
         Payload = payload;
     }
 
-    public void SetError(string error)
+    public void SetError(HubErrorCode error)
     {
         Error = error;
         RegisterAttempt();
diff --git a/src/CodeBeam.UltimateAuth.Core/Domain/Hub/HubFlowState.cs b/src/CodeBeam.UltimateAuth.Core/Domain/Hub/HubFlowState.cs
index f5e9fb25..691d7a57 100644
--- a/src/CodeBeam.UltimateAuth.Core/Domain/Hub/HubFlowState.cs
+++ b/src/CodeBeam.UltimateAuth.Core/Domain/Hub/HubFlowState.cs
@@ -8,7 +8,7 @@ public sealed class HubFlowState
     public HubFlowType FlowType { get; init; }
     public UAuthClientProfile ClientProfile { get; init; }
     public string? ReturnUrl { get; init; }
-    public string? Error { get; init; }
+    public HubErrorCode? Error { get; init; }
     public int AttemptCount { get; init; }
 
     public bool IsActive { get; init; }
diff --git a/src/CodeBeam.UltimateAuth.Core/Runtime/IUAuthHubMarker.cs b/src/CodeBeam.UltimateAuth.Core/Runtime/IUAuthHubMarker.cs
index d91d578b..a8d869d3 100644
--- a/src/CodeBeam.UltimateAuth.Core/Runtime/IUAuthHubMarker.cs
+++ b/src/CodeBeam.UltimateAuth.Core/Runtime/IUAuthHubMarker.cs
@@ -6,4 +6,5 @@
 /// </summary>
 public interface IUAuthHubMarker
 {
+    bool RequiresCors { get; }
 }
diff --git a/src/CodeBeam.UltimateAuth.Server/Endpoints/PkceEndpointHandler.cs b/src/CodeBeam.UltimateAuth.Server/Endpoints/PkceEndpointHandler.cs
index fbc686fb..d63341f0 100644
--- a/src/CodeBeam.UltimateAuth.Server/Endpoints/PkceEndpointHandler.cs
+++ b/src/CodeBeam.UltimateAuth.Server/Endpoints/PkceEndpointHandler.cs
@@ -265,7 +265,7 @@ private async Task<IResult> RedirectToLoginWithErrorAsync(HttpContext ctx, AuthF
 
             if (artifact is HubFlowArtifact hub)
             {
-                hub.SetError("invalid");
+                hub.SetError(HubErrorCode.InvalidCredentials);
                 await _authStore.StoreAsync(key, hub);
 
                 return Results.Redirect($"{basePath}?hub={Uri.EscapeDataString(hubKey)}");
diff --git a/src/CodeBeam.UltimateAuth.Server/Extensions/EndpointRouteBuilderExtensions.cs b/src/CodeBeam.UltimateAuth.Server/Extensions/EndpointRouteBuilderExtensions.cs
index deb51630..cedcbdfe 100644
--- a/src/CodeBeam.UltimateAuth.Server/Extensions/EndpointRouteBuilderExtensions.cs
+++ b/src/CodeBeam.UltimateAuth.Server/Extensions/EndpointRouteBuilderExtensions.cs
@@ -13,7 +13,8 @@ public static IEndpointRouteBuilder MapUltimateAuthEndpoints(this IEndpointRoute
     {
         var registrar = endpoints.ServiceProvider.GetRequiredService<IAuthEndpointRegistrar>();
         var options = endpoints.ServiceProvider.GetRequiredService<IOptions<UAuthServerOptions>>().Value;
-        var rootGroup = endpoints.MapGroup("");
+        var rootGroup = endpoints.MapGroup("")
+            .RequireCors("UAuthHub");
         registrar.MapEndpoints(rootGroup, options);
 
         if (endpoints is WebApplication app)
diff --git a/src/CodeBeam.UltimateAuth.Server/Extensions/UAuthApplicationBuilderExtensions.cs b/src/CodeBeam.UltimateAuth.Server/Extensions/UAuthApplicationBuilderExtensions.cs
index 5efccabe..23e99b20 100644
--- a/src/CodeBeam.UltimateAuth.Server/Extensions/UAuthApplicationBuilderExtensions.cs
+++ b/src/CodeBeam.UltimateAuth.Server/Extensions/UAuthApplicationBuilderExtensions.cs
@@ -1,5 +1,8 @@
-using CodeBeam.UltimateAuth.Server.Middlewares;
+using CodeBeam.UltimateAuth.Core.Runtime;
+using CodeBeam.UltimateAuth.Server.Middlewares;
 using Microsoft.AspNetCore.Builder;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Logging;
 
 namespace CodeBeam.UltimateAuth.Server.Extensions;
 
@@ -15,8 +18,23 @@ public static IApplicationBuilder UseUltimateAuth(this IApplicationBuilder app)
         return app;
     }
 
-    public static IApplicationBuilder UseUltimateAuthWithAspNetCore(this IApplicationBuilder app)
+    public static IApplicationBuilder UseUltimateAuthWithAspNetCore(this IApplicationBuilder app, bool? enableCors = null)
     {
+        var logger = app.ApplicationServices
+            .GetRequiredService<ILoggerFactory>()
+            .CreateLogger("UltimateAuth");
+
+        var marker = app.ApplicationServices.GetService<IUAuthHubMarker>();
+        var requiresCors = marker?.RequiresCors == true;
+
+        if (enableCors == true || (enableCors == null && requiresCors))
+            app.UseCors();
+
+        if (requiresCors && enableCors == false)
+        {
+            logger.LogWarning("UAuthHub requires CORS. Either call app.UseCors() or enable it via UseUltimateAuthWithAspNetCore(enableCors: true).");
+        }
+
         app.UseUltimateAuth();
         app.UseAuthentication();
         app.UseAuthorization();
diff --git a/src/CodeBeam.UltimateAuth.Server/Infrastructure/Hub/UAuthHubMarker.cs b/src/CodeBeam.UltimateAuth.Server/Infrastructure/Hub/UAuthHubMarker.cs
index d1888722..6944fc73 100644
--- a/src/CodeBeam.UltimateAuth.Server/Infrastructure/Hub/UAuthHubMarker.cs
+++ b/src/CodeBeam.UltimateAuth.Server/Infrastructure/Hub/UAuthHubMarker.cs
@@ -4,4 +4,5 @@ namespace CodeBeam.UltimateAuth.Server.Infrastructure;
 
 public class UAuthHubMarker : IUAuthHubMarker
 {
+    public bool RequiresCors => true;
 }
diff --git a/src/client/CodeBeam.UltimateAuth.Client.Blazor/Components/UAuthHubPageBase.cs b/src/client/CodeBeam.UltimateAuth.Client.Blazor/Components/UAuthHubPageBase.cs
new file mode 100644
index 00000000..2fc629d1
--- /dev/null
+++ b/src/client/CodeBeam.UltimateAuth.Client.Blazor/Components/UAuthHubPageBase.cs
@@ -0,0 +1,44 @@
+using CodeBeam.UltimateAuth.Core.Abstractions;
+using CodeBeam.UltimateAuth.Core.Defaults;
+using CodeBeam.UltimateAuth.Core.Domain;
+using Microsoft.AspNetCore.Components;
+
+namespace CodeBeam.UltimateAuth.Client.Blazor;
+
+public abstract class UAuthHubPageBase : UAuthReactiveComponentBase
+{
+    [Inject] protected IHubFlowReader HubFlowReader { get; set; } = default!;
+    [Inject] protected NavigationManager Nav { get; set; } = default!;
+
+    [Parameter]
+    [SupplyParameterFromQuery(Name = UAuthConstants.Query.Hub)]
+    public string? HubKey { get; set; }
+
+    protected HubFlowState? HubState { get; private set; }
+
+    protected bool IsHubAuthorized => HubState is { Exists: true, IsActive: true };
+
+    protected override async Task OnParametersSetAsync()
+    {
+        await base.OnParametersSetAsync();
+        await ReloadState();
+    }
+
+    public async Task ReloadState()
+    {
+        if (string.IsNullOrWhiteSpace(HubKey))
+        {
+            HubState = null;
+            return;
+        }
+
+        if (HubSessionId.TryParse(HubKey, out var id))
+        {
+            HubState = await HubFlowReader.GetStateAsync(id);
+        }
+        else
+        {
+            HubState = null;
+        }
+    }
+}
diff --git a/src/client/CodeBeam.UltimateAuth.Client/Services/UAuthAuthorizationClient.cs b/src/client/CodeBeam.UltimateAuth.Client/Services/UAuthAuthorizationClient.cs
index 683db2bc..425a3f27 100644
--- a/src/client/CodeBeam.UltimateAuth.Client/Services/UAuthAuthorizationClient.cs
+++ b/src/client/CodeBeam.UltimateAuth.Client/Services/UAuthAuthorizationClient.cs
@@ -1,5 +1,4 @@
-using CodeBeam.UltimateAuth.Authorization;
-using CodeBeam.UltimateAuth.Authorization.Contracts;
+using CodeBeam.UltimateAuth.Authorization.Contracts;
 using CodeBeam.UltimateAuth.Client.Events;
 using CodeBeam.UltimateAuth.Client.Infrastructure;
 using CodeBeam.UltimateAuth.Client.Options;

From 5daa9acf3e7235b92b85cd60910e3a4e6cc116cc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mehmet=20Can=20Karag=C3=B6z?= <m.cankaragoz@outlook.com>
Date: Tue, 24 Mar 2026 01:17:23 +0300
Subject: [PATCH 07/10] UAuthUserAgentParser and Complete DeviceContext
 Implementation on WASM

---
 .../Components/Layout/MainLayout.razor        | 38 ++++++++-
 .../Components/Pages/Home.razor               | 25 ------
 .../Abstractions/Device/IUserAgentParser.cs   |  8 ++
 .../Contracts/Pkce/PkceAuthorizeCommand.cs    |  5 +-
 .../Domain/Device/UserAgentInfo.cs            |  9 ++
 .../Domain/Hub/HubFlowArtifact.cs             |  3 +
 .../Extensions/ServiceCollectionExtensions.cs |  1 +
 .../Infrastructure/UAuthUserAgentParser.cs    | 85 +++++++++++++++++++
 .../Contracts/Hub/HubBeginRequest.cs          |  5 +-
 .../Endpoints/PkceEndpointHandler.cs          | 44 +++++++---
 .../Flows/Pkce/PkceAuthorizationValidator.cs  | 11 +--
 .../Flows/Pkce/PkceAuthorizeRequest.cs        |  6 +-
 .../Flows/Pkce/PkceContextSnapshot.cs         |  9 +-
 .../Infrastructure/Device/DeviceResolver.cs   | 79 ++++-------------
 .../Infrastructure/Hub/HandleHubEntry.cs      | 30 ++++++-
 .../Services/HubFlowService.cs                |  3 +-
 .../Services/PkceService.cs                   | 13 ++-
 .../{ => Base}/UAuthFlowPageBase.cs           |  0
 .../Base/UAuthHubLayoutComponentBase.cs       | 59 +++++++++++++
 .../Components/{ => Base}/UAuthHubPageBase.cs |  0
 .../{ => Base}/UAuthReactiveComponentBase.cs  |  0
 .../Extensions/ServiceCollectionExtensions.cs |  1 +
 .../Infrastructure/ClientDeviceProvider.cs    | 44 ++++++++++
 .../TScripts/uauth.js                         |  8 ++
 .../wwwroot/uauth.min.js                      |  2 +-
 .../Abstractions/IClientDeviceProvider.cs     |  8 ++
 .../Services/UAuthFlowClient.cs               | 18 ++--
 27 files changed, 380 insertions(+), 134 deletions(-)
 create mode 100644 src/CodeBeam.UltimateAuth.Core/Abstractions/Device/IUserAgentParser.cs
 create mode 100644 src/CodeBeam.UltimateAuth.Core/Domain/Device/UserAgentInfo.cs
 create mode 100644 src/CodeBeam.UltimateAuth.Core/Infrastructure/UAuthUserAgentParser.cs
 rename src/client/CodeBeam.UltimateAuth.Client.Blazor/Components/{ => Base}/UAuthFlowPageBase.cs (100%)
 create mode 100644 src/client/CodeBeam.UltimateAuth.Client.Blazor/Components/Base/UAuthHubLayoutComponentBase.cs
 rename src/client/CodeBeam.UltimateAuth.Client.Blazor/Components/{ => Base}/UAuthHubPageBase.cs (100%)
 rename src/client/CodeBeam.UltimateAuth.Client.Blazor/Components/{ => Base}/UAuthReactiveComponentBase.cs (100%)
 create mode 100644 src/client/CodeBeam.UltimateAuth.Client.Blazor/Infrastructure/ClientDeviceProvider.cs
 create mode 100644 src/client/CodeBeam.UltimateAuth.Client/Abstractions/IClientDeviceProvider.cs

diff --git a/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Components/Layout/MainLayout.razor b/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Components/Layout/MainLayout.razor
index 8b7693b0..ac680f3b 100644
--- a/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Components/Layout/MainLayout.razor
+++ b/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Components/Layout/MainLayout.razor
@@ -1,8 +1,44 @@
-@inherits LayoutComponentBase
+@inherits UAuthHubLayoutComponentBase
 @inject IUAuthClient UAuthClient
 @inject ISnackbar Snackbar
 @inject NavigationManager Nav
 
+@if (!IsHubAuthorized)
+{
+    <MudAppBar Class="uauth-blur" Color="Color.Transparent" Dense="true" Elevation="0">
+        <UAuthLogo />
+        <MudText Class="ml-2 cursor-pointer" Style="user-select: none" @onclick="@(() => Nav.NavigateTo("/home", true))"><b>UltimateAuth</b></MudText>
+        <MudDivider Class="ml-3 mr-1" Vertical="true" />
+        <MudText Class="ml-2" Style="line-height: 14px" Typo="Typo.subtitle2">UAuthHub Sample</MudText>
+
+        <MudSpacer />
+
+        <MudIconButton Icon="@(DarkModeManager.IsDarkMode? Icons.Material.Filled.LightMode : Icons.Material.Filled.DarkMode)" OnClick="@(() => DarkModeManager.ToggleAsync())" />
+    </MudAppBar>
+
+    <MudPage Class="d-flex align-center justify-center" FullScreen="FullScreen.FullWithoutAppbar" Column="1" Row="1">
+        <MudPaper Class="pa-8" Elevation="4" Style="max-width: 520px; width: 100%;">
+            <MudStack Spacing="3" AlignItems="AlignItems.Center">
+                <UAuthLogo Size="72" />
+
+                <MudText Typo="Typo.h5"><b>Access Denied</b></MudText>
+
+                <MudText Typo="Typo.body2" Align="Align.Center">
+                    This page cannot be accessed directly.
+                    UAuthHub login flows can only be initiated by an authorized client application.
+                </MudText>
+
+                <MudDivider Class="my-2" />
+
+                <MudText Typo="Typo.caption" Color="Color.Secondary">
+                    UltimateAuth protects this resource based on your session and permissions.
+                </MudText>
+            </MudStack>
+        </MudPaper>
+    </MudPage>
+    return;
+}
+
 <MudLayout>
     <MudAppBar Class="uauth-blur" Color="Color.Transparent" Dense="true" Elevation="0">
         <UAuthLogo />
diff --git a/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Components/Pages/Home.razor b/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Components/Pages/Home.razor
index 9c26a4d9..b1720a39 100644
--- a/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Components/Pages/Home.razor
+++ b/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Components/Pages/Home.razor
@@ -24,31 +24,6 @@
 @inject IDialogService DialogService
 @inject IOptions<UAuthClientOptions> Options
 
-@if (!IsHubAuthorized)
-{
-    <MudPage Class="d-flex align-center justify-center" FullScreen="FullScreen.FullWithoutAppbar" Column="1" Row="1">
-        <MudPaper Class="pa-8" Elevation="4" Style="max-width: 520px; width: 100%;">
-            <MudStack Spacing="3" AlignItems="AlignItems.Center">
-                <UAuthLogo Size="72" />
-
-                <MudText Typo="Typo.h5"><b>Access Denied</b></MudText>
-
-                <MudText Typo="Typo.body2" Align="Align.Center">
-                    This page cannot be accessed directly.
-                    UAuthHub login flows can only be initiated by an authorized client application.
-                </MudText>
-
-                <MudDivider Class="my-2" />
-
-                <MudText Typo="Typo.caption" Color="Color.Secondary">
-                    UltimateAuth protects this resource based on your session and permissions.
-                </MudText>
-            </MudStack>
-        </MudPaper>
-    </MudPage>
-    return;
-}
-
 <MudPage FullScreen="FullScreen.FullWithoutAppbar" Column="1" Row="1">
     <MudContainer Class="d-flex align-center justify-center" MaxWidth="MaxWidth.Medium" Gutters="false">
         <MudGrid Spacing="0">
diff --git a/src/CodeBeam.UltimateAuth.Core/Abstractions/Device/IUserAgentParser.cs b/src/CodeBeam.UltimateAuth.Core/Abstractions/Device/IUserAgentParser.cs
new file mode 100644
index 00000000..bd5c1d72
--- /dev/null
+++ b/src/CodeBeam.UltimateAuth.Core/Abstractions/Device/IUserAgentParser.cs
@@ -0,0 +1,8 @@
+using CodeBeam.UltimateAuth.Core.Domain;
+
+namespace CodeBeam.UltimateAuth.Core.Abstractions;
+
+public interface IUserAgentParser
+{
+    UserAgentInfo Parse(string? userAgent);
+}
diff --git a/src/CodeBeam.UltimateAuth.Core/Contracts/Pkce/PkceAuthorizeCommand.cs b/src/CodeBeam.UltimateAuth.Core/Contracts/Pkce/PkceAuthorizeCommand.cs
index 31ce580a..bcb1e132 100644
--- a/src/CodeBeam.UltimateAuth.Core/Contracts/Pkce/PkceAuthorizeCommand.cs
+++ b/src/CodeBeam.UltimateAuth.Core/Contracts/Pkce/PkceAuthorizeCommand.cs
@@ -1,4 +1,5 @@
-using CodeBeam.UltimateAuth.Core.MultiTenancy;
+using CodeBeam.UltimateAuth.Core.Domain;
+using CodeBeam.UltimateAuth.Core.MultiTenancy;
 using CodeBeam.UltimateAuth.Core.Options;
 
 namespace CodeBeam.UltimateAuth.Core.Contracts;
@@ -7,7 +8,7 @@ public sealed record PkceAuthorizeCommand
 {
     public string CodeChallenge { get; init; } = default!;
     public string ChallengeMethod { get; init; } = "S256";
-    public string? DeviceId { get; init; }
+    public required DeviceContext Device { get; init; }
     public string? RedirectUri { get; init; }
 
     public UAuthClientProfile ClientProfile { get; init; }
diff --git a/src/CodeBeam.UltimateAuth.Core/Domain/Device/UserAgentInfo.cs b/src/CodeBeam.UltimateAuth.Core/Domain/Device/UserAgentInfo.cs
new file mode 100644
index 00000000..88d61eb3
--- /dev/null
+++ b/src/CodeBeam.UltimateAuth.Core/Domain/Device/UserAgentInfo.cs
@@ -0,0 +1,9 @@
+namespace CodeBeam.UltimateAuth.Core.Domain;
+
+public sealed class UserAgentInfo
+{
+    public string? DeviceType { get; init; }
+    public string? Platform { get; init; }
+    public string? OperatingSystem { get; init; }
+    public string? Browser { get; init; }
+}
diff --git a/src/CodeBeam.UltimateAuth.Core/Domain/Hub/HubFlowArtifact.cs b/src/CodeBeam.UltimateAuth.Core/Domain/Hub/HubFlowArtifact.cs
index 1b9cd212..e350d863 100644
--- a/src/CodeBeam.UltimateAuth.Core/Domain/Hub/HubFlowArtifact.cs
+++ b/src/CodeBeam.UltimateAuth.Core/Domain/Hub/HubFlowArtifact.cs
@@ -10,6 +10,7 @@ public sealed class HubFlowArtifact : AuthArtifact
 
     public UAuthClientProfile ClientProfile { get; }
     public TenantKey Tenant { get; }
+    public DeviceContext Device { get; }
     public string? ReturnUrl { get; }
 
     public HubFlowPayload Payload { get; }
@@ -21,6 +22,7 @@ public HubFlowArtifact(
         HubFlowType flowType,
         UAuthClientProfile clientProfile,
         TenantKey tenant,
+        DeviceContext device,
         string? returnUrl,
         HubFlowPayload payload,
         DateTimeOffset expiresAt)
@@ -30,6 +32,7 @@ public HubFlowArtifact(
         FlowType = flowType;
         ClientProfile = clientProfile;
         Tenant = tenant;
+        Device = device;
         ReturnUrl = returnUrl;
         Payload = payload;
     }
diff --git a/src/CodeBeam.UltimateAuth.Core/Extensions/ServiceCollectionExtensions.cs b/src/CodeBeam.UltimateAuth.Core/Extensions/ServiceCollectionExtensions.cs
index 779222b7..5cfc2f39 100644
--- a/src/CodeBeam.UltimateAuth.Core/Extensions/ServiceCollectionExtensions.cs
+++ b/src/CodeBeam.UltimateAuth.Core/Extensions/ServiceCollectionExtensions.cs
@@ -74,6 +74,7 @@ private static IServiceCollection AddUltimateAuthInternal(this IServiceCollectio
 
         services.AddSingleton<IUserIdConverterResolver, UAuthUserIdConverterResolver>();
         services.TryAddSingleton<IUAuthProductInfoProvider, UAuthProductInfoProvider>();
+        services.TryAddSingleton<IUserAgentParser, UAuthUserAgentParser>();
 
         return services;
     }
diff --git a/src/CodeBeam.UltimateAuth.Core/Infrastructure/UAuthUserAgentParser.cs b/src/CodeBeam.UltimateAuth.Core/Infrastructure/UAuthUserAgentParser.cs
new file mode 100644
index 00000000..9c3e3a58
--- /dev/null
+++ b/src/CodeBeam.UltimateAuth.Core/Infrastructure/UAuthUserAgentParser.cs
@@ -0,0 +1,85 @@
+using CodeBeam.UltimateAuth.Core.Abstractions;
+using CodeBeam.UltimateAuth.Core.Domain;
+
+namespace CodeBeam.UltimateAuth.Core.Infrastructure;
+
+internal sealed class UAuthUserAgentParser : IUserAgentParser
+{
+    public UserAgentInfo Parse(string? userAgent)
+    {
+        if (string.IsNullOrWhiteSpace(userAgent))
+            return new UserAgentInfo();
+
+        var ua = userAgent.ToLowerInvariant();
+
+        return new UserAgentInfo
+        {
+            DeviceType = ResolveDeviceType(ua),
+            Platform = ResolvePlatform(ua),
+            OperatingSystem = ResolveOperatingSystem(ua),
+            Browser = ResolveBrowser(ua)
+        };
+    }
+
+    private static string ResolveDeviceType(string ua)
+    {
+        if (ua.Contains("ipad") || ua.Contains("tablet"))
+            return "tablet";
+
+        if (ua.Contains("mobi") || ua.Contains("iphone") || ua.Contains("android"))
+            return "mobile";
+
+        return "desktop";
+    }
+
+    private static string ResolvePlatform(string ua)
+    {
+        if (ua.Contains("ipad") || ua.Contains("tablet"))
+            return "tablet";
+
+        if (ua.Contains("mobi") || ua.Contains("iphone") || ua.Contains("android"))
+            return "mobile";
+
+        return "desktop";
+    }
+
+    private static string ResolveOperatingSystem(string ua)
+    {
+        if (ua.Contains("android"))
+            return "android";
+
+        if (ua.Contains("iphone") || ua.Contains("ipad"))
+            return "ios";
+
+        if (ua.Contains("windows"))
+            return "windows";
+
+        if (ua.Contains("mac"))
+            return "macos";
+
+        if (ua.Contains("linux"))
+            return "linux";
+
+        return "unknown";
+    }
+
+    private static string ResolveBrowser(string ua)
+    {
+        if (ua.Contains("edg/"))
+            return "edge";
+
+        if (ua.Contains("opr/") || ua.Contains("opera"))
+            return "opera";
+
+        if (ua.Contains("chrome") && !ua.Contains("chromium"))
+            return "chrome";
+
+        if (ua.Contains("safari") && !ua.Contains("chrome"))
+            return "safari";
+
+        if (ua.Contains("firefox"))
+            return "firefox";
+
+        return "unknown";
+    }
+}
diff --git a/src/CodeBeam.UltimateAuth.Server/Contracts/Hub/HubBeginRequest.cs b/src/CodeBeam.UltimateAuth.Server/Contracts/Hub/HubBeginRequest.cs
index 5aa403c3..81c22c36 100644
--- a/src/CodeBeam.UltimateAuth.Server/Contracts/Hub/HubBeginRequest.cs
+++ b/src/CodeBeam.UltimateAuth.Server/Contracts/Hub/HubBeginRequest.cs
@@ -1,4 +1,5 @@
-using CodeBeam.UltimateAuth.Core.MultiTenancy;
+using CodeBeam.UltimateAuth.Core.Domain;
+using CodeBeam.UltimateAuth.Core.MultiTenancy;
 using CodeBeam.UltimateAuth.Core.Options;
 
 namespace CodeBeam.UltimateAuth.Server.Contracts;
@@ -15,5 +16,5 @@ public sealed record HubBeginRequest
 
     public string? PreviousHubSessionId { get; init; }
 
-    public string? DeviceId { get; init; }
+    public required DeviceContext Device { get; init; }
 }
diff --git a/src/CodeBeam.UltimateAuth.Server/Endpoints/PkceEndpointHandler.cs b/src/CodeBeam.UltimateAuth.Server/Endpoints/PkceEndpointHandler.cs
index d63341f0..2d096380 100644
--- a/src/CodeBeam.UltimateAuth.Server/Endpoints/PkceEndpointHandler.cs
+++ b/src/CodeBeam.UltimateAuth.Server/Endpoints/PkceEndpointHandler.cs
@@ -1,16 +1,18 @@
 using CodeBeam.UltimateAuth.Core.Abstractions;
 using CodeBeam.UltimateAuth.Core.Contracts;
+using CodeBeam.UltimateAuth.Core.Defaults;
 using CodeBeam.UltimateAuth.Core.Domain;
 using CodeBeam.UltimateAuth.Server.Abstractions;
 using CodeBeam.UltimateAuth.Server.Auth;
 using CodeBeam.UltimateAuth.Server.Extensions;
 using CodeBeam.UltimateAuth.Server.Flows;
 using CodeBeam.UltimateAuth.Server.Infrastructure;
-using CodeBeam.UltimateAuth.Server.Options;
 using CodeBeam.UltimateAuth.Server.Services;
 using CodeBeam.UltimateAuth.Server.Stores;
 using Microsoft.AspNetCore.Http;
-using Microsoft.Extensions.Options;
+using Microsoft.AspNetCore.WebUtilities;
+using System.Text;
+using System.Text.Json;
 
 namespace CodeBeam.UltimateAuth.Server.Endpoints;
 
@@ -61,7 +63,7 @@ public async Task<IResult> AuthorizeAsync(HttpContext ctx)
             {
                 CodeChallenge = request.CodeChallenge,
                 ChallengeMethod = request.ChallengeMethod,
-                DeviceId = request.DeviceId,
+                Device = request.Device,
                 RedirectUri = request.RedirectUri,
                 ClientProfile = auth.ClientProfile,
                 Tenant = auth.Tenant
@@ -108,7 +110,7 @@ public async Task<IResult> TryCompleteAsync(HttpContext ctx)
                 clientProfile: authContext.ClientProfile,
                 tenant: authContext.Tenant,
                 redirectUri: null,
-                deviceId: artifact.Context.DeviceId),
+                device: artifact.Context.Device),
             _clock.UtcNow);
 
         if (!validation.Success)
@@ -130,7 +132,7 @@ public async Task<IResult> TryCompleteAsync(HttpContext ctx)
         var execution = new AuthExecutionContext
         {
             EffectiveClientProfile = artifact.Context.ClientProfile,
-            Device = DeviceContext.Create(DeviceId.Create(artifact.Context.DeviceId))
+            Device = artifact.Context.Device
         };
 
         var preview = await _internalFlowService.LoginAsync(authContext, execution, loginRequest,
@@ -204,19 +206,41 @@ public async Task<IResult> CompleteAsync(HttpContext ctx)
 
         if (ctx.Request.HasFormContentType)
         {
-            var form = await ctx.Request.ReadFormAsync(ctx.RequestAborted);
+            var form = await ctx.GetCachedFormAsync();
 
             var codeChallenge = form["code_challenge"].ToString();
             var challengeMethod = form["challenge_method"].ToString();
             var redirectUri = form["redirect_uri"].ToString();
-            var deviceId = form["device_id"].ToString();
+
+            var deviceRaw = form["device"].FirstOrDefault();
+            DeviceContext? device = null;
+
+            if (!string.IsNullOrWhiteSpace(deviceRaw))
+            {
+                try
+                {
+                    var bytes = WebEncoders.Base64UrlDecode(deviceRaw);
+                    var json = Encoding.UTF8.GetString(bytes);
+                    device = JsonSerializer.Deserialize<DeviceContext>(json);
+                }
+                catch
+                {
+                    device = null;
+                }
+            }
+
+            if (device == null)
+            {
+                var info = await ctx.GetDeviceAsync();
+                device = DeviceContext.Create(info.DeviceId, info.DeviceType, info.Platform, info.OperatingSystem, info.Browser, info.IpAddress);
+            }
 
             return new PkceAuthorizeRequest
             {
                 CodeChallenge = codeChallenge,
                 ChallengeMethod = challengeMethod,
                 RedirectUri = string.IsNullOrWhiteSpace(redirectUri) ? null : redirectUri,
-                DeviceId = deviceId
+                Device = device
             };
         }
 
@@ -268,7 +292,7 @@ private async Task<IResult> RedirectToLoginWithErrorAsync(HttpContext ctx, AuthF
                 hub.SetError(HubErrorCode.InvalidCredentials);
                 await _authStore.StoreAsync(key, hub);
 
-                return Results.Redirect($"{basePath}?hub={Uri.EscapeDataString(hubKey)}");
+                return Results.Redirect($"{basePath}?{UAuthConstants.Query.Hub}={Uri.EscapeDataString(hubKey)}");
             }
         }
         return Results.Redirect(basePath);
@@ -276,7 +300,7 @@ private async Task<IResult> RedirectToLoginWithErrorAsync(HttpContext ctx, AuthF
 
     private async Task<string?> ResolveHubKeyAsync(HttpContext ctx)
     {
-        if (ctx.Request.Query.TryGetValue("hub", out var q) && !string.IsNullOrWhiteSpace(q))
+        if (ctx.Request.Query.TryGetValue(UAuthConstants.Query.Hub, out var q) && !string.IsNullOrWhiteSpace(q))
             return q.ToString();
 
         if (ctx.Request.HasFormContentType)
diff --git a/src/CodeBeam.UltimateAuth.Server/Flows/Pkce/PkceAuthorizationValidator.cs b/src/CodeBeam.UltimateAuth.Server/Flows/Pkce/PkceAuthorizationValidator.cs
index 1f1f22b2..e5e96256 100644
--- a/src/CodeBeam.UltimateAuth.Server/Flows/Pkce/PkceAuthorizationValidator.cs
+++ b/src/CodeBeam.UltimateAuth.Server/Flows/Pkce/PkceAuthorizationValidator.cs
@@ -11,8 +11,8 @@ public PkceValidationResult Validate(PkceAuthorizationArtifact artifact, string
         if (artifact.IsExpired(now))
             return PkceValidationResult.Fail(PkceValidationFailureReason.ArtifactExpired);
 
-        //if (!IsContextValid(artifact.Context, completionContext))
-            //return PkceValidationResult.Fail(PkceValidationFailureReason.ContextMismatch);
+        if (!IsContextValid(artifact.Context, completionContext))
+            return PkceValidationResult.Fail(PkceValidationFailureReason.ContextMismatch);
 
         if (artifact.ChallengeMethod != PkceChallengeMethod.S256)
             return PkceValidationResult.Fail(PkceValidationFailureReason.UnsupportedChallengeMethod);
@@ -25,8 +25,9 @@ public PkceValidationResult Validate(PkceAuthorizationArtifact artifact, string
 
     private static bool IsContextValid(PkceContextSnapshot original, PkceContextSnapshot completion)
     {
-        if (!original.ClientProfile.Equals(completion.ClientProfile))
-            return false;
+        // TODO: Fix this
+        //if (!original.ClientProfile.Equals(completion.ClientProfile))
+        //    return false;
 
         if (!string.Equals(original.Tenant, completion.Tenant, StringComparison.Ordinal))
             return false;
@@ -34,7 +35,7 @@ private static bool IsContextValid(PkceContextSnapshot original, PkceContextSnap
         if (!string.Equals(original.RedirectUri, completion.RedirectUri, StringComparison.Ordinal))
             return false;
 
-        if (!string.Equals(original.DeviceId, completion.DeviceId, StringComparison.Ordinal))
+        if (!Equals(original.Device, completion.Device))
             return false;
 
         return true;
diff --git a/src/CodeBeam.UltimateAuth.Server/Flows/Pkce/PkceAuthorizeRequest.cs b/src/CodeBeam.UltimateAuth.Server/Flows/Pkce/PkceAuthorizeRequest.cs
index 9b5d390b..2186a502 100644
--- a/src/CodeBeam.UltimateAuth.Server/Flows/Pkce/PkceAuthorizeRequest.cs
+++ b/src/CodeBeam.UltimateAuth.Server/Flows/Pkce/PkceAuthorizeRequest.cs
@@ -1,9 +1,11 @@
-namespace CodeBeam.UltimateAuth.Server.Flows;
+using CodeBeam.UltimateAuth.Core.Domain;
+
+namespace CodeBeam.UltimateAuth.Server.Flows;
 
 internal sealed class PkceAuthorizeRequest
 {
     public string CodeChallenge { get; init; } = default!;
     public string ChallengeMethod { get; init; } = default!;
     public string? RedirectUri { get; init; }
-    public string? DeviceId { get; init; }
+    public required DeviceContext Device { get; init; }
 }
diff --git a/src/CodeBeam.UltimateAuth.Server/Flows/Pkce/PkceContextSnapshot.cs b/src/CodeBeam.UltimateAuth.Server/Flows/Pkce/PkceContextSnapshot.cs
index 37c10714..289d1b84 100644
--- a/src/CodeBeam.UltimateAuth.Server/Flows/Pkce/PkceContextSnapshot.cs
+++ b/src/CodeBeam.UltimateAuth.Server/Flows/Pkce/PkceContextSnapshot.cs
@@ -1,4 +1,5 @@
-using CodeBeam.UltimateAuth.Core.MultiTenancy;
+using CodeBeam.UltimateAuth.Core.Domain;
+using CodeBeam.UltimateAuth.Core.MultiTenancy;
 using CodeBeam.UltimateAuth.Core.Options;
 
 namespace CodeBeam.UltimateAuth.Server.Flows;
@@ -14,12 +15,12 @@ public PkceContextSnapshot(
         UAuthClientProfile clientProfile,
         TenantKey tenant,
         string? redirectUri,
-        string? deviceId)
+        DeviceContext device)
     {
         ClientProfile = clientProfile;
         Tenant = tenant;
         RedirectUri = redirectUri;
-        DeviceId = deviceId;
+        Device = device;
     }
 
     /// <summary>
@@ -42,5 +43,5 @@ public PkceContextSnapshot(
     /// Optional device binding identifier.
     /// Enables future hard-binding of PKCE flows to devices.
     /// </summary>
-    public string? DeviceId { get; }
+    public DeviceContext Device { get; }
 }
diff --git a/src/CodeBeam.UltimateAuth.Server/Infrastructure/Device/DeviceResolver.cs b/src/CodeBeam.UltimateAuth.Server/Infrastructure/Device/DeviceResolver.cs
index 9748509e..8fa959b7 100644
--- a/src/CodeBeam.UltimateAuth.Server/Infrastructure/Device/DeviceResolver.cs
+++ b/src/CodeBeam.UltimateAuth.Server/Infrastructure/Device/DeviceResolver.cs
@@ -1,4 +1,5 @@
-using CodeBeam.UltimateAuth.Core.Contracts;
+using CodeBeam.UltimateAuth.Core.Abstractions;
+using CodeBeam.UltimateAuth.Core.Contracts;
 using CodeBeam.UltimateAuth.Core.Defaults;
 using CodeBeam.UltimateAuth.Core.Domain;
 using CodeBeam.UltimateAuth.Server.Abstractions;
@@ -8,10 +9,16 @@
 
 namespace CodeBeam.UltimateAuth.Server.Infrastructure;
 
-// TODO: This is a very basic implementation.
-// Consider creating a seperate package with a library like UA Parser, WURFL or DeviceAtlas for more accurate device detection. (Add IDeviceInfoParser)
+// TODO: Consider creating a seperate package with a library like UA Parser, WURFL or DeviceAtlas for more accurate device detection.
 public sealed class DeviceResolver : IDeviceResolver
 {
+    private readonly IUserAgentParser _userAgentParser;
+
+    public DeviceResolver(IUserAgentParser userAgentParser)
+    {
+        _userAgentParser = userAgentParser;
+    }
+
     public async Task<DeviceInfo> ResolveAsync(HttpContext context)
     {
         var request = context.Request;
@@ -23,12 +30,15 @@ public async Task<DeviceInfo> ResolveAsync(HttpContext context)
         }
 
         var ua = request.Headers.UserAgent.ToString();
+        var parsed = _userAgentParser.Parse(ua);
+
         var deviceInfo = new DeviceInfo
         {
             DeviceId = deviceId,
-            Platform = ResolvePlatform(ua),
-            OperatingSystem = ResolveOperatingSystem(ua),
-            Browser = ResolveBrowser(ua),
+            DeviceType = parsed.DeviceType,
+            Platform = parsed.Platform,
+            OperatingSystem = parsed.OperatingSystem,
+            Browser = parsed.Browser,
             UserAgent = ua,
             IpAddress = ResolveIp(context)
         };
@@ -59,63 +69,6 @@ public async Task<DeviceInfo> ResolveAsync(HttpContext context)
         return null;
     }
 
-    private static string? ResolvePlatform(string ua)
-    {
-        var s = ua.ToLowerInvariant();
-
-        if (s.Contains("ipad") || s.Contains("tablet") || s.Contains("sm-t") /* bazı samsung tabletler */)
-            return "tablet";
-
-        if (s.Contains("mobi") || s.Contains("iphone") || s.Contains("android"))
-            return "mobile";
-
-        return "desktop";
-    }
-
-    private static string? ResolveOperatingSystem(string ua)
-    {
-        var s = ua.ToLowerInvariant();
-
-        if (s.Contains("iphone") || s.Contains("ipad") || s.Contains("cpu os") || s.Contains("ios"))
-            return "ios";
-
-        if (s.Contains("android"))
-            return "android";
-
-        if (s.Contains("windows nt"))
-            return "windows";
-
-        if (s.Contains("mac os x") || s.Contains("macintosh"))
-            return "macos";
-
-        if (s.Contains("linux"))
-            return "linux";
-
-        return "unknown";
-    }
-
-    private static string? ResolveBrowser(string ua)
-    {
-        var s = ua.ToLowerInvariant();
-
-        if (s.Contains("edg/"))
-            return "edge";
-
-        if (s.Contains("opr/") || s.Contains("opera"))
-            return "opera";
-
-        if (s.Contains("chrome/") && !s.Contains("chromium/"))
-            return "chrome";
-
-        if (s.Contains("safari/") && !s.Contains("chrome/") && !s.Contains("crios/"))
-            return "safari";
-
-        if (s.Contains("firefox/"))
-            return "firefox";
-
-        return "unknown";
-    }
-
     private static string? ResolveIp(HttpContext context)
     {
         var forwarded = context.Request.Headers["X-Forwarded-For"].FirstOrDefault();
diff --git a/src/CodeBeam.UltimateAuth.Server/Infrastructure/Hub/HandleHubEntry.cs b/src/CodeBeam.UltimateAuth.Server/Infrastructure/Hub/HandleHubEntry.cs
index 0b2805ec..9af186da 100644
--- a/src/CodeBeam.UltimateAuth.Server/Infrastructure/Hub/HandleHubEntry.cs
+++ b/src/CodeBeam.UltimateAuth.Server/Infrastructure/Hub/HandleHubEntry.cs
@@ -1,11 +1,15 @@
 using CodeBeam.UltimateAuth.Core.Abstractions;
+using CodeBeam.UltimateAuth.Core.Defaults;
 using CodeBeam.UltimateAuth.Core.Domain;
 using CodeBeam.UltimateAuth.Core.Options;
 using CodeBeam.UltimateAuth.Server.Extensions;
 using CodeBeam.UltimateAuth.Server.Options;
 using CodeBeam.UltimateAuth.Server.Stores;
 using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.WebUtilities;
 using Microsoft.Extensions.Options;
+using System.Text;
+using System.Text.Json;
 
 namespace CodeBeam.UltimateAuth.Server.Infrastructure;
 
@@ -33,20 +37,42 @@ internal static async Task<IResult> HandleHubEntry(HttpContext ctx, IAuthStore s
         var payload = new HubFlowPayload();
         payload.Set("authorization_code", authorizationCode);
         payload.Set("code_verifier", codeVerifier);
-        payload.Set("device_id", deviceId);
 
         var tenant = ctx.GetTenant();
 
+        var deviceRaw = form["device"].FirstOrDefault();
+        DeviceContext device;
+
+        if (!string.IsNullOrWhiteSpace(deviceRaw))
+        {
+            try
+            {
+                var bytes = WebEncoders.Base64UrlDecode(deviceRaw);
+                var json = Encoding.UTF8.GetString(bytes);
+
+                device = JsonSerializer.Deserialize<DeviceContext>(json) ?? DeviceContext.Anonymous();
+            }
+            catch
+            {
+                device = DeviceContext.Anonymous();
+            }
+        }
+        else
+        {
+            device = DeviceContext.Anonymous();
+        }
+
         var artifact = new HubFlowArtifact(
             hubSessionId,
             HubFlowType.Login,
             clientProfile,
             tenant,
+            device,
             returnUrl,
             payload,
             clock.UtcNow.Add(options.Value.Hub.FlowLifetime));
 
         await store.StoreAsync(new AuthArtifactKey(hubSessionId.Value), artifact);
-        return Results.Redirect($"{options.Value.Hub.LoginPath}?hub={hubSessionId.Value}");
+        return Results.Redirect($"{options.Value.Hub.LoginPath}?{UAuthConstants.Query.Hub}={hubSessionId.Value}");
     }
 }
diff --git a/src/CodeBeam.UltimateAuth.Server/Services/HubFlowService.cs b/src/CodeBeam.UltimateAuth.Server/Services/HubFlowService.cs
index c9767792..6081eb86 100644
--- a/src/CodeBeam.UltimateAuth.Server/Services/HubFlowService.cs
+++ b/src/CodeBeam.UltimateAuth.Server/Services/HubFlowService.cs
@@ -1,5 +1,4 @@
 using CodeBeam.UltimateAuth.Core.Abstractions;
-using CodeBeam.UltimateAuth.Core.Contracts;
 using CodeBeam.UltimateAuth.Core.Domain;
 using CodeBeam.UltimateAuth.Server.Contracts;
 using CodeBeam.UltimateAuth.Server.Options;
@@ -36,13 +35,13 @@ public async Task<HubSessionResult> BeginLoginAsync(HubBeginRequest request, Can
         var payload = new HubFlowPayload();
         payload.Set("authorization_code", request.AuthorizationCode);
         payload.Set("code_verifier", request.CodeVerifier);
-        payload.Set("device_id", request.DeviceId);
 
         var artifact = new HubFlowArtifact(
             hubSessionId,
             HubFlowType.Login,
             request.ClientProfile,
             request.Tenant,
+            request.Device,
             request.ReturnUrl,
             payload,
             _clock.UtcNow.Add(_options.Hub.FlowLifetime));
diff --git a/src/CodeBeam.UltimateAuth.Server/Services/PkceService.cs b/src/CodeBeam.UltimateAuth.Server/Services/PkceService.cs
index b3921bd8..321d9ba5 100644
--- a/src/CodeBeam.UltimateAuth.Server/Services/PkceService.cs
+++ b/src/CodeBeam.UltimateAuth.Server/Services/PkceService.cs
@@ -42,7 +42,7 @@ public async Task<PkceAuthorizeResponse> AuthorizeAsync(PkceAuthorizeCommand com
             clientProfile: command.ClientProfile,
             tenant: command.Tenant,
             redirectUri: command.RedirectUri,
-            deviceId: command.DeviceId
+            device: command.Device
         );
 
         var expiresAt = _clock.UtcNow.AddSeconds(_options.Pkce.AuthorizationCodeLifetimeSeconds);
@@ -85,7 +85,7 @@ public async Task<PkceCompleteResult> CompleteAsync(AuthFlowContext auth, PkceCo
                 clientProfile: auth.ClientProfile,
                 tenant: auth.Tenant,
                 redirectUri: null,
-                deviceId: artifact.Context.DeviceId),
+                device: artifact.Context.Device),
             _clock.UtcNow);
 
         if (!validation.Success)
@@ -109,7 +109,7 @@ public async Task<PkceCompleteResult> CompleteAsync(AuthFlowContext auth, PkceCo
         var execution = new AuthExecutionContext
         {
             EffectiveClientProfile = artifact.Context.ClientProfile,
-            Device = DeviceContext.Create(DeviceId.Create(artifact.Context.DeviceId))
+            Device = artifact.Context.Device
         };
 
         var result = await _flow.LoginAsync(auth, execution, loginRequest, ct);
@@ -124,19 +124,16 @@ public async Task<PkceCompleteResult> CompleteAsync(AuthFlowContext auth, PkceCo
 
     public async Task<HubCredentials> RefreshAsync(HubFlowArtifact hub, CancellationToken ct = default)
     {
-        if (!hub.Payload.TryGet<string>("device_id", out var deviceId) || string.IsNullOrWhiteSpace(deviceId))
-            throw new InvalidOperationException("HubFlow missing device_id.");
-
         var verifier = CreateVerifier();
         var challenge = CreateChallenge(verifier);
-
+        var device = hub.Device;
         var authorizationCode = AuthArtifactKey.New();
 
         var snapshot = new PkceContextSnapshot(
             clientProfile: hub.ClientProfile,
             tenant: hub.Tenant,
             redirectUri: null,
-            deviceId: deviceId
+            device: device
         );
 
         var expiresAt = _clock.UtcNow.AddSeconds(_options.Pkce.AuthorizationCodeLifetimeSeconds);
diff --git a/src/client/CodeBeam.UltimateAuth.Client.Blazor/Components/UAuthFlowPageBase.cs b/src/client/CodeBeam.UltimateAuth.Client.Blazor/Components/Base/UAuthFlowPageBase.cs
similarity index 100%
rename from src/client/CodeBeam.UltimateAuth.Client.Blazor/Components/UAuthFlowPageBase.cs
rename to src/client/CodeBeam.UltimateAuth.Client.Blazor/Components/Base/UAuthFlowPageBase.cs
diff --git a/src/client/CodeBeam.UltimateAuth.Client.Blazor/Components/Base/UAuthHubLayoutComponentBase.cs b/src/client/CodeBeam.UltimateAuth.Client.Blazor/Components/Base/UAuthHubLayoutComponentBase.cs
new file mode 100644
index 00000000..48b248c3
--- /dev/null
+++ b/src/client/CodeBeam.UltimateAuth.Client.Blazor/Components/Base/UAuthHubLayoutComponentBase.cs
@@ -0,0 +1,59 @@
+using CodeBeam.UltimateAuth.Core.Abstractions;
+using CodeBeam.UltimateAuth.Core.Defaults;
+using CodeBeam.UltimateAuth.Core.Domain;
+using Microsoft.AspNetCore.Components;
+
+namespace CodeBeam.UltimateAuth.Client.Blazor;
+
+public abstract class UAuthHubLayoutComponentBase : LayoutComponentBase
+{
+    [Inject] protected NavigationManager Navigation { get; set; } = default!;
+    [Inject] protected IHubFlowReader HubFlowReader { get; set; } = default!;
+
+    protected HubFlowState? HubState { get; private set; }
+
+    protected bool HasHub => HubState?.Exists == true;
+    protected bool IsHubAuthorized => HasHub && HubState?.IsActive == true;
+    protected bool IsExpired => HubState?.IsExpired == true;
+    protected HubErrorCode? Error => HubState?.Error;
+
+    private string? _lastHubKey;
+
+    protected override async Task OnParametersSetAsync()
+    {
+        await base.OnParametersSetAsync();
+
+        var hubKey = ResolveHubKey();
+
+        if (string.IsNullOrWhiteSpace(hubKey))
+        {
+            HubState = null;
+            return;
+        }
+
+        if (_lastHubKey == hubKey && HubState is not null)
+            return;
+
+        _lastHubKey = hubKey;
+
+        if (HubSessionId.TryParse(hubKey, out var hubId))
+        {
+            HubState = await HubFlowReader.GetStateAsync(hubId);
+        }
+        else
+        {
+            HubState = null;
+        }
+    }
+
+    protected virtual string? ResolveHubKey()
+    {
+        var uri = Navigation.ToAbsoluteUri(Navigation.Uri);
+        var query = Microsoft.AspNetCore.WebUtilities.QueryHelpers.ParseQuery(uri.Query);
+
+        if (query.TryGetValue(UAuthConstants.Query.Hub, out var hubValue))
+            return hubValue.ToString();
+
+        return null;
+    }
+}
diff --git a/src/client/CodeBeam.UltimateAuth.Client.Blazor/Components/UAuthHubPageBase.cs b/src/client/CodeBeam.UltimateAuth.Client.Blazor/Components/Base/UAuthHubPageBase.cs
similarity index 100%
rename from src/client/CodeBeam.UltimateAuth.Client.Blazor/Components/UAuthHubPageBase.cs
rename to src/client/CodeBeam.UltimateAuth.Client.Blazor/Components/Base/UAuthHubPageBase.cs
diff --git a/src/client/CodeBeam.UltimateAuth.Client.Blazor/Components/UAuthReactiveComponentBase.cs b/src/client/CodeBeam.UltimateAuth.Client.Blazor/Components/Base/UAuthReactiveComponentBase.cs
similarity index 100%
rename from src/client/CodeBeam.UltimateAuth.Client.Blazor/Components/UAuthReactiveComponentBase.cs
rename to src/client/CodeBeam.UltimateAuth.Client.Blazor/Components/Base/UAuthReactiveComponentBase.cs
diff --git a/src/client/CodeBeam.UltimateAuth.Client.Blazor/Extensions/ServiceCollectionExtensions.cs b/src/client/CodeBeam.UltimateAuth.Client.Blazor/Extensions/ServiceCollectionExtensions.cs
index 1d3b84de..5a8f3d95 100644
--- a/src/client/CodeBeam.UltimateAuth.Client.Blazor/Extensions/ServiceCollectionExtensions.cs
+++ b/src/client/CodeBeam.UltimateAuth.Client.Blazor/Extensions/ServiceCollectionExtensions.cs
@@ -50,6 +50,7 @@ private static IServiceCollection AddUltimateAuthClientBlazorInternal(this IServ
 
         services.AddScoped<IBrowserUAuthBridge, BrowserUAuthBridge>();
         services.AddScoped<IReturnUrlProvider, BlazorReturnUrlProvider>();
+        services.AddScoped<IClientDeviceProvider, ClientDeviceProvider>();
 
         services.AddAuthorizationCore();
 
diff --git a/src/client/CodeBeam.UltimateAuth.Client.Blazor/Infrastructure/ClientDeviceProvider.cs b/src/client/CodeBeam.UltimateAuth.Client.Blazor/Infrastructure/ClientDeviceProvider.cs
new file mode 100644
index 00000000..838ec578
--- /dev/null
+++ b/src/client/CodeBeam.UltimateAuth.Client.Blazor/Infrastructure/ClientDeviceProvider.cs
@@ -0,0 +1,44 @@
+using CodeBeam.UltimateAuth.Client.Abstractions;
+using CodeBeam.UltimateAuth.Core.Abstractions;
+using CodeBeam.UltimateAuth.Core.Domain;
+using Microsoft.JSInterop;
+
+namespace CodeBeam.UltimateAuth.Client.Blazor;
+
+internal sealed class ClientDeviceProvider : IClientDeviceProvider
+{
+    private readonly IJSRuntime _js;
+    private readonly IDeviceIdProvider _deviceIdProvider;
+    private readonly IUserAgentParser _userAgentParser;
+
+    public ClientDeviceProvider(IJSRuntime js, IDeviceIdProvider deviceIdProvider, IUserAgentParser userAgentParser)
+    {
+        _js = js;
+        _deviceIdProvider = deviceIdProvider;
+        _userAgentParser = userAgentParser;
+    }
+
+    public async Task<DeviceContext> GetAsync()
+    {
+        var deviceId = await _deviceIdProvider.GetOrCreateAsync();
+        var jsInfo = await _js.InvokeAsync<ClientDeviceJsInfo>("uauth.getDeviceInfo");
+        var ua = jsInfo.UserAgent;
+        var parsed = _userAgentParser.Parse(ua);
+
+        return DeviceContext.Create(
+            deviceId,
+            deviceType: parsed.DeviceType,
+            platform: parsed.Platform,
+            operatingSystem: parsed.OperatingSystem,
+            browser: parsed.Browser,
+            ipAddress: null
+        );
+    }
+
+    private sealed class ClientDeviceJsInfo
+    {
+        public string UserAgent { get; set; } = default!;
+        public string Platform { get; set; } = default!;
+        public string Language { get; set; } = default!;
+    }
+}
diff --git a/src/client/CodeBeam.UltimateAuth.Client.Blazor/TScripts/uauth.js b/src/client/CodeBeam.UltimateAuth.Client.Blazor/TScripts/uauth.js
index a045e254..a1eddceb 100644
--- a/src/client/CodeBeam.UltimateAuth.Client.Blazor/TScripts/uauth.js
+++ b/src/client/CodeBeam.UltimateAuth.Client.Blazor/TScripts/uauth.js
@@ -234,3 +234,11 @@ window.uauth.postJson = async function (options) {
 window.uauth.setDeviceId = function (value) {
     window.uauth.deviceId = value;
 };
+
+window.uauth.getDeviceInfo = function () {
+    return {
+        userAgent: navigator.userAgent,
+        platform: navigator.platform,
+        language: navigator.language
+    };
+};
diff --git a/src/client/CodeBeam.UltimateAuth.Client.Blazor/wwwroot/uauth.min.js b/src/client/CodeBeam.UltimateAuth.Client.Blazor/wwwroot/uauth.min.js
index 190db2a7..28aff8b9 100644
--- a/src/client/CodeBeam.UltimateAuth.Client.Blazor/wwwroot/uauth.min.js
+++ b/src/client/CodeBeam.UltimateAuth.Client.Blazor/wwwroot/uauth.min.js
@@ -1 +1 @@
-window.uauth=window.uauth||{};window.uauth.storage={set:function(n,t,i){const r=n==="local"?window.localStorage:window.sessionStorage;r.setItem(t,i)},get:function(n,t){const i=n==="local"?window.localStorage:window.sessionStorage;return i.getItem(t)},remove:function(n,t){const i=n==="local"?window.localStorage:window.sessionStorage;i.removeItem(t)},exists:function(n,t){const i=n==="local"?window.localStorage:window.sessionStorage;return i.getItem(t)!==null}};window.uauth.submitForm=function(n){if(n){if(!window.uauth.deviceId)throw new Error("UAuth deviceId is not initialized.");let t=n.querySelector("input[name='__uauth_device']");t||(t=document.createElement("input"),t.type="hidden",t.name="__uauth_device",n.appendChild(t));t.value=window.uauth.deviceId;n.submit()}};window.uauth.tryAndCommit=async function(n){const{tryUrl:f,commitUrl:e,data:i,clientProfile:r}=n,o=await window.uauth.postJson({url:f,payload:i,clientProfile:r});let t=o?.body;t||(t={});const u={success:t.success??!1,reason:t.reason??null,remainingAttempts:t.remainingAttempts??null,lockoutUntilUtc:t.lockoutUntilUtc??null,requiresMfa:t.requiresMfa??!1,retryWithNewPkce:t.retryWithNewPkce??!1};if(u.success){const n=document.createElement("form");n.method="POST";n.action=e;for(const t in i){const r=document.createElement("input");r.type="hidden";r.name=t;r.value=i[t]??"";n.appendChild(r)}const t=document.createElement("input");t.type="hidden";t.name="__uauth_client_profile";t.value=r??"";n.appendChild(t);const u=document.createElement("input");u.type="hidden";u.name="__uauth_device";u.value=window.uauth.deviceId;n.appendChild(u);document.body.appendChild(n);n.submit()}return u};window.uauth.post=async function(n){const{url:f,mode:s,data:t,clientProfile:e}=n;if(s==="navigate"){const n=document.createElement("form");n.method="POST";n.action=f;const i=document.createElement("input");i.type="hidden";i.name="__uauth_client_profile";i.value=e??"";n.appendChild(i);const r=document.createElement("input");if(r.type="hidden",r.name="__uauth_device",r.value=window.uauth.deviceId,n.appendChild(r),t)for(const i in t){const r=document.createElement("input");r.type="hidden";r.name=i;r.value=t[i];n.appendChild(r)}return document.body.appendChild(n),n.submit(),null}let r=null;if(!window.uauth.deviceId)throw new Error("UAuth deviceId is not initialized.");const o={"X-UDID":window.uauth.deviceId,"X-UAuth-ClientProfile":e,"X-Requested-With":"UAuth"};if(t){r=new URLSearchParams;for(const n in t)r.append(n,t[n]);o["Content-Type"]="application/x-www-form-urlencoded"}const i=await fetch(f,{method:"POST",credentials:"include",headers:o,body:r});let u=null;try{u=await i.json()}catch{u=null}return{ok:i.ok,status:i.status,refreshOutcome:i.headers.get("X-UAuth-Refresh"),body:u}};window.uauth.postJson=async function(n){const{url:u,payload:r,clientProfile:f}=n;if(!window.uauth.deviceId)throw new Error("UAuth deviceId is not initialized.");const e={"Content-Type":"application/json","X-UDID":window.uauth.deviceId,"X-UAuth-ClientProfile":f??"","X-Requested-With":"UAuth"},t=await fetch(u,{method:"POST",credentials:"include",headers:e,body:r?JSON.stringify(r):null});let i=null;try{i=await t.json()}catch{i=null}return{ok:t.ok,status:t.status,refreshOutcome:t.headers.get("X-UAuth-Refresh"),body:i}};window.uauth.setDeviceId=function(n){window.uauth.deviceId=n}
\ No newline at end of file
+window.uauth=window.uauth||{};window.uauth.storage={set:function(n,t,i){const r=n==="local"?window.localStorage:window.sessionStorage;r.setItem(t,i)},get:function(n,t){const i=n==="local"?window.localStorage:window.sessionStorage;return i.getItem(t)},remove:function(n,t){const i=n==="local"?window.localStorage:window.sessionStorage;i.removeItem(t)},exists:function(n,t){const i=n==="local"?window.localStorage:window.sessionStorage;return i.getItem(t)!==null}};window.uauth.submitForm=function(n){if(n){if(!window.uauth.deviceId)throw new Error("UAuth deviceId is not initialized.");let t=n.querySelector("input[name='__uauth_device']");t||(t=document.createElement("input"),t.type="hidden",t.name="__uauth_device",n.appendChild(t));t.value=window.uauth.deviceId;n.submit()}};window.uauth.tryAndCommit=async function(n){const{tryUrl:f,commitUrl:e,data:i,clientProfile:r}=n,o=await window.uauth.postJson({url:f,payload:i,clientProfile:r});let t=o?.body;t||(t={});const u={success:t.success??!1,reason:t.reason??null,remainingAttempts:t.remainingAttempts??null,lockoutUntilUtc:t.lockoutUntilUtc??null,requiresMfa:t.requiresMfa??!1,retryWithNewPkce:t.retryWithNewPkce??!1};if(u.success){const n=document.createElement("form");n.method="POST";n.action=e;for(const t in i){const r=document.createElement("input");r.type="hidden";r.name=t;r.value=i[t]??"";n.appendChild(r)}const t=document.createElement("input");t.type="hidden";t.name="__uauth_client_profile";t.value=r??"";n.appendChild(t);const u=document.createElement("input");u.type="hidden";u.name="__uauth_device";u.value=window.uauth.deviceId;n.appendChild(u);document.body.appendChild(n);n.submit()}return u};window.uauth.post=async function(n){const{url:f,mode:s,data:t,clientProfile:e}=n;if(s==="navigate"){const n=document.createElement("form");n.method="POST";n.action=f;const i=document.createElement("input");i.type="hidden";i.name="__uauth_client_profile";i.value=e??"";n.appendChild(i);const r=document.createElement("input");if(r.type="hidden",r.name="__uauth_device",r.value=window.uauth.deviceId,n.appendChild(r),t)for(const i in t){const r=document.createElement("input");r.type="hidden";r.name=i;r.value=t[i];n.appendChild(r)}return document.body.appendChild(n),n.submit(),null}let r=null;if(!window.uauth.deviceId)throw new Error("UAuth deviceId is not initialized.");const o={"X-UDID":window.uauth.deviceId,"X-UAuth-ClientProfile":e,"X-Requested-With":"UAuth"};if(t){r=new URLSearchParams;for(const n in t)r.append(n,t[n]);o["Content-Type"]="application/x-www-form-urlencoded"}const i=await fetch(f,{method:"POST",credentials:"include",headers:o,body:r});let u=null;try{u=await i.json()}catch{u=null}return{ok:i.ok,status:i.status,refreshOutcome:i.headers.get("X-UAuth-Refresh"),body:u}};window.uauth.postJson=async function(n){const{url:u,payload:r,clientProfile:f}=n;if(!window.uauth.deviceId)throw new Error("UAuth deviceId is not initialized.");const e={"Content-Type":"application/json","X-UDID":window.uauth.deviceId,"X-UAuth-ClientProfile":f??"","X-Requested-With":"UAuth"},t=await fetch(u,{method:"POST",credentials:"include",headers:e,body:r?JSON.stringify(r):null});let i=null;try{i=await t.json()}catch{i=null}return{ok:t.ok,status:t.status,refreshOutcome:t.headers.get("X-UAuth-Refresh"),body:i}};window.uauth.setDeviceId=function(n){window.uauth.deviceId=n};window.uauth.getDeviceInfo=function(){return{userAgent:navigator.userAgent,platform:navigator.platform,language:navigator.language}}
\ No newline at end of file
diff --git a/src/client/CodeBeam.UltimateAuth.Client/Abstractions/IClientDeviceProvider.cs b/src/client/CodeBeam.UltimateAuth.Client/Abstractions/IClientDeviceProvider.cs
new file mode 100644
index 00000000..d307fbdc
--- /dev/null
+++ b/src/client/CodeBeam.UltimateAuth.Client/Abstractions/IClientDeviceProvider.cs
@@ -0,0 +1,8 @@
+using CodeBeam.UltimateAuth.Core.Domain;
+
+namespace CodeBeam.UltimateAuth.Client.Abstractions;
+
+public interface IClientDeviceProvider
+{
+    Task<DeviceContext> GetAsync();
+}
diff --git a/src/client/CodeBeam.UltimateAuth.Client/Services/UAuthFlowClient.cs b/src/client/CodeBeam.UltimateAuth.Client/Services/UAuthFlowClient.cs
index e2aeb57e..da874cf6 100644
--- a/src/client/CodeBeam.UltimateAuth.Client/Services/UAuthFlowClient.cs
+++ b/src/client/CodeBeam.UltimateAuth.Client/Services/UAuthFlowClient.cs
@@ -22,15 +22,17 @@ internal class UAuthFlowClient : IFlowClient
 {
     private readonly IUAuthRequestClient _post;
     private readonly IUAuthClientEvents _events;
+    private readonly IClientDeviceProvider _clientDeviceProvider;
     private readonly IDeviceIdProvider _deviceIdProvider;
     private readonly IReturnUrlProvider _returnUrlProvider;
     private readonly UAuthClientOptions _options;
     private readonly UAuthClientDiagnostics _diagnostics;
 
-    public UAuthFlowClient(IUAuthRequestClient post, IUAuthClientEvents events, IDeviceIdProvider deviceIdProvider, IReturnUrlProvider returnUrlProvider, IOptions<UAuthClientOptions> options, UAuthClientDiagnostics diagnostics)
+    public UAuthFlowClient(IUAuthRequestClient post, IUAuthClientEvents events, IClientDeviceProvider clientDeviceProvider, IDeviceIdProvider deviceIdProvider, IReturnUrlProvider returnUrlProvider, IOptions<UAuthClientOptions> options, UAuthClientDiagnostics diagnostics)
     {
         _post = post;
         _events = events;
+        _clientDeviceProvider = clientDeviceProvider;
         _deviceIdProvider = deviceIdProvider;
         _returnUrlProvider = returnUrlProvider;
         _options = options.Value;
@@ -198,7 +200,7 @@ public async Task<AuthValidationResult> ValidateAsync()
     public async Task BeginPkceAsync(string? returnUrl = null)
     {
         var pkce = _options.Pkce;
-        var deviceId = await _deviceIdProvider.GetOrCreateAsync();
+        var device = await _clientDeviceProvider.GetAsync();
 
         if (!pkce.Enabled)
             throw new InvalidOperationException("PKCE login is disabled by configuration.");
@@ -213,8 +215,7 @@ public async Task BeginPkceAsync(string? returnUrl = null)
             new Dictionary<string, string>
             {
                 ["code_challenge"] = challenge,
-                ["challenge_method"] = "S256",
-                ["device_id"] = deviceId.Value
+                ["challenge_method"] = "S256"
             });
 
         if (!raw.Ok || raw.Body is null)
@@ -237,7 +238,7 @@ public async Task BeginPkceAsync(string? returnUrl = null)
 
         if (pkce.AutoRedirect)
         {
-            await NavigateToHubLoginAsync(response.AuthorizationCode, verifier, resolvedReturnUrl, deviceId.Value);
+            await NavigateToHubLoginAsync(response.AuthorizationCode, verifier, resolvedReturnUrl, device);
         }
     }
 
@@ -411,17 +412,20 @@ private IDictionary<string, string> BuildPayload(LoginRequest request, string? r
         return payload;
     }
 
-    private Task NavigateToHubLoginAsync(string authorizationCode, string codeVerifier, string returnUrl, string deviceId)
+    private Task NavigateToHubLoginAsync(string authorizationCode, string codeVerifier, string returnUrl, DeviceContext device)
     {
         var hubLoginUrl = Url(_options.Endpoints.HubLoginPath);
 
+        var deviceJson = JsonSerializer.Serialize(device);
+        var deviceEncoded = Base64Url.Encode(Encoding.UTF8.GetBytes(deviceJson));
+
         var data = new Dictionary<string, string>
         {
             ["authorization_code"] = authorizationCode,
             ["code_verifier"] = codeVerifier,
             ["return_url"] = returnUrl,
             ["client_profile"] = _options.ClientProfile.ToString(),
-            ["device_id"] = deviceId
+            ["device"] = deviceEncoded
         };
 
         return _post.NavigateAsync(hubLoginUrl, data);

From 172a523bd9e50bea66f7d5f0f2c550d7b3a8dbfa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mehmet=20Can=20Karag=C3=B6z?= <m.cankaragoz@outlook.com>
Date: Tue, 24 Mar 2026 01:35:25 +0300
Subject: [PATCH 08/10] Fix PKCE Client Provile & RedirectUri Mismatch

---
 .../Endpoints/PkceEndpointHandler.cs                      | 6 +++---
 .../Flows/Pkce/PkceAuthorizationValidator.cs              | 5 ++---
 src/CodeBeam.UltimateAuth.Server/Services/PkceService.cs  | 8 ++++----
 3 files changed, 9 insertions(+), 10 deletions(-)

diff --git a/src/CodeBeam.UltimateAuth.Server/Endpoints/PkceEndpointHandler.cs b/src/CodeBeam.UltimateAuth.Server/Endpoints/PkceEndpointHandler.cs
index 2d096380..1edfaf7c 100644
--- a/src/CodeBeam.UltimateAuth.Server/Endpoints/PkceEndpointHandler.cs
+++ b/src/CodeBeam.UltimateAuth.Server/Endpoints/PkceEndpointHandler.cs
@@ -107,9 +107,9 @@ public async Task<IResult> TryCompleteAsync(HttpContext ctx)
             artifact,
             request.CodeVerifier,
             new PkceContextSnapshot(
-                clientProfile: authContext.ClientProfile,
-                tenant: authContext.Tenant,
-                redirectUri: null,
+                clientProfile: artifact.Context.ClientProfile,
+                tenant: artifact.Context.Tenant,
+                redirectUri: artifact.Context.RedirectUri,
                 device: artifact.Context.Device),
             _clock.UtcNow);
 
diff --git a/src/CodeBeam.UltimateAuth.Server/Flows/Pkce/PkceAuthorizationValidator.cs b/src/CodeBeam.UltimateAuth.Server/Flows/Pkce/PkceAuthorizationValidator.cs
index e5e96256..ac788f61 100644
--- a/src/CodeBeam.UltimateAuth.Server/Flows/Pkce/PkceAuthorizationValidator.cs
+++ b/src/CodeBeam.UltimateAuth.Server/Flows/Pkce/PkceAuthorizationValidator.cs
@@ -25,9 +25,8 @@ public PkceValidationResult Validate(PkceAuthorizationArtifact artifact, string
 
     private static bool IsContextValid(PkceContextSnapshot original, PkceContextSnapshot completion)
     {
-        // TODO: Fix this
-        //if (!original.ClientProfile.Equals(completion.ClientProfile))
-        //    return false;
+        if (!original.ClientProfile.Equals(completion.ClientProfile))
+            return false;
 
         if (!string.Equals(original.Tenant, completion.Tenant, StringComparison.Ordinal))
             return false;
diff --git a/src/CodeBeam.UltimateAuth.Server/Services/PkceService.cs b/src/CodeBeam.UltimateAuth.Server/Services/PkceService.cs
index 321d9ba5..e1d22fed 100644
--- a/src/CodeBeam.UltimateAuth.Server/Services/PkceService.cs
+++ b/src/CodeBeam.UltimateAuth.Server/Services/PkceService.cs
@@ -82,9 +82,9 @@ public async Task<PkceCompleteResult> CompleteAsync(AuthFlowContext auth, PkceCo
             artifact,
             request.CodeVerifier,
             new PkceContextSnapshot(
-                clientProfile: auth.ClientProfile,
-                tenant: auth.Tenant,
-                redirectUri: null,
+                clientProfile: artifact.Context.ClientProfile,
+                tenant: artifact.Context.Tenant,
+                redirectUri: artifact.Context.RedirectUri,
                 device: artifact.Context.Device),
             _clock.UtcNow);
 
@@ -132,7 +132,7 @@ public async Task<HubCredentials> RefreshAsync(HubFlowArtifact hub, Cancellation
         var snapshot = new PkceContextSnapshot(
             clientProfile: hub.ClientProfile,
             tenant: hub.Tenant,
-            redirectUri: null,
+            redirectUri: hub.ReturnUrl,
             device: device
         );
 

From e773fa9a84b7489103cf74ecd3b2208c89cface1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mehmet=20Can=20Karag=C3=B6z?= <m.cankaragoz@outlook.com>
Date: Tue, 24 Mar 2026 12:35:48 +0300
Subject: [PATCH 09/10] Added PKCE Tests

---
 .../Endpoints/PkceEndpointHandler.cs          |  37 +++--
 .../Services/PkceService.cs                   |   5 +
 .../Services/UAuthFlowClient.cs               |   6 +
 .../Helpers/TestDevice.cs                     |   1 +
 .../Helpers/TestHubFactory.cs                 |  25 ++++
 .../Helpers/TestPkceFactory.cs                |  44 ++++++
 .../Server/LoginOrchestratorTests.cs          |  75 ++++++++++
 .../Server/PkceTests.cs                       | 129 ++++++++++++++++++
 .../Server/TryLoginTests.cs                   |  36 +++++
 9 files changed, 346 insertions(+), 12 deletions(-)
 create mode 100644 tests/CodeBeam.UltimateAuth.Tests.Unit/Helpers/TestHubFactory.cs
 create mode 100644 tests/CodeBeam.UltimateAuth.Tests.Unit/Helpers/TestPkceFactory.cs
 create mode 100644 tests/CodeBeam.UltimateAuth.Tests.Unit/Server/PkceTests.cs
 create mode 100644 tests/CodeBeam.UltimateAuth.Tests.Unit/Server/TryLoginTests.cs

diff --git a/src/CodeBeam.UltimateAuth.Server/Endpoints/PkceEndpointHandler.cs b/src/CodeBeam.UltimateAuth.Server/Endpoints/PkceEndpointHandler.cs
index 1edfaf7c..9743e39e 100644
--- a/src/CodeBeam.UltimateAuth.Server/Endpoints/PkceEndpointHandler.cs
+++ b/src/CodeBeam.UltimateAuth.Server/Endpoints/PkceEndpointHandler.cs
@@ -2,6 +2,7 @@
 using CodeBeam.UltimateAuth.Core.Contracts;
 using CodeBeam.UltimateAuth.Core.Defaults;
 using CodeBeam.UltimateAuth.Core.Domain;
+using CodeBeam.UltimateAuth.Core.Errors;
 using CodeBeam.UltimateAuth.Server.Abstractions;
 using CodeBeam.UltimateAuth.Server.Auth;
 using CodeBeam.UltimateAuth.Server.Extensions;
@@ -208,11 +209,17 @@ public async Task<IResult> CompleteAsync(HttpContext ctx)
         {
             var form = await ctx.GetCachedFormAsync();
 
-            var codeChallenge = form["code_challenge"].ToString();
-            var challengeMethod = form["challenge_method"].ToString();
-            var redirectUri = form["redirect_uri"].ToString();
+            var codeChallenge = form?["code_challenge"].ToString();
+            var challengeMethod = form?["challenge_method"].ToString();
+            var redirectUri = form?["redirect_uri"].ToString();
 
-            var deviceRaw = form["device"].FirstOrDefault();
+            if (string.IsNullOrWhiteSpace(codeChallenge))
+                throw new UAuthValidationException("code_challenge is required");
+
+            if (string.IsNullOrWhiteSpace(challengeMethod))
+                throw new UAuthValidationException("challange_method is required");
+
+            var deviceRaw = form?["device"].FirstOrDefault();
             DeviceContext? device = null;
 
             if (!string.IsNullOrWhiteSpace(deviceRaw))
@@ -258,19 +265,25 @@ public async Task<IResult> CompleteAsync(HttpContext ctx)
         {
             var form = await ctx.GetCachedFormAsync();
 
-            var authorizationCode = form["authorization_code"].FirstOrDefault();
-            var codeVerifier = form["code_verifier"].FirstOrDefault();
-            var identifier = form["Identifier"].FirstOrDefault();
-            var secret = form["Secret"].FirstOrDefault();
-            var returnUrl = form["return_url"].FirstOrDefault();
+            var authorizationCode = form?["authorization_code"].FirstOrDefault();
+            var codeVerifier = form?["code_verifier"].FirstOrDefault();
+            var identifier = form?["Identifier"].FirstOrDefault();
+            var secret = form?["Secret"].FirstOrDefault();
+            var returnUrl = form?["return_url"].FirstOrDefault();
+
+            if (string.IsNullOrWhiteSpace(authorizationCode))
+                throw new UAuthValidationException("authorization_code is required");
+
+            if (string.IsNullOrWhiteSpace(codeVerifier))
+                throw new UAuthValidationException("code_verifier is required");
 
             return new PkceCompleteRequest
             {
                 AuthorizationCode = authorizationCode,
                 CodeVerifier = codeVerifier,
-                Identifier = identifier,
-                Secret = secret,
-                ReturnUrl = returnUrl
+                Identifier = identifier ?? string.Empty,
+                Secret = secret ?? string.Empty,
+                ReturnUrl = returnUrl ?? string.Empty
             };
         }
 
diff --git a/src/CodeBeam.UltimateAuth.Server/Services/PkceService.cs b/src/CodeBeam.UltimateAuth.Server/Services/PkceService.cs
index e1d22fed..c64bff3e 100644
--- a/src/CodeBeam.UltimateAuth.Server/Services/PkceService.cs
+++ b/src/CodeBeam.UltimateAuth.Server/Services/PkceService.cs
@@ -124,6 +124,11 @@ public async Task<PkceCompleteResult> CompleteAsync(AuthFlowContext auth, PkceCo
 
     public async Task<HubCredentials> RefreshAsync(HubFlowArtifact hub, CancellationToken ct = default)
     {
+        if (hub.Payload.TryGet<string>("authorization_code", out var oldCode) && !string.IsNullOrWhiteSpace(oldCode))
+        {
+            await _authStore.ConsumeAsync(new AuthArtifactKey(oldCode), ct);
+        }
+
         var verifier = CreateVerifier();
         var challenge = CreateChallenge(verifier);
         var device = hub.Device;
diff --git a/src/client/CodeBeam.UltimateAuth.Client/Services/UAuthFlowClient.cs b/src/client/CodeBeam.UltimateAuth.Client/Services/UAuthFlowClient.cs
index da874cf6..062de526 100644
--- a/src/client/CodeBeam.UltimateAuth.Client/Services/UAuthFlowClient.cs
+++ b/src/client/CodeBeam.UltimateAuth.Client/Services/UAuthFlowClient.cs
@@ -66,6 +66,9 @@ public async Task<TryLoginResult> TryLoginAsync(LoginRequest request, UAuthSubmi
                 {
                     var result = await _post.SendJsonAsync(tryUrl, request);
 
+                    if (result.Body is null)
+                        throw new UAuthProtocolException("Empty response body.");
+
                     var parsed = result.Body.Value.Deserialize<TryLoginResult>(
                         new JsonSerializerOptions { PropertyNameCaseInsensitive = true });
 
@@ -278,6 +281,9 @@ public async Task<TryPkceLoginResult> TryCompletePkceLoginAsync(PkceCompleteRequ
                 {
                     var raw = await _post.SendJsonAsync(tryUrl, request);
 
+                    if (raw.Body is null)
+                        throw new UAuthProtocolException("Empty response body.");
+
                     var parsed = raw.Body.Value.Deserialize<TryPkceLoginResult>(
                         new JsonSerializerOptions { PropertyNameCaseInsensitive = true });
 
diff --git a/tests/CodeBeam.UltimateAuth.Tests.Unit/Helpers/TestDevice.cs b/tests/CodeBeam.UltimateAuth.Tests.Unit/Helpers/TestDevice.cs
index 87daa2e2..5e4c9238 100644
--- a/tests/CodeBeam.UltimateAuth.Tests.Unit/Helpers/TestDevice.cs
+++ b/tests/CodeBeam.UltimateAuth.Tests.Unit/Helpers/TestDevice.cs
@@ -5,4 +5,5 @@ namespace CodeBeam.UltimateAuth.Tests.Unit.Helpers;
 internal static class TestDevice
 {
     public static DeviceContext Default() => DeviceContext.Create(DeviceId.Create("test-device-000-000-000-000-01"), null, null, null, null, null);
+    public static DeviceContext Alternative() => DeviceContext.Create(DeviceId.Create("test-device-000-000-000-000-alternative"), null, null, null, null, null);
 }
diff --git a/tests/CodeBeam.UltimateAuth.Tests.Unit/Helpers/TestHubFactory.cs b/tests/CodeBeam.UltimateAuth.Tests.Unit/Helpers/TestHubFactory.cs
new file mode 100644
index 00000000..e53df279
--- /dev/null
+++ b/tests/CodeBeam.UltimateAuth.Tests.Unit/Helpers/TestHubFactory.cs
@@ -0,0 +1,25 @@
+using CodeBeam.UltimateAuth.Core.Domain;
+using CodeBeam.UltimateAuth.Server.Flows;
+
+namespace CodeBeam.UltimateAuth.Tests.Unit.Helpers;
+
+internal static class TestHubFactory
+{
+    public static HubFlowArtifact Create(PkceAuthorizationArtifact pkce)
+    {
+        var payload = new HubFlowPayload();
+        payload.Set("authorization_code", pkce.AuthorizationCode.Value);
+        payload.Set("code_verifier", "test");
+
+        return new HubFlowArtifact(
+            HubSessionId.New(),
+            HubFlowType.Login,
+            pkce.Context.ClientProfile,
+            pkce.Context.Tenant,
+            TestDevice.Default(),
+            "/",
+            payload,
+            DateTimeOffset.UtcNow.AddMinutes(5)
+        );
+    }
+}
diff --git a/tests/CodeBeam.UltimateAuth.Tests.Unit/Helpers/TestPkceFactory.cs b/tests/CodeBeam.UltimateAuth.Tests.Unit/Helpers/TestPkceFactory.cs
new file mode 100644
index 00000000..eeafc7da
--- /dev/null
+++ b/tests/CodeBeam.UltimateAuth.Tests.Unit/Helpers/TestPkceFactory.cs
@@ -0,0 +1,44 @@
+using CodeBeam.UltimateAuth.Core.Infrastructure;
+using CodeBeam.UltimateAuth.Core.MultiTenancy;
+using CodeBeam.UltimateAuth.Core.Options;
+using CodeBeam.UltimateAuth.Server.Flows;
+using CodeBeam.UltimateAuth.Server.Stores;
+using System.Security.Cryptography;
+using System.Text;
+
+namespace CodeBeam.UltimateAuth.Tests.Unit.Helpers;
+
+internal static class TestPkceFactory
+{
+    public static (PkceAuthorizationArtifact Artifact, string Verifier) Create(
+        UAuthClientProfile profile = UAuthClientProfile.BlazorWasm,
+        TenantKey? tenant = null)
+    {
+        tenant ??= TenantKeys.Single;
+
+        var verifier = "test_verifier_123";
+
+        using var sha256 = SHA256.Create();
+        var hash = sha256.ComputeHash(Encoding.ASCII.GetBytes(verifier));
+        var challenge = Base64Url.Encode(hash);
+
+        var key = AuthArtifactKey.New();
+
+        var snapshot = new PkceContextSnapshot(
+            clientProfile: profile,
+            tenant: (TenantKey)tenant,
+            redirectUri: "/",
+            device: TestDevice.Default()
+        );
+
+        var artifact = new PkceAuthorizationArtifact(
+            authorizationCode: key,
+            codeChallenge: challenge,
+            challengeMethod: PkceChallengeMethod.S256,
+            expiresAt: DateTimeOffset.UtcNow.AddMinutes(5),
+            context: snapshot
+        );
+
+        return (artifact, verifier);
+    }
+}
diff --git a/tests/CodeBeam.UltimateAuth.Tests.Unit/Server/LoginOrchestratorTests.cs b/tests/CodeBeam.UltimateAuth.Tests.Unit/Server/LoginOrchestratorTests.cs
index 199ba153..8aeb4392 100644
--- a/tests/CodeBeam.UltimateAuth.Tests.Unit/Server/LoginOrchestratorTests.cs
+++ b/tests/CodeBeam.UltimateAuth.Tests.Unit/Server/LoginOrchestratorTests.cs
@@ -4,6 +4,10 @@
 using CodeBeam.UltimateAuth.Core.Domain;
 using CodeBeam.UltimateAuth.Core.Events;
 using CodeBeam.UltimateAuth.Core.MultiTenancy;
+using CodeBeam.UltimateAuth.Core.Options;
+using CodeBeam.UltimateAuth.Server.Auth;
+using CodeBeam.UltimateAuth.Server.Flows;
+using CodeBeam.UltimateAuth.Server.Services;
 using CodeBeam.UltimateAuth.Tests.Unit.Helpers;
 using FluentAssertions;
 using Microsoft.Extensions.DependencyInjection;
@@ -357,4 +361,75 @@ public async Task Event_handler_exception_should_not_break_login_flow()
 
         result.IsSuccess.Should().BeTrue();
     }
+
+    [Fact]
+    public async Task Login_With_Execution_Context_Should_Create_Session_For_Overridden_Device()
+    {
+        var runtime = new TestAuthRuntime<string>();
+
+        using var scope = runtime.Services.CreateScope();
+
+        var flowService = scope.ServiceProvider.GetRequiredService<IUAuthFlowService>();
+        var sessionStoreFactory = scope.ServiceProvider.GetRequiredService<ISessionStoreFactory>();
+
+        var flow = await runtime.CreateLoginFlowAsync();
+        var overriddenDevice = TestDevice.Alternative();
+
+        var execution = new AuthExecutionContext
+        {
+            EffectiveClientProfile = UAuthClientProfile.BlazorWasm,
+            Device = overriddenDevice
+        };
+
+        var result = await flowService.LoginAsync(
+            flow,
+            execution,
+            new LoginRequest
+            {
+                Identifier = "user",
+                Secret = "user"
+            }, CancellationToken.None);
+
+        result.IsSuccess.Should().BeTrue();
+        result.SessionId.Should().NotBeNull();
+
+        var sessionStore = sessionStoreFactory.Create(TenantKeys.Single);
+        var session = await sessionStore.GetSessionAsync(result.SessionId!.Value);
+
+        session.Should().NotBeNull();
+        session!.Device.DeviceId.Should().Be(overriddenDevice.DeviceId);
+
+        var chainStore = sessionStoreFactory.Create(TenantKeys.Single);
+        var chain = await chainStore.GetChainByDeviceAsync(TestUsers.User, (DeviceId)overriddenDevice.DeviceId!);
+
+        chain.Should().NotBeNull();
+        chain!.Device.DeviceId.Should().Be(overriddenDevice.DeviceId);
+    }
+
+    [Fact]
+    public async Task Internal_Login_Should_Respect_LoginExecutionOptions()
+    {
+        var runtime = new TestAuthRuntime<string>();
+
+        using var scope = runtime.Services.CreateScope();
+
+        var service = scope.ServiceProvider.GetRequiredService<IUAuthInternalFlowService>();
+        var flow = await runtime.CreateLoginFlowAsync();
+
+        var options = new LoginExecutionOptions
+        {
+            
+        };
+
+        var result = await service.LoginAsync(
+            flow,
+            new LoginRequest
+            {
+                Identifier = "user",
+                Secret = "user"
+            },
+            options);
+
+        result.IsSuccess.Should().BeTrue();
+    }
 }
diff --git a/tests/CodeBeam.UltimateAuth.Tests.Unit/Server/PkceTests.cs b/tests/CodeBeam.UltimateAuth.Tests.Unit/Server/PkceTests.cs
new file mode 100644
index 00000000..702308a5
--- /dev/null
+++ b/tests/CodeBeam.UltimateAuth.Tests.Unit/Server/PkceTests.cs
@@ -0,0 +1,129 @@
+using CodeBeam.UltimateAuth.Server.Flows;
+using CodeBeam.UltimateAuth.Server.Services;
+using CodeBeam.UltimateAuth.Server.Stores;
+using CodeBeam.UltimateAuth.Tests.Unit.Helpers;
+using FluentAssertions;
+using Microsoft.Extensions.DependencyInjection;
+
+namespace CodeBeam.UltimateAuth.Tests.Unit;
+
+public class PkceTests
+{
+    [Fact]
+    public void Pkce_Should_Succeed_With_Valid_Data()
+    {
+        var validator = new PkceAuthorizationValidator();
+        var (artifact, verifier) = TestPkceFactory.Create();
+        var result = validator.Validate(artifact, verifier, artifact.Context, DateTimeOffset.UtcNow);
+
+        result.Success.Should().BeTrue();
+    }
+
+    [Fact]
+    public void Pkce_Should_Fail_With_Invalid_Verifier()
+    {
+        var validator = new PkceAuthorizationValidator();
+        var (artifact, _) = TestPkceFactory.Create();
+        var result = validator.Validate(artifact, "wrong_verifier", artifact.Context, DateTimeOffset.UtcNow);
+
+        result.Success.Should().BeFalse();
+        result.FailureReason.Should().Be(PkceValidationFailureReason.InvalidVerifier);
+    }
+
+    [Fact]
+    public void Pkce_Should_Fail_On_Device_Mismatch()
+    {
+        var validator = new PkceAuthorizationValidator();
+        var (artifact, verifier) = TestPkceFactory.Create();
+
+        var wrongContext = new PkceContextSnapshot(
+            artifact.Context.ClientProfile,
+            artifact.Context.Tenant,
+            artifact.Context.RedirectUri,
+            device: TestDevice.Alternative()
+        );
+
+        var result = validator.Validate(artifact, verifier, wrongContext, DateTimeOffset.UtcNow);
+
+        result.Success.Should().BeFalse();
+        result.FailureReason.Should().Be(PkceValidationFailureReason.ContextMismatch);
+    }
+
+    [Fact]
+    public async Task Refresh_Should_Generate_New_AuthorizationCode()
+    {
+        var runtime = new TestAuthRuntime<string>();
+
+        using var scope = runtime.Services.CreateScope();
+
+        var store = scope.ServiceProvider.GetRequiredService<IAuthStore>();
+        var pkceService = scope.ServiceProvider.GetRequiredService<IPkceService>();
+
+        var (artifact, _) = TestPkceFactory.Create();
+
+        await store.StoreAsync(artifact.AuthorizationCode, artifact);
+
+        var hub = TestHubFactory.Create(artifact);
+
+        var refreshed = await pkceService.RefreshAsync(hub);
+
+        refreshed.AuthorizationCode.Should().NotBe(artifact.AuthorizationCode.Value);
+    }
+
+    [Fact]
+    public async Task Refresh_Should_Store_New_PkceArtifact()
+    {
+        var runtime = new TestAuthRuntime<string>();
+
+        using var scope = runtime.Services.CreateScope();
+
+        var store = scope.ServiceProvider.GetRequiredService<IAuthStore>();
+        var pkceService = scope.ServiceProvider.GetRequiredService<IPkceService>();
+
+        var (artifact, _) = TestPkceFactory.Create();
+
+        await store.StoreAsync(artifact.AuthorizationCode, artifact);
+
+        var hub = TestHubFactory.Create(artifact);
+
+        var refreshed = await pkceService.RefreshAsync(hub);
+
+        var stored = await store.GetAsync(new AuthArtifactKey(refreshed.AuthorizationCode));
+
+        stored.Should().NotBeNull();
+    }
+
+    [Fact]
+    public async Task Refresh_Should_Invalidate_Old_Code()
+    {
+        var runtime = new TestAuthRuntime<string>();
+        using var scope = runtime.Services.CreateScope();
+        var store = scope.ServiceProvider.GetRequiredService<IAuthStore>();
+        var pkceService = scope.ServiceProvider.GetRequiredService<IPkceService>();
+
+        var (artifact, _) = TestPkceFactory.Create();
+        await store.StoreAsync(artifact.AuthorizationCode, artifact);
+        var hub = TestHubFactory.Create(artifact);
+        var refreshed = await pkceService.RefreshAsync(hub);
+        var old = await store.GetAsync(artifact.AuthorizationCode);
+
+        old.Should().BeNull();
+    }
+
+    [Fact]
+    public async Task Refresh_Should_Preserve_Context()
+    {
+        var runtime = new TestAuthRuntime<string>();
+        using var scope = runtime.Services.CreateScope();
+        var pkceService = scope.ServiceProvider.GetRequiredService<IPkceService>();
+
+        var (artifact, _) = TestPkceFactory.Create();
+        var hub = TestHubFactory.Create(artifact);
+        var refreshed = await pkceService.RefreshAsync(hub);
+
+        var store = scope.ServiceProvider.GetRequiredService<IAuthStore>();
+        var newArtifact = await store.GetAsync(new AuthArtifactKey(refreshed.AuthorizationCode)) as PkceAuthorizationArtifact;
+
+        newArtifact!.Context.Device.Should().BeEquivalentTo(artifact.Context.Device);
+    }
+}
diff --git a/tests/CodeBeam.UltimateAuth.Tests.Unit/Server/TryLoginTests.cs b/tests/CodeBeam.UltimateAuth.Tests.Unit/Server/TryLoginTests.cs
new file mode 100644
index 00000000..e337339b
--- /dev/null
+++ b/tests/CodeBeam.UltimateAuth.Tests.Unit/Server/TryLoginTests.cs
@@ -0,0 +1,36 @@
+using CodeBeam.UltimateAuth.Core.Contracts;
+using CodeBeam.UltimateAuth.Server.Flows;
+using CodeBeam.UltimateAuth.Tests.Unit.Helpers;
+using FluentAssertions;
+using Microsoft.Extensions.DependencyInjection;
+using System;
+using System.Collections.Generic;
+using System.Text;
+
+namespace CodeBeam.UltimateAuth.Tests.Unit.Server
+{
+    public class TryLoginTests
+    {
+        [Fact]
+        public async Task TryLogin_Should_Return_Preview_On_Failure()
+        {
+            var runtime = new TestAuthRuntime<string>();
+
+            using var scope = runtime.Services.CreateScope();
+
+            var flow = await runtime.CreateLoginFlowAsync();
+            var orchestrator = scope.ServiceProvider.GetRequiredService<ILoginOrchestrator>();
+
+            var result = await orchestrator.LoginAsync(flow, new LoginRequest
+            {
+                Identifier = "user",
+                Secret = "wrong"
+            });
+
+            result.Should().NotBeNull();
+            result.IsSuccess.Should().BeFalse();
+
+            result.RemainingAttempts.Should().NotBeNull();
+        }
+    }
+}

From 26d4e7351fc7ce0c2affa09fa22deb3bb4b87008 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mehmet=20Can=20Karag=C3=B6z?= <m.cankaragoz@outlook.com>
Date: Tue, 24 Mar 2026 18:06:34 +0300
Subject: [PATCH 10/10] Little Sample Change

---
 .../Components/Pages/Home.razor.cs                         | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)

diff --git a/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Components/Pages/Home.razor.cs b/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Components/Pages/Home.razor.cs
index b8cf4512..c3258e6a 100644
--- a/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Components/Pages/Home.razor.cs
+++ b/samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Components/Pages/Home.razor.cs
@@ -39,13 +39,12 @@ protected override async Task OnAfterRenderAsync(bool firstRender)
 
         if (HubState is null || !HubState.Exists)
         {
-            await StartNewPkceAsync();
             return;
         }
 
         if (HubState.IsExpired)
         {
-            await StartNewPkceAsync();
+            await ContinuePkceAsync();
             return;
         }
 
@@ -154,10 +153,6 @@ private async Task<string> ResolveReturnUrlAsync()
                 return flow.ReturnUrl!;
         }
 
-        // Config default (recommend adding to options)
-        //if (!string.IsNullOrWhiteSpace(_options.Login.DefaultReturnUrl))
-        //    return _options.Login.DefaultReturnUrl!;
-
         return Nav.Uri;
     }