Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Provide a set of Blazor authentication components in the Blazor project template #48786

Closed
Tracked by #47286
mkArtakMSFT opened this issue Jun 13, 2023 · 3 comments
Closed
Tracked by #47286
Assignees
Labels
area-identity Includes: Identity and providers enhancement This issue represents an ask for new feature or an enhancement to an existing one feature-token-identity
Milestone

Comments

@mkArtakMSFT
Copy link
Member

In .NET 8 we plan to have a set of authentication components (Login / Register / Reset Password / ...) as part of the Blazor project template when individual authentication option is used.
Because those components will be in the template, customizing those will be simple and completely under developer's control.

@mkArtakMSFT mkArtakMSFT added enhancement This issue represents an ask for new feature or an enhancement to an existing one area-identity Includes: Identity and providers labels Jun 13, 2023
@mkArtakMSFT mkArtakMSFT added this to the 8.0-rc1 milestone Jun 13, 2023
@JeremyLikness
Copy link
Member

This is our current server-scaffolded Identity UI for reference.

graph LR

A[Register] --> B[Login]
B --> C[Confirm Email]
C --> D[Forgot Password]
D --> E[Reset Password]
B --> F[External Login]
F --> G[External Provider]
G --> B
B --> H[Two-Factor Authentication]
H --> I[Recovery Code]
I --> J[Verify Phone]
H --> K[Setup Authenticator]
K --> L[QR Code]
K --> M[Manual Entry]
H --> N[Reset Authenticator]
N --> O[New Authenticator]
O --> K
B --> P[Lockout]
P --> Q[Unlock Account]
B --> R[Remember Me]
B --> S[Logout]
S --> T[Post Logout]
T --> B
Loading
  • Register: The page where new users can create an account by providing their details.
  • Login: The page where users can enter their credentials to authenticate and log in.
  • Confirm Email: This page allows users to confirm their email address by clicking on a verification link sent to their registered email.
  • Forgot Password: Users can enter their email address on this page to receive a password reset link via email.
  • Reset Password: After clicking the password reset link, users land on this page to enter a new password.
  • External Login: This page provides options for users to log in using external providers (e.g., Google, Facebook).
  • External Provider: Represents the external provider (e.g., Google, Facebook) that handles the authentication process.
  • Two-Factor Authentication: This page enables users to set up and manage two-factor authentication for their account.
  • Recovery Code: Users can generate and manage recovery codes on this page for two-factor authentication.
  • Verify Phone: This page allows users to verify their phone number for two-factor authentication.
  • Setup Authenticator: Users can set up an authenticator app (e.g., Google Authenticator) for two-factor authentication.
  • QR Code: This page displays a QR code that users can scan using an authenticator app for setup.
  • Manual Entry: Users can manually enter a code from the authenticator app for setup.
  • Reset Authenticator: This page allows users to reset their authenticator app and set up a new one.
  • New Authenticator: Users can set up a new authenticator app after resetting the previous one.
  • Lockout: If there are failed login attempts, this page displays a lockout message to the user.
  • Unlock Account: This page allows users to unlock their account if it has been locked due to excessive failed login attempts.
  • Remember Me: Users can choose to have their login session persisted by selecting the "Remember Me" option.
  • Logout: Clicking on the logout button directs users to log out from the application.
  • Post Logout: This page is shown after successful logout, indicating that the user has been logged out.

@dvtkrlbs
Copy link

dvtkrlbs commented Jul 6, 2023

Will these components use the bootstrap for the scaffolding like existing razor pages do. Or are you planning to use something like fluent ui for these pages ?

@idea-lei
Copy link

idea-lei commented Aug 5, 2023

Will these components be available for blazor server? (due to WebSocket and SignInManager)

@mkArtakMSFT mkArtakMSFT modified the milestones: 8.0-rc1, 8.0-rc2 Aug 9, 2023
mkArtakMSFT pushed a commit that referenced this issue Sep 22, 2023
# Add Identity Components to Blazor template

## Description

This adds the option to add Identity Razor Components (`*.razor` files) when using the Blazor project template. This supports the same feature set as the Identity Razor Pages (`*.cshtml` files). We've already done an accessibility pass over these newly added components and this PR includes all the fixes for Accessibility too. As with the Identity Razor Pages, this supports local authentication (with the option to configure external login providers) and Identity management using EF Core.

Fixes #48786

## Customer Impact

These Identity Razor Components have been a common request for years as noted above, because it allows Blazor developers to use Identity without needing to add Razor Pages infrastructure which would otherwise be unnecessary and doesn't integrate well with the rest of the app. For example, the Identity Razor Pages to a Blazor app would use a different layout that doesn't match the look and feel of the Razor Components that make up the rest of the app.

## Regression?

- [ ] Yes
- [x] No

## Risk

- [ ] High
- [ ] Medium
- [x] Low

These are template only changes that only affect the brand new Blazor project template. It should have no impact on the project template output unless you opt-in to the individual auth option (other than a [small fix](5462e42) to make the `--empty` option produce compileable output with all `InteractivityPlatform` options.)

## Verification

- [x] Manual (required)
- [x] Automated

We're also adding new validation scenarios for vendors to validate periodically.

## Packaging changes reviewed?

- [ ] Yes
- [ ] No
- [x] N/A

----

- [x] Finish user management components for 2fa, external login, personal data, etc...
- [x] Add signout link
- [x] Verify RegisterOnPersisting gets invoked as expected with the changes from #50625
- [x] Render ShowRecoveryCodes.razor inline rather than via a redirect.
- [x] Add baseline tests
- [x] Fix BOMs
- [x] Validate the template in VS
javiercn added a commit that referenced this issue Sep 28, 2023
* [release/8.0-rc2] [Blazor] Make auto components prefer the existing render mode (#50851)

# Make auto components prefer the existing render mode

Ensures that if interactive components exist on the page and they all use a single render mode, components with the "Auto" render mode will also use that render mode.

## Description

It's a common requirement for state to be shared between interactive root components. For example, the `<HeadOutlet>` component, which allows updating content in the HTML `<head>`, renders content specified by a `<HeadContent>` component, if it exists. However, this only works if the `<HeadOutlet>` and `<HeadContent>` components use the same interactive render mode.

The Auto render mode lets Blazor select a "best" render mode (either Server or WebAssembly) at runtime, primarily depending on whether Blazor WebAssembly resources are cached in the browser. However, previously it did this without taking into consideration the render mode used by existing components on the page.

For example, suppose a `<HeadOutlet>` with an Auto render mode gets added to the page before WebAssembly resources have been loaded and cached, so it uses Blazor Server. Later, a `<HeadContent>` component, also with an Auto render mode, gets added to the page. But at this point, WebAssembly resources have loaded completely, so the `<HeadContent>` component uses Blazor WebAssembly. In this example, the content in the `<head>` does not update, because the `<HeadOutlet>` and `<HeadContent>` use different render modes.

This PR updates the auto render mode decision making logic to the following:
* If WebAssembly components exist on the page, use WebAssembly
* Otherwise, if Server components exist on the page, use Server
* Otherwise, if WebAssembly resources are cached, use WebAssembly
* Otherwise, use Server

Fixes #50686

## Customer Impact

Medium/high. We've seen multiple reports of the existing behavior causing problems in customer apps, and there isn't a workaround.

## Regression?

- [ ] Yes
- [X] No

This behavior has existed since the Auto render mode was introduced in an earlier .NET 8 preview release.

## Risk

- [ ] High
- [ ] Medium
- [X] Low

This PR is a small change to the Auto mode logic. It's unlikely that customers were already relying on the existing behavior.

## Verification

- [X] Manual (required)
- [X] Automated

## Packaging changes reviewed?

- [ ] Yes
- [ ] No
- [X] N/A

* Add Identity Components to Blazor template (#50722)

# Add Identity Components to Blazor template

## Description

This adds the option to add Identity Razor Components (`*.razor` files) when using the Blazor project template. This supports the same feature set as the Identity Razor Pages (`*.cshtml` files). We've already done an accessibility pass over these newly added components and this PR includes all the fixes for Accessibility too. As with the Identity Razor Pages, this supports local authentication (with the option to configure external login providers) and Identity management using EF Core.

Fixes #48786

## Customer Impact

These Identity Razor Components have been a common request for years as noted above, because it allows Blazor developers to use Identity without needing to add Razor Pages infrastructure which would otherwise be unnecessary and doesn't integrate well with the rest of the app. For example, the Identity Razor Pages to a Blazor app would use a different layout that doesn't match the look and feel of the Razor Components that make up the rest of the app.

## Regression?

- [ ] Yes
- [x] No

## Risk

- [ ] High
- [ ] Medium
- [x] Low

These are template only changes that only affect the brand new Blazor project template. It should have no impact on the project template output unless you opt-in to the individual auth option (other than a [small fix](5462e42) to make the `--empty` option produce compileable output with all `InteractivityPlatform` options.)

## Verification

- [x] Manual (required)
- [x] Automated

We're also adding new validation scenarios for vendors to validate periodically.

## Packaging changes reviewed?

- [ ] Yes
- [ ] No
- [x] N/A

----

- [x] Finish user management components for 2fa, external login, personal data, etc...
- [x] Add signout link
- [x] Verify RegisterOnPersisting gets invoked as expected with the changes from #50625
- [x] Render ShowRecoveryCodes.razor inline rather than via a redirect.
- [x] Add baseline tests
- [x] Fix BOMs
- [x] Validate the template in VS

* Add logging to Http.Sys tests (#50883)

* Skip failing tests (#50917)

* Avoid re-running routing for implicit middlewares and remove implicit anti-forgery (#50864)

## Description

Avoid running routing eagerly in implicit middlewares to prevents the `EndpointFeature` from being set and causing unexpected reactions in other middlewares, like the static file middleware.

We also remove the implicit registration of the anti-forgery middleware to avoid unintended collisions with authentication in Blazor.

Fixes #50818, #50815, #50844

## Customer Impact

Without this change, the anti-forgery middleware in Blazor apps runs too early and is not able to examine authentication state in the application. Requiring the middleware to be registered explicitly ensures that the correct ordering is applied.

Without this change, users will run into difficult to resolve issues with building applications that include forms with Blazor web apps.

## Regression?

- [X] Yes
- [ ] No

This is a regression that was introduced to middleware routing in .NET 8 Preview 7.

## Risk

- [ ] High
- [X] Medium
- [ ] Low

**Medium risk** because:
- We are reverting a change that was originally applied to resolve #49654. This means that the original bug will impact users, specifically those who are calling `UseRouting` explicitly without calling `UseAuthentication` and `UseAuthorization` if they are not available. There is a workaround that we plan to document this behavior for users.
- Apps deployed in .NET 8 RC 1 will break because we no longer automatically enable the anti-forgery middleware. Users will receive an exception at startup notifying them of the code changes to make in order to get things working correctly.

## Verification

- [X] Manual (required)
- [X] Automated

## Packaging changes reviewed?

- [ ] Yes
- [ ] No
- [X] N/A

* [release/8.0] Update dependencies from dotnet/runtime (#50957)

* Update dependencies from https://github.com/dotnet/runtime build 20230926.15

Microsoft.Bcl.AsyncInterfaces , Microsoft.Bcl.TimeProvider , Microsoft.Extensions.Caching.Abstractions , Microsoft.Extensions.Caching.Memory , Microsoft.Extensions.Configuration , Microsoft.Extensions.Configuration.Abstractions , Microsoft.Extensions.Configuration.Binder , Microsoft.Extensions.Configuration.CommandLine , Microsoft.Extensions.Configuration.EnvironmentVariables , Microsoft.Extensions.Configuration.FileExtensions , Microsoft.Extensions.Configuration.Ini , Microsoft.Extensions.Configuration.Json , Microsoft.Extensions.Configuration.UserSecrets , Microsoft.Extensions.Configuration.Xml , Microsoft.Extensions.DependencyInjection , Microsoft.Extensions.DependencyInjection.Abstractions , Microsoft.Extensions.DependencyModel , Microsoft.Extensions.Diagnostics , Microsoft.Extensions.Diagnostics.Abstractions , Microsoft.Extensions.FileProviders.Abstractions , Microsoft.Extensions.FileProviders.Composite , Microsoft.Extensions.FileProviders.Physical , Microsoft.Extensions.FileSystemGlobbing , Microsoft.Extensions.HostFactoryResolver.Sources , Microsoft.Extensions.Hosting , Microsoft.Extensions.Hosting.Abstractions , Microsoft.Extensions.Http , Microsoft.Extensions.Logging , Microsoft.Extensions.Logging.Abstractions , Microsoft.Extensions.Logging.Configuration , Microsoft.Extensions.Logging.Console , Microsoft.Extensions.Logging.Debug , Microsoft.Extensions.Logging.EventLog , Microsoft.Extensions.Logging.EventSource , Microsoft.Extensions.Logging.TraceSource , Microsoft.Extensions.Options , Microsoft.Extensions.Options.ConfigurationExtensions , Microsoft.Extensions.Options.DataAnnotations , Microsoft.Extensions.Primitives , Microsoft.Internal.Runtime.AspNetCore.Transport , Microsoft.NET.Runtime.MonoAOTCompiler.Task , Microsoft.NET.Runtime.WebAssembly.Sdk , Microsoft.NETCore.App.Ref , Microsoft.NETCore.App.Runtime.AOT.win-x64.Cross.browser-wasm , Microsoft.NETCore.App.Runtime.win-x64 , Microsoft.NETCore.BrowserDebugHost.Transport , Microsoft.NETCore.Platforms , System.Collections.Immutable , System.Composition , System.Configuration.ConfigurationManager , System.Diagnostics.DiagnosticSource , System.Diagnostics.EventLog , System.Diagnostics.PerformanceCounter , System.DirectoryServices.Protocols , System.IO.Hashing , System.IO.Pipelines , System.Net.Http.Json , System.Net.Http.WinHttpHandler , System.Reflection.Metadata , System.Resources.Extensions , System.Runtime.Caching , System.Security.Cryptography.Pkcs , System.Security.Cryptography.Xml , System.Security.Permissions , System.ServiceProcess.ServiceController , System.Text.Encodings.Web , System.Text.Json , System.Threading.AccessControl , System.Threading.Channels , System.Threading.RateLimiting , Microsoft.SourceBuild.Intermediate.runtime.linux-x64
 From Version 8.0.0-rtm.23475.7 -> To Version 8.0.0-rtm.23476.15

* Update node version

---------

Co-authored-by: dotnet-maestro[bot] <dotnet-maestro[bot]@users.noreply.github.com>
Co-authored-by: jacalvar <jacalvar@microsoft.com>

* [Blazor] Antiforgery fix (#50946)

# Ensure antiforgery token flows to Blazor WebAssembly

The change makes sure that we persist the Antiforgery token during prerendering so that it is available to WebAssembly components.

## Description

* When using cookie authentication it is necessary to use antiforgery protection to prevent cross-site request forgery attacks.
* Blazor Webassembly interactive components must get access to the request antiforgery token to attach it to any outgoing API call.
* The antiforgery request token was not flowing from the server to the client correctly.
* This change enables calling APIs from web assembly to the server safely.
Fixes #50900

## Customer Impact

.NET 8.0 customers who have created Blazor Web Apps will fail to call APIs from webassembly components, as they won't be able to attach the required antiforgery token.

## Regression?

- [ ] Yes
- [X] No

[If yes, specify the version the behavior has regressed from]

## Risk

- [ ] High
- [ ] Medium
- [X] Low

The fix is simple and we added an E2E test to cover the scenario.

## Verification

- [ ] Manual (required)
- [X] Automated

## Packaging changes reviewed?

- [ ] Yes
- [ ] No
- [X] N/A

----

## When servicing release/2.1

- [ ] Make necessary changes in eng/PatchConfig.props

* Update dependencies from https://github.com/dotnet/runtime build 20230927.9 (#50977)

Microsoft.Bcl.AsyncInterfaces , Microsoft.Bcl.TimeProvider , Microsoft.Extensions.Caching.Abstractions , Microsoft.Extensions.Caching.Memory , Microsoft.Extensions.Configuration , Microsoft.Extensions.Configuration.Abstractions , Microsoft.Extensions.Configuration.Binder , Microsoft.Extensions.Configuration.CommandLine , Microsoft.Extensions.Configuration.EnvironmentVariables , Microsoft.Extensions.Configuration.FileExtensions , Microsoft.Extensions.Configuration.Ini , Microsoft.Extensions.Configuration.Json , Microsoft.Extensions.Configuration.UserSecrets , Microsoft.Extensions.Configuration.Xml , Microsoft.Extensions.DependencyInjection , Microsoft.Extensions.DependencyInjection.Abstractions , Microsoft.Extensions.DependencyModel , Microsoft.Extensions.Diagnostics , Microsoft.Extensions.Diagnostics.Abstractions , Microsoft.Extensions.FileProviders.Abstractions , Microsoft.Extensions.FileProviders.Composite , Microsoft.Extensions.FileProviders.Physical , Microsoft.Extensions.FileSystemGlobbing , Microsoft.Extensions.HostFactoryResolver.Sources , Microsoft.Extensions.Hosting , Microsoft.Extensions.Hosting.Abstractions , Microsoft.Extensions.Http , Microsoft.Extensions.Logging , Microsoft.Extensions.Logging.Abstractions , Microsoft.Extensions.Logging.Configuration , Microsoft.Extensions.Logging.Console , Microsoft.Extensions.Logging.Debug , Microsoft.Extensions.Logging.EventLog , Microsoft.Extensions.Logging.EventSource , Microsoft.Extensions.Logging.TraceSource , Microsoft.Extensions.Options , Microsoft.Extensions.Options.ConfigurationExtensions , Microsoft.Extensions.Options.DataAnnotations , Microsoft.Extensions.Primitives , Microsoft.Internal.Runtime.AspNetCore.Transport , Microsoft.NET.Runtime.MonoAOTCompiler.Task , Microsoft.NET.Runtime.WebAssembly.Sdk , Microsoft.NETCore.App.Ref , Microsoft.NETCore.App.Runtime.AOT.win-x64.Cross.browser-wasm , Microsoft.NETCore.App.Runtime.win-x64 , Microsoft.NETCore.BrowserDebugHost.Transport , Microsoft.NETCore.Platforms , System.Collections.Immutable , System.Composition , System.Configuration.ConfigurationManager , System.Diagnostics.DiagnosticSource , System.Diagnostics.EventLog , System.Diagnostics.PerformanceCounter , System.DirectoryServices.Protocols , System.IO.Hashing , System.IO.Pipelines , System.Net.Http.Json , System.Net.Http.WinHttpHandler , System.Reflection.Metadata , System.Resources.Extensions , System.Runtime.Caching , System.Security.Cryptography.Pkcs , System.Security.Cryptography.Xml , System.Security.Permissions , System.ServiceProcess.ServiceController , System.Text.Encodings.Web , System.Text.Json , System.Threading.AccessControl , System.Threading.Channels , System.Threading.RateLimiting , Microsoft.SourceBuild.Intermediate.runtime.linux-x64
 From Version 8.0.0-rtm.23476.15 -> To Version 8.0.0-rtm.23477.9

Co-authored-by: dotnet-maestro[bot] <dotnet-maestro[bot]@users.noreply.github.com>

---------

Co-authored-by: Mackinnon Buck <mackinnon.buck@gmail.com>
Co-authored-by: Stephen Halter <halter73@gmail.com>
Co-authored-by: Brennan <brecon@microsoft.com>
Co-authored-by: William Godbe <wigodbe@microsoft.com>
Co-authored-by: Safia Abdalla <safia@microsoft.com>
Co-authored-by: dotnet-maestro[bot] <42748379+dotnet-maestro[bot]@users.noreply.github.com>
Co-authored-by: dotnet-maestro[bot] <dotnet-maestro[bot]@users.noreply.github.com>
Co-authored-by: jacalvar <jacalvar@microsoft.com>
javiercn added a commit that referenced this issue Sep 28, 2023
* [release/8.0-rc2] [Blazor] Make auto components prefer the existing render mode (#50851)

# Make auto components prefer the existing render mode

Ensures that if interactive components exist on the page and they all use a single render mode, components with the "Auto" render mode will also use that render mode.

## Description

It's a common requirement for state to be shared between interactive root components. For example, the `<HeadOutlet>` component, which allows updating content in the HTML `<head>`, renders content specified by a `<HeadContent>` component, if it exists. However, this only works if the `<HeadOutlet>` and `<HeadContent>` components use the same interactive render mode.

The Auto render mode lets Blazor select a "best" render mode (either Server or WebAssembly) at runtime, primarily depending on whether Blazor WebAssembly resources are cached in the browser. However, previously it did this without taking into consideration the render mode used by existing components on the page.

For example, suppose a `<HeadOutlet>` with an Auto render mode gets added to the page before WebAssembly resources have been loaded and cached, so it uses Blazor Server. Later, a `<HeadContent>` component, also with an Auto render mode, gets added to the page. But at this point, WebAssembly resources have loaded completely, so the `<HeadContent>` component uses Blazor WebAssembly. In this example, the content in the `<head>` does not update, because the `<HeadOutlet>` and `<HeadContent>` use different render modes.

This PR updates the auto render mode decision making logic to the following:
* If WebAssembly components exist on the page, use WebAssembly
* Otherwise, if Server components exist on the page, use Server
* Otherwise, if WebAssembly resources are cached, use WebAssembly
* Otherwise, use Server

Fixes #50686

## Customer Impact

Medium/high. We've seen multiple reports of the existing behavior causing problems in customer apps, and there isn't a workaround.

## Regression?

- [ ] Yes
- [X] No

This behavior has existed since the Auto render mode was introduced in an earlier .NET 8 preview release.

## Risk

- [ ] High
- [ ] Medium
- [X] Low

This PR is a small change to the Auto mode logic. It's unlikely that customers were already relying on the existing behavior.

## Verification

- [X] Manual (required)
- [X] Automated

## Packaging changes reviewed?

- [ ] Yes
- [ ] No
- [X] N/A

* Add Identity Components to Blazor template (#50722)

# Add Identity Components to Blazor template

## Description

This adds the option to add Identity Razor Components (`*.razor` files) when using the Blazor project template. This supports the same feature set as the Identity Razor Pages (`*.cshtml` files). We've already done an accessibility pass over these newly added components and this PR includes all the fixes for Accessibility too. As with the Identity Razor Pages, this supports local authentication (with the option to configure external login providers) and Identity management using EF Core.

Fixes #48786

## Customer Impact

These Identity Razor Components have been a common request for years as noted above, because it allows Blazor developers to use Identity without needing to add Razor Pages infrastructure which would otherwise be unnecessary and doesn't integrate well with the rest of the app. For example, the Identity Razor Pages to a Blazor app would use a different layout that doesn't match the look and feel of the Razor Components that make up the rest of the app.

## Regression?

- [ ] Yes
- [x] No

## Risk

- [ ] High
- [ ] Medium
- [x] Low

These are template only changes that only affect the brand new Blazor project template. It should have no impact on the project template output unless you opt-in to the individual auth option (other than a [small fix](5462e42) to make the `--empty` option produce compileable output with all `InteractivityPlatform` options.)

## Verification

- [x] Manual (required)
- [x] Automated

We're also adding new validation scenarios for vendors to validate periodically.

## Packaging changes reviewed?

- [ ] Yes
- [ ] No
- [x] N/A

----

- [x] Finish user management components for 2fa, external login, personal data, etc...
- [x] Add signout link
- [x] Verify RegisterOnPersisting gets invoked as expected with the changes from #50625
- [x] Render ShowRecoveryCodes.razor inline rather than via a redirect.
- [x] Add baseline tests
- [x] Fix BOMs
- [x] Validate the template in VS

* Add logging to Http.Sys tests (#50883)

* Skip failing tests (#50917)

* Avoid re-running routing for implicit middlewares and remove implicit anti-forgery (#50864)

## Description

Avoid running routing eagerly in implicit middlewares to prevents the `EndpointFeature` from being set and causing unexpected reactions in other middlewares, like the static file middleware.

We also remove the implicit registration of the anti-forgery middleware to avoid unintended collisions with authentication in Blazor.

Fixes #50818, #50815, #50844

## Customer Impact

Without this change, the anti-forgery middleware in Blazor apps runs too early and is not able to examine authentication state in the application. Requiring the middleware to be registered explicitly ensures that the correct ordering is applied.

Without this change, users will run into difficult to resolve issues with building applications that include forms with Blazor web apps.

## Regression?

- [X] Yes
- [ ] No

This is a regression that was introduced to middleware routing in .NET 8 Preview 7.

## Risk

- [ ] High
- [X] Medium
- [ ] Low

**Medium risk** because:
- We are reverting a change that was originally applied to resolve #49654. This means that the original bug will impact users, specifically those who are calling `UseRouting` explicitly without calling `UseAuthentication` and `UseAuthorization` if they are not available. There is a workaround that we plan to document this behavior for users.
- Apps deployed in .NET 8 RC 1 will break because we no longer automatically enable the anti-forgery middleware. Users will receive an exception at startup notifying them of the code changes to make in order to get things working correctly.

## Verification

- [X] Manual (required)
- [X] Automated

## Packaging changes reviewed?

- [ ] Yes
- [ ] No
- [X] N/A

* [release/8.0] Update dependencies from dotnet/runtime (#50957)

* Update dependencies from https://github.com/dotnet/runtime build 20230926.15

Microsoft.Bcl.AsyncInterfaces , Microsoft.Bcl.TimeProvider , Microsoft.Extensions.Caching.Abstractions , Microsoft.Extensions.Caching.Memory , Microsoft.Extensions.Configuration , Microsoft.Extensions.Configuration.Abstractions , Microsoft.Extensions.Configuration.Binder , Microsoft.Extensions.Configuration.CommandLine , Microsoft.Extensions.Configuration.EnvironmentVariables , Microsoft.Extensions.Configuration.FileExtensions , Microsoft.Extensions.Configuration.Ini , Microsoft.Extensions.Configuration.Json , Microsoft.Extensions.Configuration.UserSecrets , Microsoft.Extensions.Configuration.Xml , Microsoft.Extensions.DependencyInjection , Microsoft.Extensions.DependencyInjection.Abstractions , Microsoft.Extensions.DependencyModel , Microsoft.Extensions.Diagnostics , Microsoft.Extensions.Diagnostics.Abstractions , Microsoft.Extensions.FileProviders.Abstractions , Microsoft.Extensions.FileProviders.Composite , Microsoft.Extensions.FileProviders.Physical , Microsoft.Extensions.FileSystemGlobbing , Microsoft.Extensions.HostFactoryResolver.Sources , Microsoft.Extensions.Hosting , Microsoft.Extensions.Hosting.Abstractions , Microsoft.Extensions.Http , Microsoft.Extensions.Logging , Microsoft.Extensions.Logging.Abstractions , Microsoft.Extensions.Logging.Configuration , Microsoft.Extensions.Logging.Console , Microsoft.Extensions.Logging.Debug , Microsoft.Extensions.Logging.EventLog , Microsoft.Extensions.Logging.EventSource , Microsoft.Extensions.Logging.TraceSource , Microsoft.Extensions.Options , Microsoft.Extensions.Options.ConfigurationExtensions , Microsoft.Extensions.Options.DataAnnotations , Microsoft.Extensions.Primitives , Microsoft.Internal.Runtime.AspNetCore.Transport , Microsoft.NET.Runtime.MonoAOTCompiler.Task , Microsoft.NET.Runtime.WebAssembly.Sdk , Microsoft.NETCore.App.Ref , Microsoft.NETCore.App.Runtime.AOT.win-x64.Cross.browser-wasm , Microsoft.NETCore.App.Runtime.win-x64 , Microsoft.NETCore.BrowserDebugHost.Transport , Microsoft.NETCore.Platforms , System.Collections.Immutable , System.Composition , System.Configuration.ConfigurationManager , System.Diagnostics.DiagnosticSource , System.Diagnostics.EventLog , System.Diagnostics.PerformanceCounter , System.DirectoryServices.Protocols , System.IO.Hashing , System.IO.Pipelines , System.Net.Http.Json , System.Net.Http.WinHttpHandler , System.Reflection.Metadata , System.Resources.Extensions , System.Runtime.Caching , System.Security.Cryptography.Pkcs , System.Security.Cryptography.Xml , System.Security.Permissions , System.ServiceProcess.ServiceController , System.Text.Encodings.Web , System.Text.Json , System.Threading.AccessControl , System.Threading.Channels , System.Threading.RateLimiting , Microsoft.SourceBuild.Intermediate.runtime.linux-x64
 From Version 8.0.0-rtm.23475.7 -> To Version 8.0.0-rtm.23476.15

* Update node version

---------

Co-authored-by: dotnet-maestro[bot] <dotnet-maestro[bot]@users.noreply.github.com>
Co-authored-by: jacalvar <jacalvar@microsoft.com>

* [Blazor] Antiforgery fix (#50946)

# Ensure antiforgery token flows to Blazor WebAssembly

The change makes sure that we persist the Antiforgery token during prerendering so that it is available to WebAssembly components.

## Description

* When using cookie authentication it is necessary to use antiforgery protection to prevent cross-site request forgery attacks.
* Blazor Webassembly interactive components must get access to the request antiforgery token to attach it to any outgoing API call.
* The antiforgery request token was not flowing from the server to the client correctly.
* This change enables calling APIs from web assembly to the server safely.
Fixes #50900

## Customer Impact

.NET 8.0 customers who have created Blazor Web Apps will fail to call APIs from webassembly components, as they won't be able to attach the required antiforgery token.

## Regression?

- [ ] Yes
- [X] No

[If yes, specify the version the behavior has regressed from]

## Risk

- [ ] High
- [ ] Medium
- [X] Low

The fix is simple and we added an E2E test to cover the scenario.

## Verification

- [ ] Manual (required)
- [X] Automated

## Packaging changes reviewed?

- [ ] Yes
- [ ] No
- [X] N/A

----

## When servicing release/2.1

- [ ] Make necessary changes in eng/PatchConfig.props

* Update dependencies from https://github.com/dotnet/runtime build 20230927.9 (#50977)

Microsoft.Bcl.AsyncInterfaces , Microsoft.Bcl.TimeProvider , Microsoft.Extensions.Caching.Abstractions , Microsoft.Extensions.Caching.Memory , Microsoft.Extensions.Configuration , Microsoft.Extensions.Configuration.Abstractions , Microsoft.Extensions.Configuration.Binder , Microsoft.Extensions.Configuration.CommandLine , Microsoft.Extensions.Configuration.EnvironmentVariables , Microsoft.Extensions.Configuration.FileExtensions , Microsoft.Extensions.Configuration.Ini , Microsoft.Extensions.Configuration.Json , Microsoft.Extensions.Configuration.UserSecrets , Microsoft.Extensions.Configuration.Xml , Microsoft.Extensions.DependencyInjection , Microsoft.Extensions.DependencyInjection.Abstractions , Microsoft.Extensions.DependencyModel , Microsoft.Extensions.Diagnostics , Microsoft.Extensions.Diagnostics.Abstractions , Microsoft.Extensions.FileProviders.Abstractions , Microsoft.Extensions.FileProviders.Composite , Microsoft.Extensions.FileProviders.Physical , Microsoft.Extensions.FileSystemGlobbing , Microsoft.Extensions.HostFactoryResolver.Sources , Microsoft.Extensions.Hosting , Microsoft.Extensions.Hosting.Abstractions , Microsoft.Extensions.Http , Microsoft.Extensions.Logging , Microsoft.Extensions.Logging.Abstractions , Microsoft.Extensions.Logging.Configuration , Microsoft.Extensions.Logging.Console , Microsoft.Extensions.Logging.Debug , Microsoft.Extensions.Logging.EventLog , Microsoft.Extensions.Logging.EventSource , Microsoft.Extensions.Logging.TraceSource , Microsoft.Extensions.Options , Microsoft.Extensions.Options.ConfigurationExtensions , Microsoft.Extensions.Options.DataAnnotations , Microsoft.Extensions.Primitives , Microsoft.Internal.Runtime.AspNetCore.Transport , Microsoft.NET.Runtime.MonoAOTCompiler.Task , Microsoft.NET.Runtime.WebAssembly.Sdk , Microsoft.NETCore.App.Ref , Microsoft.NETCore.App.Runtime.AOT.win-x64.Cross.browser-wasm , Microsoft.NETCore.App.Runtime.win-x64 , Microsoft.NETCore.BrowserDebugHost.Transport , Microsoft.NETCore.Platforms , System.Collections.Immutable , System.Composition , System.Configuration.ConfigurationManager , System.Diagnostics.DiagnosticSource , System.Diagnostics.EventLog , System.Diagnostics.PerformanceCounter , System.DirectoryServices.Protocols , System.IO.Hashing , System.IO.Pipelines , System.Net.Http.Json , System.Net.Http.WinHttpHandler , System.Reflection.Metadata , System.Resources.Extensions , System.Runtime.Caching , System.Security.Cryptography.Pkcs , System.Security.Cryptography.Xml , System.Security.Permissions , System.ServiceProcess.ServiceController , System.Text.Encodings.Web , System.Text.Json , System.Threading.AccessControl , System.Threading.Channels , System.Threading.RateLimiting , Microsoft.SourceBuild.Intermediate.runtime.linux-x64
 From Version 8.0.0-rtm.23476.15 -> To Version 8.0.0-rtm.23477.9

Co-authored-by: dotnet-maestro[bot] <dotnet-maestro[bot]@users.noreply.github.com>

* [release/8.0] Update dependencies from dotnet/efcore dotnet/extensions (#50671)

[release/8.0] Update dependencies from dotnet/efcore dotnet/extensions


 - Merge branch 'release/8.0' into darc-release/8.0-67c2f3d0-02d1-4633-b986-2922ed8a04d7

 - Update versions

 - Merge branch 'release/8.0' into darc-release/8.0-67c2f3d0-02d1-4633-b986-2922ed8a04d7

 - Merge branch 'release/8.0' into darc-release/8.0-67c2f3d0-02d1-4633-b986-2922ed8a04d7

 - Merge branch 'release/8.0' into darc-release/8.0-67c2f3d0-02d1-4633-b986-2922ed8a04d7

 - Merge branch 'release/8.0' into darc-release/8.0-67c2f3d0-02d1-4633-b986-2922ed8a04d7

 - React to namespace changes

 - More namespace changes

 - Fix up namespaces

---------

Co-authored-by: Mackinnon Buck <mackinnon.buck@gmail.com>
Co-authored-by: Stephen Halter <halter73@gmail.com>
Co-authored-by: Brennan <brecon@microsoft.com>
Co-authored-by: William Godbe <wigodbe@microsoft.com>
Co-authored-by: Safia Abdalla <safia@microsoft.com>
Co-authored-by: dotnet-maestro[bot] <42748379+dotnet-maestro[bot]@users.noreply.github.com>
Co-authored-by: dotnet-maestro[bot] <dotnet-maestro[bot]@users.noreply.github.com>
Co-authored-by: jacalvar <jacalvar@microsoft.com>
@ghost ghost locked as resolved and limited conversation to collaborators Oct 22, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
area-identity Includes: Identity and providers enhancement This issue represents an ask for new feature or an enhancement to an existing one feature-token-identity
Projects
None yet
Development

No branches or pull requests

5 participants