[Breaking change]: Updates to Authentication in webassembly applications #497

Open
1 of 3 tasks
javiercn opened this issue Oct 19, 2022 · 0 comments
Labels
7.0.0 Breaking change Documented The breaking change has been published to the .NET Core docs

Description

We updated our support for authentication in Blazor WebAssembly applications to rely on the history state instead of query strings in the URL. As a result of that, existing applications passing the return URL through the query string will fail to redirect back to the original page after a successful login.

Existing applications should use the new NavigateToLogin extension method as it is able to flow the data to the login page correctly.

Version

.NET 7 RC 1

Previous behavior

The return URL would be specified in the query string as ?returnUrl=<<return-url>>.

New behavior

The return URL along with other parameters passed to the authentication/# page are passed via the history.state entry of the page.

Type of breaking change

  • Binary incompatible: Existing binaries may encounter a breaking change in behavior, such as failure to load/execute or different run-time behavior.
  • Source incompatible: Source code may encounter a breaking change in behavior when targeting the new runtime/component/SDK, such as compile errors or different run-time behavior.
  • Behavioral change: Existing code and binaries may experience different run-time behavior.

Reason for change

We decided to switch to using history.state instead of the query string as it simplifies the implementation and removes the surface attack area associated with passing data through the query string.

Recommended action

Most apps have a RedirectToLogin.razor file in them that can be updated as follows:

@inject NavigationManager Navigation
@using Microsoft.AspNetCore.Components.WebAssembly.Authentication
@using Microsoft.Extensions.Options

@inject IOptionsSnapshot<RemoteAuthenticationOptions<ApiAuthorizationProviderOptions>> Options
@code {

    protected override void OnInitialized()
    {
        Navigation.NavigateToLogin(Options.Get(Microsoft.Extensions.Options.Options.DefaultName).AuthenticationPaths.LogInPath);
    }
}

Affected APIs

As part of this change, SignOutSessionStateManager has been obsoleted in favor of NavigationManager.NavigateToLogout.

@ghost ghost locked as resolved and limited conversation to collaborators Oct 19, 2022
@gewarren gewarren added the Documented The breaking change has been published to the .NET Core docs label Oct 21, 2022
@guardrex guardrex added the 7.0.0 label Nov 14, 2023
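
An added example, not part of the original issue or the project's own code: a LoginDisplay.razor component that migrates both the login and the logout call, with the pre-.NET 7 form kept in comments for comparison. The component name, markup, and the `authentication/login` and `authentication/logout` paths are assumptions based on the default Blazor WebAssembly template.

```razor
@* LoginDisplay.razor targeting .NET 7 or later (added example, not from the issue). *@
@using Microsoft.AspNetCore.Components.Authorization
@using Microsoft.AspNetCore.Components.WebAssembly.Authentication

@inject NavigationManager Navigation
@* Before .NET 7 this component also needed:
   @inject SignOutSessionStateManager SignOutManager *@

<AuthorizeView>
    <Authorized>
        <span>Hello, @context.User.Identity?.Name</span>
        <button class="btn btn-link" @onclick="BeginLogOut">Log out</button>
    </Authorized>
    <NotAuthorized>
        <button class="btn btn-link" @onclick="BeginLogIn">Log in</button>
    </NotAuthorized>
</AuthorizeView>

@code {
    // Assumed paths: the Blazor WebAssembly template defaults.
    private const string LogInPath = "authentication/login";
    private const string LogOutPath = "authentication/logout";

    private void BeginLogIn()
    {
        // Before .NET 7 (no longer returns to the original page after this change):
        //   Navigation.NavigateTo(
        //       $"{LogInPath}?returnUrl={Uri.EscapeDataString(Navigation.Uri)}");
        // .NET 7: the current URI is carried as the return URL in history.state,
        // so nothing about the redirect target appears in the address bar.
        Navigation.NavigateToLogin(LogInPath);
    }

    private void BeginLogOut()
    {
        // Before .NET 7 (SignOutSessionStateManager is now obsolete):
        //   await SignOutManager.SetSignOutState();
        //   Navigation.NavigateTo(LogOutPath);
        // .NET 7: a single call replaces both steps.
        Navigation.NavigateToLogout(LogOutPath);
    }
}
```

When reviewing an upgraded app, searching the source for `returnUrl=` and `SignOutSessionStateManager` finds the call sites that still use the old flow.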