Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Breaking change]: Updates to Authentication in webassembly applications #497

Open
1 of 3 tasks
javiercn opened this issue Oct 19, 2022 · 0 comments
Open
1 of 3 tasks

[Breaking change]: Updates to Authentication in webassembly applications #497

javiercn opened this issue Oct 19, 2022 · 0 comments
Labels
7.0.0 Breaking change Documented The breaking change has been published to the .NET Core docs

Comments

@javiercn
Copy link
Member

Description

We updated our support for authentication in Blazor Webassembly applications to rely on the history state instead of query strings in the URL. As a result of that, existing applications passing the return URL through the query string will fail to redirect back to the original page after a successful login.

Existing applications should use the new NavigateToLogin extension method as it is able to flow the data to the login page corectly.

Version

.NET 7 RC 1

Previous behavior

The return URL would be specified in the query string as ?returnUrl=<<return-url>>.

New behavior

The return URL along other parameters passed to the authentication/login page are passed via the history.state entry of the page.

Type of breaking change

  • Binary incompatible: Existing binaries may encounter a breaking change in behavior, such as failure to load/execute or different run-time behavior.
  • Source incompatible: Source code may encounter a breaking change in behavior when targeting the new runtime/component/SDK, such as compile errors or different run-time behavior.
  • Behavioral change: Existing code and binaries may experience different run-time behavior.

Reason for change

We decided to switch to using history.state instead of the query string as it simplifies the implementation and removes the surface attack area associated with passing data through the query string.

Recommended action

Most apps have a RedirectToLogin.razor file in them that can be updated as follows:

@inject NavigationManager Navigation
@using Microsoft.AspNetCore.Components.WebAssembly.Authentication
@using Microsoft.Extensions.Options

@inject IOptionsSnapshot<RemoteAuthenticationOptions<ApiAuthorizationProviderOptions>> Options
@code {

    protected override void OnInitialized()
    {
        Navigation.NavigateToLogin(Options.Get(Microsoft.Extensions.Options.Options.DefaultName).AuthenticationPaths.LogInPath);
    }
}

Affected APIs

As part of this change SignOutSessionStateManager has been obsoleted in favor of NavigationManager.NavigateToLogout
@ghost ghost locked as resolved and limited conversation to collaborators Oct 19, 2022
@gewarren gewarren added the Documented The breaking change has been published to the .NET Core docs label Oct 21, 2022
@guardrex guardrex added the 7.0.0 label Nov 14, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
7.0.0 Breaking change Documented The breaking change has been published to the .NET Core docs
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@guardrex @javiercn @gewarren