Build in AuthenticationStateProviders from project templates by halter73 · Pull Request #55821 · dotnet/aspnetcore

halter73 · 2024-05-21T16:01:45Z

This automatically registers a client AuthenticationStateProvider's similar to the PersistentAuthenticationStateProvider added by the "Individual Auth" option in the Blazor Web project templates.

This feature must be opted in by calling AddAuthenticationStateSerialization() on the server's IRazorComponentsBuilder and AddAuthenticationStateDeserialization() on the client's IServiceCollection. These methods are defined in Microsoft.AspNetCore.Components.WebAssembly.Server and Microsoft.AspNetCore.Components.WebAssembly.Authentication assemblies respectively, so they should only be available to applications using WebAssembly interactivity.

Even if you do opt-in to authentication state serialization/deserialization, you must further opt-in to serializing all claims by setting AuthenticationStateSerializationOptions.SerializeAllClaims or registering a custom SerializationCallback. Otherwise, only the name and role claims will be serialized.

Rather than override the server's AuthenticationStateProvider like the project template's PersistingServerAuthenticationStateProvider, this registers an AuthenticationStateSerializer which does not implement AuthenticationStateProvider. This allows EndpointHtmlRenderer to flow authentication state from a custom server-side AuthenticationStateProvider to the serializer which is registered directly as IHostEnvironmentAuthenticationStateProvider by AddAuthenticationStateSerialization().

In order to increase the consistency of using AddAuthenticationStateSerialization() with and without server interactivity, ServerAuthenticationStateProvider was type forwarded to Microsoft.AspNetCore.Components.Endpoints and registered by default by AddRazorComponents. This is also helpful for auth in completely non-interactive Blazor web projects.

Fixes #52769

- Use JSImports instead of DefaultWebAssemblyJSRuntime - Remove unnecessary exclusions from template.json - Remove UserInfo from the template client template - Remove AddAuthorizationCore from AddRazorComponents

javiercn · 2024-05-22T15:45:09Z

+Microsoft.AspNetCore.Components.Server.ServerAuthenticationStateProvider
+Microsoft.AspNetCore.Components.Server.ServerAuthenticationStateProvider.ServerAuthenticationStateProvider() -> void
+Microsoft.AspNetCore.Components.Server.ServerAuthenticationStateProvider.SetAuthenticationState(System.Threading.Tasks.Task<Microsoft.AspNetCore.Components.Authorization.AuthenticationState!>! authenticationStateTask) -> void
+override Microsoft.AspNetCore.Components.Server.ServerAuthenticationStateProvider.GetAuthenticationStateAsync() -> System.Threading.Tasks.Task<Microsoft.AspNetCore.Components.Authorization.AuthenticationState!>!


Is this public because of layering?

Or because we want it to be extendable

I mention this in the PR description:

In order to increase the consistency of using AddAuthenticationStateSerialization() with and without server interactivity, ServerAuthenticationStateProvider was type forwarded to Microsoft.AspNetCore.Components.Endpoints and registered by default by AddRazorComponents. This is also helpful for auth in completely non-interactive Blazor web projects.

This change isn't strictly necessary for this PR, but I do think it helps with the general usability AddRazorComponents without AddInteractiveServerComponents. I could have used an internal AuthenticationStateProvider that's functionally equivalent to the ServerAuthenticationStateProvider without the type forwarding to achieve the same thing, but I figured we might as well reduce duplication.

javiercn · 2024-05-22T15:47:58Z

+*REMOVED*Microsoft.AspNetCore.Components.Server.ServerAuthenticationStateProvider
+*REMOVED*Microsoft.AspNetCore.Components.Server.ServerAuthenticationStateProvider.ServerAuthenticationStateProvider() -> void
+*REMOVED*Microsoft.AspNetCore.Components.Server.ServerAuthenticationStateProvider.SetAuthenticationState(System.Threading.Tasks.Task<Microsoft.AspNetCore.Components.Authorization.AuthenticationState!>! authenticationStateTask) -> void
+*REMOVED*override Microsoft.AspNetCore.Components.Server.ServerAuthenticationStateProvider.GetAuthenticationStateAsync() -> System.Threading.Tasks.Task<Microsoft.AspNetCore.Components.Authorization.AuthenticationState!>!


Isn't this breaking? (For libraries for example).

The [assembly: TypeForwardedTo(typeof(Microsoft.AspNetCore.Components.Server.ServerAuthenticationStateProvider))] should make it non-breaking.

javiercn

I have some more comments, but I don't want to block on them. I'll chat with you offline

Rick-Anderson · 2024-05-22T21:21:39Z

+/// If this is implemented by the host's <see cref="AuthenticationStateProvider"/>, it will receive authentication state from the HttpContext.
+/// Or if this implemented service that is registered directly as an <see cref="IHostEnvironmentAuthenticationStateProvider"/>,
+/// it will receive the <see cref="AuthenticationState"/> returned by <see cref="AuthenticationStateProvider.GetAuthenticationStateAsync"/> 


Suggested change

/// If this is implemented by the host's <see cref="AuthenticationStateProvider"/>, it will receive authentication state from the HttpContext.

/// Or if this implemented service that is registered directly as an <see cref="IHostEnvironmentAuthenticationStateProvider"/>,

/// it will receive the <see cref="AuthenticationState"/> returned by <see cref="AuthenticationStateProvider.GetAuthenticationStateAsync"/>

/// If this is implemented by the host's <see cref="AuthenticationStateProvider"/>, it receives authentication state from the HttpContext.

/// If this implemented service that is registered directly as an <see cref="IHostEnvironmentAuthenticationStateProvider"/>,

/// it receives the <see cref="AuthenticationState"/> returned by <see cref="AuthenticationStateProvider.GetAuthenticationStateAsync"/>

Rick-Anderson · 2024-05-22T21:26:44Z

+namespace Microsoft.AspNetCore.Components.WebAssembly.Server;
+
+/// <summary>
+/// Provides options for configuring the JSON serialization of the <see cref="AuthenticationState"/> provided by the server's <see cref="AuthenticationStateProvider"/>


Feel free to reject this but the sentence is too long and difficult to machine translate.

Suggested change

/// Provides options for configuring the JSON serialization of the <see cref="AuthenticationState"/> provided by the server's <see cref="AuthenticationStateProvider"/>

/// Provides options for configuring the JSON serialization of the <see cref="AuthenticationState"/>. Provided by the server's <see cref="AuthenticationStateProvider"/>

Rick-Anderson · 2024-05-22T21:27:53Z

+    }
+
+    /// <summary>
+    /// If <see langword="true"/>, the default <see cref="SerializationCallback"/> will serialize all claims; otherwise, it will only serialize


Suggested change

/// If <see langword="true"/>, the default <see cref="SerializationCallback"/> will serialize all claims; otherwise, it will only serialize

/// If <see langword="true"/>, the default <see cref="SerializationCallback"/> serializes all claims; otherwise, it only serializes

Rick-Anderson · 2024-05-22T21:34:58Z

+    /// Default implementation for converting the server's <see cref="AuthenticationState"/> to an <see cref="AuthenticationStateData"/> object
+    /// for JSON serialization to the client using <see cref="PersistentComponentState"/>."/>


Suggested change

/// Default implementation for converting the server's <see cref="AuthenticationState"/> to an <see cref="AuthenticationStateData"/> object

/// for JSON serialization to the client using <see cref="PersistentComponentState"/>."/>

/// Default implementation for converting the server's <see cref="AuthenticationState"/> to an <see cref="AuthenticationStateData"/> object.

/// This conversion is intended for JSON serialization to the client using <see cref="PersistentComponentState"/>."/>

Rick-Anderson · 2024-05-22T21:38:21Z

+    /// Serializes the <see cref="AuthenticationState"/> returned by the server-side <see cref="AuthenticationStateProvider"/> using <see cref="PersistentComponentState"/>
+    /// for use by interactive WebAssembly components via a deserializing client-side <see cref="AuthenticationStateProvider"/> which can be added by calling
+    /// AddAuthenticationStateDeserialization from the Microsoft.AspNetCore.Components.WebAssembly.Authentication package in the client project.


Suggested change

/// Serializes the <see cref="AuthenticationState"/> returned by the server-side <see cref="AuthenticationStateProvider"/> using <see cref="PersistentComponentState"/>

/// for use by interactive WebAssembly components via a deserializing client-side <see cref="AuthenticationStateProvider"/> which can be added by calling

/// AddAuthenticationStateDeserialization from the Microsoft.AspNetCore.Components.WebAssembly.Authentication package in the client project.

/// Serializes the <see cref="AuthenticationState"/> returned by the server-side <see cref="AuthenticationStateProvider"/> using <see cref="PersistentComponentState"/>.

/// Intended for use by interactive WebAssembly components via a deserializing client-side <see cref="AuthenticationStateProvider"/>. The WebAssembly can be added by calling

/// AddAuthenticationStateDeserialization from the Microsoft.AspNetCore.Components.WebAssembly.Authentication package in the client project.

Rick-Anderson · 2024-05-22T21:57:59Z

+    /// Default implementation for converting the <see cref="AuthenticationStateData"/> that was JSON deserialized from the server
+    /// using <see cref="PersistentComponentState"/> to an <see cref="AuthenticationState"/> object to be returned by the WebAssembly


Suggested change

/// Default implementation for converting the <see cref="AuthenticationStateData"/> that was JSON deserialized from the server

/// using <see cref="PersistentComponentState"/> to an <see cref="AuthenticationState"/> object to be returned by the WebAssembly

/// Default implementation for converting the <see cref="AuthenticationStateData"/> that was JSON deserialized from the server.

/// This conversion is performed using <see cref="PersistentComponentState"/> to an <see cref="AuthenticationState"/> object.

// This object is then returned by the WebAssembly client's <see

@tdykstra why no rich diff?

I don't know, but your new line 21 is missing one slash at the start.

halter73 added 2 commits May 21, 2024 08:50

Build in AuthenticationStateProviders from project templates

21884d3

Update Blazor project templates to use built-in providers

f47e14c

halter73 requested a review from a team as a code owner May 21, 2024 16:01

ghost added the area-blazor Includes: Blazor, Razor Components label May 21, 2024

Fix tests

ec8ae2e

- Use JSImports instead of DefaultWebAssemblyJSRuntime - Remove unnecessary exclusions from template.json - Remove UserInfo from the template client template - Remove AddAuthorizationCore from AddRazorComponents

javiercn reviewed May 22, 2024

View reviewed changes

javiercn approved these changes May 22, 2024

View reviewed changes

Rick-Anderson mentioned this pull request May 22, 2024

Review AuthenticationStateProviders API dotnet/AspNetCore.Docs#32636

Closed

halter73 merged commit 5f792ae into main May 22, 2024

halter73 deleted the halter73/52769 branch May 22, 2024 21:52

dotnet-policy-service Bot added this to the 9.0-preview5 milestone May 22, 2024

Rick-Anderson suggested changes May 22, 2024

View reviewed changes

This was referenced May 31, 2024

Update ref source links to Blazor security API dotnet/AspNetCore.Docs#32711

Merged

Blazor .NET 9 tracking issue dotnet/AspNetCore.Docs#31909

Closed

guardrex mentioned this pull request Jun 10, 2024

Build in AuthenticationStateProviders from project templates dotnet/AspNetCore.Docs#32797

Closed

halter73 mentioned this pull request Jul 18, 2024

Add ClaimData for AuthenticationStateData and fix overtrimming #56878

Merged

	/// Provides options for configuring the JSON serialization of the <see cref="AuthenticationState"/> provided by the server's <see cref="AuthenticationStateProvider"/>
	/// Provides options for configuring the JSON serialization of the <see cref="AuthenticationState"/>. Provided by the server's <see cref="AuthenticationStateProvider"/>

	/// If <see langword="true"/>, the default <see cref="SerializationCallback"/> will serialize all claims; otherwise, it will only serialize
	/// If <see langword="true"/>, the default <see cref="SerializationCallback"/> serializes all claims; otherwise, it only serializes

		/// Default implementation for converting the server's <see cref="AuthenticationState"/> to an <see cref="AuthenticationStateData"/> object
		/// for JSON serialization to the client using <see cref="PersistentComponentState"/>."/>

		/// Default implementation for converting the <see cref="AuthenticationStateData"/> that was JSON deserialized from the server
		/// using <see cref="PersistentComponentState"/> to an <see cref="AuthenticationState"/> object to be returned by the WebAssembly

-    /// Default implementation for converting the <see cref="AuthenticationStateData"/> that was JSON deserialized from the server
-    /// using <see cref="PersistentComponentState"/> to an <see cref="AuthenticationState"/> object to be returned by the WebAssembly
+    /// Default implementation for converting the <see cref="AuthenticationStateData"/> that was JSON deserialized from the server.
+    /// This conversion is performed using <see cref="PersistentComponentState"/> to an <see cref="AuthenticationState"/> object.
+    // This object is then returned by the WebAssembly client's <see

Conversation

halter73 commented May 21, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

halter73 May 22, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

javiercn left a comment

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

halter73 commented May 21, 2024 •

edited

Loading

halter73 May 22, 2024 •

edited

Loading