2025
For .NET 11
Per #36162, the https://learn.microsoft.com/en-us/aspnet/core/security/authentication/configure-jwt-bearer-authentication?view=aspnetcore-9.0#handling-access-tokens section makes a remark about a future release having automatic token refresh with SaveTokens enabled.
History
- Blazor project tracking 2024 (dotnet/AspNetCore.Docs #31423)
- Blazor project tracking 2023 (dotnet/AspNetCore.Docs #28001)
- Blazor project tracking 2022 (dotnet/AspNetCore.Docs #24615)
- Blazor project tracking 2021 (dotnet/AspNetCore.Docs #19286)
.NET 10
- .NET 10: File Upload work: File uploads (writing to memory/Autofac content) #33357, Multiple files upload hangs the process in a blazor server app aspnetcore#47301
Doc ideas
Not ALL of these will be worked. This is an idea list/check list that doesn't rise to the level of opening an issue at this time.
- Code styling for all environment name mentions in the text. Update HTTP request pipeline config remarks #36421 (comment)
- Overhaul tracking ideas from Wade: [10.0] Update Blazor node article dates for release #36326 (comment)
- `[PersistentState]` must be a public property (and other framework-based properties, e.g., `[CascadingParameter]`) should be `public`): [Blazor] PersistentState design question aspnetcore#63329 (comment)
- Current user coverage: Reduce boiler plate code for getting the current user in a Blazor component aspnetcore#55327 (comment)
- Dogfood the passkeys implementation guidance for existing apps. There wasn't time when the content came over to do it.
- I think there are a couple of uses of "repo." I'm probably going to change them to "repository," which is the usual word of choice for GitHub repos.
- Where "`{PACKAGE}` package" is used, move "package" into the link text.
- https://github.com/natemcmaster/dotnet-serve is useful for quick, local runs of a published Blazor WASM app. Consider covering it in the Host & Deploy WASM overview. It might just be an 'additional resource.'
- WRT Add RedirectToLogin configured login path #35988, take a look at customization of paths guidance because it isn't only about the login path. When other paths are hard-coded into the app (template), they either have to be changed to match what's going to be used or `RemoteAuthenticationOptions` should be used to obtain them.
- What about moving the Razor syntax article out of the MVC views folder?
- PWA notifications article possibly to have a section on how to get a cert from AKV for the public/private key bits. Rejected for work to resolve Manage crypto keys with AKV in the PWA Push Notifications article #35747 because I was too busy with high priority work for several months out.
- Per Version Swashbuckle/Swagger remarks #35839, we can add a visual UI/endpoint tester for web API samples/articles.
- Show the non-factory approach in https://learn.microsoft.com/en-us/aspnet/core/blazor/call-web-api?view=aspnetcore-9.0#server-side-scenarios-for-calling-external-web-apis.
- Blazor-related MSBuild properties and items quick reference with cross-links article?
- Published the BWA+WinAuth with the fallback policy. Halter will need to troubleshoot a recursive page loading problem after authentication, and then we can update the sample and article showing both approaches. BWA with WinAuth article #34708 (comment)
- "the entire State Management page could simply be a list of approaches with links to other pages that explain each feature in detail" Cascading values+params for state management #34779
- Do we need more coverage on Azure Static Web Apps and Blazor deployments? https://learn.microsoft.com/en-us/aspnet/core/blazor/host-and-deploy/webassembly?view=aspnetcore-9.0#azure-static-web-apps
- Do we want a tutorial on adding Aspire to a Blazor project? https://www.youtube.com/live/hM4ifrqF_lQ?si=BzoYljhdDLLqrRxd&t=12903
- Do we want to roll account confirmation with PW recovery and 2FA/TOTP into the WASM+Identity sample app, probably with them in a configurable state for enabling the features so that they don't break casual use of the sample without setting up an email provider. 2FA/TOTP coverage for WASM+Identity #34189 (comment)
- Do we want to add app roles, Azure Admin roles, and Azure security groups to our BWA+Entra article+sample? Can I just cross-link an existing BWA-Graph sample in either Graph or Identity docs? Either way, the Application roles for apps registered with Microsoft Entra (ME-ID) section of the BWA+OIDC article will have a cross-link or different guidance based on how this is handled.
- See Blazor - Wasm pre-rendering (without server interactivity) - MSAL Auth on client side only not working aspnetcore#58833 for coverage in the Security and Identity overview and note it in prerendering coverage at https://learn.microsoft.com/en-us/aspnet/core/blazor/components/prerender?view=aspnetcore-8.0#prerendering-guidance ... and note that https://learn.microsoft.com/en-us/aspnet/core/blazor/security/webassembly/additional-scenarios?view=aspnetcore-8.0#prerendering-with-authentication is broken (at least for the 8.0 release).
- For the BWA acct conf + PW recovery article, confirm that the wiring up of just the acct conf is enough to also activate the PW recovery part, which I don't recall if I tested or not at the time. It should just light up 💡 ... I think 🤔.
- For early 2025, get the `FileUpload2` example (CSR) fully working for BWA and WASM samples. For BWA, the component is present, but there's no server controller to hit. For WASM, the component is in the WASM sample app but really should be moved to the new Call web API sample, where it can be made to work.
- Replace in-text (usually non-working) examples with `dotnet/blazor-samples`-based, fully working, cut-'n-paste examples. Might be best to create a list on an issue first, then I can work down the list.
- Apply form beautification 🌷 to the 8.0 sample app forms.
- Review Dynamic and extensible authentication requests for coverage opportunities [Blazor][Wasm] Dynamic and extensible authentication requests aspnetcore#42580 [Blazor] Dynamic authentication requests aspnetcore#42692
- To show and explain anti-request forgery in the File Uploads topic, use some commented-out text held there to enable controller services with `AddControllersAndViews` and pass the anti-forgery token to the Blazor app (<8.0) or obtain it from the anti-forgery feature (>=8.0) for the POST.
- With `<NotFound>` going away for BWA at 8.0, I think a dedicated bit in the Error handling topic on processing 404s via built-in server middleware makes sense (i.e., `UseStatusCodePagesWithRedirects`). Be sure to search for it because a cross-link is required in at least one case where I left a NOTE about BWAs not using the Not Found content template any longer.
- Root-level cascading values followup items: Root-level cascading values 8.0 #30095
- Custom ICU creation for WASM didn't make the cut for 8.0 or 9.0. It's scheduled for 10.0 now. [browser][icu] Automate custom icu creation runtime#82908
- I wasn't able to resolve Provide examples/references to avoid unauthorized content display during prerendering #29448 with Provide examples of recommendations #29449 because I can't see how the implementation should be applied in the reader's example app to avoid the reported behavior. Will circle around to this subject with Javier after .NET 8 releases.
- Revert content (Live content) to a cross-link when Azure Static Web Apps docs get a tutorial/tooling guidance for the new publish from VS gesture. Tracking on Azure docs issue: https://github.com/MicrosoftDocs/azure-docs/issues/112013 UPDATE (9/25/24): DR said he'd follow up with them because they closed the issue as a won't-fix.
- Although I'm working the Security node passes in February/March, I'm going to handle one item separately after the passes are finished pertaining to handling refresh tokens from Razor components when a request fails (e.g., Give more info about RefreshToken #26086). Javier said, "... it involves sending a request to the token endpoint of the OIDC/OAuth provider in the same way you do in a web application." The refresh token is available to components via `TokenProvider` in the current guidance, so it seems that the component calls a server API to hit up the IdP to renew (and get a new refresh token) with an update to the `TokenProvider` with the new tokens. The component continues processing transparently (re-initiates the web API call that it was making in the first place) after the server-side work. Cross-refs: Miss a strategy to handle the refresh of tokens #19797 (comment) - Especially: How to refresh updated Claims without login out #22405 (comment)
- ... and because it was never built-into the scaffolder to change the default logout page for Blazor Server: Scaffold different logout for Blazor Server Scaffolding#1423 ... OR, alternatively ...
- XSRF antiforgery token content exists and the component can pass it to the endpoint because I don't think we want to tell devs to decorate server-side endpoints with `@attribute [IgnoreAntiforgeryToken]`, including for logout. The coverage is at: https://learn.microsoft.com/en-us/aspnet/core/security/authentication/scaffold-identity?view=aspnetcore-7.0&tabs=visual-studio#pass-an-xsrf-token-to-the-app
- Per Steve's .NET Conf talk, shouldn't we briefly cover `FileSystem` API use in Blazor apps?
- Let's run through the `testassets` pieces in the framework to see what might be helpful for devs to see in docs. It's a large task tho because there's so much there. This probably can't be worked in 23H1, possibly for 23Q3 tho.
- It would probably be nice to create a `QuickGrid` example that opens and closes a detail record component without losing the page and scroll position of the grid. For context, see Blazor database example's list page is reloaded when coming back from a details page blazor-samples#58.
- Do we want a cascading param state management example? https://learn.microsoft.com/en-us/aspnet/core/blazor/state-management?view=aspnetcore-6.0&pivots=webassembly#additional-approaches-wasm Blazor: In-memory state container as cascading parameter #27296
- Best to have PU 🐈 look over the SignalR-Blazor enhancements for SignalR config (in the SignalR doc and the WASM/Server Host and Deploy docs) and SignalR client logging (in the Logging doc).
- Place element attributes in alphabetical order.
- The section https://learn.microsoft.com/en-us/aspnet/core/blazor/fundamentals/signalr?view=aspnetcore-9.0#websocket-compression-for-interactive-server-components wasn't reviewed ... no one was available to look.
- Confirm language on interactive SSR components in the `Pages` folder of the `.Client` project. Removed on Remove remarks #34050 per DR's request. A PU issue where Javier says that it's correct: Blazor Web App Template Global Interactivity location causes Not Found issue when navigate to the page/component in Server project. aspnetcore#58944 (comment)
- Put an 👁️ on one line in particular in the prerendering with JS interop INCLUDE file: An infinite loop isn't created because `StateHasChanged` is only called when `scrollPosition` is `null`.
- Review of the new section on custom input components at https://learn.microsoft.com/en-us/aspnet/core/blazor/forms/binding?view=aspnetcore-8.0#custom-input-components.
- Review of https://learn.microsoft.com/en-us/aspnet/core/blazor/images-and-documents
- Confirm `addHandlers` module FN approach for wiring up event handlers.
- When he's free, check on the param expression bit added by Bound field or property expression convention #32511.
- The framework does what we say devs aren't supposed to do on transient disposables for `IHttpClientFactory`/`HttpClient`.
- Check on the "In components derived from the base class" bit in the DI topic. It doesn't make sense. It might be incorrect.
- Review of the new example at Fundamentals > DI > Utility base component classes to manage a DI scope section.
- The WHY aspects on MSBuild properties for hosted deployment options #26620 (comment). I'd like to know why the RID works with the MSBuild prop (`/p:RuntimeIdentifier={RID}`) but the self-contained setting doesn't (`/p:SelfContained=false`).
- Review the code for streaming `<textarea>` content in a form of Message size limit enhancements #29541. Live
- Ask about https://docs.microsoft.com/en-us/aspnet/core/blazor/components/dynamiccomponent?view=aspnetcore-6.0 per Update event callback approach #26557. Is this the best way to showcase event callbacks with dynamic components?
- In `UserClaims` components (and perhaps a few other spots) the code for a collection displayed in the UI can have the collection be assigned an empty value or left nullable with an additional Razor nullable check. Which is best? There's a text file on the desktop with the code either way.
- Do we need to assess all Blazor examples where tasks are awaited looking for spots where it would be more appropriate to avoid resuming with the context (`ConfigureAwait(false)`)?
- Ask about the Task method without async and await keywords ... https://github.com/dotnet/blazor-samples/blob/main/8.0/BlazorWebAppEFCore/Components/ContactForm.razor#L111-L116
Resolved
- Cover PAR for Blazor OIDC articles+samples? Document what's new in ASP.NET Core for .NET 9 Preview 7 #33031 (comment) Resolved by Add PAR support configuration #35073.
- For the Static Files article, consider a section on build-time tooling for Blazor WASM fingerprinting. Discussed at No guidance for CSP #34351 (comment). Covered by new .NET 10 feature, so no action required.
- Check on `[EditorRequired]` coverage and do we need more 🍖 for guidance on its value-add to a param? No changes needed. The coverage is nice (cross-reference).
- As of C# 11 (.NET 7), triple-quote JSON strings with `@using System.Diagnostics.CodeAnalysis`: `[StringSyntax(StringSyntaxAttribute.Json)] private const string data = """[{"key":"key 1","value":"value 1"},{"key":"key 2","value":"value 2"}]""";` Resolved by Add JSON raw string literal example #34908 and Use JSON raw string literal syntax for PATCH op blazor-samples#481.
- Check for lost issues assigned to myself. Checked on 3/6/25.
- Improve GH Pages coverage. Include config based on Steve's approaches: https://github.com/SteveSandersonMS/BlazorOnGitHubPages Update GitHub Pages guidance #34493
- GDPR article for Blazor? Blazor GDPR article #34499
- I like this section https://learn.microsoft.com/en-us/aspnet/core/security/authentication/identity-enable-qrcodes?view=aspnetcore-9.0&branch=pr-en-us-34298#totp-client-and-server-time-skew for both of the Blazor 2FA/TOTP articles. TOTP time skew section #34501
- Check on the namespace section in the Components overview. Looks good! No changes.
- IntelliSense is saying that these should be auto properties ... https://github.com/dotnet/blazor-samples/blob/main/8.0/BlazorWebAppEFCore/Components/ContactRow.razor#L50-L61 AND https://github.com/dotnet/blazor-samples/blob/main/8.0/BlazorWebAppEFCore/Components/Pages/Home.razor#L98-L106 Doesn't matter b/c this sample is being dropped per Drop sample from EF Core-Blazor article #34482.
- Blazor Server and EF Core — Consider using the QuickGrid now that it's a supported part of the framework. Doesn't matter b/c this sample is being dropped per Drop sample from EF Core-Blazor article #34482.
- Script loading via control of `<head>` content. Scripts loaded via `<head>` content #34503
- In the PU repo's project templates, the app settings JSON files don't have a LF on the last line of the file. Seems resolved by the PU.
- WasmBrowserApp: IntelliSense is saying to use local functions for the listener functions. WASMBrowserApp code updates blazor-samples#451
- Updating `<script>` tag placement guidance on Update script tag location guidance #34346; but in the context of [Blazor] Remove blazor script check razor#8744 and the original language, it isn't clear what "updated dynamically" means or "not do what they expect." Enhance location of `<script>` tags coverage #34528
- `new()` and `new[] { }` for simplification `[]`. Some done on Blazor code example updates #33786 ... more to come. Collection simplification #34531
- In the Event Handling article we just say that returning a task from an event handler is supported. Let's say that Blazor web examples do it, and fix one `async void` delegate event handler. Remark on async delegate event handler examples #34549
- "SSR" interpretation in the framework code+comments isn't "static server rendering." Discuss further, including earlier remarks that the terminology choices weren't what was expected. Rejected for coverage by DR on [Blazor] Inconsistence in usage of "SSR" abbreviation #33843.
- Need to keep an 👁️ on WebSockets with Azure Front Door remark in this section. Not supported today, but they might have something 23H1 roll out per https://github.com/MicrosoftDocs/architecture-center/issues/1891#issuecomment-1284754716 and https://feedback.azure.com/d365community/idea/c8b1d257-8a26-ec11-b6e6-000d3a4f0789. Addressed in Drop remarks on lack of WebSockets support in AFD #34551.
- In the WASM+Identity sample app and article, adopt `EditForm` and DA in the `Login` and `Register` components. Sample work: Login+Register pages with EditForms+DA blazor-samples#459 Closed article issue (no changes needed): Upgrade WASM+Identity Login+Register pages to use EditForms with DA #34556
- After Add Key Vault approach for client secret #33934 and WASM+Identity acct conf and PW recovery #33976 merge, add the key vault approach for the email provider API key to both of the acct conf+PW articles. Done on Add AKV approach #34583.
PU review items
Steve:
- API of last paragraph in https://learn.microsoft.com/en-us/aspnet/core/blazor/components/render-components-outside-of-aspnetcore?view=aspnetcore-8.0.
Halter:
- Halter to review this section.
- Confirm scope and authority guidance in the BWA+OIDC article that was added on 3/26 on Update scope/authority guidance in BWA+OIDC article #32149.
- The following went in without review because they sat for weeks without response and without answers to email requests for review:
Javier:
- Ask Javier about https://github.com/dotnet/aspnetcore/blob/main/src/Components/test/testassets/BasicTestApp/MarkupBlockComponent.razor#L37C21-L37C37 because we say in the Threat Mitigation topic not to use `builder.AddMarkupContent(0, someUserSuppliedString)` because it can create an XSS vulnerability.
UE pass tracking
- Security and Identity - The node (overview at least) has become messy. Time for a UE pass! Cross-ref: Inconsistent docs on securing Blazor WebAssembly App with Entra #34743 (comment)
- Debug WebAssembly — Resolve 👉 Something is missing in this instructions on how to debug a Blazor Webassembly hosted. #23373 ... and we'll probably need to show full files everywhere we refer to `tasks.json`/`launch.json` due to Errors when running .net generate assets to build .vscode folder vscode-csharp#4542. See 👉 small clarification #23777
- WebAssembly native dependencies Done on WASM Native Dependencies article UE pass #34553.
- Test components - Specifically, let's consider hosting example component tests for WASM and Server (`TestServer`). Missing example on how to use TestServer with ASP.NET 6 #25263
- Host and deploy: Apache for hosted WASM/sub-app scenarios might need more work. See 👉 Blazor Linux hosting #24519 (comment).
- Overview — Perhaps for Routing, too, but clarify the navigation behavior of `NavigationManager.NavigateTo`. See 👉 Use relative path in NavigateTo #22146 (comment).
- Move overview App base path coverage into its own article.
- Break out sections into articles in two primary nodes (folders) for server-side Blazor and Blazor WebAssembly. Feedback in this vein: Topic needs to be restructured to be easier to understand and use #35047
- Blazor Server — See 👉 Publishing Blazor to IIS from Visual Studio #21226
- Blazor WebAssembly — See 👉 Revert to minified Google Brotli script in Blazor WASM hosting #19979 and Virus Detected! #21829 (comment) and validate `web.config` post PR Remove .wasm file extension before redefining it #24950 and in light of discussion on https://stackoverflow.com/a/69888016 and https://stackoverflow.com/a/70967738. Probably add a tagged SO filter link: `https://stackoverflow.com/questions/tagged/blazor+iis+compression`
- WebAssembly deployment layout
Other articles that could benefit from the 🦖 Rex Treatment™ 🦖 ...
- Blazor Server and EF Core
- Call web API topic: I'd like to divorce this from the main doc set's web API article in favor of a small Minimal APIs-based web API app for the experiences in the topic. I think churn on the main doc set article may have broken the cut-'n-paste, fully working examples that I have. I either need to update the examples to match the latest guidance in the web API article or place a dedicated app example in this topic, and I favor the latter because of on-going web API article churn ... this is a fragile 💥 setup because I don't maintain both articles. Need to analyze the coverage on calling a web API securely to see if the Call web API article should have more information on it (or even just cross-links) and see if more work needs to be done in the Security and Identity node, especially the Additional scenarios article.
- File Uploads article
- File Downloads article
- Test article
- PWA article
- Performance best practices article
- State Management article
- Virtualization article: Blazor Virtualize Docs Are Confusing #27537
- Blazor Hybrid
  - Overview
  - Tutorials
    - Overview
    - .NET MAUI
    - Windows Forms
    - WPF
  - Routing and navigation
  - Static files
  - Dev Tools
  - Reuse components
- New articles at 8.0 ...
  - ASP.NET Core Razor class libraries (RCLs) with static server-side rendering (static SSR)
  - Integrate ASP.NET Core Razor components into ASP.NET Core apps
  - Prerender ASP.NET Core Razor components
  - Render Razor components outside of ASP.NET Core
  - ASP.NET Core Blazor render modes
  - ASP.NET Core Blazor sections
  - Troubleshoot ASP.NET Core Blazor Hybrid
  - ASP.NET Core Blazor JavaScript with static server-side rendering (static SSR)
  - Threat mitigation guidance for ASP.NET Core Blazor static server-side rendering
  - Secure ASP.NET Core Blazor WebAssembly with ASP.NET Core Identity