From 440ef6255cf80a717eaa8ba6a21928789d7283af Mon Sep 17 00:00:00 2001 From: Robert Haken Date: Thu, 7 Nov 2024 02:19:22 +0100 Subject: [PATCH 1/7] [Blazor] Security - Server - Additional security abstractions section rework --- aspnetcore/blazor/security/server/index.md | 16 +++++----------- 1 file changed, 5 insertions(+), 11 deletions(-) diff --git a/aspnetcore/blazor/security/server/index.md b/aspnetcore/blazor/security/server/index.md index 2f7bde826708..052faed541e0 100644 --- a/aspnetcore/blazor/security/server/index.md +++ b/aspnetcore/blazor/security/server/index.md 
@@ -20,7 +20,7 @@ The authentication context is only established when the app starts, which is whe If the app must capture users for custom services or react to updates to the user, see . -Blazor differs from a traditional server-rendered web apps that make new HTTP requests with cookies on every page navigation. Authentication is checked during navigation events. However, cookies aren't involved. Cookies are only sent when making an HTTP request to a server, which isn't what happens when the user navigates in a Blazor app. During navigation, the user's authentication state is checked within the Blazor circuit, which you can update at any time on the server using the [`RevalidatingAuthenticationStateProvider` abstraction](#additional-security-abstractions). +Blazor differs from a traditional server-rendered web apps that make new HTTP requests with cookies on every page navigation. Authentication is checked during navigation events. However, cookies aren't involved. Cookies are only sent when making an HTTP request to a server, which isn't what happens when the user navigates in a Blazor app. During navigation, the user's authentication state is checked within the Blazor circuit, which you can update at any time on the server using the [`RevalidatingAuthenticationStateProvider` abstraction](#supporting-authentication-state-providers). > [!IMPORTANT] > Implementing a custom `NavigationManager` to achieve authentication validation during navigation isn't recommended. If the app must execute custom authentication state logic during navigation, use a [custom `AuthenticationStateProvider`](xref:blazor/security/authentication-state#implement-a-custom-authenticationstateprovider). 
@@ -447,19 +447,13 @@ Authentication uses the same ASP.NET Core Identity authentication as Razor Pages For guidance on general state management outside of ASP.NET Core Identity, see . -## Additional security abstractions +## Supporting authentication state providers -Two additional abstractions participate in managing authentication state: +Two additional classes derived from help with managing authentication state on server: -* ([reference source](https://github.com/dotnet/aspnetcore/blob/main/src/Components/Endpoints/src/DependencyInjection/ServerAuthenticationStateProvider.cs)): An used by the Blazor framework to obtain authentication state from the server. +* ([reference source](https://github.com/dotnet/aspnetcore/blob/main/src/Components/Endpoints/src/DependencyInjection/ServerAuthenticationStateProvider.cs)): A default used by the Blazor framework to manage authentication state on the server, when a more specific provider is not registered. -* ([reference source](https://github.com/dotnet/aspnetcore/blob/main/src/Components/Server/src/Circuits/RevalidatingServerAuthenticationStateProvider.cs)): A base class for services used by the Blazor framework to receive an authentication state from the host environment and revalidate it at regular intervals. - - The default 30 minute revalidation interval can be adjusted in [`RevalidatingIdentityAuthenticationStateProvider` (`Areas/Identity/RevalidatingIdentityAuthenticationStateProvider.cs`)](https://github.com/dotnet/aspnetcore/blob/release/7.0/src/ProjectTemplates/Web.ProjectTemplates/content/BlazorServerWeb-CSharp/Areas/Identity/RevalidatingIdentityAuthenticationStateProvider.cs). 
The following example shortens the interval to 20 minutes: - - ```csharp - protected override TimeSpan RevalidationInterval => TimeSpan.FromMinutes(20); - ``` +* ([reference source](https://github.com/dotnet/aspnetcore/blob/main/src/Components/Server/src/Circuits/RevalidatingServerAuthenticationStateProvider.cs)): A base class for services that receive an authentication state from the host environment and revalidate it at regular intervals. [!INCLUDE[](~/includes/aspnetcore-repo-ref-source-links.md)] From 5723498b9cc752c5b5ea581993a68acb89467107 Mon Sep 17 00:00:00 2001 From: Luke Latham <1622880+guardrex@users.noreply.github.com> Date: Thu, 7 Nov 2024 07:06:36 -0500 Subject: [PATCH 2/7] Update aspnetcore/blazor/security/server/index.md --- aspnetcore/blazor/security/server/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aspnetcore/blazor/security/server/index.md b/aspnetcore/blazor/security/server/index.md index 052faed541e0..7589f99d6677 100644 --- a/aspnetcore/blazor/security/server/index.md +++ b/aspnetcore/blazor/security/server/index.md 
@@ -451,7 +451,7 @@ For guidance on general state management outside of ASP.NET Core Identity, see < Two additional classes derived from help with managing authentication state on server: -* ([reference source](https://github.com/dotnet/aspnetcore/blob/main/src/Components/Endpoints/src/DependencyInjection/ServerAuthenticationStateProvider.cs)): A default used by the Blazor framework to manage authentication state on the server, when a more specific provider is not registered. +* ([reference source](https://github.com/dotnet/aspnetcore/blob/main/src/Components/Endpoints/src/DependencyInjection/ServerAuthenticationStateProvider.cs)): A default used by the Blazor framework to manage authentication state on the server, when a more specific provider isn't registered. * ([reference source](https://github.com/dotnet/aspnetcore/blob/main/src/Components/Server/src/Circuits/RevalidatingServerAuthenticationStateProvider.cs)): A base class for services that receive an authentication state from the host environment and revalidate it at regular intervals. From d19913c7d2dc8f6ba9d3459dd7730f9272cf96aa Mon Sep 17 00:00:00 2001 From: Luke Latham <1622880+guardrex@users.noreply.github.com> Date: Thu, 7 Nov 2024 07:07:07 -0500 Subject: [PATCH 3/7] Update aspnetcore/blazor/security/server/index.md --- aspnetcore/blazor/security/server/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aspnetcore/blazor/security/server/index.md b/aspnetcore/blazor/security/server/index.md index 7589f99d6677..26ac079e2e73 100644 --- a/aspnetcore/blazor/security/server/index.md +++ b/aspnetcore/blazor/security/server/index.md @@ -447,7 +447,7 @@ Authentication uses the same ASP.NET Core Identity authentication as Razor Pages For guidance on general state management outside of ASP.NET Core Identity, see . -## Supporting authentication state providers +## Additional authentication state providers Two additional classes derived from help with managing authentication state on server: 
From 1eaafb99e0b6fd8baf7f3f44cdfe859b12d2458b Mon Sep 17 00:00:00 2001 From: Luke Latham <1622880+guardrex@users.noreply.github.com> Date: Thu, 7 Nov 2024 07:09:00 -0500 Subject: [PATCH 4/7] Update aspnetcore/blazor/security/server/index.md --- aspnetcore/blazor/security/server/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aspnetcore/blazor/security/server/index.md b/aspnetcore/blazor/security/server/index.md index 26ac079e2e73..965e15ac9b71 100644 --- a/aspnetcore/blazor/security/server/index.md +++ b/aspnetcore/blazor/security/server/index.md 
@@ -20,7 +20,7 @@ The authentication context is only established when the app starts, which is whe If the app must capture users for custom services or react to updates to the user, see . -Blazor differs from a traditional server-rendered web apps that make new HTTP requests with cookies on every page navigation. Authentication is checked during navigation events. However, cookies aren't involved. Cookies are only sent when making an HTTP request to a server, which isn't what happens when the user navigates in a Blazor app. During navigation, the user's authentication state is checked within the Blazor circuit, which you can update at any time on the server using the [`RevalidatingAuthenticationStateProvider` abstraction](#supporting-authentication-state-providers). +Blazor differs from a traditional server-rendered web apps that make new HTTP requests with cookies on every page navigation. Authentication is checked during navigation events. However, cookies aren't involved. Cookies are only sent when making an HTTP request to a server, which isn't what happens when the user navigates in a Blazor app. During navigation, the user's authentication state is checked within the Blazor circuit, which you can update at any time on the server using a revalidating `AuthenticationStateProvider`](#additional-authentication-state-providers). > [!IMPORTANT] > Implementing a custom `NavigationManager` to achieve authentication validation during navigation isn't recommended. If the app must execute custom authentication state logic during navigation, use a [custom `AuthenticationStateProvider`](xref:blazor/security/authentication-state#implement-a-custom-authenticationstateprovider). From 088d32eec7d0c16f8df1c047f55402c0031a5f62 Mon Sep 17 00:00:00 2001 
From: Luke Latham <1622880+guardrex@users.noreply.github.com> Date: Thu, 7 Nov 2024 07:12:15 -0500 Subject: [PATCH 5/7] Update aspnetcore/blazor/security/server/index.md --- aspnetcore/blazor/security/server/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aspnetcore/blazor/security/server/index.md b/aspnetcore/blazor/security/server/index.md index 965e15ac9b71..4aa562bc02c4 100644 --- a/aspnetcore/blazor/security/server/index.md +++ b/aspnetcore/blazor/security/server/index.md @@ -449,7 +449,7 @@ For guidance on general state management outside of ASP.NET Core Identity, see < ## Additional authentication state providers -Two additional classes derived from help with managing authentication state on server: +Two additional classes derived from help with managing authentication state on the server: * ([reference source](https://github.com/dotnet/aspnetcore/blob/main/src/Components/Endpoints/src/DependencyInjection/ServerAuthenticationStateProvider.cs)): A default used by the Blazor framework to manage authentication state on the server, when a more specific provider isn't registered. From d692217b09b70d9645c88abc93dd0f88e94542b3 Mon Sep 17 00:00:00 2001 From: Luke Latham <1622880+guardrex@users.noreply.github.com> Date: Thu, 7 Nov 2024 07:25:00 -0500 Subject: [PATCH 6/7] Apply suggestions from code review --- aspnetcore/blazor/security/server/index.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/aspnetcore/blazor/security/server/index.md b/aspnetcore/blazor/security/server/index.md index 4aa562bc02c4..e554e896c316 100644 --- a/aspnetcore/blazor/security/server/index.md +++ b/aspnetcore/blazor/security/server/index.md 
@@ -451,9 +451,9 @@ For guidance on general state management outside of ASP.NET Core Identity, see < Two additional classes derived from help with managing authentication state on the server: -* ([reference source](https://github.com/dotnet/aspnetcore/blob/main/src/Components/Endpoints/src/DependencyInjection/ServerAuthenticationStateProvider.cs)): A default used by the Blazor framework to manage authentication state on the server, when a more specific provider isn't registered. +* ([reference source](https://github.com/dotnet/aspnetcore/blob/main/src/Components/Endpoints/src/DependencyInjection/ServerAuthenticationStateProvider.cs)): A default used by the Blazor framework to manage authentication state on the server when a more specific provider isn't registered. -* ([reference source](https://github.com/dotnet/aspnetcore/blob/main/src/Components/Server/src/Circuits/RevalidatingServerAuthenticationStateProvider.cs)): A base class for services that receive an authentication state from the host environment and revalidate it at regular intervals. +* ([reference source](https://github.com/dotnet/aspnetcore/blob/main/src/Components/Server/src/Circuits/RevalidatingServerAuthenticationStateProvider.cs)): A base class for services that receive an authentication state from the host environment and revalidate it at regular intervals. [!INCLUDE[](~/includes/aspnetcore-repo-ref-source-links.md)] From 801002d655c94db1f03cf2189fc35f58556956e8 Mon Sep 17 00:00:00 2001 From: Luke Latham <1622880+guardrex@users.noreply.github.com> Date: Thu, 7 Nov 2024 07:33:51 -0500 Subject: [PATCH 7/7] Update index.md --- aspnetcore/blazor/security/server/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aspnetcore/blazor/security/server/index.md b/aspnetcore/blazor/security/server/index.md index e554e896c316..075f80c64c5c 100644 --- a/aspnetcore/blazor/security/server/index.md +++ b/aspnetcore/blazor/security/server/index.md 
@@ -453,7 +453,7 @@ Two additional classes derived from ([reference source](https://github.com/dotnet/aspnetcore/blob/main/src/Components/Endpoints/src/DependencyInjection/ServerAuthenticationStateProvider.cs)): A default used by the Blazor framework to manage authentication state on the server when a more specific provider isn't registered. -* ([reference source](https://github.com/dotnet/aspnetcore/blob/main/src/Components/Server/src/Circuits/RevalidatingServerAuthenticationStateProvider.cs)): A base class for services that receive an authentication state from the host environment and revalidate it at regular intervals. +* ([reference source](https://github.com/dotnet/aspnetcore/blob/main/src/Components/Server/src/Circuits/RevalidatingServerAuthenticationStateProvider.cs)): A base class for services that receive an authentication state from the host environment and revalidate it at regular intervals. See the [Blazor Web App project template](https://github.com/dotnet/aspnetcore/blob/main/src/ProjectTemplates/Web.ProjectTemplates/content/BlazorWeb-CSharp/BlazorWeb-CSharp/Components/Account/IdentityRevalidatingAuthenticationStateProvider.cs) for an example implementation. Override to change the default 30 minute revalidation interval. [!INCLUDE[](~/includes/aspnetcore-repo-ref-source-links.md)]
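Review bot: In PATCH 1/7, hunk `@@ -20,7 +20,7 @@`, the `+` line keeps the pre-existing grammar slip "Blazor differs from a traditional server-rendered web apps"; since the line is being rewritten anyway, drop the article ("differs from traditional server-rendered web apps that make new HTTP requests with cookies on every page navigation"). The anchor update to `#supporting-authentication-state-providers` matches the heading introduced in the second hunk of this commit, but PATCH 3/7 renames that heading again, so the anchor is stale between commits 3 and 4; squashing the series (or moving the heading rename into this commit) keeps every commit's cross-reference resolvable.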
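Review bot: In PATCH 1/7, hunk `@@ -447,19 +447,13 @@`, the removed lines are the only concrete guidance on tuning the revalidation interval, including the one-line override `protected override TimeSpan RevalidationInterval => TimeSpan.FromMinutes(20);`, and the replacement bullet says only that the state is revalidated "at regular intervals". Removing the link to the `release/7.0` Identity template is reasonable since that template is obsolete, but consider keeping the override snippet under the new `RevalidatingServerAuthenticationStateProvider` bullet; PATCH 7/7 reintroduces the 30-minute default in prose, which suggests the series still wants readers to know the interval is adjustable. Also, "managing authentication state on server" on the new `+` line reads better as "on the server" (PATCH 5/7 fixes this; fold it in here).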
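Review bot: In PATCH 4/7, hunk `@@ -20,7 +20,7 @@`, the `+` line drops the opening bracket of the Markdown link: `using a revalidating `AuthenticationStateProvider`](#additional-authentication-state-providers)` has a closing `]` and a `(...)` target but no `[`, so it renders as literal text with a stray `](#additional-authentication-state-providers)`. Restore the bracket, e.g. `using a [revalidating `AuthenticationStateProvider`](#additional-authentication-state-providers)`.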
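Review bot: In PATCH 6/7, hunk `@@ -451,9 +451,9 @@`, the second `-`/`+` pair for the `RevalidatingServerAuthenticationStateProvider` bullet shows no visible textual difference, so the change is presumably trailing whitespace only; that is fine, but the commit message "Apply suggestions from code review" could say so to spare the next reader a character-level comparison. The comma removal in the first pair ("on the server when a more specific provider isn't registered") is an improvement.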
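Review bot: In PATCH 7/7, hunk `@@ -453,7 +453,7 @@`, the added sentence "Override to change the default 30 minute revalidation interval." names no member to override in the rendered text here; confirm the cross-reference to the `RevalidationInterval` property (the member the removed snippet in PATCH 1/7 overrode) is present and renders, otherwise the instruction is not actionable. Minor: "30 minute revalidation interval" should be hyphenated as "30-minute revalidation interval" when used as a compound modifier, and the template link points at `main`, which is acceptable for the current Blazor Web App template but will drift as that file changes; a versioned branch would be more stable if the docs set pins other template links that way.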