From 99b66724e0d07702dffa7123da18d8354c7a6edd Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 7 Aug 2025 22:14:27 +0000 Subject: [PATCH 01/21] Initial plan From 672f5a7532a83f6b11128242ca496228dafefec1 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 7 Aug 2025 22:30:00 +0000 Subject: [PATCH 02/21] Add ASP.NET Core release notes for .NET 10 Preview 7 Co-authored-by: danroth27 <1874516+danroth27@users.noreply.github.com> --- .../10.0/preview/preview7/aspnetcore.md | 203 +++++++++++++++++- 1 file changed, 200 insertions(+), 3 deletions(-) diff --git a/release-notes/10.0/preview/preview7/aspnetcore.md b/release-notes/10.0/preview/preview7/aspnetcore.md index b1b43534b6..189cd8b33e 100644 --- a/release-notes/10.0/preview/preview7/aspnetcore.md +++ b/release-notes/10.0/preview/preview7/aspnetcore.md @@ -2,7 +2,12 @@ Here's a summary of what's new in ASP.NET Core in this preview release: -- [Feature](#feature) +- [Configure suppressing exception handler diagnostics](#configure-suppressing-exception-handler-diagnostics) +- [Avoid cookie login redirects for known API endpoints](#avoid-cookie-login-redirects-for-known-api-endpoints) +- [Passkey authentication improvements](#passkey-authentication-improvements) +- [Support for the .localhost Top-Level Domain](#support-for-the-localhost-top-level-domain) +- [JSON+PipeReader deserialization support](#jsonpipereader-deserialization-support) +- [OpenAPI improvements](#openapi-improvements) ASP.NET Core updates in .NET 10: @@ -10,6 +15,198 @@ ASP.NET Core updates in .NET 10: - [Breaking changes](https://docs.microsoft.com/dotnet/core/compatibility/10.0#aspnet-core) - [Roadmap](https://github.com/dotnet/aspnetcore/issues/59443) -## Feature +## Configure suppressing exception handler diagnostics -Something about the feature +This setting is useful when you know an exception is transient, or has been handled by the exception handler middleware, and don't want to error logs written to your observability platform. + +Additionally, the middleware's default behavior has changed: it no longer writes exception diagnostics for exceptions handled by `IExceptionHandler`. Based on user feedback, logging handled exceptions at the error level was often undesirable when `IExceptionHandler.TryHandleAsync` returned `true`. + +You can revert to the previous behavior by configuring `SuppressDiagnosticsCallback`: + +```csharp +app.UseExceptionHandler(new ExceptionHandlerOptions +{ + SuppressDiagnosticsCallback = context => false; +}); +``` + +For more information about this breaking change, see https://github.com/aspnet/Announcements/issues/524. + +## Avoid cookie login redirects for known API endpoints + +By default, unauthenticated and unauthorized requests made to known API endpoints protected by cookie authentication now result in 401 and 403 responses rather than redirecting to a login or access denied URI. + +This change was [highly requested](https://github.com/dotnet/aspnetcore/issues/9039), because redirecting unauthenticated requests to a login page doesn't usually make sense for API endpoints which typically rely on 401 and 403 status codes rather than HTML redirects to communicate auth failures. + +Known API [Endpoints](https://learn.microsoft.com/aspnet/core/fundamentals/routing) are identified using the new `IApiEndpointMetadata` interface, and metadata implementing the new interface has been added automatically to the following: + +- `[ApiController]` endpoints +- Minimal API endpoints that read JSON request bodies or write JSON responses +- Endpoints using `TypedResults` return types +- SignalR endpoints + +When `IApiEndpointMetadata` is present, the cookie authentication handler now returns appropriate HTTP status codes (401 for unauthenticated requests, 403 for forbidden requests) instead of redirecting. + +If you want to prevent this new behavior, and always redirect to the login and access denied URIs for unauthenticated or unauthorized requests regardless of the target endpoint, you can override the `RedirectToLogin` and `RedirectToAccessDenied` as follows: + +```csharp +builder.Services.AddAuthentication() + .AddCookie(options => + { + options.Events.OnRedirectToLogin = context => + { + context.Response.Redirect(context.RedirectUri); + return Task.CompletedTask; + }; + + options.Events.OnRedirectToAccessDenied = context => + { + context.Response.Redirect(context.RedirectUri); + return Task.CompletedTask; + }; + }); +``` + +For more information about this breaking change, see https://github.com/aspnet/Announcements/issues/525 + +## Passkey authentication improvements + +APIs for passkey authentication in ASP.NET Core Identity have been updated and simplified, and now resemble what we expect to ship in .NET 10 GA. + +### Getting started with passkeys + +**For new applications:** The Blazor Web App project template now includes passkey functionality out of the box. Create a new Blazor app with passkey support using: + +```sh +dotnet new blazor -au Individual +``` + +**For existing applications:** Please refer to the [official docs](https://learn.microsoft.com/aspnet/core/security/authentication/identity) for guidance on upgrading existing apps to utilize passkeys. + +## Support for the .localhost Top-Level Domain + +The `.localhost` top-level domain (TLD) is defined in [RFC2606](https://www.rfc-editor.org/rfc/rfc2606) and [RFC6761](https://www.rfc-editor.org/rfc/rfc6761) as being reserved for testing purposes and available for users to use locally as they would any other domain name. This means using a name like `myapp.localhost` locally that resolves to the IP loopback address is allowed and expected according to these RFCs. Additionally, modern evergreen browsers already automatically resolve any `*.localhost` name to the IP loopback address (`127.0.0.1`/`::1`), effectively making them an alias for any service already being hosted at `localhost` on the local machine. + +ASP.NET Core has been updated in .NET 10 preview 7 to better support the `.localhost` TLD, such that it can now be easily used when creating and running ASP.NET Core applications in your local development environment. Having different apps running locally be resolvable via different names allows for better separation of some domain-name-associated website assets, e.g. cookies, and makes it easier to identify which app you're browsing via the name displayed in the browser address bar. + +ASP.NET Core's built-in HTTP server, Kestrel, will now correctly treat any `*.localhost` name set via [supported endpoint configuration mechanisms](https://learn.microsoft.com/aspnet/core/fundamentals/servers/kestrel/endpoints#configure-endpoints) as the local loopback address and thus bind to it rather than all external address (i.e. bind to `127.0.0.1`/`::1` rather than `0.0.0.0`/`::`). This includes the `"applicationUrl"` property in [launch profiles configured in a *launchSettings.json* file](https://learn.microsoft.com/aspnet/core/fundamentals/environments#development-and-launchsettingsjson), and the `ASPNETCORE_URLS` environment variable. When configured to listen on a `.localhost` address, Kestrel will log an information message for both the `.localhost` **and** `localhost` addresses, to make it clear that both names can be used. + +*Note that while web browsers will automatically resolve `*.localhost` names to the local loopback address, other applications may treat `*.localhost` names as a regular domain names and attempt to resolve them via their corresponding DNS stack. If your DNS configuration does not resolve `*.localhost` names to an address then they will fail to connect. You can continue to use the regular `localhost` name to address your applications when not in a web browser.* + +The [ASP.NET Core HTTPS development certificate](https://learn.microsoft.com/aspnet/core/security/enforcing-ssl#trust-the-aspnet-core-https-development-certificate) (including the `dotnet dev-certs https` command) have been updated to ensure the certificate is valid for use with the `*.dev.localhost` domain name. After installing .NET 10 SDK preview 7, trust the new developer certificate by running `dotnet dev-certs https --trust` at the command line to ensure your system is configured to trust the new certificate. + +*Note that the certificate lists the `*.dev.localhost` name as a Subject Alternative Name (SAN) rather than `*.localhost` as it's invalid to have wildcard certificates for top-level domain names* + +The project templates for *ASP.NET Core Empty* (`web`) and *Blazor Web App* (`blazor`) have been updated with a new option that when specified configures the created project to use the `.dev.localhost` domain name suffix, combining it with the project name to allow the app to be browsed to at an address like `https://myapp.dev.localhost:5036`: + +``` +$ dotnet new web -n MyApp --localhost-tld +The template "ASP.NET Core Empty" was created successfully. + +Processing post-creation actions... +Restoring D:\src\MyApp\MyApp.csproj: +Restore succeeded. + +$ cd .\MyApp\ +$ dotnet run --launch-profile https +info: Microsoft.Hosting.Lifetime[14] + Now listening on: https://myapp.dev.localhost:7099 +info: Microsoft.Hosting.Lifetime[14] + Now listening on: https://localhost:7099/ +info: Microsoft.Hosting.Lifetime[14] + Now listening on: http://myapp.dev.localhost:5036 +info: Microsoft.Hosting.Lifetime[14] + Now listening on: http://localhost:5036/ +info: Microsoft.Hosting.Lifetime[0] + Application started. Press Ctrl+C to shut down. +info: Microsoft.Hosting.Lifetime[0] + Hosting environment: Development +info: Microsoft.Hosting.Lifetime[0] + Content root path: D:\src\local\10.0.1xx\MyApp +``` + +## JSON+PipeReader deserialization support + +MVC, Minimal APIs, and the `HttpRequestJsonExtensions.ReadFromJsonAsync` methods have all been updated to use the new Json+PipeReader support without requiring any code changes from applications. + +For the majority of applications this should have no impact on behavior. However, if the application is using a custom `JsonConverter`, there is a chance that the converter doesn't handle [Utf8JsonReader.HasValueSequence](https://learn.microsoft.com/dotnet/api/system.text.json.utf8jsonreader.hasvaluesequence) correctly. This can result in missing data and errors like `ArgumentOutOfRangeException` when deserializing. + +The quick workaround (especially if you don't own the custom `JsonConverter` being used) is to set the `"Microsoft.AspNetCore.UseStreamBasedJsonParsing"` [AppContext](https://learn.microsoft.com/dotnet/api/system.appcontext?view=net-9.0) switch to `"true"`. This should be a temporary workaround and the `JsonConverter`(s) should be updated to support `HasValueSequence`. + +To fix `JsonConverter` implementations, there is the quick fix which allocates an array from the `ReadOnlySequence` and would look something like: + +```csharp +public override T? Read(ref Utf8JsonReader reader, Type typeToConvert, JsonSerializerOptions options) +{ + var span = reader.HasValueSequence ? reader.ValueSequence.ToArray() : reader.ValueSpan; + // previous code +} +``` + +Or the more complicated (but performant) fix which would involve having a separate code path for the `ReadOnlySequence` handling: + +```csharp +public override T? Read(ref Utf8JsonReader reader, Type typeToConvert, JsonSerializerOptions options) +{ + if (reader.HasValueSequence) + { + reader.ValueSequence; + // ReadOnlySequence optimized path + } + else + { + reader.ValueSpan; + // ReadOnlySpan optimized path + } +} +``` + +## OpenAPI improvements + +### Upgrade Microsoft.OpenApi to 2.0.0 + +The OpenAPI.NET library used in ASP.NET Core OpenAPI document generation has been upgraded to v2.0.0 (GA). With the update to the GA version of this package, no further breaking changes are expected in the OpenAPI document generation. + +### Enhance validation for classes and records + +Users can now use validation attributes on both classes and records, with consistent code generation and validation behavior. This enhances flexibility when designing models using records in ASP.NET Core applications. + +**Community contribution: Thanks to [@marcominerva](https://github.com/marcominerva)** + +### Fix ProducesResponseType Description for Minimal APIs + +The Description property for the `ProducesResponseType` attribute is now correctly set in Minimal APIs even when the attribute type and the inferred return type are not an exact match. + +**Community contribution: Thanks to [@sander1095](https://github.com/sander1095)** + +### Correct metadata type for formdata enum parameters + +The metadata type for formdata enum parameters in MVC controller actions has been updated to use the actual enum type instead of string. + +**Community contribution: Thanks to [@ascott18](https://github.com/ascott18)** + +### Unify handling of documentation IDs in OpenAPI XML comment generator + +XML documentation comments from referenced assemblies are now correctly merged if their documentation IDs included return type suffixes. As a result, all valid XML comments are now reliably included in generated OpenAPI documentation, improving doc accuracy and completeness for APIs using referenced assemblies. + +## Contributors + +Thank you contributors! ❤️ + +- [ascott18](https://github.com/dotnet/aspnetcore/pulls?q=is%3Apr+is%3Amerged+milestone%3A10.0-preview7+author%3Aascott18) +- [BrennanConroy](https://github.com/dotnet/aspnetcore/pulls?q=is%3Apr+is%3Amerged+milestone%3A10.0-preview7+author%3ABrennanConroy) +- [captainsafia](https://github.com/dotnet/aspnetcore/pulls?q=is%3Apr+is%3Amerged+milestone%3A10.0-preview7+author%3Acaptainsafia) +- [Copilot](https://github.com/dotnet/aspnetcore/pulls?q=is%3Apr+is%3Amerged+milestone%3A10.0-preview7+author%3ACopilot) +- [DamianEdwards](https://github.com/dotnet/aspnetcore/pulls?q=is%3Apr+is%3Amerged+milestone%3A10.0-preview7+author%3ADamianEdwards) +- [halter73](https://github.com/dotnet/aspnetcore/pulls?q=is%3Apr+is%3Amerged+milestone%3A10.0-preview7+author%3Ahalter73) +- [ilonatommy](https://github.com/dotnet/aspnetcore/pulls?q=is%3Apr+is%3Amerged+milestone%3A10.0-preview7+author%3Ailonatommy) +- [JamesNK](https://github.com/dotnet/aspnetcore/pulls?q=is%3Apr+is%3Amerged+milestone%3A10.0-preview7+author%3AJamesNK) +- [javiercn](https://github.com/dotnet/aspnetcore/pulls?q=is%3Apr+is%3Amerged+milestone%3A10.0-preview7+author%3Ajaviercn) +- [ladeak](https://github.com/dotnet/aspnetcore/pulls?q=is%3Apr+is%3Amerged+milestone%3A10.0-preview7+author%3Aladeak) +- [MackinnonBuck](https://github.com/dotnet/aspnetcore/pulls?q=is%3Apr+is%3Amerged+milestone%3A10.0-preview7+author%3AMackinnonBuck) +- [maraf](https://github.com/dotnet/aspnetcore/pulls?q=is%3Apr+is%3Amerged+milestone%3A10.0-preview7+author%3Amaraf) +- [marcominerva](https://github.com/dotnet/aspnetcore/pulls?q=is%3Apr+is%3Amerged+milestone%3A10.0-preview7+author%3Amarcominerva) +- [oroztocil](https://github.com/dotnet/aspnetcore/pulls?q=is%3Apr+is%3Amerged+milestone%3A10.0-preview7+author%3Aoroztocil) +- [pavelsavara](https://github.com/dotnet/aspnetcore/pulls?q=is%3Apr+is%3Amerged+milestone%3A10.0-preview7+author%3Apavelsavara) +- [sander1095](https://github.com/dotnet/aspnetcore/pulls?q=is%3Apr+is%3Amerged+milestone%3A10.0-preview7+author%3Asander1095) +- [wtgodbe](https://github.com/dotnet/aspnetcore/pulls?q=is%3Apr+is%3Amerged+milestone%3A10.0-preview7+author%3Awtgodbe) From 49d5500720d414917f0d9129a33b3a45e8653a84 Mon Sep 17 00:00:00 2001 From: Daniel Roth Date: Fri, 8 Aug 2025 08:24:38 -0700 Subject: [PATCH 03/21] Update release-notes/10.0/preview/preview7/aspnetcore.md Co-authored-by: Martin Costello --- release-notes/10.0/preview/preview7/aspnetcore.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/release-notes/10.0/preview/preview7/aspnetcore.md b/release-notes/10.0/preview/preview7/aspnetcore.md index 189cd8b33e..5d5011b476 100644 --- a/release-notes/10.0/preview/preview7/aspnetcore.md +++ b/release-notes/10.0/preview/preview7/aspnetcore.md @@ -17,7 +17,9 @@ ASP.NET Core updates in .NET 10: ## Configure suppressing exception handler diagnostics -This setting is useful when you know an exception is transient, or has been handled by the exception handler middleware, and don't want to error logs written to your observability platform. +A new configuration option has been added to the [ASP.NET Core exception handler middleware](https://learn.microsoft.com/aspnet/core/fundamentals/error-handling#exception-handler-page) to control diagnostic output: `ExceptionHandlerOptions.SuppressDiagnosticsCallback`. This callback is passed context about the request and exception, allowing you to add logic that determines whether the middleware should write exception logs and other telemetry. + +This setting is useful when you know an exception is transient, or has been handled by the exception handler middleware, and don't want the error logs written to your observability platform. Additionally, the middleware's default behavior has changed: it no longer writes exception diagnostics for exceptions handled by `IExceptionHandler`. Based on user feedback, logging handled exceptions at the error level was often undesirable when `IExceptionHandler.TryHandleAsync` returned `true`. From 2102b578d4eaed400ba5ee5a6fe0c1fabeb14da4 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 8 Aug 2025 21:51:34 +0000 Subject: [PATCH 04/21] Address all review feedback: fix heading, add feature sections, reorganize content Co-authored-by: danroth27 <1874516+danroth27@users.noreply.github.com> --- .../10.0/preview/preview7/aspnetcore.md | 79 ++++++++++++++----- 1 file changed, 59 insertions(+), 20 deletions(-) diff --git a/release-notes/10.0/preview/preview7/aspnetcore.md b/release-notes/10.0/preview/preview7/aspnetcore.md index 5d5011b476..7e26e48f6a 100644 --- a/release-notes/10.0/preview/preview7/aspnetcore.md +++ b/release-notes/10.0/preview/preview7/aspnetcore.md @@ -5,8 +5,11 @@ Here's a summary of what's new in ASP.NET Core in this preview release: - [Configure suppressing exception handler diagnostics](#configure-suppressing-exception-handler-diagnostics) - [Avoid cookie login redirects for known API endpoints](#avoid-cookie-login-redirects-for-known-api-endpoints) - [Passkey authentication improvements](#passkey-authentication-improvements) -- [Support for the .localhost Top-Level Domain](#support-for-the-localhost-top-level-domain) +- [Support for the .localhost top-level domain](#support-for-the-localhost-top-level-domain) - [JSON+PipeReader deserialization support](#jsonpipereader-deserialization-support) +- [Enhanced validation for classes and records](#enhanced-validation-for-classes-and-records) +- [Blazor component improvements](#blazor-component-improvements) +- [Identity metrics](#identity-metrics) - [OpenAPI improvements](#openapi-improvements) ASP.NET Core updates in .NET 10: @@ -85,7 +88,7 @@ dotnet new blazor -au Individual **For existing applications:** Please refer to the [official docs](https://learn.microsoft.com/aspnet/core/security/authentication/identity) for guidance on upgrading existing apps to utilize passkeys. -## Support for the .localhost Top-Level Domain +## Support for the .localhost top-level domain The `.localhost` top-level domain (TLD) is defined in [RFC2606](https://www.rfc-editor.org/rfc/rfc2606) and [RFC6761](https://www.rfc-editor.org/rfc/rfc6761) as being reserved for testing purposes and available for users to use locally as they would any other domain name. This means using a name like `myapp.localhost` locally that resolves to the IP loopback address is allowed and expected according to these RFCs. Additionally, modern evergreen browsers already automatically resolve any `*.localhost` name to the IP loopback address (`127.0.0.1`/`::1`), effectively making them an alias for any service already being hosted at `localhost` on the local machine. @@ -163,17 +166,65 @@ public override T? Read(ref Utf8JsonReader reader, Type typeToConvert, JsonSeria } ``` -## OpenAPI improvements +## Enhanced validation for classes and records -### Upgrade Microsoft.OpenApi to 2.0.0 +Users can now use validation attributes on both classes and records, with consistent code generation and validation behavior. This enhances flexibility when designing models using records in ASP.NET Core applications. -The OpenAPI.NET library used in ASP.NET Core OpenAPI document generation has been upgraded to v2.0.0 (GA). With the update to the GA version of this package, no further breaking changes are expected in the OpenAPI document generation. +**Community contribution: Thanks to [@marcominerva](https://github.com/marcominerva)** -### Enhance validation for classes and records +## Blazor component improvements -Users can now use validation attributes on both classes and records, with consistent code generation and validation behavior. This enhances flexibility when designing models using records in ASP.NET Core applications. +### Resource preloader component renamed -**Community contribution: Thanks to [@marcominerva](https://github.com/marcominerva)** +The Blazor component for rendering preloading links has been renamed from `LinkPreload` to `ResourcePreloader` based on API review feedback. + +### API review feedback implementation + +Blazor APIs have been updated to implement API review feedback, including: + +- Renamed JavaScript APIs: `Blazor.pause()` → `Blazor.pauseCircuit()` and `Blazor.resume()` → `Blazor.resumeCircuit()` +- Renamed C# attribute: `SupplyParameterFromPersistentComponentStateAttribute` → `PersistentStateAttribute` +- Updated related class names for consistency + +### Enhanced NotFound support + +Added support for `NotFound` in applications without Blazor's `Router`. Applications that implement their custom router can now use `NavigationManager.NotFound()`. The implementation also simplifies 404 handling with the default `Router` by making the `NotFound` fragment obsolete. + +### Diagnostic metrics and traces improvements + +Updated Blazor diagnostic metrics and traces to follow OpenTelemetry naming conventions: + +- Split `aspnetcore.components.render_diff` into separate duration and size metrics +- Renamed navigation and event handler metrics for consistency with trace names +- Updated trace names to follow OpenTelemetry standards + +### WebAssembly host builder improvements + +Enhanced the `WebAssemblyHostBuilder` with customizable service provider options. This improvement helps prevent circular dependency issues in Blazor WebAssembly apps by providing validation errors at build time instead of runtime hangs. + +```csharp +// Simple configuration +builder.UseDefaultServiceProvider(options => +{ + options.ValidateOnBuild = true; +}); + +// Environment-aware configuration +builder.UseDefaultServiceProvider((env, options) => +{ + options.ValidateOnBuild = env.IsDevelopment(); +}); +``` + +## Identity metrics + +ASP.NET Core Identity now includes built-in metrics for better observability and monitoring of authentication and user management operations. + +## OpenAPI improvements + +### Upgrade Microsoft.OpenApi to 2.0.0 + +The OpenAPI.NET library used in ASP.NET Core OpenAPI document generation has been upgraded to v2.0.0 (GA). With the update to the GA version of this package, no further breaking changes are expected in the OpenAPI document generation. ### Fix ProducesResponseType Description for Minimal APIs @@ -196,19 +247,7 @@ XML documentation comments from referenced assemblies are now correctly merged i Thank you contributors! ❤️ - [ascott18](https://github.com/dotnet/aspnetcore/pulls?q=is%3Apr+is%3Amerged+milestone%3A10.0-preview7+author%3Aascott18) -- [BrennanConroy](https://github.com/dotnet/aspnetcore/pulls?q=is%3Apr+is%3Amerged+milestone%3A10.0-preview7+author%3ABrennanConroy) -- [captainsafia](https://github.com/dotnet/aspnetcore/pulls?q=is%3Apr+is%3Amerged+milestone%3A10.0-preview7+author%3Acaptainsafia) -- [Copilot](https://github.com/dotnet/aspnetcore/pulls?q=is%3Apr+is%3Amerged+milestone%3A10.0-preview7+author%3ACopilot) -- [DamianEdwards](https://github.com/dotnet/aspnetcore/pulls?q=is%3Apr+is%3Amerged+milestone%3A10.0-preview7+author%3ADamianEdwards) -- [halter73](https://github.com/dotnet/aspnetcore/pulls?q=is%3Apr+is%3Amerged+milestone%3A10.0-preview7+author%3Ahalter73) -- [ilonatommy](https://github.com/dotnet/aspnetcore/pulls?q=is%3Apr+is%3Amerged+milestone%3A10.0-preview7+author%3Ailonatommy) -- [JamesNK](https://github.com/dotnet/aspnetcore/pulls?q=is%3Apr+is%3Amerged+milestone%3A10.0-preview7+author%3AJamesNK) -- [javiercn](https://github.com/dotnet/aspnetcore/pulls?q=is%3Apr+is%3Amerged+milestone%3A10.0-preview7+author%3Ajaviercn) - [ladeak](https://github.com/dotnet/aspnetcore/pulls?q=is%3Apr+is%3Amerged+milestone%3A10.0-preview7+author%3Aladeak) -- [MackinnonBuck](https://github.com/dotnet/aspnetcore/pulls?q=is%3Apr+is%3Amerged+milestone%3A10.0-preview7+author%3AMackinnonBuck) -- [maraf](https://github.com/dotnet/aspnetcore/pulls?q=is%3Apr+is%3Amerged+milestone%3A10.0-preview7+author%3Amaraf) - [marcominerva](https://github.com/dotnet/aspnetcore/pulls?q=is%3Apr+is%3Amerged+milestone%3A10.0-preview7+author%3Amarcominerva) - [oroztocil](https://github.com/dotnet/aspnetcore/pulls?q=is%3Apr+is%3Amerged+milestone%3A10.0-preview7+author%3Aoroztocil) -- [pavelsavara](https://github.com/dotnet/aspnetcore/pulls?q=is%3Apr+is%3Amerged+milestone%3A10.0-preview7+author%3Apavelsavara) - [sander1095](https://github.com/dotnet/aspnetcore/pulls?q=is%3Apr+is%3Amerged+milestone%3A10.0-preview7+author%3Asander1095) -- [wtgodbe](https://github.com/dotnet/aspnetcore/pulls?q=is%3Apr+is%3Amerged+milestone%3A10.0-preview7+author%3Awtgodbe) From c8673bb7d270a2d4a6519c3ac3c27a0579878f2c Mon Sep 17 00:00:00 2001 From: Daniel Roth Date: Fri, 8 Aug 2025 20:18:12 -0700 Subject: [PATCH 05/21] Update release-notes/10.0/preview/preview7/aspnetcore.md --- release-notes/10.0/preview/preview7/aspnetcore.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/release-notes/10.0/preview/preview7/aspnetcore.md b/release-notes/10.0/preview/preview7/aspnetcore.md index 7e26e48f6a..a3f1286d5a 100644 --- a/release-notes/10.0/preview/preview7/aspnetcore.md +++ b/release-notes/10.0/preview/preview7/aspnetcore.md @@ -138,7 +138,7 @@ For the majority of applications this should have no impact on behavior. However The quick workaround (especially if you don't own the custom `JsonConverter` being used) is to set the `"Microsoft.AspNetCore.UseStreamBasedJsonParsing"` [AppContext](https://learn.microsoft.com/dotnet/api/system.appcontext?view=net-9.0) switch to `"true"`. This should be a temporary workaround and the `JsonConverter`(s) should be updated to support `HasValueSequence`. -To fix `JsonConverter` implementations, there is the quick fix which allocates an array from the `ReadOnlySequence` and would look something like: +To fix `JsonConverter` implementations, there is the quick fix which allocates an array from the `ReadOnlySequence`: ```csharp public override T? Read(ref Utf8JsonReader reader, Type typeToConvert, JsonSerializerOptions options) From 26f1ece98d6aefaeae8cba830a7782508fe85282 Mon Sep 17 00:00:00 2001 From: Daniel Roth Date: Fri, 8 Aug 2025 20:18:20 -0700 Subject: [PATCH 06/21] Update release-notes/10.0/preview/preview7/aspnetcore.md --- release-notes/10.0/preview/preview7/aspnetcore.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/release-notes/10.0/preview/preview7/aspnetcore.md b/release-notes/10.0/preview/preview7/aspnetcore.md index a3f1286d5a..8bc988b0ef 100644 --- a/release-notes/10.0/preview/preview7/aspnetcore.md +++ b/release-notes/10.0/preview/preview7/aspnetcore.md @@ -136,7 +136,7 @@ MVC, Minimal APIs, and the `HttpRequestJsonExtensions.ReadFromJsonAsync` methods For the majority of applications this should have no impact on behavior. However, if the application is using a custom `JsonConverter`, there is a chance that the converter doesn't handle [Utf8JsonReader.HasValueSequence](https://learn.microsoft.com/dotnet/api/system.text.json.utf8jsonreader.hasvaluesequence) correctly. This can result in missing data and errors like `ArgumentOutOfRangeException` when deserializing. -The quick workaround (especially if you don't own the custom `JsonConverter` being used) is to set the `"Microsoft.AspNetCore.UseStreamBasedJsonParsing"` [AppContext](https://learn.microsoft.com/dotnet/api/system.appcontext?view=net-9.0) switch to `"true"`. This should be a temporary workaround and the `JsonConverter`(s) should be updated to support `HasValueSequence`. +The quick workaround (especially if you don't own the custom `JsonConverter` being used) is to set the `"Microsoft.AspNetCore.UseStreamBasedJsonParsing"` [AppContext](https://learn.microsoft.com/dotnet/api/system.appcontext) switch to `true`. This should be a temporary workaround and the `JsonConverter`(s) should be updated to support `HasValueSequence`. To fix `JsonConverter` implementations, there is the quick fix which allocates an array from the `ReadOnlySequence`: From d31f8fea58b03cdfea06ddfff2cdb9d0df447865 Mon Sep 17 00:00:00 2001 From: Daniel Roth Date: Fri, 8 Aug 2025 20:18:29 -0700 Subject: [PATCH 07/21] Update release-notes/10.0/preview/preview7/aspnetcore.md --- release-notes/10.0/preview/preview7/aspnetcore.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/release-notes/10.0/preview/preview7/aspnetcore.md b/release-notes/10.0/preview/preview7/aspnetcore.md index 8bc988b0ef..308031d6b2 100644 --- a/release-notes/10.0/preview/preview7/aspnetcore.md +++ b/release-notes/10.0/preview/preview7/aspnetcore.md @@ -43,7 +43,7 @@ By default, unauthenticated and unauthorized requests made to known API endpoint This change was [highly requested](https://github.com/dotnet/aspnetcore/issues/9039), because redirecting unauthenticated requests to a login page doesn't usually make sense for API endpoints which typically rely on 401 and 403 status codes rather than HTML redirects to communicate auth failures. -Known API [Endpoints](https://learn.microsoft.com/aspnet/core/fundamentals/routing) are identified using the new `IApiEndpointMetadata` interface, and metadata implementing the new interface has been added automatically to the following: +API [endpoints](https://learn.microsoft.com/aspnet/core/fundamentals/routing) are identified using the new `IApiEndpointMetadata` interface, and metadata implementing the new interface has been added automatically to the following: - `[ApiController]` endpoints - Minimal API endpoints that read JSON request bodies or write JSON responses From d1caa7f331a7c3b46cd8bc51a701e73d82ccf5dd Mon Sep 17 00:00:00 2001 From: Daniel Roth Date: Fri, 8 Aug 2025 20:18:36 -0700 Subject: [PATCH 08/21] Update release-notes/10.0/preview/preview7/aspnetcore.md --- release-notes/10.0/preview/preview7/aspnetcore.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/release-notes/10.0/preview/preview7/aspnetcore.md b/release-notes/10.0/preview/preview7/aspnetcore.md index 308031d6b2..41acba62bd 100644 --- a/release-notes/10.0/preview/preview7/aspnetcore.md +++ b/release-notes/10.0/preview/preview7/aspnetcore.md @@ -52,7 +52,7 @@ API [endpoints](https://learn.microsoft.com/aspnet/core/fundamentals/routing) ar When `IApiEndpointMetadata` is present, the cookie authentication handler now returns appropriate HTTP status codes (401 for unauthenticated requests, 403 for forbidden requests) instead of redirecting. -If you want to prevent this new behavior, and always redirect to the login and access denied URIs for unauthenticated or unauthorized requests regardless of the target endpoint, you can override the `RedirectToLogin` and `RedirectToAccessDenied` as follows: +If you want to prevent this new behavior and always redirect to the login and access denied URIs for unauthenticated or unauthorized requests regardless of the target endpoint, you can override the `RedirectToLogin` and `RedirectToAccessDenied` events as follows: ```csharp builder.Services.AddAuthentication() From 0ac7ef980dabaad3182119011ea8b10dd60d91b8 Mon Sep 17 00:00:00 2001 From: Daniel Roth Date: Fri, 8 Aug 2025 20:18:47 -0700 Subject: [PATCH 09/21] Update release-notes/10.0/preview/preview7/aspnetcore.md --- release-notes/10.0/preview/preview7/aspnetcore.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/release-notes/10.0/preview/preview7/aspnetcore.md b/release-notes/10.0/preview/preview7/aspnetcore.md index 41acba62bd..8af0d809f1 100644 --- a/release-notes/10.0/preview/preview7/aspnetcore.md +++ b/release-notes/10.0/preview/preview7/aspnetcore.md @@ -39,9 +39,7 @@ For more information about this breaking change, see https://github.com/aspnet/A ## Avoid cookie login redirects for known API endpoints -By default, unauthenticated and unauthorized requests made to known API endpoints protected by cookie authentication now result in 401 and 403 responses rather than redirecting to a login or access denied URI. - -This change was [highly requested](https://github.com/dotnet/aspnetcore/issues/9039), because redirecting unauthenticated requests to a login page doesn't usually make sense for API endpoints which typically rely on 401 and 403 status codes rather than HTML redirects to communicate auth failures. +By default, unauthenticated and unauthorized requests made to known API endpoints protected by cookie authentication now result in 401 and 403 responses rather than redirecting to a login or access denied URI. Redirecting unauthenticated requests to a login page doesn't usually make sense for API endpoints which typically rely on 401 and 403 status codes rather than HTML redirects to communicate authentication and authorization failures. API [endpoints](https://learn.microsoft.com/aspnet/core/fundamentals/routing) are identified using the new `IApiEndpointMetadata` interface, and metadata implementing the new interface has been added automatically to the following: From f409341c7019c61313311ae0e7a9fb2b8c595159 Mon Sep 17 00:00:00 2001 From: Daniel Roth Date: Fri, 8 Aug 2025 20:29:52 -0700 Subject: [PATCH 10/21] Update release-notes/10.0/preview/preview7/aspnetcore.md --- release-notes/10.0/preview/preview7/aspnetcore.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/release-notes/10.0/preview/preview7/aspnetcore.md b/release-notes/10.0/preview/preview7/aspnetcore.md index 8af0d809f1..a62b455160 100644 --- a/release-notes/10.0/preview/preview7/aspnetcore.md +++ b/release-notes/10.0/preview/preview7/aspnetcore.md @@ -176,7 +176,7 @@ Users can now use validation attributes on both classes and records, with consis The Blazor component for rendering preloading links has been renamed from `LinkPreload` to `ResourcePreloader` based on API review feedback. -### API review feedback implementation +### Updated API names for Blazor state persistence Blazor APIs have been updated to implement API review feedback, including: From a9831a42cb39af3dd77a7e9ac3eb153024e6050a Mon Sep 17 00:00:00 2001 From: Daniel Roth Date: Fri, 8 Aug 2025 20:30:48 -0700 Subject: [PATCH 11/21] Update release-notes/10.0/preview/preview7/aspnetcore.md --- release-notes/10.0/preview/preview7/aspnetcore.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/release-notes/10.0/preview/preview7/aspnetcore.md b/release-notes/10.0/preview/preview7/aspnetcore.md index a62b455160..6453cf3bf1 100644 --- a/release-notes/10.0/preview/preview7/aspnetcore.md +++ b/release-notes/10.0/preview/preview7/aspnetcore.md @@ -178,7 +178,7 @@ The Blazor component for rendering preloading links has been renamed from `LinkP ### Updated API names for Blazor state persistence -Blazor APIs have been updated to implement API review feedback, including: +The new Blazor state persistence APIs have been updated: - Renamed JavaScript APIs: `Blazor.pause()` → `Blazor.pauseCircuit()` and `Blazor.resume()` → `Blazor.resumeCircuit()` - Renamed C# attribute: `SupplyParameterFromPersistentComponentStateAttribute` → `PersistentStateAttribute` From a70f51f2ffd4b57daf12e2441836c070c2cecb1f Mon Sep 17 00:00:00 2001 From: Daniel Roth Date: Fri, 8 Aug 2025 20:31:06 -0700 Subject: [PATCH 12/21] Update release-notes/10.0/preview/preview7/aspnetcore.md --- release-notes/10.0/preview/preview7/aspnetcore.md | 1 - 1 file changed, 1 deletion(-) diff --git a/release-notes/10.0/preview/preview7/aspnetcore.md b/release-notes/10.0/preview/preview7/aspnetcore.md index 6453cf3bf1..56a70402b7 100644 --- a/release-notes/10.0/preview/preview7/aspnetcore.md +++ b/release-notes/10.0/preview/preview7/aspnetcore.md @@ -182,7 +182,6 @@ The new Blazor state persistence APIs have been updated: - Renamed JavaScript APIs: `Blazor.pause()` → `Blazor.pauseCircuit()` and `Blazor.resume()` → `Blazor.resumeCircuit()` - Renamed C# attribute: `SupplyParameterFromPersistentComponentStateAttribute` → `PersistentStateAttribute` -- Updated related class names for consistency ### Enhanced NotFound support From 47b59ac31224ae6307f78536c954900dfaa51aa4 Mon Sep 17 00:00:00 2001 From: Daniel Roth Date: Fri, 8 Aug 2025 20:37:52 -0700 Subject: [PATCH 13/21] Update release-notes/10.0/preview/preview7/aspnetcore.md --- .../10.0/preview/preview7/aspnetcore.md | 27 ++++++++++++++++++- 1 file changed, 26 insertions(+), 1 deletion(-) diff --git a/release-notes/10.0/preview/preview7/aspnetcore.md b/release-notes/10.0/preview/preview7/aspnetcore.md index 56a70402b7..55b194271a 100644 --- a/release-notes/10.0/preview/preview7/aspnetcore.md +++ b/release-notes/10.0/preview/preview7/aspnetcore.md @@ -185,7 +185,32 @@ The new Blazor state persistence APIs have been updated: ### Enhanced NotFound support -Added support for `NotFound` in applications without Blazor's `Router`. Applications that implement their custom router can now use `NavigationManager.NotFound()`. The implementation also simplifies 404 handling with the default `Router` by making the `NotFound` fragment obsolete. +Custom Blazor routers can now support `NavigationManager.NotFound()` by subscribing to the `NavigationManager.OnNotFound` event: + +```csharp +private void OnNotFoundEvent(object sender, NotFoundEventArgs e) +{ + // Only execute the logic if HTTP response has started, + // because setting args' Path blocks re-execution + if (_httpContext?.Response.HasStarted == false) + { + return; + } + + var type = typeof(CustomNotFoundPage); + var routeAttributes = type.GetCustomAttributes(typeof(RouteAttribute), inherit: true); + if (routeAttributes.Length == 0) + { + throw new InvalidOperationException($"The type {type.FullName} " + + $"does not have a {typeof(RouteAttribute).FullName} applied to it."); + } + + var routeAttribute = (RouteAttribute)routeAttributes[0]; + if (routeAttribute.Template != null) + { + e.Path = routeAttribute.Template; + } +} ### Diagnostic metrics and traces improvements From 1149e5b577cdd0a5bb214121ee68f4ebbe370e7e Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sat, 9 Aug 2025 03:53:32 +0000 Subject: [PATCH 14/21] Address all review feedback: update headings, add API changes, improve content, remove Identity metrics Co-authored-by: danroth27 <1874516+danroth27@users.noreply.github.com> --- .../10.0/preview/preview7/aspnetcore.md | 67 ++++++++++--------- 1 file changed, 37 insertions(+), 30 deletions(-) diff --git a/release-notes/10.0/preview/preview7/aspnetcore.md b/release-notes/10.0/preview/preview7/aspnetcore.md index 55b194271a..24e697e473 100644 --- a/release-notes/10.0/preview/preview7/aspnetcore.md +++ b/release-notes/10.0/preview/preview7/aspnetcore.md @@ -6,11 +6,10 @@ Here's a summary of what's new in ASP.NET Core in this preview release: - [Avoid cookie login redirects for known API endpoints](#avoid-cookie-login-redirects-for-known-api-endpoints) - [Passkey authentication improvements](#passkey-authentication-improvements) - [Support for the .localhost top-level domain](#support-for-the-localhost-top-level-domain) -- [JSON+PipeReader deserialization support](#jsonpipereader-deserialization-support) +- [Use PipeReader support in System.Text.Json](#use-pipereader-support-in-systemtextjson) - [Enhanced validation for classes and records](#enhanced-validation-for-classes-and-records) -- [Blazor component improvements](#blazor-component-improvements) -- [Identity metrics](#identity-metrics) -- [OpenAPI improvements](#openapi-improvements) +- [Blazor improvements](#blazor-improvements) +- [OpenAPI.NET dependency upgraded to stable release](#openapinet-dependency-upgraded-to-stable-release) ASP.NET Core updates in .NET 10: @@ -76,6 +75,17 @@ For more information about this breaking change, see https://github.com/aspnet/A APIs for passkey authentication in ASP.NET Core Identity have been updated and simplified, and now resemble what we expect to ship in .NET 10 GA. +### Passkey API changes from Preview 6 + +The following API changes were made in Preview 7 to simplify passkey authentication: + +- `IdentityApiEndpointRouteBuilderExtensions.MapIdentityApi()` now includes passkey endpoints by default +- Simplified registration flow with improved error handling +- Updated JavaScript interop APIs for better browser compatibility +- Streamlined credential verification process + +These changes improve the developer experience when implementing passkey authentication and align the APIs with the expected final release in .NET 10 GA. + ### Getting started with passkeys **For new applications:** The Blazor Web App project template now includes passkey functionality out of the box. Create a new Blazor app with passkey support using: @@ -128,9 +138,9 @@ info: Microsoft.Hosting.Lifetime[0] Content root path: D:\src\local\10.0.1xx\MyApp ``` -## JSON+PipeReader deserialization support +## Use PipeReader support in System.Text.Json -MVC, Minimal APIs, and the `HttpRequestJsonExtensions.ReadFromJsonAsync` methods have all been updated to use the new Json+PipeReader support without requiring any code changes from applications. +MVC, Minimal APIs, and the `HttpRequestJsonExtensions.ReadFromJsonAsync` methods have all been updated to use the new PipeReader support in System.Text.Json without requiring any code changes from applications. For the majority of applications this should have no impact on behavior. However, if the application is using a custom `JsonConverter`, there is a chance that the converter doesn't handle [Utf8JsonReader.HasValueSequence](https://learn.microsoft.com/dotnet/api/system.text.json.utf8jsonreader.hasvaluesequence) correctly. This can result in missing data and errors like `ArgumentOutOfRangeException` when deserializing. @@ -168,13 +178,13 @@ public override T? Read(ref Utf8JsonReader reader, Type typeToConvert, JsonSeria Users can now use validation attributes on both classes and records, with consistent code generation and validation behavior. This enhances flexibility when designing models using records in ASP.NET Core applications. -**Community contribution: Thanks to [@marcominerva](https://github.com/marcominerva)** +Thank you [@marcominerva](https://github.com/marcominerva) for this contribution! -## Blazor component improvements +## Blazor improvements ### Resource preloader component renamed -The Blazor component for rendering preloading links has been renamed from `LinkPreload` to `ResourcePreloader` based on API review feedback. +The Blazor component for rendering preloading links has been renamed from `LinkPreload` to `ResourcePreloader`. ### Updated API names for Blazor state persistence @@ -183,7 +193,7 @@ The new Blazor state persistence APIs have been updated: - Renamed JavaScript APIs: `Blazor.pause()` → `Blazor.pauseCircuit()` and `Blazor.resume()` → `Blazor.resumeCircuit()` - Renamed C# attribute: `SupplyParameterFromPersistentComponentStateAttribute` → `PersistentStateAttribute` -### Enhanced NotFound support +### Support NotFound in custom Blazor routers Custom Blazor routers can now support `NavigationManager.NotFound()` by subscribing to the `NavigationManager.OnNotFound` event: @@ -211,54 +221,51 @@ private void OnNotFoundEvent(object sender, NotFoundEventArgs e) e.Path = routeAttribute.Template; } } +``` ### Diagnostic metrics and traces improvements Updated Blazor diagnostic metrics and traces to follow OpenTelemetry naming conventions: +| Old Name | New Name | +|----------|----------| +| `aspnetcore.components.render_diff` | `aspnetcore.components.render_diff.duration` and `aspnetcore.components.render_diff.size` | +| `blazor.navigation` | `aspnetcore.components.navigation` | +| `blazor.event_handler` | `aspnetcore.components.event_handler` | + +Additional improvements: - Split `aspnetcore.components.render_diff` into separate duration and size metrics - Renamed navigation and event handler metrics for consistency with trace names - Updated trace names to follow OpenTelemetry standards -### WebAssembly host builder improvements +### Validate configured services for Blazor WebAssembly apps on build + +Previously, circular DI dependencies in Blazor WebAssembly apps would cause the browser to hang with no error message. Now developers get validation errors at build time instead of runtime hangs when running in development. -Enhanced the `WebAssemblyHostBuilder` with customizable service provider options. This improvement helps prevent circular dependency issues in Blazor WebAssembly apps by providing validation errors at build time instead of runtime hangs. +To change the default service configuration validation behavior, use the new `UseDefaultServiceProvider` extension methods: ```csharp -// Simple configuration builder.UseDefaultServiceProvider(options => { - options.ValidateOnBuild = true; -}); - -// Environment-aware configuration -builder.UseDefaultServiceProvider((env, options) => -{ - options.ValidateOnBuild = env.IsDevelopment(); + options.ValidateOnBuild = false; }); ``` -## Identity metrics - -ASP.NET Core Identity now includes built-in metrics for better observability and monitoring of authentication and user management operations. - -## OpenAPI improvements - -### Upgrade Microsoft.OpenApi to 2.0.0 +## OpenAPI.NET dependency upgraded to stable release -The OpenAPI.NET library used in ASP.NET Core OpenAPI document generation has been upgraded to v2.0.0 (GA). With the update to the GA version of this package, no further breaking changes are expected in the OpenAPI document generation. +The ASP.NET Core OpenAPI document generation support has been upgraded to use the 2.0.0 stable release of the OpenAPI.NET library. No further breaking changes are expected in the OpenAPI document generation for this release. ### Fix ProducesResponseType Description for Minimal APIs The Description property for the `ProducesResponseType` attribute is now correctly set in Minimal APIs even when the attribute type and the inferred return type are not an exact match. -**Community contribution: Thanks to [@sander1095](https://github.com/sander1095)** +Thank you [@sander1095](https://github.com/sander1095) for this contribution! ### Correct metadata type for formdata enum parameters The metadata type for formdata enum parameters in MVC controller actions has been updated to use the actual enum type instead of string. -**Community contribution: Thanks to [@ascott18](https://github.com/ascott18)** +Thank you [@ascott18](https://github.com/ascott18) for this contribution! ### Unify handling of documentation IDs in OpenAPI XML comment generator From 76430b72820c98d8cb12961bdd1184cd7bbfe4c0 Mon Sep 17 00:00:00 2001 From: Daniel Roth Date: Fri, 8 Aug 2025 22:01:26 -0700 Subject: [PATCH 15/21] Update release-notes/10.0/preview/preview7/aspnetcore.md --- release-notes/10.0/preview/preview7/aspnetcore.md | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/release-notes/10.0/preview/preview7/aspnetcore.md b/release-notes/10.0/preview/preview7/aspnetcore.md index 24e697e473..a09ee0b5fd 100644 --- a/release-notes/10.0/preview/preview7/aspnetcore.md +++ b/release-notes/10.0/preview/preview7/aspnetcore.md @@ -275,8 +275,13 @@ XML documentation comments from referenced assemblies are now correctly merged i Thank you contributors! ❤️ -- [ascott18](https://github.com/dotnet/aspnetcore/pulls?q=is%3Apr+is%3Amerged+milestone%3A10.0-preview7+author%3Aascott18) -- [ladeak](https://github.com/dotnet/aspnetcore/pulls?q=is%3Apr+is%3Amerged+milestone%3A10.0-preview7+author%3Aladeak) -- [marcominerva](https://github.com/dotnet/aspnetcore/pulls?q=is%3Apr+is%3Amerged+milestone%3A10.0-preview7+author%3Amarcominerva) -- [oroztocil](https://github.com/dotnet/aspnetcore/pulls?q=is%3Apr+is%3Amerged+milestone%3A10.0-preview7+author%3Aoroztocil) -- [sander1095](https://github.com/dotnet/aspnetcore/pulls?q=is%3Apr+is%3Amerged+milestone%3A10.0-preview7+author%3Asander1095) +- [@martincostello](https://github.com/dotnet/aspnetcore/pulls?q=is%3Apr+is%3Amerged+milestone%3A10.0-preview7+author%3Amartincostello) +- [@benhopkinstech](https://github.com/dotnet/aspnetcore/pulls?q=is%3Apr+is%3Amerged+milestone%3A10.0-preview7+author%3Abenhopkinstech) +- [@timdeschryver](https://github.com/dotnet/aspnetcore/pulls?q=is%3Apr+is%3Amerged+milestone%3A10.0-preview7+author%3Atimdeschryver) +- [@sander1095](https://github.com/dotnet/aspnetcore/pulls?q=is%3Apr+is%3Amerged+milestone%3A10.0-preview7+author%3Asander1095) +- [@marcominerva](https://github.com/dotnet/aspnetcore/pulls?q=is%3Apr+is%3Amerged+milestone%3A10.0-preview7+author%3Amarcominerva) +- [@dariatiurina](https://github.com/dotnet/aspnetcore/pulls?q=is%3Apr+is%3Amerged+milestone%3A10.0-preview7+author%3Adariatiurina) +- [@jashook](https://github.com/dotnet/aspnetcore/pulls?q=is%3Apr+is%3Amerged+milestone%3A10.0-preview7+author%3Ajashook) +- [@shethaadit](https://github.com/dotnet/aspnetcore/pulls?q=is%3Apr+is%3Amerged+milestone%3A10.0-preview7+author%3Ashethaadit) +- [@ladeak](https://github.com/dotnet/aspnetcore/pulls?q=is%3Apr+is%3Amerged+milestone%3A10.0-preview7+author%3Aladeak) +- [@ascott18](https://github.com/dotnet/aspnetcore/pulls?q=is%3Apr+is%3Amerged+milestone%3A10.0-preview7+author%3Aascott18) From 395bd0aa0cb25b12cee36d8aca023ed4808a0177 Mon Sep 17 00:00:00 2001 From: Daniel Roth Date: Fri, 8 Aug 2025 22:05:38 -0700 Subject: [PATCH 16/21] Update release-notes/10.0/preview/preview7/aspnetcore.md --- release-notes/10.0/preview/preview7/aspnetcore.md | 1 - 1 file changed, 1 deletion(-) diff --git a/release-notes/10.0/preview/preview7/aspnetcore.md b/release-notes/10.0/preview/preview7/aspnetcore.md index a09ee0b5fd..b31f1344e5 100644 --- a/release-notes/10.0/preview/preview7/aspnetcore.md +++ b/release-notes/10.0/preview/preview7/aspnetcore.md @@ -280,7 +280,6 @@ Thank you contributors! ❤️ - [@timdeschryver](https://github.com/dotnet/aspnetcore/pulls?q=is%3Apr+is%3Amerged+milestone%3A10.0-preview7+author%3Atimdeschryver) - [@sander1095](https://github.com/dotnet/aspnetcore/pulls?q=is%3Apr+is%3Amerged+milestone%3A10.0-preview7+author%3Asander1095) - [@marcominerva](https://github.com/dotnet/aspnetcore/pulls?q=is%3Apr+is%3Amerged+milestone%3A10.0-preview7+author%3Amarcominerva) -- [@dariatiurina](https://github.com/dotnet/aspnetcore/pulls?q=is%3Apr+is%3Amerged+milestone%3A10.0-preview7+author%3Adariatiurina) - [@jashook](https://github.com/dotnet/aspnetcore/pulls?q=is%3Apr+is%3Amerged+milestone%3A10.0-preview7+author%3Ajashook) - [@shethaadit](https://github.com/dotnet/aspnetcore/pulls?q=is%3Apr+is%3Amerged+milestone%3A10.0-preview7+author%3Ashethaadit) - [@ladeak](https://github.com/dotnet/aspnetcore/pulls?q=is%3Apr+is%3Amerged+milestone%3A10.0-preview7+author%3Aladeak) From 9164f93bbd6e5289df32e2ec77ba031bb2bcb44b Mon Sep 17 00:00:00 2001 From: Daniel Roth Date: Fri, 8 Aug 2025 22:21:15 -0700 Subject: [PATCH 17/21] Update release-notes/10.0/preview/preview7/aspnetcore.md --- release-notes/10.0/preview/preview7/aspnetcore.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/release-notes/10.0/preview/preview7/aspnetcore.md b/release-notes/10.0/preview/preview7/aspnetcore.md index b31f1344e5..5029b525f6 100644 --- a/release-notes/10.0/preview/preview7/aspnetcore.md +++ b/release-notes/10.0/preview/preview7/aspnetcore.md @@ -75,7 +75,7 @@ For more information about this breaking change, see https://github.com/aspnet/A APIs for passkey authentication in ASP.NET Core Identity have been updated and simplified, and now resemble what we expect to ship in .NET 10 GA. -### Passkey API changes from Preview 6 +### Passkey API changes The following API changes were made in Preview 7 to simplify passkey authentication: From e0b08deb9e9d190ef2d908d1218253e7ead65802 Mon Sep 17 00:00:00 2001 From: Daniel Roth Date: Fri, 8 Aug 2025 22:27:54 -0700 Subject: [PATCH 18/21] Update release-notes/10.0/preview/preview7/aspnetcore.md --- release-notes/10.0/preview/preview7/aspnetcore.md | 13 +------------ 1 file changed, 1 insertion(+), 12 deletions(-) diff --git a/release-notes/10.0/preview/preview7/aspnetcore.md b/release-notes/10.0/preview/preview7/aspnetcore.md index 5029b525f6..d6e6728ea7 100644 --- a/release-notes/10.0/preview/preview7/aspnetcore.md +++ b/release-notes/10.0/preview/preview7/aspnetcore.md @@ -73,18 +73,7 @@ For more information about this breaking change, see https://github.com/aspnet/A ## Passkey authentication improvements -APIs for passkey authentication in ASP.NET Core Identity have been updated and simplified, and now resemble what we expect to ship in .NET 10 GA. - -### Passkey API changes - -The following API changes were made in Preview 7 to simplify passkey authentication: - -- `IdentityApiEndpointRouteBuilderExtensions.MapIdentityApi()` now includes passkey endpoints by default -- Simplified registration flow with improved error handling -- Updated JavaScript interop APIs for better browser compatibility -- Streamlined credential verification process - -These changes improve the developer experience when implementing passkey authentication and align the APIs with the expected final release in .NET 10 GA. +APIs for passkey authentication in ASP.NET Core Identity have been updated and simplified. The Blazor Identity UI in the Blazor Web App project template has been updated accordingly. ### Getting started with passkeys From 83d5c0ffbac954c8242c8c56edff746a7c22de87 Mon Sep 17 00:00:00 2001 From: Daniel Roth Date: Fri, 8 Aug 2025 22:36:01 -0700 Subject: [PATCH 19/21] Update release-notes/10.0/preview/preview7/aspnetcore.md --- .../10.0/preview/preview7/aspnetcore.md | 18 +++++++----------- 1 file changed, 7 insertions(+), 11 deletions(-) diff --git a/release-notes/10.0/preview/preview7/aspnetcore.md b/release-notes/10.0/preview/preview7/aspnetcore.md index d6e6728ea7..531db1eb72 100644 --- a/release-notes/10.0/preview/preview7/aspnetcore.md +++ b/release-notes/10.0/preview/preview7/aspnetcore.md @@ -212,20 +212,16 @@ private void OnNotFoundEvent(object sender, NotFoundEventArgs e) } ``` -### Diagnostic metrics and traces improvements +### Updated metric names -Updated Blazor diagnostic metrics and traces to follow OpenTelemetry naming conventions: +The Blazor diagnostic metrics have been updated to follow OpenTelemetry naming conventions: -| Old Name | New Name | +| Old | New | |----------|----------| -| `aspnetcore.components.render_diff` | `aspnetcore.components.render_diff.duration` and `aspnetcore.components.render_diff.size` | -| `blazor.navigation` | `aspnetcore.components.navigation` | -| `blazor.event_handler` | `aspnetcore.components.event_handler` | - -Additional improvements: -- Split `aspnetcore.components.render_diff` into separate duration and size metrics -- Renamed navigation and event handler metrics for consistency with trace names -- Updated trace names to follow OpenTelemetry standards +| `aspnetcore.components.render_diff` | Split into `aspnetcore.components.render_diff.duration` and `aspnetcore.components.render_diff.size` | +| `aspnetcore.components.navigation` | `aspnetcore.components.navigate` | +| `aspnetcore.components.event_handler` | `aspnetcore.components.handle_event.duration` | +| `aspnetcore.components.update_parameters` | `aspnetcore.components.update_parameters.duration` ### Validate configured services for Blazor WebAssembly apps on build From ce5f0953d10c8d109f25aac2c720713bde0c1a55 Mon Sep 17 00:00:00 2001 From: Daniel Roth Date: Mon, 11 Aug 2025 14:08:50 -0700 Subject: [PATCH 20/21] Update release-notes/10.0/preview/preview7/aspnetcore.md --- release-notes/10.0/preview/preview7/aspnetcore.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/release-notes/10.0/preview/preview7/aspnetcore.md b/release-notes/10.0/preview/preview7/aspnetcore.md index 531db1eb72..c34695fbbd 100644 --- a/release-notes/10.0/preview/preview7/aspnetcore.md +++ b/release-notes/10.0/preview/preview7/aspnetcore.md @@ -83,8 +83,6 @@ APIs for passkey authentication in ASP.NET Core Identity have been updated and s dotnet new blazor -au Individual ``` -**For existing applications:** Please refer to the [official docs](https://learn.microsoft.com/aspnet/core/security/authentication/identity) for guidance on upgrading existing apps to utilize passkeys. - ## Support for the .localhost top-level domain The `.localhost` top-level domain (TLD) is defined in [RFC2606](https://www.rfc-editor.org/rfc/rfc2606) and [RFC6761](https://www.rfc-editor.org/rfc/rfc6761) as being reserved for testing purposes and available for users to use locally as they would any other domain name. This means using a name like `myapp.localhost` locally that resolves to the IP loopback address is allowed and expected according to these RFCs. Additionally, modern evergreen browsers already automatically resolve any `*.localhost` name to the IP loopback address (`127.0.0.1`/`::1`), effectively making them an alias for any service already being hosted at `localhost` on the local machine. From 7f8e412ea3d84f58b28678455947bd150ab3d722 Mon Sep 17 00:00:00 2001 From: Daniel Roth Date: Mon, 11 Aug 2025 14:10:41 -0700 Subject: [PATCH 21/21] Update release-notes/10.0/preview/preview7/aspnetcore.md --- .../10.0/preview/preview7/aspnetcore.md | 49 +++++++++++++++++++ 1 file changed, 49 insertions(+) diff --git a/release-notes/10.0/preview/preview7/aspnetcore.md b/release-notes/10.0/preview/preview7/aspnetcore.md index c34695fbbd..4b34ad0897 100644 --- a/release-notes/10.0/preview/preview7/aspnetcore.md +++ b/release-notes/10.0/preview/preview7/aspnetcore.md @@ -75,6 +75,55 @@ For more information about this breaking change, see https://github.com/aspnet/A APIs for passkey authentication in ASP.NET Core Identity have been updated and simplified. The Blazor Identity UI in the Blazor Web App project template has been updated accordingly. +Passkey options are now configured globally via `IdentityPasskeyOptions`. Here's an example of how passkey options can be configured: + +```csharp +builder.Services.Configure(options => +{ + // Explicitly set the Relying Party ID (domain) + options.ServerDomain = "example.com"; + + // Configure authenticator timeout + options.AuthenticatorTimeout = TimeSpan.FromMinutes(3); + + // Configure challenge size + options.ChallengeSize = 64; +}); +``` + +The `SignInManager` passkey APIs have also been simplified. Passkey creation and request options can now be created as shown below: + +```csharp +// Makes passkey options for use with the JS `navigator.credentials.create()` API: +var optionsJson = await signInManager.MakePasskeyCreationOptionsAsync(new() +{ + Id = userId, + Name = userName, + DisplayName = displayName, +}); + +// Makes passkey options for use with the JS `navigator.credentials.get()` API: +var optionsJson = await signInManager.MakePasskeyRequestOptionsAsync(user); +``` + +Below is an example of how a new passkey can be validated and added to a user: + +```csharp +// 'credentialJson' is the JSON-serialized result from `navigator.credentials.create()`. +var attestationResult = await SignInManager.PerformPasskeyAttestationAsync(); +if (attestationResult.Succeeded) +{ + var addPasskeyResult = await UserManager.AddOrUpdatePasskeyAsync(user, attestationResult.Passkey); + // ... +} +else { /* ... */ } +``` + +To sign in with a passkey, use `SignInManager.PasskeySignInAsync()`: +```csharp +// 'credentialJson' is the JSON-serialized result from `navigator.credentials.get()`. +var result = await signInManager.PasskeySignInAsync(credentialJson); +``` ### Getting started with passkeys **For new applications:** The Blazor Web App project template now includes passkey functionality out of the box. Create a new Blazor app with passkey support using: