Refactor Authentication Framework and implement OpenID Connect (#723)

* Refactor OpenID Connect PKCE service implementation to consolidate logic and improve session storage management.

* Add support for client secrets and enhance OpenID Connect PKCE flow with session state management.

* Add `UseOpenIdConnect` extension method to simplify OIDC configuration for BlazorServer and BlazorWasm modules

* Add `Elsa.Studio.Authentication.OpenIdConnect` module to provide OpenID Connect-based authentication for Elsa Studio

* Switch to OpenID Connect for authentication, update configuration, and add OIDC script reference.

* Remove default value for `UsePkce` in OpenIdConnectConfiguration to align with existing conventions.

* Remove unused `wwwroot` folder reference from `Elsa.Studio.Login.csproj`.

* Add foundational types for OpenID Connect PKCE flow authentication

* Initial plan

* Phase 1-3 complete: Core OIDC module with Server and WASM implementations

Co-authored-by: sfmskywalker <[email protected]>

* Add shared authentication abstractions for multi-provider support

Co-authored-by: sfmskywalker <[email protected]>

* Add comprehensive authentication architecture documentation

Co-authored-by: sfmskywalker <[email protected]>

* Final: Add implementation summary for PR review

Co-authored-by: sfmskywalker <[email protected]>

* Add authentication infrastructure and modules for Elsa Studio, including ElsaAuth and OpenID Connect integration.

* Update project references to include new Elsa Studio Authentication modules.

* Update `RedirectToLoginUnauthorizedComponentProvider` to support fallback to default Unauthorized component when `IAuthorizationService` is unavailable.

* Mark `Elsa.Studio.Login` APIs as obsolete and migrate authentication to `Elsa.Studio.Authentication.ElsaAuth`. Simplify dependencies and refactor JWT parsing for BlazorServer and BlazorWasm modules.

* Switch to OpenID Connect authentication, remove legacy login module, and update service registration methods.

* Replace `Login` module with OpenID Connect, update authentication pipeline, and revise default `GetClaimsFromUserInfoEndpoint`.

* Replace `BearerTokenHttpMessageHandler` with `AuthenticatingApiHttpMessageHandler` and remove obsolete references

* Organize solution structure by adding new folders: authentication, localization, workflows, deprecated, samples, and dashboard. Remove obsolete project references.

* Refactor authentication: replace legacy services, update OIDC implementation, and restructure PKCE flow

* Add `Elsa.Studio.Authentication.ElsaAuth.UI` module to provide Elsa Identity authentication with a login UI and unauthorized redirect behavior.

* Migrate `AUTHENTICATION_ARCHITECTURE.md` to `doc/` folder, update project references, and refine namespace imports for authentication module.

* Introduce `IAnonymousBackendApiClientProvider` and refactor API client creation to support non-authenticated backend calls.

* Add token refresh mechanism for OpenID Connect and Elsa Identity authentication modules. Introduce token refresh coordinators, configuration providers, and support for silent token refresh. Update related services and integrate advanced options for customization.

* Add persisted token refresh for OpenID Connect in Blazor Server: implement browser-side pings, background services, and configurable strategies.

* Remove persisted token refresh strategy and related services from OpenID Connect configuration.

* Refactor OIDC configuration for Blazor WebAssembly: add Azure AD compatibility patches, improve URI handling, and modularize features.

* Fix Azure AD authentication in Blazor WASM by passing explicit API scopes during token exchange (#722)

* Initial plan

* Fix Azure AD authentication by passing explicit API scopes during token requests

- Updated WasmOidcTokenAccessor to request access tokens with explicit resource scopes
- Filter out standard OIDC scopes (openid, profile, email, offline_access) and pass only API scopes
- Register OidcOptions in DI container so WasmOidcTokenAccessor can access configured scopes
- This ensures Azure AD receives scope parameter during token exchange, fixing AADSTS errors

Co-authored-by: sfmskywalker <[email protected]>

* Add Azure AD configuration documentation for Blazor WASM

- Document Azure AD app registration setup and requirements
- Explain single-resource scope limitation (no mixing Graph + custom API scopes)
- Add troubleshooting guide for common Azure AD errors (AADSTS28000, AADSTS28003)
- Update example to use AddElsaOidcAuthentication instead of AddOidcAuthentication
- Document that standard OIDC scopes are automatically filtered

Co-authored-by: sfmskywalker <[email protected]>

* Address code review feedback

- Register OidcOptions as singleton instance instead of using Configure<T>
- Remove IOptions<T> dependency from WasmOidcTokenAccessor
- Add null check for Scopes array to prevent NullReferenceException
- Simplify DI registration pattern

Co-authored-by: sfmskywalker <[email protected]>

* Update src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm/Services/WasmOidcTokenAccessor.cs

Co-authored-by: Copilot <[email protected]>

* Update src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm/Services/WasmOidcTokenAccessor.cs

Co-authored-by: Copilot <[email protected]>

---------

Co-authored-by: copilot-swe-agent[bot] <[email protected]>
Co-authored-by: sfmskywalker <[email protected]>
Co-authored-by: Sipke Schoorstra <[email protected]>
Co-authored-by: Copilot <[email protected]>

* Remove obsolete Azure AD compatibility patches and cleanup related JavaScript and Razor components.

* Refactor OpenID Connect callback path handling: use null-coalescing assignments and remove default path values from `OidcOptions`.

* Add token purposes and scoped token caching for enhanced authentication configuration

* Add scoped access token capabilities and token-purpose configuration

Introduce `IScopedAccessTokenProvider`, `IOidcTokenAccessorWithScopes`, and associated models to enable scope-aware token acquisition based on token purposes. Update handlers to support backend API scopes and implement scoped token caching for multi-audience token scenarios.

* Refactor authentication modules: simplify scoped token handling, update OIDC providers, and enhance incremental consent support.

* Add standalone OpenID Connect authentication module with multi-provider abstractions (#721)

* Initial plan

* Phase 1-3 complete: Core OIDC module with Server and WASM implementations

Co-authored-by: sfmskywalker <[email protected]>

* Add shared authentication abstractions for multi-provider support

Co-authored-by: sfmskywalker <[email protected]>

* Add comprehensive authentication architecture documentation

Co-authored-by: sfmskywalker <[email protected]>

* Final: Add implementation summary for PR review

Co-authored-by: sfmskywalker <[email protected]>

* Add authentication infrastructure and modules for Elsa Studio, including ElsaAuth and OpenID Connect integration.

* Update project references to include new Elsa Studio Authentication modules.

* Update `RedirectToLoginUnauthorizedComponentProvider` to support fallback to default Unauthorized component when `IAuthorizationService` is unavailable.

* Mark `Elsa.Studio.Login` APIs as obsolete and migrate authentication to `Elsa.Studio.Authentication.ElsaAuth`. Simplify dependencies and refactor JWT parsing for BlazorServer and BlazorWasm modules.

* Switch to OpenID Connect authentication, remove legacy login module, and update service registration methods.

* Replace `Login` module with OpenID Connect, update authentication pipeline, and revise default `GetClaimsFromUserInfoEndpoint`.

* Replace `BearerTokenHttpMessageHandler` with `AuthenticatingApiHttpMessageHandler` and remove obsolete references

* Organize solution structure by adding new folders: authentication, localization, workflows, deprecated, samples, and dashboard. Remove obsolete project references.

* Refactor authentication: replace legacy services, update OIDC implementation, and restructure PKCE flow

* Add `Elsa.Studio.Authentication.ElsaAuth.UI` module to provide Elsa Identity authentication with a login UI and unauthorized redirect behavior.

* Migrate `AUTHENTICATION_ARCHITECTURE.md` to `doc/` folder, update project references, and refine namespace imports for authentication module.

* Introduce `IAnonymousBackendApiClientProvider` and refactor API client creation to support non-authenticated backend calls.

* Add token refresh mechanism for OpenID Connect and Elsa Identity authentication modules. Introduce token refresh coordinators, configuration providers, and support for silent token refresh. Update related services and integrate advanced options for customization.

* Add persisted token refresh for OpenID Connect in Blazor Server: implement browser-side pings, background services, and configurable strategies.

* Remove persisted token refresh strategy and related services from OpenID Connect configuration.

* Refactor OIDC configuration for Blazor WebAssembly: add Azure AD compatibility patches, improve URI handling, and modularize features.

* Fix Azure AD authentication in Blazor WASM by passing explicit API scopes during token exchange (#722)

* Initial plan

* Fix Azure AD authentication by passing explicit API scopes during token requests

- Updated WasmOidcTokenAccessor to request access tokens with explicit resource scopes
- Filter out standard OIDC scopes (openid, profile, email, offline_access) and pass only API scopes
- Register OidcOptions in DI container so WasmOidcTokenAccessor can access configured scopes
- This ensures Azure AD receives scope parameter during token exchange, fixing AADSTS errors

Co-authored-by: sfmskywalker <[email protected]>

* Add Azure AD configuration documentation for Blazor WASM

- Document Azure AD app registration setup and requirements
- Explain single-resource scope limitation (no mixing Graph + custom API scopes)
- Add troubleshooting guide for common Azure AD errors (AADSTS28000, AADSTS28003)
- Update example to use AddElsaOidcAuthentication instead of AddOidcAuthentication
- Document that standard OIDC scopes are automatically filtered

Co-authored-by: sfmskywalker <[email protected]>

* Address code review feedback

- Register OidcOptions as singleton instance instead of using Configure<T>
- Remove IOptions<T> dependency from WasmOidcTokenAccessor
- Add null check for Scopes array to prevent NullReferenceException
- Simplify DI registration pattern

Co-authored-by: sfmskywalker <[email protected]>

* Update src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm/Services/WasmOidcTokenAccessor.cs

Co-authored-by: Copilot <[email protected]>

* Update src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm/Services/WasmOidcTokenAccessor.cs

Co-authored-by: Copilot <[email protected]>

---------

Co-authored-by: copilot-swe-agent[bot] <[email protected]>
Co-authored-by: sfmskywalker <[email protected]>
Co-authored-by: Sipke Schoorstra <[email protected]>
Co-authored-by: Copilot <[email protected]>

* Remove obsolete Azure AD compatibility patches and cleanup related JavaScript and Razor components.

* Refactor OpenID Connect callback path handling: use null-coalescing assignments and remove default path values from `OidcOptions`.

* Add token purposes and scoped token caching for enhanced authentication configuration

* Add scoped access token capabilities and token-purpose configuration

Introduce `IScopedAccessTokenProvider`, `IOidcTokenAccessorWithScopes`, and associated models to enable scope-aware token acquisition based on token purposes. Update handlers to support backend API scopes and implement scoped token caching for multi-audience token scenarios.

* Refactor authentication modules: simplify scoped token handling, update OIDC providers, and enhance incremental consent support.

---------

Co-authored-by: copilot-swe-agent[bot] <[email protected]>
Co-authored-by: sfmskywalker <[email protected]>
Co-authored-by: Sipke Schoorstra <[email protected]>
Co-authored-by: Sipke Schoorstra <[email protected]>
Co-authored-by: Copilot <[email protected]>

* Refactor authentication modules: replace `IScopedAccessTokenProvider` with streamlined scope-aware token handling, introduce generic component providers, and enhance JWT accessor abstractions.

* Refactor authentication modules: replace `GenericComponentProvider` with `UnauthorizedComponentProvider`, streamline component references, and mark `LoginFeature` as obsolete.

* Update authentication architecture documentation to reflect actual codebase (#724)

* Initial plan

* Update authentication architecture documentation with accurate module information

Co-authored-by: sfmskywalker <[email protected]>

---------

Co-authored-by: copilot-swe-agent[bot] <[email protected]>
Co-authored-by: sfmskywalker <[email protected]>

* Simplify token access with explicit methods instead of string-based lookups (#725)

* Initial plan

* Simplify token access architecture - replace string-based token names with explicit methods

Co-authored-by: sfmskywalker <[email protected]>

* Update documentation to reflect simplified token access architecture

Co-authored-by: sfmskywalker <[email protected]>

---------

Co-authored-by: copilot-swe-agent[bot] <[email protected]>
Co-authored-by: sfmskywalker <[email protected]>
Co-authored-by: Sipke Schoorstra <[email protected]>

* Remove `IScopedAccessTokenProvider`, related properties, and simplify OIDC scope configuration

* Refactor authentication modules: remove obsolete abstractions, streamline configuration setup, and introduce provider-specific HTTP connection options.

* Remove obsolete unauthorized component providers and migrate to generic `UnauthorizedComponentProvider`. Streamline default provider registrations.

* Refactor authentication modules: replace `ITokenRefreshCoordinator` with `ISingleFlightCoordinator`, remove obsolete abstractions, and streamline service registrations across modules.

* Refactor authentication modules: replace `IOidcTokenAccessor` with `ITokenProvider`, simplify service registrations, and enhance Blazor WASM and Server OIDC token handling.

* Remove obsolete persisted OIDC refresh services and replace with `AuthCookieEvents` for token refresh logic. Simplify Blazor Server implementation by leveraging `CookieAuthenticationEvents.OnValidatePrincipal`.

* Remove `IScopedTokenCache` and related implementations. Simplify Blazor Server OIDC token handling by replacing scoped token cache with in-memory dictionary and updating `ServerTokenProvider` logic. Add Polly-based retry policy for token refresh HTTP client.

* Update package versions: upgrade `Elsa.Api.Client` to `3.6.0-rc2`, replace `Http.Resilience` with `Http.Polly`, and realign framework-specific dependencies.

* Apply file-scoped namespace declarations across the solution to align with modern C# practices.

* Update `AUTHENTICATION_ARCHITECTURE.md` to reflect updated Blazor Server and WASM authentication workflows, replace obsolete components, and document new token refresh flow.

* Update default authentication provider to `ElsaAuth` and adjust related documentation and configuration. Refactor `ITokenProvider` interface and improve token handling description.

* Remove `AddAuthenticationInfrastructure` and related references. Clean up obsolete extensions and update service registrations in authentication modules. Adjust documentation to reflect changes.

* Refactor authentication modules: consolidate duplicate JWT parsers into a single implementation, remove legacy services and interfaces, and streamline service registrations.

* Consolidate authentication service registrations: simplify `AddElsaAuth` and `AddElsaAuthUI` extensions, remove redundant `Blazored.LocalStorage` and JWT parser registrations, and streamline usage across Blazor Server and WASM.

* Update `AddOpenIdConnectAuth` naming and replace `ITimeZoneProvider` implementation with `LocalTimeZoneProvider`. Clean up redundant service and variable usages in Blazor Server and WASM hosts.

* Update authentication provider to `ElsaAuth` in configurations and remove redundant comments and unused application URLs.

* Remove `LoginState` component and associated `LoginFeature` logic from `ElsaAuth` authentication modules.

* Add README files for `Elsa.Studio.Authentication` modules: core, Blazor Server, Blazor WebAssembly, and OpenID Connect modules. Document architecture, setup instructions, and troubleshooting details.

* Refactor `IAuthenticationProvider` to `ITokenProvider` across `ElsaAuth` modules and rename `JwtAuthenticationProvider` to `JwtTokenProvider` for improved clarity and consistency.

* Update references from `IAuthenticationProvider` to `ITokenProvider` in README and architecture docs for consistency

* Update localization module to use nullable result in `blazorCulture.get` and switch default authentication to `OpenIdConnect`

* Remove `AZURE_AD_BLAZOR_WASM_AUTH_PLAN.md` as it is no longer relevant to the updated architecture and authentication strategy.

* Rename `ElsaAuth` modules and references to `ElsaIdentity` for alignment with updated authentication strategy. Remove deprecated components and update relevant configurations, service registrations, and documentation accordingly.

* Remove redundant null assignment to `Authorization` header in `ElsaIdentityAuthenticatingApiHttpMessageHandler`.

* Simplify `AccessTokenProvider` lambda expression in `ElsaAuthHttpConnectionOptionsConfigurator`.

* Refactor `ServerTokenProvider` and `TokenRefreshService` constructors to use primary constructor syntax for improved readability and reduced boilerplate. Adjust usages to align with updated structure.

* Remove redundant `<remarks>` section from `AddOidcAuthentication` method documentation.

* Remove `AppBaseUrl` property and related logic from OIDC options and configuration as it is no longer required.

* Add support for legacy Elsa Login authentication module and update project references

* Refactor `WorkflowInstanceObserverFactory` to enable asynchronous configuration of `HttpConnectionOptions` during SignalR connection setup.

* Fix authentication bugs and code quality issues from PR #723 review (#726)

* Initial plan

* Address code review feedback: fix authentication condition, improve documentation, and simplify nested if statements

Co-authored-by: sfmskywalker <[email protected]>

---------

Co-authored-by: copilot-swe-agent[bot] <[email protected]>
Co-authored-by: sfmskywalker <[email protected]>
Co-authored-by: Sipke Schoorstra <[email protected]>

* Add configurable `NameClaimType` and `RoleClaimType` to OIDC options and update token validation parameters accordingly

---------

Co-authored-by: copilot-swe-agent[bot] <[email protected]>
Co-authored-by: sfmskywalker <[email protected]>
Co-authored-by: Copilot <[email protected]>

Author: 3 people

Directory.Packages.props

@@ -4,7 +4,7 @@
     <CentralPackageTransitivePinningEnabled>false</CentralPackageTransitivePinningEnabled>
   </PropertyGroup>
   <ItemGroup Label="Elsa">
-    <PackageVersion Include="Elsa.Api.Client" Version="3.6.0-preview.4162" />
+    <PackageVersion Include="Elsa.Api.Client" Version="3.6.0-rc2" />
   </ItemGroup>
   <ItemGroup>
     <PackageVersion Include="Blazored.FluentValidation" Version="2.2.0" />
@@ -26,6 +26,7 @@
   </ItemGroup>
   <ItemGroup Condition="'$(TargetFramework)' == 'net8.0'">
     <PackageVersion Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="8.0.22" />
+    <PackageVersion Include="Microsoft.AspNetCore.Authentication.OpenIdConnect" Version="8.0.22" />
     <PackageVersion Include="Microsoft.AspNetCore.Components" Version="8.0.22" />
     <PackageVersion Include="Microsoft.AspNetCore.Components.Authorization" Version="8.0.22" />
     <PackageVersion Include="Microsoft.AspNetCore.Components.CustomElements" Version="8.0.22" />
@@ -34,13 +35,15 @@
     <PackageVersion Include="Microsoft.AspNetCore.Components.WebAssembly.Authentication" Version="8.0.22" />
     <PackageVersion Include="Microsoft.AspNetCore.Components.WebAssembly.DevServer" Version="8.0.22" PrivateAssets="all" />
     <PackageVersion Include="Microsoft.AspNetCore.Components.WebAssembly.Server" Version="8.0.22" />
-    <PackageVersion Include="Microsoft.AspNetCore.SignalR.Client" Version="8.0.22" />
-    <PackageVersion Include="Microsoft.AspNetCore.WebUtilities" Version="8.0.22" />
     <PackageVersion Include="Microsoft.Extensions.DependencyInjection.Abstractions" Version="9.0.11" />
     <PackageVersion Include="Microsoft.JSInterop" Version="8.0.22" />
+    <PackageVersion Include="Microsoft.AspNetCore.WebUtilities" Version="8.0.22" />
+    <PackageVersion Include="Microsoft.AspNetCore.SignalR.Client" Version="8.0.22" />
+    <PackageVersion Include="Microsoft.Extensions.Http.Polly" Version="9.0.11" />
   </ItemGroup>
   <ItemGroup Condition="'$(TargetFramework)' == 'net9.0'">
     <PackageVersion Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="9.0.11" />
+    <PackageVersion Include="Microsoft.AspNetCore.Authentication.OpenIdConnect" Version="9.0.11" />
     <PackageVersion Include="Microsoft.AspNetCore.Components" Version="9.0.11" />
     <PackageVersion Include="Microsoft.AspNetCore.Components.Authorization" Version="9.0.11" />
     <PackageVersion Include="Microsoft.AspNetCore.Components.CustomElements" Version="9.0.11" />
@@ -49,13 +52,15 @@
     <PackageVersion Include="Microsoft.AspNetCore.Components.WebAssembly.Authentication" Version="9.0.11" />
     <PackageVersion Include="Microsoft.AspNetCore.Components.WebAssembly.DevServer" Version="9.0.11" PrivateAssets="all" />
     <PackageVersion Include="Microsoft.AspNetCore.Components.WebAssembly.Server" Version="9.0.11" />
-    <PackageVersion Include="Microsoft.AspNetCore.SignalR.Client" Version="9.0.11" />
     <PackageVersion Include="Microsoft.AspNetCore.WebUtilities" Version="9.0.11" />
+    <PackageVersion Include="Microsoft.AspNetCore.SignalR.Client" Version="9.0.11" />
     <PackageVersion Include="Microsoft.Extensions.DependencyInjection.Abstractions" Version="9.0.11" />
     <PackageVersion Include="Microsoft.JSInterop" Version="9.0.11" />
+    <PackageVersion Include="Microsoft.Extensions.Http.Polly" Version="9.0.11" />
   </ItemGroup>
   <ItemGroup Condition="'$(TargetFramework)' == 'net10.0'">
     <PackageVersion Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="10.0.1" />
+    <PackageVersion Include="Microsoft.AspNetCore.Authentication.OpenIdConnect" Version="10.0.1" />
     <PackageVersion Include="Microsoft.AspNetCore.Components" Version="10.0.1" />
     <PackageVersion Include="Microsoft.AspNetCore.Components.Authorization" Version="10.0.1" />
     <PackageVersion Include="Microsoft.AspNetCore.Components.CustomElements" Version="10.0.1" />
@@ -68,5 +73,6 @@
     <PackageVersion Include="Microsoft.AspNetCore.WebUtilities" Version="10.0.1" />
     <PackageVersion Include="Microsoft.Extensions.DependencyInjection.Abstractions" Version="10.0.1" />
     <PackageVersion Include="Microsoft.JSInterop" Version="10.0.1" />
+    <PackageVersion Include="Microsoft.Extensions.Http.Polly" Version="10.0.1" />
   </ItemGroup>
 </Project>

Elsa.Studio.sln

@@ -0,0 +1,24 @@
+using System.Diagnostics.CodeAnalysis;
+
+namespace Elsa.Studio.Contracts;
+
+/// <summary>
+/// Provides API clients to the backend for anonymous (non-authenticated) calls.
+/// </summary>
+/// <remarks>
+/// This provider is intended for endpoints like <c>/identity/login</c> where attaching an access token is not required
+/// and can even be harmful (e.g., stale tokens, circular dependencies during sign-in).
+/// </remarks>
+public interface IAnonymousBackendApiClientProvider
+{
+    /// <summary>
+    /// Gets the URL to the backend.
+    /// </summary>
+    Uri Url { get; }
+
+    /// <summary>
+    /// Gets an API client that does not attach access tokens.
+    /// </summary>
+    /// <typeparam name="T">The API client type.</typeparam>
+    ValueTask<T> GetApiAsync<[DynamicallyAccessedMembers(DynamicallyAccessedMemberTypes.All)] T>(CancellationToken cancellationToken = default) where T : class;
+}

doc/AUTHENTICATION_ARCHITECTURE.md

@@ -1,3 +1,5 @@
+using System.Diagnostics.CodeAnalysis;
+
 namespace Elsa.Studio.Contracts;
 
 /// <summary>
@@ -15,5 +17,5 @@ public interface IBackendApiClientProvider
     /// </summary>
     /// <typeparam name="T">The API client type.</typeparam>
     /// <returns>The API client.</returns>
-    ValueTask<T> GetApiAsync<T>(CancellationToken cancellationToken = default) where T : class;
+    ValueTask<T> GetApiAsync<[DynamicallyAccessedMembers(DynamicallyAccessedMemberTypes.All)] T>(CancellationToken cancellationToken = default) where T : class;
 }

src/framework/Elsa.Studio.Core/Contracts/IAnonymousBackendApiClientProvider.cs

@@ -1,36 +1,37 @@
-namespace Elsa.Studio.Contracts
+using Elsa.Studio.Models;
+
+namespace Elsa.Studio.Contracts;
+
+/// <summary>
+/// Defines a contract for visualizing objects into Visualized representations.
+/// </summary>
+public interface IContentVisualizer
 {
     /// <summary>
-    /// Defines a contract for visualizing objects into Visualized representations.
+    /// Gets the name of the content visualizer.
     /// </summary>
-    public interface IContentVisualizer
-    {
-        /// <summary>
-        /// Gets the name of the content visualizer.
-        /// </summary>
-        string Name { get; }
+    string Name { get; }
 
-        /// <summary>
-        /// Returns the syntax used by this visualizer.
-        /// </summary>
-        string Syntax { get; }
+    /// <summary>
+    /// Returns the syntax used by this visualizer.
+    /// </summary>
+    string Syntax { get; }
 
-        /// <summary>
-        /// Determines whether the content can be visualized with this visualizer.
-        /// </summary>
-        /// <param name="input">The object to evaluate for visualizing capability. Cannot be <see langword="null"/>.</param>
-        /// <returns><see langword="true"/> if the input can be visualized; otherwise, <see langword="false"/>.</returns>
-        bool CanVisualize(object input);
+    /// <summary>
+    /// Determines whether the content can be visualized with this visualizer.
+    /// </summary>
+    /// <param name="input">The object to evaluate for visualizing capability. Cannot be <see langword="null"/>.</param>
+    /// <returns><see langword="true"/> if the input can be visualized; otherwise, <see langword="false"/>.</returns>
+    bool CanVisualize(object input);
 
-        /// <summary>
-        /// Returns a prettified text version of the input.
-        /// </summary>
-        string? ToPretty(object input);
+    /// <summary>
+    /// Returns a prettified text version of the input.
+    /// </summary>
+    string? ToPretty(object input);
 
-        /// <summary>
-        /// Returns tabular representation of the input.
-        /// Returns <see langword="null"/> if not supported.
-        /// </summary>
-        TabulatedContentVisualizer? ToTable(object input);
-    }
+    /// <summary>
+    /// Returns tabular representation of the input.
+    /// Returns <see langword="null"/> if not supported.
+    /// </summary>
+    TabulatedContentVisualizer? ToTable(object input);
 }

src/framework/Elsa.Studio.Core/Contracts/IBackendApiClientProvider.cs

@@ -1,21 +1,20 @@
-namespace Elsa.Studio.Contracts
+namespace Elsa.Studio.Contracts;
+
+/// <summary>
+/// Provides content visualizers.
+/// </summary>
+public interface IContentVisualizerProvider
 {
     /// <summary>
-    /// Provides content visualizers.
+    /// Attempts to resolve the best matching visualizer for the input.
     /// </summary>
-    public interface IContentVisualizerProvider
-    {
-        /// <summary>
-        /// Attempts to resolve the best matching visualizer for the input.
-        /// </summary>
-        /// <param name="content">The content to check visualizers against.</param>
-        /// <returns></returns>
-        IContentVisualizer MatchOrDefault(object content);
+    /// <param name="content">The content to check visualizers against.</param>
+    /// <returns></returns>
+    IContentVisualizer MatchOrDefault(object content);
 
-        /// <summary>
-        /// Returns all content visualizers.
-        /// </summary>
-        /// <returns></returns>
-        IEnumerable<IContentVisualizer> GetAll();
-    }
+    /// <summary>
+    /// Returns all content visualizers.
+    /// </summary>
+    /// <returns></returns>
+    IEnumerable<IContentVisualizer> GetAll();
 }

src/framework/Elsa.Studio.Core/Contracts/IContentVisualizer.cs

@@ -0,0 +1,12 @@
+namespace Elsa.Studio.Contracts;
+
+/// <summary>
+/// Coordinates operations to prevent multiple concurrent executions.
+/// </summary>
+public interface ISingleFlightCoordinator
+{
+    /// <summary>
+    /// Ensures only one operation runs at a time for the current scope.
+    /// </summary>
+    Task<T> RunAsync<T>(Func<CancellationToken, Task<T>> action, CancellationToken cancellationToken);
+}

src/framework/Elsa.Studio.Core/Contracts/IContentVisualizerProvider.cs

@@ -2,51 +2,50 @@
 using Elsa.Studio.Models;
 using Microsoft.AspNetCore.Components;
 
-namespace Elsa.Studio.Contracts
+namespace Elsa.Studio.Contracts;
+
+/// <summary>
+/// Provides a contract for UI field extension handlers.
+/// </summary>
+public interface IUIFieldExtensionHandler
 {
     /// <summary>
-    /// Provides a contract for UI field extension handlers.
-    /// </summary>
-    public interface IUIFieldExtensionHandler
-    {
-        /// <summary>
-        /// The order in which the extensions should be displayed.
-        /// </summary>
-        int DisplayOrder { get; set; }
-
-        /// <summary>
-        /// If set to true and no restricting types are set, either with <c>UIHintComponent</c>, <c>ActivityTypes</c> or <c>Syntaxes</c>, this extension will be rendered for in all field types.
-        /// </summary>
-        bool IncludeForAll { get; set; }
-
-        /// <summary>
-        /// The position to render the extension within the field.
-        /// </summary>
-        FieldExtensionPosition Position { get; set; }
-
-        /// <summary>
-        /// The UIHint component this extension should be rendered for.
-        /// </summary>
-        string UIHintComponent { get; set; }
-
-        /// <summary>
-        /// The activities this extension should be rendered for.
-        /// </summary>
-        List<string> ActivityTypes { get; set; }
-
-        /// <summary>
-        /// The syntaxes this extension should be rendered for.
-        /// </summary>
-        List<string> Syntaxes { get; set; }
-
-        /// <summary>
-        /// Returns true if the handler extension the specified or is empty.
-        /// </summary>
-        bool GetExtensionForInputComponent(string componentName);
-
-        /// <summary>
-        /// Returns a <see cref="RenderFragment"/> of the added extension.
-        /// </summary>
-        RenderFragment DisplayExtension(DisplayInputEditorContext context);
-    }
+    /// The order in which the extensions should be displayed.
+    /// </summary>
+    int DisplayOrder { get; set; }
+
+    /// <summary>
+    /// If set to true and no restricting types are set, either with <c>UIHintComponent</c>, <c>ActivityTypes</c> or <c>Syntaxes</c>, this extension will be rendered for in all field types.
+    /// </summary>
+    bool IncludeForAll { get; set; }
+
+    /// <summary>
+    /// The position to render the extension within the field.
+    /// </summary>
+    FieldExtensionPosition Position { get; set; }
+
+    /// <summary>
+    /// The UIHint component this extension should be rendered for.
+    /// </summary>
+    string UIHintComponent { get; set; }
+
+    /// <summary>
+    /// The activities this extension should be rendered for.
+    /// </summary>
+    List<string> ActivityTypes { get; set; }
+
+    /// <summary>
+    /// The syntaxes this extension should be rendered for.
+    /// </summary>
+    List<string> Syntaxes { get; set; }
+
+    /// <summary>
+    /// Returns true if the handler extension the specified or is empty.
+    /// </summary>
+    bool GetExtensionForInputComponent(string componentName);
+
+    /// <summary>
+    /// Returns a <see cref="RenderFragment"/> of the added extension.
+    /// </summary>
+    RenderFragment DisplayExtension(DisplayInputEditorContext context);
 }

src/framework/Elsa.Studio.Core/Contracts/ISingleFlightCoordinator.cs

@@ -1,6 +1,5 @@
 using Elsa.Api.Client.Extensions;
 using Elsa.Studio.Contracts;
-using Elsa.Studio.Core.Services;
 using Elsa.Studio.Localization;
 using Elsa.Studio.Models;
 using Elsa.Studio.Services;
@@ -41,13 +40,17 @@ public static IServiceCollection AddCoreInternal(this IServiceCollection service
 
         // Content visualizers
         services.AddContentVisualizer<JsonContentVisualizer>();
-        
+
         // Mediator.
         services.AddScoped<IMediator, DefaultMediator>();
 
         //Localization
         services.AddSingleton<ILocalizationProvider, DefaultLocalizationProvider>();
         services.AddSingleton<ILocalizer, DefaultLocalizer>();
+
+        // Single-flight coordinator for preventing concurrent operations.
+        services.TryAddScoped<ISingleFlightCoordinator, SingleFlightCoordinator>();
+
         return services;
     }
 
@@ -60,6 +63,7 @@ public static IServiceCollection AddRemoteBackend(this IServiceCollection servic
         services.AddDefaultApiClients(config?.ConfigureHttpClientBuilder);
         services.TryAddScoped<IRemoteBackendAccessor, DefaultRemoteBackendAccessor>();
         services.TryAddScoped<IBackendApiClientProvider, DefaultBackendApiClientProvider>();
+        services.TryAddScoped<IAnonymousBackendApiClientProvider, DefaultAnonymousBackendApiClientProvider>();
         return services;
     }