Releases: BitzArt/Blazor.Auth
Blazor.Auth v2.0
What's Changed
Blazor.Auth has received a major security overhaul!
The library now uses better security standards and practices to ensure your JWTs are secure and protected against potential threats.
The cookies containing your JWTs are now marked as HttpOnly, Secure, and SameSite.
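These flags help protect your users' data against common attacks: HttpOnly keeps the cookie out of reach of client-side scripts (Cross-Site Scripting, XSS), Secure restricts it to HTTPS connections (Man-In-The-Middle, MITM), and SameSite limits when it is sent with cross-site requests (Cross-Site Request Forgery, CSRF).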
Breaking Changes
- Blazor.Auth now only allows the use of JWTs in an HTTPS context by default. This behavior can be disabled by setting the DisableSecureCookieFlag option to true in the server part of the application. Example:

  builder.AddBlazorAuth<SampleAuthenticationService>(options =>
  {
      // Removes the Secure flag, so the JWT cookies are no longer restricted to HTTPS.
      options.DisableSecureCookieFlag = true;
  });

- IUserService now returns AuthenticationOperationInfo instead of AuthenticationResult in SignInAsync, SignUpAsync and RefreshJwtPairAsync methods. This is a new class similar to AuthenticationResult but without the actual JWTs.
- IAuthenticationService is now only available in the Server part of the application;
- AuthenticationStateProvider implementations have been unified into a single class. The differences between rendering environments are now handled by IUserService. AuthenticationStateProvider now relies on IUserService to resolve the user's authentication state;
- Client-side code now makes an HTTP request in order to resolve the user's authentication state or perform any authentication operation. This change allows the client part of the app to receive access to the user's authentication information, which is now stored in a cookie that is only accessible to the server in the context of an HTTP request made by the user (HttpOnly flag);
- Authentication operations in interactive server-side rendering now trigger an HTTP request from the client's machine to the server. This allows Blazor server to gain access to the context of an HTTP request made by the user, which is necessary to read and manipulate authentication cookies.
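To confirm after upgrading that the authentication cookies really carry the HttpOnly, Secure and SameSite flags (for instance, that DisableSecureCookieFlag was not left enabled outside local development), the Set-Cookie headers of a sign-in response can be audited. The following C# console program is an added example, not part of Blazor.Auth; the cookie names and header values are constructed placeholders, and it treats SameSite=None as missing.

```csharp
using System;
using System.Collections.Generic;

// Constructed Set-Cookie values: cookie names and token values are placeholders,
// not the names Blazor.Auth actually uses.
string[] sampleHeaders =
{
    "AccessToken=constructed.jwt.value; Path=/; HttpOnly; Secure; SameSite=Strict",
    "RefreshToken=constructed.jwt.value; Path=/; HttpOnly; SameSite=Lax", // Secure absent
    "OtherCookie=abc; Path=/; Secure; SameSite=None",                     // no HttpOnly
};

foreach (var header in sampleHeaders)
{
    var missing = CookieFlagAudit.MissingFlags(header);
    var name = header.Split('=', 2)[0].Trim();
    Console.WriteLine(missing.Count == 0
        ? $"OK    {name}"
        : $"WEAK  {name}: missing {string.Join(", ", missing)}");
}

static class CookieFlagAudit
{
    // Returns the protective attributes that a Set-Cookie header value lacks.
    public static List<string> MissingFlags(string setCookie)
    {
        // Attributes follow the first ';' and their names are case-insensitive.
        var attrs = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
        var parts = setCookie.Split(';');
        for (var i = 1; i < parts.Length; i++)
        {
            var pair = parts[i].Split('=', 2);
            var key = pair[0].Trim();
            if (key.Length > 0) attrs[key] = pair.Length > 1 ? pair[1].Trim() : "";
        }

        var missing = new List<string>();
        if (!attrs.ContainsKey("HttpOnly")) missing.Add("HttpOnly");
        if (!attrs.ContainsKey("Secure")) missing.Add("Secure");
        // SameSite=None sends the cookie on every cross-site request, so count it as absent.
        if (!attrs.TryGetValue("SameSite", out var sameSite) ||
            sameSite.Equals("None", StringComparison.OrdinalIgnoreCase))
            missing.Add("SameSite");
        return missing;
    }
}
```

Feed it the Set-Cookie values captured from your own deployment's sign-in response in place of the constructed samples.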
Full Changelog: Auth-v1.1.0...Auth-v2.0.1
Blazor.Auth v1.1
Blazor.Auth v1.0
Blazor.Auth v1.0 Release Notes
We are thrilled to announce the release of Blazor.Auth v1.0, our tearless authentication library for the Blazor framework. This milestone marks the transition from pre-release versions to a stable and feature-complete package.
Key Features
Authentication and Authorization
- Easy Integration: Simple setup process to integrate authentication and authorization into your Blazor applications.
- Custom JWT Support: Supports custom JWT-based authentication schemes.
- Cookies Storage: Store users' authentication tokens using their browser cookies.
- User Registration and Login: Support for user sign-up, sign-in, and sign-out functionalities.
- Token Refresh: Automatically handle token refresh to keep users authenticated without interruptions.
- Render mode support: Supports all Blazor United render modes:
  - Static SSR
  - Interactive Server
  - Interactive WebAssembly
  - Interactive Auto
Developer Experience
- Extensible and Customizable: Highly extensible architecture allows for customization and extension to meet specific requirements.
- Detailed Documentation: Comprehensive documentation and examples to help you get started quickly and efficiently.
Getting Started
To get started with Blazor.Auth v1.0, please visit our documentation for installation instructions, usage guides, and API references.
Acknowledgements
We extend our heartfelt thanks to our contributors and the community for their invaluable feedback and support in making this release possible.