Here's a summary of what's new in ASP.NET Core in this preview release:
- Blazor component constructor injection
- WebSocket compression for Blazor interactive server components
- Easier OIDC and OAuth parameter customization
- Configure HTTP.sys extended authentication flags
ASP.NET Core updates in .NET 9 Preview 2:
- Discussion
- What's new in ASP.NET Core in .NET 9 documentation.
- Breaking changes
- Roadmap
.NET 9 Preview 2:
Blazor components now support constructor injection of configured services. This is in addition to the existing support for property injection of services via @inject or using the [Inject] attribute.
For example, the following component uses constructor injection with a C# primary constructor to get access to the NavigationManager service:
ConstructorInjection.razor
<button @onclick="NavigateToCounter">Go to Counter</button>ConstructorInjection.razor.cs
using Microsoft.AspNetCore.Components;
public partial class ConstructorInjection(NavigationManager navigationManager)
{
private void NavigateToCounter() => navigationManager.NavigateTo("/counter");
}Blazor interactive server rendering now enables WebSocket compression by default, which significantly reduces the message payload size.
To mitigate the risk of compression-related attacks over secure connections, interactive server rendering also now uses a default Content Security Policy (CSP) of frame-ancestor: 'self', which specifies the app may be embedded only on pages from the same origin.
To change the frame-ancestors source, use the ContentSecurityFrameAncestorsPolicy option:
app.MapRazorComponents<App>()
.AddInteractiveServerRenderMode(o => o.ContentSecurityFrameAncestorsPolicy="'none'");To disable compression, use the DisableWebSocketCompression option:
app.MapRazorComponents<App>()
.AddInteractiveServerRenderMode(o => o.DisableWebSocketCompression = true);The OAuth and OIDC authentication handlers now have a new AdditionalAuthorizationParameters option to make it easy to customize authorization message parameters that are usually included as part of the redirect query string. Previously this would have required a custom OnRedirectToIdentityProvider callback or overridden BuildChallengeUrl method in a custom hander. For example:
builder.Services.AddAuthentication().AddOpenIdConnect(options =>
{
options.Events.OnRedirectToIdentityProvider = context =>
{
context.ProtocolMessage.SetParameter("prompt", "login");
context.ProtocolMessage.SetParameter("audience", "https://api.example.com");
return Task.CompletedTask;
};
});Now becomes:
builder.Services.AddAuthentication().AddOpenIdConnect(options =>
{
options.AdditionalAuthorizationParameters.Add("prompt", "login");
options.AdditionalAuthorizationParameters.Add("audience", "https://api.example.com");
});Thank you @joegoldman2 for this contribution!
You can now configure the HTTP_AUTH_EX_FLAG_ENABLE_KERBEROS_CREDENTIAL_CACHING and HTTP_AUTH_EX_FLAG_CAPTURE_CREDENTIAL HTTP.sys flags using the new EnableKerberosCredentialCaching and CaptureCredentials properties on the HTTP.sys AuthenticationManager to optimize how Windows authentication is handled. For example:
webBuilder.UseHttpSys(options =>
{
options.Authentication.Schemes = AuthenticationSchemes.Negotiate;
options.Authentication.EnableKerberosCredentialCaching = true;
options.Authentication.CaptureCredentials = true;
});Thank you @evgenykotkov for this contribution!
Thank you contributors! ❤️