Vivek, you can't believe how much your words mean to me. Mentioning me alongside Milan and Nick not only made my day - it made my year, I guess. 😅 Seriously, thank you so much!! Really appreciate it. Cheers! 🎉

I have to second that. Patrick's explanations are crystal clear.

@@colllm Thank you soooo much! ❤️

I enjoy how organic and sincere are the steps you present. Especially when you forget/mistake a word and put a comment giving a “spoiler” on whats wrong. Also how specific are each videos demonstrating specific features. Congrats man.

@@joaoalbertofn Thank you so much! Really means the world to me! 😊

Glad you feel the same way. Thanks for your feedback. Cheers! 😊

I think Nick Chapsas does a vid on it.

Second that. A start to end view on setting up a API web server and then getting a WebApp doing all the authentication using the API Server. JWT and Refresh tokens. Nothing out their showing start to end with .net8 at this time. Belive 'IAmTim', is going to do a video once released.

Thanks! Maybe this video helps: kzbin.info/www/bejne/qpuXlYGEZ8-EqpI Cheers!

Saw the link in the description) Subscribed

Hi @colllm For now, just think of the client project as a way of clearly defining exactly what .NET code is sent down to the client browser. No .NET code in the main server project will be sent down to the browser. For many of us, this clarity is important for security reasons. For others this is important so they can ensure the size of what is downloaded by the client is minimal. There is no reason your server project (such as when running the Signalr/InteractiveServer option) can't use any of the components you put in the client project, but you do need a line of code in Program.cs telling it to include components in that client project. It should give you peace that if you included this line in a server component: string myPassword = "Why did I put a password in my code"; You don't need to worry about that being included in the WASM stuff being sent to the client.

Absolutely understand where you're coming from. Having dabbled with RC2 (video on that coming up), I too felt a bit nostalgic about the ASP.NET Core hosted structure we saw with the earlier Blazor WebAssembly setups. With this new Blazor Web App Template, the Web API project isn't quite needed in the same way. To put it simply, the Blazor Server project now embodies the Web API. It's fully equipped to handle all the API needs, so you have the flexibility to integrate controllers if that's your approach. However, since you're inherently on the server, it's not a necessity. When you're keen on utilizing any server-side services within the WebAssembly project, you just link the reference, get them onboarded in the Program.cs, and you're set. One hiccup I find is the absence of an out-of-the-box Swagger UI for immediate testing. Nonetheless, it's feasible to isolate services, like those connecting to a database, and house them in a distinct class library project. This approach provides a neat separation of logic. While the Blazor Server project remains the primary startup project, there's freedom to host an independent Web API on an alternate server. There's a world of possibilities, but it does require a bit of acclimation. I sense that those who've deeply engaged with Blazor Server more than WebAssembly might find the transition smoother. My instinct tells me we might be nudged towards adopting a more streamlined architectural approach with this template. And honestly? That's not a negative shift in the slightest. I'm sharing this based on a couple of hours of exploration, so I'm curious - what are your thoughts on this?

I agree the names could be better, as you have server, server side rendering. As for the auto, from what I’ve read at the moment they don’t even know fully how it will work, or when the switch will happen, I guess data will be super important.

@@ConorDrewFrom the stand ups I've watched Auto will work like Blazor Server if the dotnet wasm runtime isn't downloaded yet, and it will d/l stuff. Next time that page is loaded with will be client side. There will be no data switching etc.

How is the Auth broken and do you mean its a mess from looking at it, or just a mess as in they shouldnt have done it this way?

@@ConorDrew As in the OIDC authentication provider for Blazor Wasm doesn't work with the new template, has no ability to add authentication from the cli, and can't be added manually into a state that works. And the OIDC Authentication provider, even if it worked, explicitly states that it doesn't support code flow, only implicit flow which is depreciated for security reasons, thus meaning that no one should use it to deploy to production. And the new authentication stuff in .net 8 is just OIDC implicit password flow without the discovery endpoint and the endpoints themselves renamed for some reason. Even the payload of the token request is virtually identical. And it has exactly the same security vulnerability as OIDC implicit flow. As a result it shouldn't be used as written.

@jameshancock I am more comfortable for now with the dual project approach. Even if they had achieved their goal of a single project, I was concerned how you would stop someone accidentally including something intended for server side and having it shipped to the client. I think this is a reasonable start and they need to put a lot of though into doing this as a single project. For example, maybe as a single project, they would need you to be explicit about exactly what is included versus stripped from the project on building the WASM part. Regarding the OIDC stuff - are you talking about the new auth endpoints? because they have been clear this is not an OIDC implementation. I have not looked at it closely enough yet to comment, but have heard loud and clear it is not OIDC.

@@PortalUser2 dual project would be fine but the Auth provider for the wasm side is broken entirely. They claim it isn’t oidc implicit flow and they’re correct. It’s the even more outdated oauth2 rops flow that if you allow anyone but your own clients to use it is insecure. Which, given that the only thing stopping someone else using it is client id readily available in the browser, it’s insecure day one. ONLY code flow is even marginally secure in browsers. This isn’t it.