Fix dashboard auth when unsecured

[JamesNK]

Description

Fixes #5490
Fixes #4851

Changes to auth caused the dashboard's unsecured mode to fail. I don't exactly understand what is going on, but I think that:

1. Request would come into ASP.NET Core and the HttpContext.User would be set with a claim <- good
2. The request user is set as Blazor's auth state <- good
3. Blazor Server circuit is created and uses SignalR user as new auth state. SignalR user is a default unauthenticated principal. I'm not sure why it's different from the HttpContext's user. <- bad
4. AuthorizeRouteView in dashboard sees unauthorized user and displays message in browser.

I fixed this by making an auth scheme handler just for unsecured mode and made it the default auth scheme if dashboard is configured to be unsecured. My guess is the SignalR was attempting to run the default auth scheme (cookies) when it gets its user and was failing because cookies isn't used in unsecured mode.

I'm not sure how to test this simply. It might require a playwright test 😬

Checklist

• Is this feature complete?
  • Yes. Ready to ship.
  • No. Follow-up changes expected.
• Are you including unit tests for the changes and scenario tests if relevant?
  • Yes
  • No
• Did you add public API?
  • Yes
    • If yes, did you have an API Review for it?
      • Yes
      • No
    • Did you add <remarks /> and <code /> elements on your triple slash comments?
      • Yes
      • No
  • No
• Does the change make any security assumptions or guarantees?
  • Yes
    • If yes, have you done a threat model and had a security review?
      • Yes
      • No
  • No
• Does the change require an update in our Aspire docs?
  • Yes
    • Link to aspire-docs issue:
  • No

Microsoft Reviewers: Open in CodeFlow

[radical]

I'm not sure how to test this simply. It might require a playwright test 😬

Aspire.Dashboard.Tests has some playwright tests.

https://github.com/dotnet/aspire/blob/main/tests/Aspire.Dashboard.Tests/Integration/Playwright/AppBarTests.cs

[davidfowl]

So this is what didn't work with SignalR?

[JamesNK]

Yes. It worked with the initial request (otherwise the page would have been a 401) but didn't with SignalR,. The SignalR failed then flowed into Blazor, which then caused the authorized route view component to display Unauthorized.

[JamesNK]

/backport to release/8.2

[github-actions]

Started backporting to release/8.2: https://github.com/dotnet/aspire/actions/runs/10692819322

[NapalmCodes]

Has this been released? I am running into this problem as well due to https needing disabled to work with a custom container component that cannot trust dotnet dev-certs.

[adkirsch]

Has this been released? I am running into this problem as well due to https needing disabled to work with a custom container component that cannot trust dotnet dev-certs.

Would like to know as well. Just started a new project yesterday with freshly updated workload and nuget packages.

[davidfowl]

@joperezr When does the 8.2 patch ship?

[joperezr]

For consumers of docker image: The 8.2.0 version of the container that has the fix for this has shipped to the nightly registry of MCR. It can be found here: https://mcr.microsoft.com/en-us/product/dotnet/nightly/aspire-dashboard/ and can be pulled via docker pull mcr.microsoft.com/dotnet/nightly/aspire-dashboard:8.2. It would take a couple of more weeks to also ship to the non-nightly mcr registry.

For people using .NET Aspire dashboard via the AppHost (most common case): The fix will ship in .NET Aspire 8.2.1 patch, which is scheduled to ship on 9/26.