For an ASP.NET SPA app, the code template that ships with VS2013 is very different from the code template that ships with VS2013 Updates 2/3/4. For reference, here's the same template from
VS2013: https://www.dropbox.com/s/nc9t691adg2q9ac/OldTemplate.zip?dl=0
VS2013 update 4: https://www.dropbox.com/s/sk8qajyxy4kx4m3/NewTemplate.zip?dl=0
The biggest difference seems to be that logging in with the original template is done without a postback, entirely through JavaScript (which seems in keeping with the SPA spirit). But in the later version of the template, a full postback happens during login. There is a plethora of other changes that seem connected to this main change. For example, in the older version there exists this method inside ApplicationOAuthProvider.cs:
    public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        using (UserManager<IdentityUser> userManager = _userManagerFactory())
        {
            // Validate the submitted user name and password.
            IdentityUser user = await userManager.FindAsync(context.UserName, context.Password);

            if (user == null)
            {
                context.SetError("invalid_grant", "The user name or password is incorrect.");
                return;
            }

            // Build one identity for the OAuth bearer token and one for the cookie.
            ClaimsIdentity oAuthIdentity = await userManager.CreateIdentityAsync(user,
                context.Options.AuthenticationType);
            ClaimsIdentity cookiesIdentity = await userManager.CreateIdentityAsync(user,
                CookieAuthenticationDefaults.AuthenticationType);

            AuthenticationProperties properties = CreateProperties(user.UserName);
            AuthenticationTicket ticket = new AuthenticationTicket(oAuthIdentity, properties);

            // Issue the token and also sign the user in with the cookie identity.
            context.Validated(ticket);
            context.Request.Context.Authentication.SignIn(cookiesIdentity);
        }
    }
This method is completely omitted from the newer template.
Would appreciate any insight as to why such significant changes were made. I don't see any advantages, and for a SPA-style app I prefer the lack of postback. But perhaps there were important security or design reasons considered which I should also consider.
Thanks... -Ben