finds.dev← search

// the find

davidfowl/TodoApp

★ 3,102 · C# · MIT · updated Feb 2026

Todo application with ASP.NET Core Blazor WASM, Minimal APIs and Authentication

A reference Todo app by David Fowl (ASP.NET Core team) that wires together minimal APIs, Blazor WASM, ASP.NET Core Identity, and .NET Aspire into one runnable example. It's not a starter template — it's a teaching repo showing how the pieces connect in a modern .NET 9 stack. If you're trying to understand how cookie auth, bearer tokens, YARP forwarding, and Blazor hosted mode interact, this is the clearest example Microsoft's ecosystem has.

The auth story is unusually complete: local username/password, JWT, cookie sessions, social OAuth (GitHub/Google/Microsoft), and Auth0 OIDC all coexist and are individually toggleable. The YARP IHttpForwarder usage — where the Blazor server-side host proxies API calls to the backend — is one of the only clean public examples of that pattern. Integration tests use a real WebApplicationFactory with an in-memory SQLite database rather than mocks, so they actually catch middleware config bugs. Aspire AppHost wires up both services together with zero manual port coordination, which is a good model for how Aspire is meant to be used.

It's pinned to a 2022-era migration schema and the EF migrations haven't been touched since mid-2023, so the data model is basically frozen. There's no refresh token rotation — the token endpoint hands back a refresh token but the sample never demonstrates using it, so anyone copying this for a real app will build the wrong mental model. The Blazor client is minimal to the point of being misleading: a single TodoList component with no real state management, error boundaries, or loading states, which won't prepare you for what an actual Blazor WASM app looks like at scale. The devcontainer support exists but the init.sh is sparse and the Aspire CLI dependency makes it non-trivial to actually run in a container.

View on GitHub →

// want more like this?

We dig through GitHub every week and send a few repos picked for what you actually care about — each with an honest take like this one.

Get finds in your inbox → Search again →