.NET 10 Preview 7: WebSocketStream, Passkeys, MAUI XAML Generator

Microsoft has published Preview 7 of .NET 10, a release that looks and smells very much like “near feature-complete” for the platform’s November launch — bringing a clutch of pragmatic developer productivity improvements, security enhancements such as passkey integration for ASP.NET Identity, and several long-awaited quality fixes (notably in .NET MAUI), while leaving the door open for a final round of polish before general availability.

Background​

.NET’s calendar-driven release rhythm means November is the big moment each year, and .NET 10 is slated to be a Long Term Support (LTS) release. That LTS designation carries three years of servicing and security updates, making this a release enterprises will factor into migration roadmaps. The .NET team has been shipping monthly previews through 2025 and is using the virtual .NET Conf event in mid-November as the natural GA window. (learn.microsoft.com, sessionize.com)
Preview 7 (published August 12, 2025) is therefore a late-stage milestone: not a heated feature-bake, but a consolidation pass that introduces a small set of new APIs and a wider set of fixes and refinements across runtime, libraries, tooling, ASP.NET Core, Blazor, MAUI, Windows Forms and WPF. Expect the cadence to follow the usual pattern: a release candidate (RC) cycle in September–October, with GA tied closely to .NET Conf. (devblogs.microsoft.com, learn.microsoft.com)

---

What’s in Preview 7 — at a glance​

• New library APIs including a WebSocketStream abstraction and improvements to serialization plumbing (PipeReader integration).
• ASP.NET Core / Blazor: simplified passkey authentication plumbing and template-level support for passkeys in new Blazor apps using individual authentication.
• .NET MAUI: a strongly-typed XAML source generator, MediaPicker EXIF handling, SafeArea enhancements, new control APIs (picker open/close, public TabbedPageManager), and a raft of quality fixes. (devblogs.microsoft.com, github.com)
• Security / cryptography: expanded post-quantum cryptography (PQC) support and new cipher primitives exposed to managed APIs.
• Desktop UI: Windows Forms dark-mode rendering fixes, WPF Fluent theme improvements and other quality updates.

These aren’t headline-breaking features — they’re practical, developer-oriented changes that matter in day-to-day engineering: more ergonomic APIs, safer defaults, and build-time tooling improvements.

---

Deep dive: WebSocketStream — streams meet sockets​

What it is and why it matters​

Preview 7 lists WebSocketStream among the libraries updates: a library-level, stream-based abstraction over WebSocket connections that makes WebSocket programming more idiomatic for developers who already think in terms of streams and serializers. Instead of juggling receive buffers, manual framing, and ad-hoc assembly of message payloads, the WebSocketStream approach lets you work with a Stream-like API and combine it with existing serializers (System.Text.Json, pipelines, etc.). Microsoft highlights how simple it can be to read and deserialize a JSON message in two lines when using the new abstraction.
The concept mirrors recent moves in browser APIs (WebSocketStream) and community libraries that wrap websockets as streams; those JavaScript/Chrome/MDN discussions show the benefit of marrying streams APIs with WebSockets for backpressure-aware, async-safe processing. The .NET implementation pulls that pattern into the runtime’s libraries, making it easier to integrate WebSocket endpoints with existing stream- or pipeline-based code. (developer.chrome.com, developer.mozilla.org)

Practical benefits​

• Cleaner code: fewer manual buffer manipulations, easy integration with serializers and pipelines.
• Backpressure handling: stream/pipeline semantics make it simpler to avoid message flooding and unbounded concurrent processing.
• Composability: treat a WebSocket transport like any other stream; use the same diagnostics, middleware and serializers you already use.

Caveats and what to watch for​

• Implementation specifics (framing details, partial messages, binary/text semantics) matter. Before adopting widely, validate behavior against expected edge cases — fragmented messages, very large payloads, and cross-platform nuances — and test interoperability with non-.NET clients.
• Because WebSockets touch network, protocol and serialization concerns, ensure your telemetry and observability capture WebSocket lifecycle events (connect/disconnect/errors) and message-level metrics after migrating code.

---

Passkeys in ASP.NET Core and Blazor — real progress, real constraints​

Preview 7 continues Microsoft’s push to make passkeys a first-class part of ASP.NET Identity and Blazor templates. The team has simplified passkey authentication support and wired it into the Blazor project template that uses Individual authentication — so creating a new Blazor app and enabling passkeys is as simple as running the template command and choosing Individual authentication. (devblogs.microsoft.com, andrewlock.net)

Why this is important​

• Security: passkeys (FIDO/WebAuthn) provide phishing-resistant, device-bound authentication using platform authenticators (Windows Hello, Touch ID, Android/Chrome passkeys), a material step up from passwords.
• Usability: when integrated into templates, passkeys lower adoption friction for developers and offer a modern UX out of the box.

The limits — and the devil in templates​

• Templates still scaffold a password-backed account in many flows; passkeys are frequently added to an existing account rather than replacing passwords entirely. That transitional model is pragmatic, but it reduces the immediate anti-phishing benefits if passwords remain in the account model by default. Critics point out that an initial, mandatory password undermines the "passwordless" promise.
• The built-in passkey support in Identity is intentionally conservative: core WebAuthn functionality is present, but the team has kept the public surface small for long-term stability. That means advanced attestation and policy validation may still require third-party libraries or extra work.

Recommended adoption approach​

• Use the new Blazor templates for experimental or greenfield apps to get the passkey UX in place quickly.
• Treat passkeys as an additional authentication mechanism initially; remove passwords only after a careful migration, account recovery analysis, and a user/device-key escrow or sync strategy.
• Validate attestation requirements and regulatory constraints (e.g., enterprise attestation policies) before flipping “passwordless only” in a production environment.

---

.NET MAUI: XAML source generator and the long road to quality​

.NET MAUI receives one of the more practically consequential changes in Preview 7: a strongly-typed XAML source generator. Instead of parsing XAML at runtime, the build process emits compiled representations of XAML files, turning runtime parsing into a compile-time code-generation step. The immediate payoffs are:

• Faster app startup (parsing work is done at compile time).
• Better tooling: generated types improve IntelliSense, error detection earlier in the build, and make diagnostics more actionable.
• Stricter typing: some classes of runtime XAML errors surface at build time.

Preview 7 also refines MAUI controls: MediaPicker EXIF handling, SafeArea layout behavior, new control APIs (open/close for pickers), and API exposure such as TabbedPageManager now being public. The MAUI release notes and GitHub release for preview 7 enumerate a long list of bug fixes and smaller improvements, which collectively aim to address MAUI’s reputation for spotty quality. (github.com, devblogs.microsoft.com)

Why this is a meaningful change​

MAUI’s biggest practical problems historically have been tooling, startup and layout glitches, and inconsistent control behavior across platforms. Moving XAML processing to a source-generated, strongly-typed model is a direct lever on tooling and reliability — developers get compile-time validation and better IDE feedback.

Why skepticism remains justified​

• Microsoft itself uses MAUI relatively sparingly in flagship apps; enterprise confidence often rises when vendor products are built on a framework that gets internal production usage. The present improvements help, but adoption risk is still tied to ecosystem momentum, third-party control quality and consistent cross-platform behavior.

---

Other notable changes and platform polish​

• C# 14: .NET 10 ships alongside C# 14 features; preview docs and the compiler team have been iterating experimental features through the preview cycle. Some language additions require opting into preview language versions during the preview period.
• Post-quantum cryptography (PQC): the crypto stack expands PQC support, reflecting broader industry work to prepare managed platforms for quantum-resistant algorithms. This is a forward-looking change with real implications for long-lived secure systems.
• Desktop UI: Windows Forms and WPF receive focused quality work — e.g., dark-mode rendering fixes for ComboBox and RichTextBox, and Fluent theme polish in WPF — which matters for organizations maintaining long-lived desktop codebases.

---

Critical analysis: strengths, pragmatic value, and open questions​

Strengths​

• Developer ergonomics: the new WebSocketStream abstraction and PipeReader integration for JSON reduce boilerplate and improve safety, especially for service-oriented and real-time apps. These touches lower the friction to adopt modern patterns without large library churn. (devblogs.microsoft.com, developer.chrome.com)
• Security-forward defaults: first-class passkey integration in Identity and templates is an important shift. If tooling can keep simplifying adoption, passkeys may finally cross the chasm from security-lab novelty to mainstream practice. (devblogs.microsoft.com, andrewlock.net)
• Tooling and build-time checks: MAUI’s XAML source generator and other compile-time investments improve the developer feedback loop and will reduce time wasted tracking down runtime-only XAML errors.

Risks and limitations​

• Template conservatism: passkeys are being introduced in a migration-friendly, conservative way that still leans on passwords as a fallback. That is pragmatic, but it also dilutes the “passwordless by default” argument and creates potential confusion in threat models.
• MAUI maturity: quality and cross-platform consistency remain an adoption risk. Microsoft’s fixes are welcome, but large enterprise uptake will hinge on a sustained streak of reliability and richer third-party ecosystem support.
• Interoperability edge cases: new abstractions (e.g., WebSocketStream) are powerful but demand careful validation when interoperating with non-.NET peers or legacy protocol quirks. Tests for fragmentation, partial frames and backpressure behavior are essential. (devblogs.microsoft.com, developer.chrome.com)

Business and operational considerations​

• LTS timing matters: .NET 10 being an LTS release means longer servicing windows; organizations planning migrations from .NET 6/8/9 should time their upgrade cycles to align with patch windows and application lifecycles. The policy and cadence should guide upgrade roadmaps. (learn.microsoft.com, dotnet.microsoft.com)
• Security posture: PQC additions are forward-looking, but adopting new primitives requires cryptographic review, third-party validation and, often, governance signoff for production cryptography changes.

---

Upgrade guidance: how teams should approach .NET 10​

• Inventory & prioritize: identify high-risk apps (native P/Invoke, platform-specific dependencies, desktop UI) and prioritize testing there first.
• Stage previews in dev-only lanes: run Preview 7 in sandboxed CI and test harnesses to exercise new APIs (WebSocketStream, passkeys, MAUI XAML generator) before moving to RC/GA builds.
• Exercise authentication flows: if using ASP.NET Identity or Blazor templates, test passkey enroll/login flows, account recovery and device-change scenarios. Ensure UX and fallback behaviors meet policy and UX needs.
• Test interop and edge cases: for WebSocket workloads, create cross-platform interoperability tests against non-.NET clients; for MAUI, validate UI on each target platform and screen shape. (developer.chrome.com, github.com)
• Adopt incrementally: move libraries and services onto .NET 10 first; hold back monolith migrations until RC or GA and until third-party dependencies support .NET 10 officially.
• Monitor patches: treat early GA as the beginning of stability hardening — subscribe to servicing notes and patch streams and bake monthly servicing into your maintenance plan.

---

Timeline and release expectations​

Preview 7’s August 12, 2025 publication signals the late-preview phase. Historically, after a final preview like this the team issues release candidates in the months immediately before GA. With .NET Conf and the major release window in mid-November, expect:

• September: release candidate 1 (feature-freeze confirmed).
• October: release candidate 2 (final bug fixes and performance tuning).
• Mid-November: GA and LTS announcement during .NET Conf (virtual event spanning early to mid-November). (devblogs.microsoft.com, sessionize.com)

---

Conclusion​

Preview 7 of .NET 10 is a practical, late-stage update that leans heavily toward polish and developer ergonomics: a stream-based WebSocket abstraction that simplifies real-time messaging, first-class passkey support scaffolded into Blazor templates, and a MAUI XAML source generator that measurably improves build-time diagnostics and tooling. For teams, the message is straightforward: experiment now, validate interoperability and identity flows, and plan staged adoption for GA and LTS support. The changes aren’t a platform pivot — they’re the kind of incremental, pragmatic improvements that make day-to-day development faster and safer, provided teams approach migration with realistic testing, careful rollout and an eye on the October–November candidate/GA timeline. (devblogs.microsoft.com, learn.microsoft.com, github.com)

---

Source: theregister.com .NET 10 preview out now, likely to be near feature-complete