[.NET 8] Using attribute [Authorize] is bugged when refreshing page (shows HTTP ERROR 401 despite being logged in)

[DM-98]

Is there an existing issue for this?

• I have searched the existing issues

Describe the bug

I'm using Blazor RenderMode InteractiveServer globally and Prerender turned off. I also use JWT authentication (not sure how it behaves with other authentication methods).

When navigating with a href clicks it works fine authenticating the user and showing authorized page. But when the same user refreshes the page with F5, it shows HTTP ERROR 401, like this:

A minimal reproducable project is made for you to see the issue.

Expected Behavior

I expect the authenticated & authorized user to keep seeing the Authorized content inside the blazor page component after a F5 page refresh.

Steps To Reproduce

1. Download the repo: Minimalistic project - Github
   or quickly Git Bash this:
   git clone https://github.com/DM-98/BlazorApp2-AuthorizationIssueRepro
2. Open Package Manager Console and run "Update-Database"
   (which makes a new database called BlazorApp2-AuthorizationBugRepro)
3. Start with(out) debugging
4. Register a user and then Login
5. Navigate to [Authorize]'d page only and press F5

Exceptions (if any)

No response

.NET Version

8.0.100

Anything else?

No response

[surayya-MS]

Thanks for contacting us, @DM-98 !
The authentication state provider the app defined is only used within Blazor and is not integrated with the ASP.NET Core authentication system. During prerendering, Blazor Web respects the metadata defined on the page and uses the ASP.NET Core authentication system to determine if the user is authenticated. Since you haven't integrated your custom AuthenticationStateProvider with the built-in authentication system, when you navigate from one page to the other, only your auth provider is used, (which works), but when you refresh the page, your provider is not involved in the auth decision, and thats why the page doesn't get rendered.

To address this, it's better if you perform the authentication within the ASP.NET Core auth system and your authentication state provider only takes care of reflecting that state. For an example on how to do this, check the authentication state provider in the Blazor Web template with individual user accounts.

[rezamohammad]

Hello, @surayya-MS
if possible, write a sample code for example
Thankful

[rezamohammad]

hi @DM-98
#52063 (comment)

Well, I found a workaround by:
define following class and register it where server initializes

public class BlazorAuthorizationMiddlewareResultHandler : IAuthorizationMiddlewareResultHandler
{
    public Task HandleAsync(RequestDelegate next, HttpContext context, AuthorizationPolicy policy, PolicyAuthorizationResult authorizeResult)
    {
        return next(context);
    }
}

and handler:

services.AddSingleton<IAuthorizationMiddlewareResultHandler, BlazorAuthorizationMiddlewareResultHandler>();
This class will prevent redirection from the new .net 8 authorization middleware response.
The problem still exists, but we can at least we can use .NET 8 new feature the way we used to in Blazor and .NET 7.

You may need to separate endpoint routing other than blazor routes since it basically renders serverside authorization (via .AddAuthentication(...).AddJwtBearer(...)) ineffective.

hope this helps, enjoy .net 8. while the team fixes the problem.

[dmm-l-mediehus]

@rezamohammad The workaround works flawlessly, thanks.

[sh-jthorpe]

Thanks for contacting us, @DM-98 ! The authentication state provider the app defined is only used within Blazor and is not integrated with the ASP.NET Core authentication system. During prerendering, Blazor Web respects the metadata defined on the page and uses the ASP.NET Core authentication system to determine if the user is authenticated. Since you haven't integrated your custom AuthenticationStateProvider with the built-in authentication system, when you navigate from one page to the other, only your auth provider is used, (which works), but when you refresh the page, your provider is not involved in the auth decision, and thats why the page doesn't get rendered.

To address this, it's better if you perform the authentication within the ASP.NET Core auth system and your authentication state provider only takes care of reflecting that state. For an example on how to do this, check the authentication state provider in the Blazor Web template with individual user accounts.

Hi @surayya-MS, i've logged #52586 as this issue applies to MS Entra ID auth as well, and in that scenario there's no authentication state provider for us to configure.

[Stefan13-13]

For me the workaround by @rezamohammad does not work.
The error goes away, but now I can view my page with the @attribute [Authorize(Policy = MyPolicy)] while I'm not autorized.