dotnet
Example authorization policy is bypassed when browsing to any other link on the site first
Description
Using Visual Studio 2022 and dotnet core 9 version, the application runs as expected. When an administrator attempts to access /local-account tab, it returns as unauthorized.
using Visual Studio 2026 Insiders and dotnet core 10
- If I open a new browser and go directly to /local-account, I receive a 403 error as expected.
- However, if I open any other page on the site first and then navigate to the /local-account tab as an Administrator account, it opens the page and displays the content -bypassing the Authorization policy.
Page URL
https://learn.microsoft.com/en-us/aspnet/core/blazor/security/blazor-web-app-with-windows-authentication?view=aspnetcore-9.0
Content source URL
https://github.com/dotnet/AspNetCore.Docs/blob/main/aspnetcore/blazor/security/blazor-web-app-with-windows-authentication.md
Document ID
34e4285b-c559-a3e1-30b2-4ff240e7a9fb
Platform Id
796db7a0-bc23-6666-70b4-7f96f81cdf46
Article author
@guardrex
Metadata
- ID: 34e4285b-c559-a3e1-30b2-4ff240e7a9fb
- PlatformId: 796db7a0-bc23-6666-70b4-7f96f81cdf46
- Service: aspnet-core
- Sub-service: blazor
🧟💀 Happy Halloween!! 🎃🧛
Stand-by! ... A green dinosaur 🦖 will be along shortly to assist.
![github-actions[bot] avatar](https://avatars.githubusercontent.com/in/15368?v=4 "Published by a pub.dev verified publisher"){kind=small}
Thanks for the report, @thomstratton! I'll take a look at this first thing tomorrow (Tuesday) morning.
I took a look, and I'll defer to @halter73 and/or @mikekistler because the policy shouldn't allow that behavior. I think you may have found a bug 😈. If so, they'll likely either move this issue to the product unit's repo for work or have you close here and open a new issue over there. Stand-by for them to see this and respond. If we don't hear back in 24 hours, I'll email them for attention to this.