InteractiveAuto WebAssembly fails under FallbackPolicy RequireAuthenticatedUser

[alexaka1]

Is there an existing issue for this?

• I have searched the existing issues

Describe the bug

In a Blazor Web App created with dotnet new blazor -int Auto -ai false, WebAssembly takeover fails for anonymous users when ASP.NET Core authorization uses a fallback policy that requires authenticated users.

The app explicitly marks both Razor components and static assets as anonymous:

• app.MapStaticAssets().AllowAnonymous()
• app.MapRazorComponents<App>(...).AllowAnonymous()

However, after navigating to an InteractiveAuto page and refreshing once WebAssembly should take over, the app fails because a framework asset under /_framework/ is returned as 401 Unauthorized.

In my repro, the failing asset is:

https://localhost:7112/_framework/resource-collection.9RAE4.js

The hash changes per build, but the behavior is consistent.

This leaves the page in the Blazor error state and prevents WebAssembly mode from loading for anonymous users.

If I sign in first, the same page refresh works and WebAssembly takes over correctly.

Expected Behavior

If both MapRazorComponents(...) and MapStaticAssets() are explicitly marked with AllowAnonymous(), InteractiveAuto should be able to load its required /_framework/* assets for anonymous users even when a fallback policy is configured.

Refreshing an InteractiveAuto page as an anonymous user should succeed and switch to WebAssembly mode instead of failing with a 401 on a framework asset.

Steps To Reproduce

Repro repo:
https://github.com/alexaka1/repro-dotnet--aspnetcore-65993

1. Clone the repro repo.
2. Run the server project over HTTPS so it listens on https://localhost:7112.
3. Open https://localhost:7112.
4. Navigate to /counter.
5. On first load, server interactivity works and the page shows Counter (Server).
6. Wait briefly so the WebAssembly assets can download.
7. Refresh the page.
8. The page fails and shows the Blazor error UI.
9. Inspect the network/console output and observe that a hashed /_framework/resource-collection.*.js request returns 401 Unauthorized.
10. Navigate to /auth and sign in.
11. Navigate back to /counter.
12. Refresh the page again.
13. Now the page loads successfully and shows Counter (WebAssembly).

Important repro detail:
The app configures a fallback policy requiring authenticated users, while also explicitly calling:

• app.MapStaticAssets().AllowAnonymous()
• app.MapRazorComponents<App>(...).AllowAnonymous()

Exceptions (if any)

Browser console:
ManagedError: AggregateException_ctor_DefaultMessage (Failed to fetch dynamically imported module: https://localhost:7112/_framework/resource-collection.9RAE4.js
TypeError: Failed to fetch dynamically imported module: https://localhost:7112/_framework/resource-collection.9RAE4.js)

HTTP response for the failing asset:
HTTP/2 401

.NET Version

10.0.201

Anything else?

Relevant app configuration in the repro:

• Blazor Web App template
• dotnet new blazor -int Auto -ai false
• static routing (<Routes /> is not given a render mode directly)
• custom auth scheme based on a cookie
• authorization configured with both:
  • default policy requiring authenticated users
  • fallback policy requiring authenticated users
• MapStaticAssets().AllowAnonymous()
• MapRazorComponents<App>(...).AllowAnonymous()

Observed behavior:

• anonymous user: refresh on /counter fails because /_framework/resource-collection.*.js returns 401
• signed-in user: refresh on /counter succeeds and WebAssembly mode works

This seems related to fallback policy behavior around framework/static resources used by InteractiveAuto.

I am 100% sure this is related to #51836 and the implicit fix was not fully complete.

[MihuBot]

I'm a bot. Here is a possible related and/or duplicate issue (I may be wrong):

• Blazor resource-collection endpoints don't seem to respect authorization overrides #65327