Example authorization policy is bypassed when browsing to any other link on the site first

[thomstratton]

Description

Using Visual Studio 2022 and dotnet core 9 version, the application runs as expected. When an administrator attempts to access /local-account tab, it returns as unauthorized.

using Visual Studio 2026 Insiders and dotnet core 10

• If I open a new browser and go directly to /local-account, I receive a 403 error as expected.
• However, if I open any other page on the site first and then navigate to the /local-account tab as an Administrator account, it opens the page and displays the content -bypassing the Authorization policy.

Page URL

https://learn.microsoft.com/en-us/aspnet/core/blazor/security/blazor-web-app-with-windows-authentication?view=aspnetcore-9.0

Content source URL

https://github.com/dotnet/AspNetCore.Docs/blob/main/aspnetcore/blazor/security/blazor-web-app-with-windows-authentication.md

Document ID

34e4285b-c559-a3e1-30b2-4ff240e7a9fb

Platform Id

796db7a0-bc23-6666-70b4-7f96f81cdf46

Article author

@guardrex

Metadata

• ID: 34e4285b-c559-a3e1-30b2-4ff240e7a9fb
• PlatformId: 796db7a0-bc23-6666-70b4-7f96f81cdf46
• Service: aspnet-core
• Sub-service: blazor

Related Issues

[github-actions]

🧟💀 Happy Halloween!! 🎃🧛

Stand-by! ... A green dinosaur 🦖 will be along shortly to assist.

[guardrex]

Thanks for the report, @thomstratton! I'll take a look at this first thing tomorrow (Tuesday) morning.

[guardrex]

I took a look, and I'll defer to @halter73 and/or @mikekistler because the policy shouldn't allow that behavior. I think you may have found a bug 😈. If so, they'll likely either move this issue to the product unit's repo for work or have you close here and open a new issue over there. Stand-by for them to see this and respond. If we don't hear back in 24 hours, I'll email them for attention to this.

[guardrex]

Ping @halter73 / @mikekistler ... This issue could still use an engineer's 👁️ to see if it should perhaps be moved to the PU repo for investigation.