Blazor Web Assembly authentication issue in version 10.0.8

Question

Blazor Web Assembly authentication issue in version 10.0.8

Muthukumar S 5

Richard Wright 0 Reputation points

2026-06-11T18:55:04.1133333+00:00

This is a confirmed regression introduced in the 10.0.8 servicing update, currently tracked on GitHub under aspnetcore#66978. The issue stems from a breaking change or bug in the underlying AuthenticationService.js script file shipped with the 10.0.8 WebAssembly authentication packages, causing MSAL/OIDC lifecycles to bypass execution entirely. This results in RemoteUserAccount resolving as null and User.Identity.IsAuthenticated evaluating to false inside the custom AccountClaimsPrincipalFactory, despite a successful authentication callback from the identity provider.

Temporary Workarounds:

Roll back: Downgrade your Microsoft.AspNetCore.Components.WebAssembly.Authentication and related MSAL packages back to version 10.0.7 until a servicing fix is released.

Manual Script Override: If you must stay on 10.0.8, manually replacing the 10.0.8 AuthenticationService.js asset in your deployment with the working version from 10.0.7 restores functionality without modifying your C# application logic.

2 answers

Your answer

Richard Wright 0 Reputation points

2026-06-11T18:55:04.1133333+00:00

This is a confirmed regression introduced in the 10.0.8 servicing update, currently tracked on GitHub under aspnetcore#66978. The issue stems from a breaking change or bug in the underlying AuthenticationService.js script file shipped with the 10.0.8 WebAssembly authentication packages, causing MSAL/OIDC lifecycles to bypass execution entirely. This results in RemoteUserAccount resolving as null and User.Identity.IsAuthenticated evaluating to false inside the custom AccountClaimsPrincipalFactory, despite a successful authentication callback from the identity provider.

Temporary Workarounds:

Roll back: Downgrade your Microsoft.AspNetCore.Components.WebAssembly.Authentication and related MSAL packages back to version 10.0.7 until a servicing fix is released.

Manual Script Override: If you must stay on 10.0.8, manually replacing the 10.0.8 AuthenticationService.js asset in your deployment with the working version from 10.0.7 restores functionality without modifying your C# application logic.

Answer 1

Danny Nguyen (WICLOUD CORPORATION) 7,105 Microsoft External Staff Moderator

Hi @Muthukumar S , could you share a bit more detail about the issue? For example, what authentication setup/provider you’re using, the exact error or behavior you’re seeing, and whether this started only after updating to 10.0.8.

In the meantime, these docs may help with common Blazor WebAssembly authentication setup and troubleshooting:

Blazor WebAssembly security/authentication overview: https://learn.microsoft.com/en-us/aspnet/core/blazor/security/webassembly/?view=aspnetcore-10.0
Blazor WebAssembly additional security scenarios: https://learn.microsoft.com/en-us/aspnet/core/blazor/security/webassembly/additional-scenarios?view=aspnetcore-10.0
Hosted Blazor WebAssembly with Microsoft Entra ID: https://learn.microsoft.com/en-us/aspnet/core/blazor/security/webassembly/hosted-with-microsoft-entra-id?view=aspnetcore-7.0
Blazor WebAssembly with ASP.NET Core Identity: https://learn.microsoft.com/en-us/aspnet/core/blazor/security/webassembly/standalone-with-identity/?view=aspnetcore-10.0
ASP.NET Core authentication overview: https://learn.microsoft.com/en-us/aspnet/core/security/authentication/?view=aspnetcore-10.0

If you can share the error message, browser console output, or relevant authentication configuration, it will be easier to suggest specific troubleshooting step.

Muthukumar S 5 Reputation points

2026-05-29T03:44:57.2066667+00:00

Hi @Danny Nguyen (WICLOUD CORPORATION) Thanks for your response. I am using MSAL authentication, and after upgrading to version 10.0.8, the RemoteUserAccount is always null in the CreateUserAsync method within my ClaimFactory. The same configuration works perfectly up to version 10.0.7 using the same Visual Studio (v18.6.1). This issue is occurring only after the upgrade. So the Authentication is not working.
Danny Nguyen (WICLOUD CORPORATION) 7,105 Reputation points Microsoft External Staff Moderator

2026-05-29T10:48:26.31+00:00
Hi @Muthukumar S , thank you for your follow up. I tested this with a clean Blazor WebAssembly + MSAL repro and wasn’t able to reproduce a general 10.0.8 regression.

What I observed is that CreateUserAsync can be called during the initial unauthenticated flow with RemoteUserAccount == null, and then called again after a successful sign-in with a populated account. In my test on 10.0.8, the post-login call had a non-null RemoteUserAccount, so authentication completed successfully.

Because of that, a custom AccountClaimsPrincipalFactory<RemoteUserAccount> should defensively handle the unauthenticated case, for example:

public override ValueTask<ClaimsPrincipal> CreateUserAsync( RemoteUserAccount account, RemoteAuthenticationUserOptions options) { if (account is null) { return base.CreateUserAsync(account, options); } // custom claim logic here return base.CreateUserAsync(account, options); }

If you can share a minimal repro or the custom claim-mapping code, that would help narrow down your problem.
Muthukumar S 5 Reputation points

2026-06-01T02:02:58.0266667+00:00

@Danny Nguyen (WICLOUD CORPORATION) Thanks for your response. I am using dotnet SDK 10.0.300 and MSAL 10.0.8. Is there any version mismatch or any possible lifecycle regression. Because 10.0.7 run time is working fine with the same SDK.
Muthukumar S 5 Reputation points

2026-06-01T02:26:16.9+00:00

@Danny Nguyen (WICLOUD CORPORATION) Thank you for your response. I am currently using .NET SDK 10.0.300 along with MSAL 10.0.8. Could there be any version compatibility issues or potential lifecycle regressions contributing to this behavior?

I have also observed that AuthenticationService.js is not being executed during the login process, and the RemoteUserAccount object is returning null values. Interestingly, the same setup works as expected with runtime version 10.0.7 on the same SDK.

I would appreciate your insights on this. Thank you.
Danny Nguyen (WICLOUD CORPORATION) 7,105 Reputation points Microsoft External Staff Moderator

2026-06-01T10:59:18.71+00:00
Hi @Muthukumar S , I wasn’t able to reproduce a general compatibility issue between SDK 10.0.300 and MSAL 10.0.8 in a minimal repro, so this may be specific to your app or auth flow.

Could you share the following so I can compare it with a working sample?

Program.cs

your custom AccountClaimsPrincipalFactory<RemoteUserAccount> implementation

your .csproj package versions

any custom AuthenticationService.js or related auth script changes

whether RemoteUserAccount is null only before sign-in, or still null after the login callback completes

A minimal repro would be even better if you can provide one.
Danny Nguyen (WICLOUD CORPORATION) 7,105 Reputation points Microsoft External Staff Moderator

2026-06-03T07:07:20.1066667+00:00

Hi, just checking in. Do you have any update on this post?
Muthukumar S 5 Reputation points

2026-06-03T22:31:42.45+00:00

@Danny Nguyen (WICLOUD CORPORATION) Replacing manually the AuthenticationService.js in 10.0.8 with the version from 10.0.7 works correctly with the 10.0.8 runtime, without any other changes. It looks like issue in the java script layer. Please share your thoughts on this. Thanks.
Danny Nguyen (WICLOUD CORPORATION) 7,105 Reputation points Microsoft External Staff Moderator

2026-06-04T11:00:48.5166667+00:00

Thanks, that’s very helpful.

I also see this is already being tracked in https://github.com/dotnet/aspnetcore/issues/66978, and since you’re already on that issue, it’s probably best to continue tracking it there. If this turns out to be caused by an upstream/service-side/auth-stack change, that issue is the right place for the .NET team to coordinate investigation and any fix.

For now, sticking with the 10.0.7 AuthenticationService.js workaround seems reasonable until there’s more guidance or a fix on that issue.
Danny Nguyen (WICLOUD CORPORATION) 7,105 Reputation points Microsoft External Staff Moderator

2026-06-08T10:25:08.4133333+00:00

Hi, just checking in—do you have any further questions about this issue? If the workaround works for you for now, I’d appreciate it if you can give me a confirmation.

Thank you.
Muthukumar S 5 Reputation points

2026-06-08T14:09:46.15+00:00

Hi @Danny Nguyen (WICLOUD CORPORATION) Is it a valid approach or acceptable workaround to use AuthenticationService.js version 10.0.7 while running on runtime version 10.0.8? Would it be advisable to ship a production build that combines two different versions in this way? I would appreciate your thoughts on this.
Danny Nguyen (WICLOUD CORPORATION) 7,105 Reputation points Microsoft External Staff Moderator

2026-06-09T04:43:07.0866667+00:00

Hi @Muthukumar S , thanks for the follow-up — this is a good question.

Using AuthenticationService.js from 10.0.7 with the 10.0.8 runtime can work as a temporary workaround, especially since you’ve already confirmed it restores the expected behavior. However, I wouldn’t consider this a long-term or ideal production setup, since it mixes assets across versions and may lead to unexpected issues later (especially if there are other changes in the auth pipeline).

If you plan to ship, a safer option would be to stay fully on 10.0.7 until there’s an official fix or guidance for 10.0.8.

If you notice any additional behavior differences or logs (especially around the login callback / JS execution), feel free to share — that may also help validate the root cause.
If there is no new updates, and these problem are already being tracked on https://github.com/dotnet/aspnetcore/issues/66978, I would greatly appreciate it if you could follow this guidance or provide feedback.

Thank you.

Muthukumar S 5

Hi @Danny Nguyen (WICLOUD CORPORATION)

Here I am sharing my implementation configuration details, please have a look and let me know if you have any findings, Issues still exist even upgrading into the latest runtime 10.0.9 as well. but both 10.0.8 and 10.0.9 runtime, the auth flow is working fine with the AuthenticationService.Js version 10.0.7.

Note : RemoteUserAccount is null before sign-in and still null after the login callback completes

Program.cs

var builder = WebAssemblyHostBuilder.CreateDefault(args);

builder.RootComponents.Add<App>("#app");

builder.RootComponents.Add<HeadOutlet>("head::after");

// Boot order: pre-Blazor JS version gate → Blazor boot → MSAL token acquisition → ClaimFactory populates roles/permissions.

// MSAL authentication

builder.Services.AddMsalAuthentication(options =>

{

builder.Configuration.Bind("AzureAd", options.ProviderOptions.Authentication);

options.ProviderOptions.Cache.CacheLocation = "localStorage";

options.ProviderOptions.Authentication.ValidateAuthority = true;

options.ProviderOptions.LoginMode = "redirect";

})

.AddAccountClaimsPrincipalFactory<ClaimFactory>();

CliamFactory.cs

public class ClaimFactory(ILogger<ClaimFactory> logger,

  IHttpClientFactory httpClientFactory, 

  IAccessTokenProviderAccessor accessor, 

  NotificationService notificationService,

  IApplicationInsights applicationInsights,

  

  PermissionService permissionService) : AccountClaimsPrincipalFactory<RemoteUserAccount>(accessor)

{

  private readonly ILogger _logger = logger;

  private readonly IHttpClientFactory _httpClientFactory = httpClientFactory;

  private readonly PermissionService _permissionService = permissionService;

  private readonly IApplicationInsights _applicationInsights = applicationInsights;

  private readonly NotificationService _notificationService = notificationService;

  private readonly SemaphoreSlim _lock = new(1, 1);

  public override async ValueTask<ClaimsPrincipal> CreateUserAsync(RemoteUserAccount account, RemoteAuthenticationUserOptions options)

  {

      try

      {

          await _lock.WaitAsync();

          var user = await base.CreateUserAsync(account, options);

          if (user.Identity?.IsAuthenticated != true)

          {

              _logger.LogInformation("User is not authenticated. Skipping claims population.");

              return user;

          }

         

          var http = _httpClientFactory.CreateClient("Test.MyApp.API");

          var identity = (ClaimsIdentity)user.Identity;

         

         var roleTask = http.GetAsync("api/users/roles");

          var permissionTask = http.GetAsync("api/users/permissions");

          var isSuperAdminTask = http.GetAsync("api/users/superadmin");

          await Task.WhenAll(roleTask, permissionTask, isSuperAdminTask);

          var roleResponse = roleTask.Result;

          var userDto = roleResponse.StatusCode == HttpStatusCode.OK ? await roleTask.Result.Content.ReadFromJsonAsync<UserDto>() : new();

        

          var isSuperAdmin = await isSuperAdminTask.Result.Content.ReadFromJsonAsync<bool?>() ?? false;

          _permissionService.SetIsSuperAdmin(isSuperAdmin);

          var permissions = await permissionTask.Result.Content.ReadFromJsonAsync<HashSet<Permissions>>() ?? [];

          _permissionService.SetPermissions(permissions);

          List<string> newRoleClaims = [];

          foreach (var userRole in userDto.UserRoles.OrderBy(x => x.BusinessId))

          {

              switch (userRole.BusinessId)

              {

                  case "XXX":

                      identity.AddClaim(new Claim("XXX", userRole.Role));

                      newRoleClaims.Add($"XXXX_{userRole.Role}");

                      break;

                  case "YYY":

                      identity.AddClaim(new Claim("YYY", userRole.Role));

                      newRoleClaims.Add($"YYY_{userRole.Role}");

                      break;

                 

              }

              

          }

          var roleClaims = identity.FindAll(identity.RoleClaimType);

          if (roleClaims == null || roleClaims.Any() == false)

          {

              foreach (var roleClaim in newRoleClaims)

              {

                  identity.AddClaim(new Claim(identity.RoleClaimType, roleClaim));

              }

          }

          return user;

      }

      catch (AccessTokenNotAvailableException exception)

      {

          exception.Redirect();

          _logger.LogWarning("Access token not available. Redirecting to login.");

          return new ClaimsPrincipal();

      }

      catch (Exception ex)

      {

          _logger.LogError(ex, "Error obtaining user claims for My App.");

          throw;

      }

      finally

      {

          _lock.Release();

      }

  }

}

CsProj:

<PackageReference Include="BlazorApplicationInsights" Version="3.3.0" />

<PackageReference Include="Blazored.FluentValidation" Version="2.2.0" />

<PackageReference Include="Microsoft.ApplicationInsights.AspNetCore" Version="2.23.0" />

<PackageReference Include="Microsoft.AspNetCore.Components.WebAssembly" Version="10.0.8" />

<PackageReference Include="Microsoft.AspNetCore.Components.WebAssembly.DevServer" Version="10.0.8" PrivateAssets="all" />

<PackageReference Include="Microsoft.Authentication.WebAssembly.Msal" Version="10.0.8" />

<PackageReference Include="OpenTelemetry.Api" Version="1.15.3" />

<PackageReference Include="Telerik.UI.for.Blazor" Version="12.3.0" />

</ItemGroup>

Danny Nguyen (WICLOUD CORPORATION) 7,105 Reputation points Microsoft External Staff Moderator

2026-06-11T07:56:38.9266667+00:00

Hi @Muthukumar S , thanks for sharing the details.

From the code you shared, I don’t see anything obvious in the ClaimFactory that would explain why RemoteUserAccount stays null after the login callback. Since replacing only AuthenticationService.js with the 10.0.7 version restores the auth flow, this still points more toward a JavaScript auth layer change/regression.

One thing I noticed is that your .csproj still references 10.0.8 packages. If you are testing 10.0.9, please make sure these package references are also updated to 10.0.9, then clean bin / obj, clear browser cache/site data, and test again with matching 10.0.9 files.

That said, I would not recommend using mixed versions, such as 10.0.7 AuthenticationService.js with 10.0.8/10.0.9 runtime, as a long-term production solution. It may be okay only as a temporary workaround for validation. The safer option is to stay fully on the working 10.0.7 set until there is official guidance or a fix.

Since this appears related to the GitHub issue already being tracked here: aspnetcore issue 66978, I’d suggest adding your latest findings there too, especially that 10.0.8 and 10.0.9 both reproduce the issue, and replacing only AuthenticationService.js with 10.0.7 restores the auth flow.
Muthukumar S 5 Reputation points

2026-06-11T15:48:08.9066667+00:00

One thing I noticed is that your .csproj still references 10.0.8 packages Hi @Danny Nguyen (WICLOUD CORPORATION) The issue still remains the same in both 10.0.8 and 10.0.9, If it is an issue with the javascript layer, how do we address this issue? Also one more observation AuthenticationServices.js is identical on both 10.0.8 and 10.0.9.
Danny Nguyen (WICLOUD CORPORATION) 7,105 Reputation points Microsoft External Staff Moderator

2026-06-12T08:07:58.6066667+00:00

Hi @Muthukumar S , thanks for the follow-up.

I checked the 10.0.7 and 10.0.8 AuthenticationService.js files. One important difference is that 10.0.7 uses an older MSAL JS stack, while 10.0.8 uses a newer one. Since 10.0.8 and 10.0.9 behave the same, this still looks more related to the newer bundled auth script than to your ClaimFactory code.

At this point, I don’t see an app-side code change I can confidently recommend from the ClaimFactory alone, because the custom claims code runs after the Blazor/MSAL login result is processed. If RemoteUserAccount is still null after the login callback, the problem likely happens before your custom claims logic.

For now, using the 10.0.7 AuthenticationService.js with 10.0.8/10.0.9 may work as a temporary workaround, since you confirmed it restores the auth flow. However, I would not treat this as a long-term production setup because it mixes assets across versions and could cause other issues later.

The safer production option is to stay fully on the working 10.0.7 package/runtime set until there is an official fix or guidance.

Since this is already being tracked here: aspnetcore issue 66978, I’d suggest continuing the investigation on that GitHub issue and adding your latest finding there, especially that 10.0.8 and 10.0.9 have the same behavior, while the 10.0.7 script works.

Answer 2

In 10.0.8 the most common causes for IsAuthenticated == false and RemoteUserAccount == null after an upgrade are configuration or package coherence issues in the Blazor WebAssembly authentication stack.

Use the following checks and fixes:

Verify identity provider (OIDC/MSAL) configuration

Confirm that all OIDC settings still match the provider app registration:
- Authority / Instance
- Tenant ID / Tenant domain
- Client ID
- Redirect URI
- Scopes and API permissions
A mismatch in any of these (for example, redirect URI or port) prevents the token from being issued and processed, which leaves the user unauthenticated.
If the app is running on a different port than configured in the redirect URI, update the provider configuration or the app so they match.

Inspect logs and network traffic

Enable client-side authentication logging for Blazor WebAssembly as described in the Blazor logging guidance. This will show whether the OIDC flow completes and whether tokens are received.
Use the browser’s developer tools Network tab to inspect the authentication redirects and token responses. Look for error responses from the identity provider or backend.

Check for incoherent packages after upgrading to 10.0.8 A functioning app can fail immediately after upgrading the .NET SDK or changing package versions due to incoherent packages.

Apply the recommended cleanup steps:

Clear NuGet caches:
```
   dotnet nuget locals all --clear
```
Delete the project’s bin and obj folders.
Restore and rebuild the project.
If deployed, delete all files in the deployment folder on the server before redeploying.

Also ensure that all Blazor and authentication-related packages target the same framework and are compatible with .NET 10.0.8. Using package versions incompatible with the app’s target framework isn’t supported.

Confirm the authentication pipeline still runs

Ensure the Blazor WebAssembly app still uses the Microsoft.AspNetCore.Components.WebAssembly.Authentication library and that the OIDC authentication process is wired as expected (login page /authentication/login, callback /authentication/login-callback, etc.).
If the authentication JavaScript (AuthenticationService.js) or MSAL version was customized or replaced, verify that the custom implementation still matches the 10.0.8 expectations. If a custom AuthenticationService is used, confirm the script reference is correct and loads before blazor.webassembly.js.

Validate the token itself

Once a token is obtained, decode it using https://jwt.ms to confirm it contains the expected claims and that it is valid (issuer, audience, expiry). If the token is missing or invalid, the authentication state will remain unauthenticated.

If after these steps IsAuthenticated remains false, focus on:

Logs from the client-side authentication library.
Network traces around /authentication/login and /authentication/login-callback.
Any differences in configuration or package versions introduced between 10.0.7 and 10.0.8.

References:

Share via

Blazor Web Assembly authentication issue in version 10.0.8

2 answers

Your answer