Configuring .NET 10 Blazor WASM program.cs to use an HTTP Delegate to attach JWT Security Token

Question

Configuring .NET 10 Blazor WASM program.cs to use an HTTP Delegate to attach JWT Security Token

Bob N 0

My knowledge of JWT security tokens until several weeks ago was nil. After a bit of reading, I was able to retrieve a security token from a 'login' server, and able to use that token within Blazor, and with the addition of an AuthenticationStateProvider it would correctly display the user name and have the <AuthorizedView> behaving as well. After reading further, it looked like using an Http delegate handler was the correct approach use to attach the token and handle refresh as needed. As proof of concept, I was able to basically cut/paste some code to insert the delegate handler -- no action taken yet -- and have it pass along the request. Again, so far, so good. I dug a bit further for an example that attached the token (see https://blog.stackademic.com/build-a-secure-blazor-webassembly-app-with-asp-net-core-10-and-jwt-authentication-ba341350868b)

I thought I was done -- however I could not get the code provided at that site to actually use the HttpDelegate. After a bit of fruitless tinkering, I realized my knowledge of all the 'setup' in Program.cs (AddScoped, AddTransient, HttpMessageHandler) were all beyond my depth of understanding, in particular how constructor for the DelegeHandler receives it's parameters. In my code where it is actually invoked, the constructor looks like:

        public SecureHttpDelegateHandler(ILogger<SecureHttpDelegateHandler> logger) {  _logger = logger; }

And the delegate is called and can be seen in the log trace

     protected override async Task<HttpResponseMessage>SendAsync( HttpRequestMessage request, CancellationToken cancellationToken)
     {
         try
         {
             _logger.LogInformation("Before HTTP request");
             var result = await base.SendAsync(request, cancellationToken);
             result.EnsureSuccessStatusCode();
             _logger.LogInformation("After HTTP request");
             return result;
         }
         catch (Exception e)
         {
             _logger.LogError(e, "HTTP request failed");
             throw;
         }
     }

When I try and switch over to the version of the handler that is passed to token storage and the service to retrieve and refresh the tokens:

      public SecureHttpDelegateHandler(TokenStorage tokenStorage, AuthService auth) { _tokenStorage = tokenStorage; _auth = auth;  }

I immediately get the error

AggregateException_ctor_DefaultMessage (Some services are not able to be constructed (Error while validating the service descriptor 'ServiceType: XXX.Services.SecureHttpDelegateHandler Lifetime: Transient ImplementationType: XX.Services.SecureHttpDelegateHandler': CannotResolveService, XXX.Services.AuthService, XX.Services.SecureHttpDelegateHandler))

After much unsuccessful tinkering, I have realized my depth of knowledge on what has to be done in program.cs (and it what order) has come up short.

What I currently have that does not work is below. Please advise on where I have gone awry -- much of this is beyond my current understanding.

Thanks!

var builder = WebAssemblyHostBuilder.CreateDefault(args);
builder.RootComponents.Add<App>("#app");
builder.RootComponents.Add<HeadOutlet>("head::after");

builder.Services.AddScoped(sp => new HttpClient { BaseAddress = new Uri("https://jsonplaceholder.typicode.com") });
builder.Services.AddTransient<SecureHttpDelegateHandler>();
builder.Services.AddHttpClient("XXXAPI", httpClient =>
{
    httpClient.BaseAddress = new Uri("https://jsonplaceholder.typicode.com");
})
.AddHttpMessageHandler<SecureHttpDelegateHandler>();

builder.Services.AddScoped<TokenStorage>();
builder.Services.AddScoped<AuthenticationStateProvider, AppAuthenticationStateProvider>();
builder.Services.AddScoped<PostService>();
builder.Services.AddScoped(sp=> sp.GetRequiredService<IHttpClientFactory>().CreateClient("XXXPI"));


builder.Services.AddAuthorizationCore();

var app = builder.Build();

await app.RunAsync();

0 comments

2 answers

Your answer

Answer 1

Damien Pham (WICLOUD CORPORATION) 1,755 Microsoft External Staff Moderator

Hello @Bob N ,

Thank you for sharing.

I can see why this feels confusing. The immediate problem is not JWT itself; it is the dependency injection setup.

AddHttpMessageHandler<SecureHttpDelegateHandler>() tells IHttpClientFactory to create that handler through dependency injection. That means every constructor dependency of SecureHttpDelegateHandler must be registered in the service container.

In your failing version, the handler requires AuthService:

public SecureHttpDelegateHandler(TokenStorage tokenStorage, AuthService auth)
{
    _tokenStorage = tokenStorage;
    _auth = auth;
}

However, AuthService is not registered in the code shown, which matches the exception you posted.

For this setup, the registrations should look more like this:

var builder = WebAssemblyHostBuilder.CreateDefault(args);

builder.RootComponents.Add<App>("#app");
builder.RootComponents.Add<HeadOutlet>("head::after");

builder.Services.AddScoped<TokenStorage>();
builder.Services.AddScoped<AuthService>();
builder.Services.AddScoped<AuthenticationStateProvider, AppAuthenticationStateProvider>();
builder.Services.AddScoped<PostService>();

builder.Services.AddTransient<SecureHttpDelegateHandler>();

builder.Services.AddHttpClient("XXXAPI", client =>
{
    client.BaseAddress = new Uri("https://jsonplaceholder.typicode.com");
})
.AddHttpMessageHandler<SecureHttpDelegateHandler>();

builder.Services.AddScoped(sp =>
    sp.GetRequiredService<IHttpClientFactory>().CreateClient("XXXAPI"));

builder.Services.AddAuthorizationCore();

var app = builder.Build();
await app.RunAsync();

There are two specific issues in your sample:

AuthService needs to be registered so the handler can be constructed.
CreateClient("XXXPI") does not match the registered client name, which is "XXXAPI". The names must match exactly.

Microsoft's IHttpClientFactory guidance explains that delegating handlers are used as outgoing request middleware, and the Blazor WebAssembly security guidance shows the recommended pattern of registering an authorization handler and attaching it with AddHttpClient(...).AddHttpMessageHandler(...):

If you are using the built-in Blazor/OIDC authentication flow, I would also consider using AuthorizationMessageHandler or BaseAddressAuthorizationMessageHandler, because that is the framework-supported pattern for attaching access tokens to outgoing requests:

Attach tokens to outgoing requests

I hope this helps. If you found my response helpful or informative, I would greatly appreciate it if you could follow this guidance or provide feedback.

Thank you.

Bob N 0

Thanks very much for your guidance! -- It has gotten me quite a bit closer, but not quite there.

I'm including the current code below for reference. If I do not attempt to pass the AuthService to the DelegateHandler, everything seems to work:

public SecureHttpDelegateHandler(ILogger<SecureHttpDelegateHandler> logger, TokenStorage tokenStorage)
{
    _logger = logger;
    _tokenStorage = tokenStorage;
    _auth = auth;
}

However, including the AuthService results in the Exception shown below

    public SecureHttpDelegateHandler(ILogger<SecureHttpDelegateHandler> logger, TokenStorage tokenStorage, AuthService auth)
    {
        _logger = logger;
        _tokenStorage = tokenStorage;
        _auth = auth;
    }

The exception points back to this line

builder.Services.AddScoped(sp =>sp.GetRequiredService<IHttpClientFactory>().CreateClient("CropSimAPI"));

as can be seen below. Hopefully you can get me over this hurdle. I'll go back and do some further reading as this is again beyond my current skills.

Thanks!

<><><><><>

rit: Microsoft.AspNetCore.Components.WebAssembly.Rendering.WebAssemblyRenderer[100]

  Unhandled exception rendering component: Lazy_Value_RecursiveCallsToValue

System.InvalidOperationException: Lazy_Value_RecursiveCallsToValue

at System.Lazy`1[[Microsoft.Extensions.Http.ActiveHandlerTrackingEntry, Microsoft.Extensions.Http, Version=10.0.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60]].ViaFactory(LazyThreadSafetyMode mode)

at System.Lazy`1[[Microsoft.Extensions.Http.ActiveHandlerTrackingEntry, Microsoft.Extensions.Http, Version=10.0.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60]].ExecutionAndPublication(LazyHelper executionAndPublication, Boolean useDefaultConstructor)

at System.Lazy`1[[Microsoft.Extensions.Http.ActiveHandlerTrackingEntry, Microsoft.Extensions.Http, Version=10.0.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60]].CreateValue()

at System.Lazy`1[[Microsoft.Extensions.Http.ActiveHandlerTrackingEntry, Microsoft.Extensions.Http, Version=10.0.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60]].get_Value()

at Microsoft.Extensions.Http.DefaultHttpClientFactory.CreateHandler(String name)

at Microsoft.Extensions.Http.DefaultHttpClientFactory.CreateClient(String name)

at Program.<>c.<<Main>$>b__0_1(IServiceProvider sp) in C:\Users\bnonnemann\source\repos\CropSimNT\Program.cs:line 32

at Microsoft.Extensions.DependencyInjection.ServiceLookup.CallSiteRuntimeResolver.VisitFactory(FactoryCallSite factoryCallSite, RuntimeResolverContext context)

<><><><><><>

var builder = WebAssemblyHostBuilder.CreateDefault(args);
builder.RootComponents.Add<App>("#app");
builder.RootComponents.Add<HeadOutlet>("head::after");


// Register services used by the SecureHttpDelegateHandler FIRST
builder.Services.AddScoped<TokenStorage>();
builder.Services.AddScoped<ApiService>();
builder.Services.AddScoped<AuthenticationStateProvider, AppAuthenticationStateProvider>();
builder.Services.AddScoped<AuthService>();
builder.Services.AddScoped<PostService>();

// Now register the handler that depends on TokenStorage and AuthService
builder.Services.AddTransient<SecureHttpDelegateHandler>();

// Register the named HttpClient that uses the handler
builder.Services.AddHttpClient("CropSimAPI", httpClient =>
{
    httpClient.BaseAddress = new Uri("https://jsonplaceholder.typicode.com");
})
.AddHttpMessageHandler<SecureHttpDelegateHandler>();

//Factory-based client for injection
builder.Services.AddScoped(sp =>sp.GetRequiredService<IHttpClientFactory>().CreateClient("CropSimAPI"));

builder.Services.AddAuthorizationCore();

var app = builder.Build();

await app.RunAsync();

using Microsoft.JSInterop;

namespace CropSimNT.Services;

// this class handles the storing and retrieval of the JWT security token
public class TokenStorage
{
    private readonly IJSRuntime _js;
    private string? _accessToken;

    //  save of the JS runtime
    public TokenStorage(IJSRuntime js) { _js = js; }

    // Access token (in-memory only)
    public string? GetAccessToken() => _accessToken;

    public void SetAccessToken(string token) => _accessToken = token;

    public void ClearAccessToken() => _accessToken = null;


    // Refresh token (localStorage)
    public async Task<string?> GetRefreshTokenAsync() => await _js.InvokeAsync<string>("localStorage.getItem", "refreshToken");

    public async Task SetRefreshTokenAsync(string token) => await _js.InvokeVoidAsync("localStorage.setItem", "refreshToken", token);

    public async Task ClearRefreshTokenAsync() => await _js.InvokeVoidAsync("localStorage.removeItem", "refreshToken");
}

using System.Security.Claims;
using System.IdentityModel.Tokens.Jwt;
using Microsoft.AspNetCore.Components.Authorization;
using CropSimNT.Services;

namespace CropSimNT.Authentication
{

    public class AppAuthenticationStateProvider : AuthenticationStateProvider
    {
        private readonly TokenStorage _tokenStorage;

        public AppAuthenticationStateProvider(TokenStorage tokenStorage)
        {
            _tokenStorage = tokenStorage;
        }

        public override Task<AuthenticationState> GetAuthenticationStateAsync()
        {
            var token = _tokenStorage.GetAccessToken();

            if (string.IsNullOrEmpty(token))
                return Task.FromResult(new AuthenticationState(new ClaimsPrincipal(new ClaimsIdentity())));

            var handler = new JwtSecurityTokenHandler();
            var jwt = handler.ReadJwtToken(token);

            var identity = new ClaimsIdentity(jwt.Claims, "jwt");
            var user = new ClaimsPrincipal(identity);

            return Task.FromResult(new AuthenticationState(user));
        }

        public void NotifyUserAuthentication(string token)
        {
            var handler = new JwtSecurityTokenHandler();
            var jwt = handler.ReadJwtToken(token);

            var identity = new ClaimsIdentity(jwt.Claims, "jwt");
            var user = new ClaimsPrincipal(identity);

            NotifyAuthenticationStateChanged(
                Task.FromResult(new AuthenticationState(user))
            );
        }

        public void NotifyUserLogout()
        {
            NotifyAuthenticationStateChanged(
                Task.FromResult(new AuthenticationState(
                    new ClaimsPrincipal(new ClaimsIdentity())
                ))
            );
        }
    }
}

namespace CropSimNT.Services;

public class AuthService
{
    private readonly ApiService _api;
    private readonly TokenStorage _tokens;
    private readonly AppAuthenticationStateProvider _authState;

    public AuthService(ApiService api, TokenStorage tokens, AuthenticationStateProvider authState)
    {
        _api = api;
        _tokens = tokens;
        _authState = (AppAuthenticationStateProvider)authState;
    }

    public async Task<String> ReadPublicAsync()
    {
        return await _api.ReadPublic();
    }

    public async Task<String> ReadPublicAsync2()
    {
        return await _api.ReadPublic();
    }


    public async Task<string> LoginAsync(string username, string password)
    {
        var result = await _api.LoginAsync(new LoginRequest
        {
            Username = username,
            Password = password
        });

        if (result == null)
            return string.Empty;

        _tokens.SetAccessToken(result.AccessToken);
        await _tokens.SetRefreshTokenAsync(result.RefreshToken);

        _authState.NotifyUserAuthentication(result.AccessToken);

        return result.AccessToken;
    }

    public async Task<bool> RefreshAsync()
    {
        var refresh = await _tokens.GetRefreshTokenAsync();
        if (refresh == null) return false;

        var result = await _api.RefreshAsync(new RefreshTokenRequest
        {
            Username = "",
            RefreshToken = refresh
        });

        if (result == null) return false;

        _tokens.SetAccessToken(result.AccessToken);
        await _tokens.SetRefreshTokenAsync(result.RefreshToken);

        _authState.NotifyUserAuthentication(result.AccessToken);
        return true;
    }


    public async Task LogoutAsync()
    {
        _tokens.ClearAccessToken();
        await _tokens.ClearRefreshTokenAsync();
        _authState.NotifyUserLogout();
    }

}

using CropSimNT.Models;
using System.Net.Http.Json;

namespace CropSimNT.Services
{
    public class PostService
    {
        private readonly HttpClient _httpClient;

        public PostService(HttpClient httpClient) { _httpClient = httpClient; }

        public async Task<List<Post>> GetPostsAsync()
        {
            var result = new List<Post>();

            using (var request = new HttpRequestMessage(HttpMethod.Get, "/posts"))
            {
                var response = await _httpClient.SendAsync(request, CancellationToken.None);
                response.EnsureSuccessStatusCode();
                result = await response.Content.ReadFromJsonAsync<List<Post>>();
            }
            return result ?? new List<Post>();
        }
    }
}

namespace CropSimNT.Services
{
    public class SecureHttpDelegateHandler : DelegatingHandler
    {
        ILogger _logger;
        TokenStorage _tokenStorage;
        AuthService _auth;
		
		// this crashes
        public SecureHttpDelegateHandler(ILogger<SecureHttpDelegateHandler> logger, TokenStorage tokenStorage, AuthService auth)
        {
            _logger = logger;
            _tokenStorage = tokenStorage;
            _auth = auth;
        }

        //  this works
        //public SecureHttpDelegateHandler(ILogger<SecureHttpDelegateHandler> logger, TokenStorage tokenStorage) 
        //{  
        //    _logger = logger; 
        //    _tokenStorage = tokenStorage; 
        //}
        //public SecureHttpDelegateHandler(TokenStorage tokenStorage, AuthService auth) { _tokenStorage = tokenStorage; _auth = auth;  }
        
        protected override async Task<HttpResponseMessage>SendAsync( HttpRequestMessage request, CancellationToken cancellationToken)
        {
            try
            {
                _logger.LogInformation("Before HTTP request");
                //  to do, get token from storage, if expired, get new one and update storage
                var result = await base.SendAsync(request, cancellationToken);
                result.EnsureSuccessStatusCode();
                _logger.LogInformation("After HTTP request");
                return result;
            }
            catch (Exception e)
            {
                _logger.LogError(e, "HTTP request failed");
                throw;
            }
        }
    }
}

@page "/posts"
@inject CropSimNT.Services.PostService PostService

<h3>Posts</h3>

@if (posts == null)
{
    <p><em>Loading...</em></p>
}
else
{
    <div class="list-group">
        @foreach (var post in posts)
        {
            <div class="list-group-item">
                <h5>@post.Title</h5>
                <p>@post.Body</p>
            </div>
        }
    </div>
}

@code {
private List<CropSimNT.Models.Post>
? posts;

protected override async Task OnInitializedAsync()
{
posts = await PostService.GetPostsAsync();
}
}

Damien Pham (WICLOUD CORPORATION) 1,755 Reputation points Microsoft External Staff Moderator

2026-06-10T03:45:07.3433333+00:00
Thank you for your updates. I can see why this is frustrating. The new exception is different from the first one: AuthService is now being found, but resolving it from inside the handler is causing a circular dependency.

The key point is that AddHttpMessageHandler<SecureHttpDelegateHandler>() makes IHttpClientFactory build SecureHttpDelegateHandler as part of creating the CropSimAPI client.

From the code you shared, the dependency chain appears to be roughly:

CreateClient("CropSimAPI") -> builds SecureHttpDelegateHandler -> SecureHttpDelegateHandler asks for AuthService -> AuthService depends on ApiService -> ApiService likely uses the injected HttpClient -> injected HttpClient is created from CreateClient("CropSimAPI") -> builds SecureHttpDelegateHandler again

That is why the stack trace points at:

builder.Services.AddScoped(sp => sp.GetRequiredService<IHttpClientFactory>().CreateClient("CropSimAPI"));

That line is where the recursion becomes visible, because it registers the CropSimAPI named client as the HttpClient that gets injected into other services. The underlying issue is the circular dependency between the named client pipeline and AuthService.

So the next fix is not registration order. The next fix is to break the cycle.

The simplest approach is:

Do not inject AuthService into SecureHttpDelegateHandler.

Keep SecureHttpDelegateHandler limited to token access only, for example TokenStorage plus ILogger<SecureHttpDelegateHandler>.

If AuthService must call login/refresh endpoints, make sure it uses a different client that does not use SecureHttpDelegateHandler.

For example:

builder.Services.AddScoped<TokenStorage>(); builder.Services.AddScoped<AuthService>(); builder.Services.AddScoped<AuthenticationStateProvider, AppAuthenticationStateProvider>(); builder.Services.AddTransient<SecureHttpDelegateHandler>(); builder.Services.AddHttpClient("CropSimAPI", client => { client.BaseAddress = new Uri("https://jsonplaceholder.typicode.com"); }) .AddHttpMessageHandler<SecureHttpDelegateHandler>(); builder.Services.AddHttpClient("AuthApi", client => { client.BaseAddress = new Uri("https://jsonplaceholder.typicode.com"); }); builder.Services.AddScoped(sp => sp.GetRequiredService<IHttpClientFactory>().CreateClient("CropSimAPI"));

Then AuthService or ApiService should use AuthApi for login/refresh calls if those calls must happen outside the secured pipeline.

For example, instead of letting the login/refresh path use the default injected HttpClient, inject IHttpClientFactory and create the auth client explicitly:

public class ApiService { private readonly HttpClient _authClient; public ApiService(IHttpClientFactory httpClientFactory) { _authClient = httpClientFactory.CreateClient("AuthApi"); } // Use _authClient for login/refresh calls. }

The important part is to avoid this cycle:

handler -> AuthService -> ApiService -> HttpClient -> same handler

Once that cycle is removed, the Lazy_Value_RecursiveCallsToValue exception should go away.

Microsoft's IHttpClientFactory guidance explains that delegating handlers are created through DI as part of the outgoing request pipeline, and the Blazor WebAssembly security guidance recommends AuthorizationMessageHandler / BaseAddressAuthorizationMessageHandler for attaching tokens to outgoing requests:

Use DI in outgoing request middleware

Custom AuthorizationMessageHandler class

Attach tokens to outgoing requests
Damien Pham (WICLOUD CORPORATION) 1,755 Reputation points Microsoft External Staff Moderator

2026-06-12T08:22:04.8966667+00:00

Hello @Bob N ,

Please don’t hesitate to leave a comment if you have any questions or would like any clarification. I’d be glad to help clarify any details.

Answer 2

SecureHttpDelegateHandler can only be constructed if all of its constructor parameters are registered in the DI container before the handler itself is registered. The error indicates that AuthService (and possibly TokenStorage) is not resolvable when the handler is created.

In Blazor WebAssembly, DelegatingHandler-based token handlers are typically wired using AuthorizationMessageHandler / BaseAddressAuthorizationMessageHandler and IAccessTokenProvider, but the same DI rules apply: every dependency in the handler constructor must be registered.

Key points for the shown setup:

Register dependencies before the handler
Ensure the handler is registered with the correct lifetime
Ensure the named HttpClient is created correctly

A corrected ordering for the registrations would look like this:

var builder = WebAssemblyHostBuilder.CreateDefault(args);
builder.RootComponents.Add<App>("#app");
builder.RootComponents.Add<HeadOutlet>("head::after");

// Base HttpClient (if needed)
builder.Services.AddScoped(sp => new HttpClient
{
    BaseAddress = new Uri("https://jsonplaceholder.typicode.com")
});

// Register services used by the handler FIRST
builder.Services.AddScoped<TokenStorage>();
builder.Services.AddScoped<AuthService>();

// Now register the handler that depends on TokenStorage and AuthService
builder.Services.AddTransient<SecureHttpDelegateHandler>();

// Register the named HttpClient that uses the handler
builder.Services.AddHttpClient("XXXAPI", httpClient =>
{
    httpClient.BaseAddress = new Uri("https://jsonplaceholder.typicode.com");
})
.AddHttpMessageHandler<SecureHttpDelegateHandler>();

// Other app services
builder.Services.AddScoped<AuthenticationStateProvider, AppAuthenticationStateProvider>();
builder.Services.AddScoped<PostService>();

// Factory-based client for injection
builder.Services.AddScoped(sp =>
    sp.GetRequiredService<IHttpClientFactory>().CreateClient("XXXAPI"));

builder.Services.AddAuthorizationCore();

var app = builder.Build();

await app.RunAsync();

Notes:

AuthService must be registered (AddScoped<AuthService>() or similar) with the same or longer lifetime than the handler’s dependencies.

The handler’s constructor can then safely be:

  public SecureHttpDelegateHandler(TokenStorage tokenStorage, AuthService auth)
  {
      _tokenStorage = tokenStorage;
      _auth = auth;
  }

When using Blazor WebAssembly with JWTs, consider using AuthorizationMessageHandler and IAccessTokenProvider as described in the Blazor WebAssembly additional security scenarios. These are designed to attach tokens to outgoing requests and handle token acquisition/refresh.

References:

ASP.NET Core Blazor WebAssembly additional security scenarios

Share via

Configuring .NET 10 Blazor WASM program.cs to use an HTTP Delegate to attach JWT Security Token

2 answers

Your answer