Logout doesn't work in Blazor Web Application with global WASM interactivity (AntiforgeryValidationException) #58822

Open
Andrzej-W opened this issue Nov 6, 2024 · 1 comment
Labels
area-blazor (Includes: Blazor, Razor Components), bug (This issue describes a behavior which is not expected - a bug.), feature-blazor-wasm-auth

Comments

@Andrzej-W

Is there an existing issue for this?

  • I have searched the existing issues

Describe the bug

AntiforgeryValidationException after clicking logout when a Blazor WASM interactive page is displayed in an application with global interactivity.

Expected Behavior

Logout should work without exceptions.

Steps To Reproduce

  1. Create Blazor Web Application with global WASM interactivity.
    dotnet new blazor -n LogoutTest --interactivity WebAssembly --auth Individual --all-interactive True
  2. Run the application, register new user (apply DB migration), login as new user.
  3. (this step is not necessary) Open any page used to manage an account (they are not interactive). Click Logout - everything works as expected.
  4. Login again, open any WASM interactive page, for example Counter and click Logout. Exception!

Exceptions (if any)

      An unhandled exception has occurred while executing the request.
      Microsoft.AspNetCore.Http.BadHttpRequestException: Invalid anti-forgery token found when reading parameter "string returnUrl" from the request body as form.
       ---> Microsoft.AspNetCore.Antiforgery.AntiforgeryValidationException: The required antiforgery request token was not provided in either form field "__RequestVerificationToken" or header value "RequestVerificationToken".
         at Microsoft.AspNetCore.Antiforgery.DefaultAntiforgery.ValidateRequestAsync(HttpContext httpContext)
         at Microsoft.AspNetCore.Antiforgery.Internal.AntiforgeryMiddleware.InvokeAwaited(HttpContext context)
         --- End of inner exception stack trace ---
         at Microsoft.AspNetCore.Http.RequestDelegateFactory.Log.InvalidAntiforgeryToken(HttpContext httpContext, String parameterTypeName, String parameterName, Exception exception, Boolean shouldThrow)
         at Microsoft.AspNetCore.Http.RequestDelegateFactory.<HandleRequestBodyAndCompileRequestDelegateForForm>g__TryReadFormAsync|103_0(HttpContext httpContext, String parameterTypeName, String parameterName, Boolean throwOnBadRequest)
         at Microsoft.AspNetCore.Http.RequestDelegateFactory.<>c__DisplayClass103_2.<<HandleRequestBodyAndCompileRequestDelegateForForm>b__2>d.MoveNext()
      --- End of stack trace from previous location ---
         at Microsoft.AspNetCore.Antiforgery.Internal.AntiforgeryMiddleware.InvokeAwaited(HttpContext context)
         at Microsoft.AspNetCore.Authorization.AuthorizationMiddleware.Invoke(HttpContext context)
         at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
         at Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddlewareImpl.Invoke(HttpContext context)

.NET Version

9.0.100-rc.2.24474.11

Anything else?

Probably related issue: #56687
Pinging @javiercn because he was active in the related issue.

@Andrzej-W Andrzej-W added area-blazor Includes: Blazor, Razor Components feature-blazor-wasm-auth bug This issue describes a behavior which is not expected - a bug. labels Nov 6, 2024
@Andrzej-W
Author

The problem is that the HTML form does not contain the __RequestVerificationToken hidden field. This bug is related to issue #54533 and it looks like it is NOT fixed. The original issue was reported by @SteveSandersonMS. Pinging @javiercn again because he was working on the fix in .NET 9 RC1.

@javiercn javiercn added this to the .NET 10 Planning milestone Nov 7, 2024
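
An added check, not part of the original issue or of the ASP.NET Core code base: a Python script that scans rendered HTML for POST forms lacking a non-empty `__RequestVerificationToken` hidden field, which is the condition the comment above describes. The two sample pages and the `/example-logout` action are constructed for illustration.

```python
from html.parser import HTMLParser

TOKEN_FIELD = "__RequestVerificationToken"  # field name taken from the exception text

class FormTokenAudit(HTMLParser):
    """Collect every <form> with its method, action and whether it carries the token."""
    def __init__(self):
        super().__init__()
        self.forms = []     # forms that have been closed
        self._open = None   # form currently being parsed

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._open = {"action": a.get("action") or "",
                          "method": (a.get("method") or "get").lower(),
                          "has_token": False}
        elif tag == "input" and self._open is not None:
            # An input with the right name but an empty value is not a usable token.
            if a.get("name") == TOKEN_FIELD and a.get("value"):
                self._open["has_token"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._open is not None:
            self.forms.append(self._open)
            self._open = None

def forms_missing_token(html):
    """Return the actions of POST forms that would fail antiforgery validation."""
    audit = FormTokenAudit()
    audit.feed(html)
    audit.close()
    return [f["action"] for f in audit.forms
            if f["method"] == "post" and not f["has_token"]]

# Constructed markup (not captured from the template), modelling the logout form
# as the issue describes it on a static account page and on a WASM page.
STATIC_PAGE = """
<form action="/example-logout" method="post">
  <input type="hidden" name="__RequestVerificationToken" value="CONSTRUCTED-TOKEN">
  <input type="hidden" name="returnUrl" value="">
  <button type="submit">Logout</button>
</form>"""
WASM_PAGE = """
<form action="/example-logout" method="post">
  <input type="hidden" name="returnUrl" value="counter">
  <button type="submit">Logout</button>
</form>"""

if __name__ == "__main__":
    print("static page:", forms_missing_token(STATIC_PAGE))
    print("WASM page:  ", forms_missing_token(WASM_PAGE))
```

Feeding it the page source saved from the browser after the WebAssembly runtime has taken over shows whether the logout form still carries the field at the moment it is submitted.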