.NET 8 "Blazor Web App" Authentication and AllowAnonymous

[oliverw]

I have implemented Azure AD B2C authentication in a .NET 8 "Blazor Web App" (the new hybrid-islands template). The default should be to require authentication for everything except Blazor Pages (not Razor Pages) whitelisted using: @attribute [AllowAnonymous] (I don't have @attribute [Authorize] in _Imports.razor). Global auth is enforced through the FallbackPolicy (see below).

Contrary to my experiments with Blazor Server in .NET 7. This actually works - kind of. The home page is indeed accessible as anonymous user, BUT all all CSS styles and Javascript is missing. I believe this is because according to my own debugging observations, even requests to static resource go through the DenyAnonymousAuthorizationRequirement handler added by the FallbackPolicy. Which flat out denies those requests if the user is authenticated. I have no real idea how to fix this or what the recommended approach is.

Program.cs:

var initialScopes = builder.Configuration["DownstreamApi:Scopes"]?.Split(' ');

builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"))
        .EnableTokenAcquisitionToCallDownstreamApi(initialScopes)
            .AddMicrosoftGraph(builder.Configuration.GetSection("DownstreamApi"))
            .AddInMemoryTokenCaches();
builder.Services.AddControllersWithViews()
    .AddMicrosoftIdentityUI();

builder.Services.AddAuthorization(options =>
{
    options.FallbackPolicy = options.DefaultPolicy;
});

Home.razor:

@page "/"
@attribute [AllowAnonymous]

<PageTitle>Index</PageTitle>

<h1>Hello, world!</h1>

[georg-jung]

@oliverw Did you find a solution since?

[demayer]

Same problem here.
Thinking it would narrow down the problem, I have reduced the web app to server-side only.
E.g. an AuthorizeView works fine, even with a Policy and Resource.
As soon as I add the @Attribute [AllowAnonymous] to the landing page, the app freezes. E.g. Button clicks don't fire anymore.