Blazor NullReferenceException at AuthorizeViewCore.OnParametersSetAsync() in Published App but runs fine locally

[v-milindm]

Is there an existing issue for this?

• I have searched the existing issues

Describe the bug

Hello Team,

We have a web application for MSFT internal tenant. The app runs on Blazor WebAssembly Core Hosted model configuration following this approach: https://docs.microsoft.com/en-us/aspnet/core/blazor/components/prerendering-and-integration?view=aspnetcore-6.0&pivots=webassembly and it is hosted on Azure App Service.

It uses MSID platform authentication and is registered in AAD (Single tenant) as suggested in this guide: https://docs.microsoft.com/en-us/aspnet/core/blazor/security/webassembly/hosted-with-azure-active-directory?view=aspnetcore-6.0

Now,

• Since past few weeks, the application completely stops working if we publish the application to Azure App Service. (Regardless of whether any changes are made or not in the application codebase)
• Note: The application runs totally fine when running/debugging locally either via Visual Studio 2022 or Visual Studio Code.
• But it throws System.NullReferenceException: Arg_NullReferenceException at Microsoft.AspNetCore.Components.Authorization.AuthorizeViewCore.OnParametersSetAsync() after publishing to the Azure App Service.
• It does not matter how it is published i.e., regardless of whether it is manually or via DevOps CI/CD pipeline trigger
• Also, tried deploying manually via using both Visual Studio 2022 publishing options: framework-dependent and self-contained but got the same error.

Currently, this is a blocking issue as we are unable to deploy new changes/updates to any of the environments hosted on Azure App Service and its relative deployment slots.

Sample project

• I have created a sample/repro project using the Visual Studio 2022's Blazor WebAssembly App template with ASP.NET Core Hosted option enabled as that is the structure we are using in the application.
• Also, it is using Microsoft Identity platform for authentication.
• The other primary thing I'd like to mention that my application is using the following pre-rendering approach as well: https://docs.microsoft.com/en-us/aspnet/core/blazor/components/prerendering-and-integration?view=aspnetcore-6.0&pivots=webassembly
• Although, in the _Hosts.cshtml I had to update the render-mode to WebAssembly from WebAssemblyPrerendered mode as the prerendered mode was giving me some trouble with using some of the injected parameters/services.

Repository link: https://github.com/v-milindm/blazordebugapp

Please let me know in case you require any additional information or anything from my side.
I'd really appreciate it if someone can help me with this issue.
Thank you

Expected Behavior

The published version of the application should work as it is working when ran/debugged locally.

Steps To Reproduce

Here's the repository link: https://github.com/v-milindm/blazordebugapp

Used VS2022 to create the Blazor WebAssembly App, added minimal startup configuration as my application is using. Please find the below mentioned files, which are modified in the original template

• Uses the ASP.NET Core Hosted model/structure
• Added Authentication Type: Microsoft Identity Platform
• Updated Client - Program.cs
• Updated Server - Program.cs
• Added the application's azure-pipeline yaml configuration file here

I haven't checked in my tenant-id and client-id in the appSettings so in case you require that then please let me know, I can create an Azure App Service for debugging/testing the published version.
Also, for the MSID auth, the AAD (Single tenant) app registration is added as per this guide: https://docs.microsoft.com/en-us/aspnet/core/blazor/security/webassembly/hosted-with-azure-active-directory?view=aspnetcore-6.0

Please update the following with the client-id and client-secrets, etc...

• Client - appSettings.json
• Server - appSettings.json
• Update app ID in Client - Program.cs

Once the above steps are done,

• Run the application locally, it should run fine.
• Publish the application to Azure App Service.
• Go to the published web app URL
• The application will throw NullReferenceException as soon as it loads up.

Exceptions (if any)

The following exception appears in the published web application,

blazor.webassembly.js:1

   crit: Microsoft.AspNetCore.Components.WebAssembly.Rendering.WebAssemblyRenderer[100]
  Unhandled exception rendering component: Arg_NullReferenceException

System.NullReferenceException: Arg_NullReferenceException
at Microsoft.AspNetCore.Components.Authorization.AuthorizeViewCore.OnParametersSetAsync()
at Microsoft.AspNetCore.Components.ComponentBase.CallStateHasChangedOnAsyncCompletion(Task task)
at Microsoft.AspNetCore.Components.ComponentBase.RunInitAndSetParametersAsync()
at Microsoft.AspNetCore.Components.RenderTree.Renderer.GetErrorHandledTask(Task , ComponentState )

.NET Version

6.0.300

Anything else?

.NET SDK version: 6.0.300
Visual Studio 2022 Enterprise version: 17.2.1
Visual Studio Code version: 1.67.2
Azure App Service for hosting (.NET 6)
Azure DevOps for repository, code commit and CI/CD

Note: I have tried remote debugging with the Azure App Service but there is nothing that suggests what is causing the AuthorizeView component to throw null reference exception specifically in the published app.

[javiercn]

@v-milindm thanks for contacting us.

Can you extend AuthorizeView (something like MyAuthorizeView) override OnParametersSetAsync() and check what is throwing the null reference exception? (Maybe write it to the output with console.writeline)? I suspect based on the code that is AuthenticationState.User

[ghost]

Hi @v-milindm. We have added the "Needs: Author Feedback" label to this issue, which indicates that we have an open question for you before we can take further action. This issue will be closed automatically in 7 days if we do not hear back from you by then - please feel free to re-open it if you come back to this issue after that time.

[v-milindm]

Hello @javiercn, thank you for reaching out and the suggestions!

I spent some more time debugging and placing some logging around wherever authentication data is being passed around starting from its source. Still, probably requires some more debugging and logging!

I have updated my repo and checked-in the new changes here
And I found out that CustomAuthStateProvider is throwing exception.
For some reason, it is not getting the user data at GetAuthenticationStateAsync of CustomAuthStateProvider.
I did create a CustomAuthorizeView by extending the AuthorizeViewCore but the above exception seems to be happening before this component is rendered.

The exception shows as below from the custom logging message, need to see the stack trace probably but I think the error lies somewhere with the injected services otherwise the GetAuthenticationStateAsync should be able to get the data since it is just using the IUserManagerRepository service to get the hard coded data from here: UserManagerRepository.
Logged message from exception: Exception at CustomAuthStateProvider.GetAuthenticationStateAsync, message: ArgumentNull_Generic Arg_ParamName_Name, user

Here's the image for reference from the hosted environment:

Strangely, the application works completely fine when I run locally, it only throws ArgumentNullException in the deployed environment.
Just a speculation, I think the services are either not getting injected on time or being called/used before they are ready in the hosted environment maybe or something got changed recently with how the startup DI services behaves.
Also, this configuration used to work fine just a month back. The current staging/production environments are working totally fine from the previous snapshot build, which was created and deployed in March.

Here's a screenshot of running the application in my local environment:

Do you know what might be causing this kind of behavior? Is it possible that recently something got changed with the application configuration/DI strategy and possibly my application is incorrectly configured?
Please do let me know if you have any other suggestions or anything that might help!

Thank you again for the help!

[javiercn]

@v-milindm thanks for the additional details.

I didn't notice this when I looked at the code the first time.

Replacing the authentication state provider in Webassembly is more involved than what you are doing there because it also handles the login/logout process so you need to extend AuthenticationService (which extends AuthenticationStateProvider) and register the same instance as an implementation of both services.

If you are looking to capture additional information after the user has logged in, you should use https://docs.microsoft.com/en-us/aspnet/core/blazor/security/webassembly/additional-scenarios?view=aspnetcore-6.0#customize-the-user

[ghost]

Hi @v-milindm. We have added the "Needs: Author Feedback" label to this issue, which indicates that we have an open question for you before we can take further action. This issue will be closed automatically in 7 days if we do not hear back from you by then - please feel free to re-open it if you come back to this issue after that time.

[v-milindm]

Hello @javiercn, thank you again for the tip!

I have been trying couple of things as per your suggestion and few more from some of the docs as well. I added the CustomAccountFactory like mentioned in that document you provided the link to, but I am not able to figure out the issue with AuthenticationStateProvider.

One of the things I tried is this one: name-claim-and-role-claim-mapping but didn't quite figure out a way to inject it in both Server and Client. Only Server got the data but Client was not getting anything.
I haven't tried this one but one of the other things I might try next is follow some of the approach from this guide: azure-active-directory-groups-and-roles.
Assuming it helps with my scenario where I need to add user roles that I get using this: UserManagerRepository in my application.

Regarding your suggestion,

If possible, can you provide any documentation/guide on this, where you have mentioned in your comment that: you need to extend AuthenticationService (which extends AuthenticationStateProvider) and register the same instance as an implementation of both services or any sample code or examples showing me how I can achieve this?
Mainly, I need to get the authenticated user data from Blazor Server to Client as the Server is the one taking care of the authentication part.
Also, I need to add custom claims, mainly the role type claims as the user roles information are stored into separate database.

What I am trying to do and what I have done so far,

Some of these I might have already mentioned in my previous comments but here's bit more context,

• My application uses the pre-rendering approach, so the Client/WebAssembly application is rendered from the Server.
• This is the documentation I followed to implement the above approach: prerendering-and-integration
• Also, the above documentation provides link to this: support-prerendering-with-authentication, which shows how to handle the authentication in prerendering mode. I followed steps from this article after implementing the below mentioned authentication approaches.
• Note: my application is set to render-mode="WebAssembly" already and not loading anything prerendered.

The authentication part:

Now, to implement authentication, I partially used this guide: hosted-with-azure-active-directory as the above linked document mentions to support prerendering with authentication after following the guidance in one of the Blazor WebAssembly security app topics, which is this one.

Furthermore, on the authentication, specifically for Server project

• More importantly, since Server takes care of the authentication part and I just want to pass the authentication information to Client.
• So, on top of the above guide, I followed this guide as well to update the Server part: Add sign-in with Microsoft to a web app to handle server side authentication into my WebAssembly application with ASP.NET Core Hosted configuration.
• Mainly, the app registration in portal and the redirection URIs.

I am not entirely sure if this was the correct/right approach and/or what I am doing is fine or not, but it worked fine, at least it used to work fine up until now, I guess.

Please let me know if there is anything that can help me with this issue here! I have been trying to figure it out but seems like I am stuck onto something and maybe I am trying to implement something that goes against Blazor's design and/or is not supported.
I haven't checked in anything new in my repo at the moment. I am going to keep investigating this and see if I can find some solution but definitely could use some help and guidance.

Let me know if you need any other information from my end.
Thank you!

[javiercn]

@v-milindm thanks for the additional details.

I'm not sure I'm fully grasping what your concrete scenario is. It will help if you can (for a moment) forget about the implementation and describe the scenario you are trying to accomplish.

From what I can tell/infer:

• You have a hosted Blazor Webassembly app.
• You are using AAD for authentication.
• You are trying to use prerendering on the server.
• You are authenticating the user on the server with AAD.
• You are also authenticating the user on the client with AAD.
• You are trying to add additional information to the user on the server as well as on the client.

Does this describe your scenario?

[ghost]

Hi @v-milindm. We have added the "Needs: Author Feedback" label to this issue, which indicates that we have an open question for you before we can take further action. This issue will be closed automatically in 7 days if we do not hear back from you by then - please feel free to re-open it if you come back to this issue after that time.

[v-milindm]

@javiercn apologies for the late response on your questions, but you are on point about the scenario of my application and that is what I had done previously and I am still trying to do with my application for majority of the part.

I think the only part that is little different is that I am not performing dual authentication i.e., Server asks for authentication and gets that information and then passes it to the Client as well. The Client, as far as I understand doesn't need to ask for authentication again as Server took care of it hence kind of avoiding the dual authentication there. Client, uses the same authentication.

But, I can change this behavior if needed because I think this is the part where I have got the concept of authentication misunderstood probably due to maybe mixing it with pre-rendering concept, I guess?

• I am using ASP.NET Core hosted Blazor Webassembly app. (Client, Server and Shared project structure)
• I am using AAD for authentication (single-tenant only).
• I am using the prerendering on the server. (the render-mode is set to WebAssembly mode)
• I am authenticating the user on the server with AAD.
• I am authenticating the user on the client with AAD. (so this might be partially true only and where it gets confusing but I am not performing re-authentication here i.e., since Server already authenticated as it is pre-rendering the Client and I have the authenticated user info in the CustomAuthStateProvider, which is injected to Client and Server both and I think I used it to pass the authenticated user details from Server to Client)
• Yes, I am trying to add additional information to the user on the Server as well as on the Client. (Claims such as user roles and maybe policies in future)

Please let me know if you need any additional information here or if I missed anything while answering your questions as needed.
Thank you!

[javiercn]

@v-milindm thanks for the clarifications.

The Microsoft.AspNetCore.Components.WebAssembly.Authentication is only meant to be used if you are authenticating the user from within the SPA.

if you are authenticating the user on the server and passing down the authentication information to the client, you should avoid using any of the authentication related bits on either Microsoft.AspNetCore.Components.WebAssembly.Authentication or the template.

Instead, I would suggest you authenticate the user on the server (as you are doing) and pass down all the information to the client. Then on the client you implement your AuthenticationStateProvider to consume that information.

In essence, Microsoft.AspNetCore.Components.WebAssembly.Authentication is for handling authentication flows client-side, and if you aren't using that, you shouldn't use it.

[v-milindm]

@javiercn thank you for the help and suggestion!

I tried as you suggested, and removed the Removed WebAssembly Authentication, which worked fine when tested locally.

The application did Server side authentication and passed all the authorized user information to Client with custom user role claims added when I ran locally.

Unfortunately, that still did not resolve my original problem,
As I mentioned, the application works fine locally but as soon as I deploy/publish it to Azure App Service, it throws null reference exception in CustomAuthStateProvider.cs which I have injected used in both Server and Client project to pass down all the information from Server to Client.

This is the implementation for CustomAuthStateProvider.cs

[ghost]

This issue has been resolved and has not had any activity for 1 day. It will be closed for housekeeping purposes.

See our Issue Management Policies for more information.

[javiercn]

@v-milindm Not sure if it will impact anything, but this needs to be scoped.

https://github.com/v-milindm/blazordebugapp/blob/master/blazordebugapp/Client/Program.cs#L41

I would suggest you try and debug through the webassembly application to see exactly where it is failing.

[ghost]

This issue has been resolved and has not had any activity for 1 day. It will be closed for housekeeping purposes.

See our Issue Management Policies for more information.

[v-milindm]

@javiercn thank you for the help once again!

I was finally able to figure out the issue after adding some more logging into all of my start up services of the Client project.

Unfortunately, I assumed incorrect and thought there was a problem with authentication/authorization.

Apparently, this line right here: https://github.com/v-milindm/blazordebugapp/blob/master/blazordebugapp/Client/Services/UserRoleService.cs#L42 was not able to deserialize the JSON content into this object: https://github.com/v-milindm/blazordebugapp/blob/master/blazordebugapp/Shared/Models/UserIdentityClaims.cs.

Also, it was working fine locally so that gave me hard time to figure out, otherwise this issue was quite simple, which took way longer than it should have to figure it out sadly.

It throwed this exception:

Stack trace:
blazor.webassembly.js:1

   fail: blazordebugapp.Client.Services.UserRoleService[0]
  Exception at UserRoleService.GetAuthUser, message: ConstructorParamIncompleteBinding, System.Tuple`2[System.String,System.String], stack:    at System.Text.Json.ThrowHelper.ThrowInvalidOperationException_ConstructorParameterIncompleteBinding(Type )
     at System.Text.Json.Serialization.Converters.ObjectWithParameterizedConstructorConverter`1[[System.Tuple`2[[System.String, System.Private.CoreLib, Version=6.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e],[System.String, System.Private.CoreLib, Version=6.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e]], System.Private.CoreLib, Version=6.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e]].OnTryRead(Utf8JsonReader& , Type , JsonSerializerOptions , ReadStack& , Tuple`2& )
     at System.Text.Json.Serialization.JsonConverter`1[[System.Tuple`2[[System.String, System.Private.CoreLib, Version=6.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e],[System.String, System.Private.CoreLib, Version=6.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e]], System.Private.CoreLib, Version=6.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e]].TryRead(Utf8JsonReader& , Type , JsonSerializerOptions , ReadStack& , Tuple`2& )
     at System.Text.Json.Serialization.JsonCollectionConverter`2[[System.Collections.Generic.List`1[[System.Tuple`2[[System.String, System.Private.CoreLib, Version=6.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e],[System.String, System.Private.CoreLib, Version=6.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e]], System.Private.CoreLib, Version=6.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e]], System.Private.CoreLib, Version=6.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e],[System.Tuple`2[[System.String, System.Private.CoreLib, Version=6.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e],[System.String, System.Private.CoreLib, Version=6.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e]], System.Private.CoreLib, Version=6.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e]].OnTryRead(Utf8JsonReader& , Type , JsonSerializerOptions , ReadStack& , List`1& )
     at System.Text.Json.Serialization.JsonConverter`1[[System.Collections.Generic.List`1[[System.Tuple`2[[System.String, System.Private.CoreLib, Version=6.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e],[System.String, System.Private.CoreLib, Version=6.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e]], System.Private.CoreLib, Version=6.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e]], System.Private.CoreLib, Version=6.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e]].TryRead(Utf8JsonReader& , Type , JsonSerializerOptions , ReadStack& , List`1& )
     at System.Text.Json.Serialization.Metadata.JsonPropertyInfo`1[[System.Collections.Generic.List`1[[System.Tuple`2[[System.String, System.Private.CoreLib, Version=6.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e],[System.String, System.Private.CoreLib, Version=6.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e]], System.Private.CoreLib, Version=6.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e]], System.Private.CoreLib, Version=6.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e]].ReadJsonAndSetMember(Object , ReadStack& , Utf8JsonReader& )
     at System.Text.Json.Serialization.Converters.ObjectDefaultConverter`1[[blazordebugapp.Shared.Models.UserIdentityClaims, blazordebugapp.Shared, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null]].OnTryRead(Utf8JsonReader& , Type , JsonSerializerOptions , ReadStack& , UserIdentityClaims& )
     at System.Text.Json.Serialization.JsonConverter`1[[blazordebugapp.Shared.Models.UserIdentityClaims, blazordebugapp.Shared, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null]].TryRead(Utf8JsonReader& , Type , JsonSerializerOptions , ReadStack& , UserIdentityClaims& )
     at System.Text.Json.Serialization.JsonConverter`1[[blazordebugapp.Shared.Models.UserIdentityClaims, blazordebugapp.Shared, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null]].ReadCore(Utf8JsonReader& , JsonSerializerOptions , ReadStack& )
     at System.Text.Json.JsonSerializer.ReadCore[UserIdentityClaims](JsonConverter , Utf8JsonReader& , JsonSerializerOptions , ReadStack& )
     at System.Text.Json.JsonSerializer.ReadCore[UserIdentityClaims](JsonReaderState& , Boolean , ReadOnlySpan`1 , JsonSerializerOptions , ReadStack& , JsonConverter )
     at System.Text.Json.JsonSerializer.ContinueDeserialize[UserIdentityClaims](ReadBufferState& , JsonReaderState& , ReadStack& , JsonConverter , JsonSerializerOptions )
     at System.Text.Json.JsonSerializer.<ReadAllAsync>d__65`1[[blazordebugapp.Shared.Models.UserIdentityClaims, blazordebugapp.Shared, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null]].MoveNext()
     at System.Net.Http.Json.HttpContentJsonExtensions.<ReadFromJsonAsyncCore>d__4`1[[blazordebugapp.Shared.Models.UserIdentityClaims, blazordebugapp.Shared, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null]].MoveNext()
     at System.Net.Http.Json.HttpClientJsonExtensions.<GetFromJsonAsyncCore>d__13`1[[blazordebugapp.Shared.Models.UserIdentityClaims, blazordebugapp.Shared, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null]].MoveNext()
     at blazordebugapp.Client.Services.UserRoleService.GetAuthUser()

invokeJSFromDotNet @ blazor.webassembly.js:1

To resolve this issue,
Since the JSON serializer was unable to parse the content part where it needed to use Tuple, I just created another class instead of using List<Tuple<string, string>>, which deserialized fine and resolved this issue.
Note: I tried to parse the content with both System.Text.Json and Newtonsoft.Json libraries, both of them failed to deserialize the JSON content.
Maybe something got changed how the deserialization takes place when parsing JSON content into Tuple but then again why did it work locally? Why was this: UserRoleService able to parse the content fine when I ran locally?

Anyhow, this resolves my issue, so I am going to leave this closed.
Thank you for your help once again.