From 73e3d67ca103048c85d099bcff6033016e0d39de Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 3 Dec 2025 23:13:40 +0000
Subject: [PATCH 1/7] Initial plan


From 1eaaede6fda97482c062f8c03456c4786314b5df Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 3 Dec 2025 23:34:12 +0000
Subject: [PATCH 2/7] Add ForbiddenPage support for Blazor Router and SSR
 endpoints

Co-authored-by: javiercn <6995051+javiercn@users.noreply.github.com>
---
 .../Components/src/NavigationManager.cs       | 37 +++++++++
 .../Components/src/PublicAPI.Unshipped.txt    |  8 ++
 .../src/Routing/ForbiddenEventArgs.cs         | 15 ++++
 .../Components/src/Routing/Router.cs          | 78 +++++++++++++++++++
 .../src/RazorComponentEndpointInvoker.cs      | 20 +++++
 .../EndpointHtmlRenderer.EventDispatch.cs     | 45 +++++++++++
 .../EndpointHtmlRenderer.Streaming.cs         |  6 ++
 .../src/Rendering/EndpointHtmlRenderer.cs     |  3 +
 8 files changed, 212 insertions(+)
 create mode 100644 src/Components/Components/src/Routing/ForbiddenEventArgs.cs

diff --git a/src/Components/Components/src/NavigationManager.cs b/src/Components/Components/src/NavigationManager.cs
index fecbfaca6c28..4fe7b4b3bbd4 100644
--- a/src/Components/Components/src/NavigationManager.cs
+++ b/src/Components/Components/src/NavigationManager.cs
@@ -54,6 +54,25 @@ public event EventHandler<NotFoundEventArgs> OnNotFound
 
     private EventHandler<NotFoundEventArgs>? _notFound;
 
+    /// <summary>
+    /// An event that fires when access to a page is forbidden.
+    /// </summary>
+    public event EventHandler<ForbiddenEventArgs> OnForbidden
+    {
+        add
+        {
+            AssertInitialized();
+            _forbidden += value;
+        }
+        remove
+        {
+            AssertInitialized();
+            _forbidden -= value;
+        }
+    }
+
+    private EventHandler<ForbiddenEventArgs>? _forbidden;
+
     // For the baseUri it's worth storing as a System.Uri so we can do operations
     // on that type. System.Uri gives us access to the original string anyway.
     private Uri? _baseUri;
@@ -214,6 +233,24 @@ private void NotFoundCore()
         }
     }
 
+    /// <summary>
+    /// Handles setting the Forbidden state.
+    /// </summary>
+    public void Forbidden() => ForbiddenCore();
+
+    private void ForbiddenCore()
+    {
+        if (_forbidden is null)
+        {
+            // global router doesn't exist, no events were registered
+            return;
+        }
+        else
+        {
+            _forbidden.Invoke(this, new ForbiddenEventArgs());
+        }
+    }
+
     /// <summary>
     /// Called to initialize BaseURI and current URI before these values are used for the first time.
     /// Override <see cref="EnsureInitialized" /> and call this method to dynamically calculate these values.
diff --git a/src/Components/Components/src/PublicAPI.Unshipped.txt b/src/Components/Components/src/PublicAPI.Unshipped.txt
index 7dc5c58110bf..76decbd60bb6 100644
--- a/src/Components/Components/src/PublicAPI.Unshipped.txt
+++ b/src/Components/Components/src/PublicAPI.Unshipped.txt
@@ -1 +1,9 @@
 #nullable enable
+Microsoft.AspNetCore.Components.NavigationManager.Forbidden() -> void
+Microsoft.AspNetCore.Components.NavigationManager.OnForbidden -> System.EventHandler<Microsoft.AspNetCore.Components.Routing.ForbiddenEventArgs!>!
+Microsoft.AspNetCore.Components.Routing.ForbiddenEventArgs
+Microsoft.AspNetCore.Components.Routing.ForbiddenEventArgs.ForbiddenEventArgs() -> void
+Microsoft.AspNetCore.Components.Routing.ForbiddenEventArgs.Path.get -> string?
+Microsoft.AspNetCore.Components.Routing.ForbiddenEventArgs.Path.set -> void
+Microsoft.AspNetCore.Components.Routing.Router.ForbiddenPage.get -> System.Type?
+Microsoft.AspNetCore.Components.Routing.Router.ForbiddenPage.set -> void
diff --git a/src/Components/Components/src/Routing/ForbiddenEventArgs.cs b/src/Components/Components/src/Routing/ForbiddenEventArgs.cs
new file mode 100644
index 000000000000..5f532dfcea4b
--- /dev/null
+++ b/src/Components/Components/src/Routing/ForbiddenEventArgs.cs
@@ -0,0 +1,15 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+namespace Microsoft.AspNetCore.Components.Routing;
+
+/// <summary>
+/// <see cref="EventArgs" /> for <see cref="NavigationManager.OnForbidden" />.
+/// </summary>
+public sealed class ForbiddenEventArgs : EventArgs
+{
+    /// <summary>
+    /// Gets the path of ForbiddenPage. If the path is set, it indicates that a subscriber has handled the rendering of the Forbidden contents.
+    /// </summary>
+    public string? Path { get; set; }
+}
diff --git a/src/Components/Components/src/Routing/Router.cs b/src/Components/Components/src/Routing/Router.cs
index ecb69fe2cf63..128db4c6ed47 100644
--- a/src/Components/Components/src/Routing/Router.cs
+++ b/src/Components/Components/src/Routing/Router.cs
@@ -30,6 +30,7 @@ static readonly IReadOnlyDictionary<string, object> _emptyParametersDictionary
     bool _navigationInterceptionEnabled;
     ILogger<Router> _logger;
     string _notFoundPageRoute;
+    string _forbiddenPageRoute;
 
     private string _updateScrollPositionForHashLastLocation;
     private bool _updateScrollPositionForHash;
@@ -81,6 +82,13 @@ static readonly IReadOnlyDictionary<string, object> _emptyParametersDictionary
     [DynamicallyAccessedMembers(LinkerFlags.Component)]
     public Type? NotFoundPage { get; set; }
 
+    /// <summary>
+    /// Gets or sets the page content to display when access to a page is forbidden.
+    /// </summary>
+    [Parameter]
+    [DynamicallyAccessedMembers(LinkerFlags.Component)]
+    public Type? ForbiddenPage { get; set; }
+
     /// <summary>
     /// Gets or sets the content to display when a match is found for the requested route.
     /// </summary>
@@ -117,6 +125,7 @@ public void Attach(RenderHandle renderHandle)
         _locationAbsolute = NavigationManager.Uri;
         NavigationManager.LocationChanged += OnLocationChanged;
         NavigationManager.OnNotFound += OnNotFound;
+        NavigationManager.OnForbidden += OnForbidden;
         RoutingStateProvider = ServiceProvider.GetService<IRoutingStateProvider>();
 
         if (HotReloadManager.Default.MetadataUpdateSupported)
@@ -171,6 +180,28 @@ public async Task SetParametersAsync(ParameterView parameters)
             }
         }
 
+        if (ForbiddenPage != null)
+        {
+            if (!typeof(IComponent).IsAssignableFrom(ForbiddenPage))
+            {
+                throw new InvalidOperationException($"The type {ForbiddenPage.FullName} " +
+                    $"does not implement {typeof(IComponent).FullName}.");
+            }
+
+            var routeAttributes = ForbiddenPage.GetCustomAttributes(typeof(RouteAttribute), inherit: true);
+            if (routeAttributes.Length == 0)
+            {
+                throw new InvalidOperationException($"The type {ForbiddenPage.FullName} " +
+                    $"does not have a {typeof(RouteAttribute).FullName} applied to it.");
+            }
+
+            var routeAttribute = (RouteAttribute)routeAttributes[0];
+            if (routeAttribute.Template != null)
+            {
+                _forbiddenPageRoute = routeAttribute.Template;
+            }
+        }
+
         if (!_onNavigateCalled)
         {
             _onNavigateCalled = true;
@@ -187,6 +218,7 @@ public void Dispose()
     {
         NavigationManager.LocationChanged -= OnLocationChanged;
         NavigationManager.OnNotFound -= OnNotFound;
+        NavigationManager.OnForbidden -= OnForbidden;
         if (HotReloadManager.Default.MetadataUpdateSupported)
         {
             HotReloadManager.Default.OnDeltaApplied -= ClearRouteCaches;
@@ -409,6 +441,26 @@ private void OnNotFound(object sender, NotFoundEventArgs args)
         }
     }
 
+    private void OnForbidden(object sender, ForbiddenEventArgs args)
+    {
+        bool renderContentIsProvided = ForbiddenPage != null || args.Path != null;
+        if (_renderHandle.IsInitialized && renderContentIsProvided)
+        {
+            if (!string.IsNullOrEmpty(args.Path))
+            {
+                // The path can be set by a subscriber not defined in blazor framework.
+                _renderHandle.Render(builder => RenderComponentByRoute(builder, args.Path));
+            }
+            else
+            {
+                // Having the path set signals to the endpoint renderer that router handled rendering.
+                args.Path = _forbiddenPageRoute;
+                RenderForbidden();
+            }
+            Log.DisplayingForbidden(_logger, args.Path);
+        }
+    }
+
     internal void RenderComponentByRoute(RenderTreeBuilder builder, string route)
     {
         var componentType = FindComponentTypeByRoute(route);
@@ -466,6 +518,29 @@ private void RenderNotFound()
         });
     }
 
+    private void RenderForbidden()
+    {
+        _renderHandle.Render(builder =>
+        {
+            if (ForbiddenPage != null)
+            {
+                builder.OpenComponent<RouteView>(0);
+                builder.AddAttribute(1, nameof(RouteView.RouteData),
+                    new RouteData(ForbiddenPage, _emptyParametersDictionary));
+                builder.CloseComponent();
+            }
+            else
+            {
+                DefaultForbiddenContent(builder);
+            }
+        });
+    }
+
+    private static void DefaultForbiddenContent(RenderTreeBuilder builder)
+    {
+        builder.AddContent(0, "Forbidden");
+    }
+
     async Task IHandleAfterRender.OnAfterRenderAsync()
     {
         if (!_navigationInterceptionEnabled)
@@ -495,6 +570,9 @@ private static partial class Log
 
         [LoggerMessage(4, LogLevel.Debug, $"Displaying contents of {{displayedContentPath}} on request", EventName = "DisplayingNotFoundOnRequest")]
         internal static partial void DisplayingNotFound(ILogger logger, string displayedContentPath);
+
+        [LoggerMessage(5, LogLevel.Debug, $"Displaying contents of {{displayedContentPath}} on forbidden request", EventName = "DisplayingForbiddenOnRequest")]
+        internal static partial void DisplayingForbidden(ILogger logger, string displayedContentPath);
 #pragma warning restore CS0618 // Type or member is obsolete
     }
 }
diff --git a/src/Components/Endpoints/src/RazorComponentEndpointInvoker.cs b/src/Components/Endpoints/src/RazorComponentEndpointInvoker.cs
index 22119d0522c9..28316b4b9355 100644
--- a/src/Components/Endpoints/src/RazorComponentEndpointInvoker.cs
+++ b/src/Components/Endpoints/src/RazorComponentEndpointInvoker.cs
@@ -135,6 +135,11 @@ await _renderer.InitializeStandardComponentServicesAsync(
             _renderer.SetNotFoundWhenResponseNotStarted();
         }
 
+        if (_renderer.ForbiddenEventArgs != null)
+        {
+            _renderer.SetForbiddenWhenResponseNotStarted();
+        }
+
         if (!quiesceTask.IsCompleted)
         {
             // An incomplete QuiescenceTask indicates there may be streaming rendering updates.
@@ -167,6 +172,10 @@ await _renderer.InitializeStandardComponentServicesAsync(
             {
                 await _renderer.SetNotFoundWhenResponseHasStarted();
             }
+            if (_renderer.ForbiddenEventArgs != null)
+            {
+                await _renderer.SetForbiddenWhenResponseHasStarted();
+            }
         }
         else
         {
@@ -191,6 +200,17 @@ await _renderer.InitializeStandardComponentServicesAsync(
             return;
         }
 
+        if (context.Response.StatusCode == StatusCodes.Status403Forbidden &&
+            !isReExecuted &&
+            string.IsNullOrEmpty(_renderer.ForbiddenEventArgs?.Path))
+        {
+            // Router did not handle the Forbidden event, otherwise this would not be empty.
+            // Don't flush the response if we have an unhandled 403 rendering
+            // This will allow the StatusCodePages middleware to re-execute the request
+            context.Response.ContentType = null;
+            return;
+        }
+
         // Invoke FlushAsync to ensure any buffered content is asynchronously written to the underlying
         // response asynchronously. In the absence of this line, the buffer gets synchronously written to the
         // response as part of the Dispose which has a perf impact.
diff --git a/src/Components/Endpoints/src/Rendering/EndpointHtmlRenderer.EventDispatch.cs b/src/Components/Endpoints/src/Rendering/EndpointHtmlRenderer.EventDispatch.cs
index a06d3e66d622..5605ea0e033c 100644
--- a/src/Components/Endpoints/src/Rendering/EndpointHtmlRenderer.EventDispatch.cs
+++ b/src/Components/Endpoints/src/Rendering/EndpointHtmlRenderer.EventDispatch.cs
@@ -108,6 +108,35 @@ internal async Task SetNotFoundWhenResponseHasStarted()
         SignalRendererToFinishRendering();
     }
 
+    internal void SetForbiddenWhenResponseNotStarted()
+    {
+        _httpContext.Response.StatusCode = StatusCodes.Status403Forbidden;
+
+        // When the application triggers a Forbidden event, we continue rendering the current batch.
+        // However, after completing this batch, we do not want to process any further UI updates,
+        // as we are going to return a 403 status and discard the UI updates generated so far.
+        SignalRendererToFinishRendering();
+    }
+
+    internal async Task SetForbiddenWhenResponseHasStarted()
+    {
+        if (string.IsNullOrEmpty(_forbiddenUrl))
+        {
+            var baseUri = $"{_httpContext.Request.Scheme}://{_httpContext.Request.Host}{_httpContext.Request.PathBase}/";
+            _forbiddenUrl = GetForbiddenUrl(baseUri, ForbiddenEventArgs);
+        }
+        var defaultBufferSize = 16 * 1024;
+        await using var writer = new HttpResponseStreamWriter(_httpContext.Response.Body, Encoding.UTF8, defaultBufferSize, ArrayPool<byte>.Shared, ArrayPool<char>.Shared);
+        using var bufferWriter = new BufferedTextWriter(writer);
+        HandleForbiddenAfterResponseStarted(bufferWriter, _httpContext, _forbiddenUrl);
+        await bufferWriter.FlushAsync();
+
+        // When the application triggers a Forbidden event, we continue rendering the current batch.
+        // However, after completing this batch, we do not want to process any further UI updates,
+        // as we are going to return a 403 status and discard the UI updates generated so far.
+        SignalRendererToFinishRendering();
+    }
+
     private string GetNotFoundUrl(string baseUri, NotFoundEventArgs? args)
     {
         string? path = args?.Path;
@@ -124,6 +153,22 @@ private string GetNotFoundUrl(string baseUri, NotFoundEventArgs? args)
         return $"{baseUri}{path.TrimStart('/')}";
     }
 
+    private string GetForbiddenUrl(string baseUri, ForbiddenEventArgs? args)
+    {
+        string? path = args?.Path;
+        if (string.IsNullOrEmpty(path))
+        {
+            var pathFormat = _httpContext.Items[nameof(StatusCodePagesOptions)] as string;
+            if (string.IsNullOrEmpty(pathFormat))
+            {
+                throw new InvalidOperationException($"The {nameof(Router.ForbiddenPage)} route must be specified or re-execution middleware has to be set to render forbidden content.");
+            }
+
+            path = pathFormat;
+        }
+        return $"{baseUri}{path.TrimStart('/')}";
+    }
+
     private async Task OnNavigateTo(string uri)
     {
         if (_httpContext.Response.HasStarted)
diff --git a/src/Components/Endpoints/src/Rendering/EndpointHtmlRenderer.Streaming.cs b/src/Components/Endpoints/src/Rendering/EndpointHtmlRenderer.Streaming.cs
index 50728a8c3271..4c9174917696 100644
--- a/src/Components/Endpoints/src/Rendering/EndpointHtmlRenderer.Streaming.cs
+++ b/src/Components/Endpoints/src/Rendering/EndpointHtmlRenderer.Streaming.cs
@@ -231,6 +231,12 @@ private static void HandleNotFoundAfterResponseStarted(TextWriter writer, HttpCo
         WriteResponseTemplate(writer, httpContext, notFoundUrl, useEnhancedNav: true);
     }
 
+    private static void HandleForbiddenAfterResponseStarted(TextWriter writer, HttpContext httpContext, string forbiddenUrl)
+    {
+        writer.Write("<blazor-ssr><template type=\"forbidden\"");
+        WriteResponseTemplate(writer, httpContext, forbiddenUrl, useEnhancedNav: true);
+    }
+
     private static void HandleNavigationAfterResponseStarted(TextWriter writer, HttpContext httpContext, string destinationUrl)
     {
         writer.Write("<blazor-ssr><template type=\"redirection\"");
diff --git a/src/Components/Endpoints/src/Rendering/EndpointHtmlRenderer.cs b/src/Components/Endpoints/src/Rendering/EndpointHtmlRenderer.cs
index ac24baa2f7d5..5bb927ab072b 100644
--- a/src/Components/Endpoints/src/Rendering/EndpointHtmlRenderer.cs
+++ b/src/Components/Endpoints/src/Rendering/EndpointHtmlRenderer.cs
@@ -53,6 +53,7 @@ internal partial class EndpointHtmlRenderer : StaticHtmlRenderer, IComponentPrer
     private readonly List<Task> _nonStreamingPendingTasks = new();
 
     private string _notFoundUrl = string.Empty;
+    private string _forbiddenUrl = string.Empty;
 
     public EndpointHtmlRenderer(IServiceProvider serviceProvider, ILoggerFactory loggerFactory)
         : base(serviceProvider, loggerFactory)
@@ -64,6 +65,7 @@ public EndpointHtmlRenderer(IServiceProvider serviceProvider, ILoggerFactory log
 
     internal HttpContext? HttpContext => _httpContext;
     internal NotFoundEventArgs? NotFoundEventArgs { get; private set; }
+    internal ForbiddenEventArgs? ForbiddenEventArgs { get; private set; }
 
     internal void SetHttpContext(HttpContext httpContext)
     {
@@ -90,6 +92,7 @@ internal async Task InitializeStandardComponentServicesAsync(
             uri => GetErrorHandledTask(OnNavigateTo(uri)));
 
         navigationManager?.OnNotFound += (sender, args) => NotFoundEventArgs = args;
+        navigationManager?.OnForbidden += (sender, args) => ForbiddenEventArgs = args;
 
         var authenticationStateProvider = httpContext.RequestServices.GetService<AuthenticationStateProvider>();
         if (authenticationStateProvider is IHostEnvironmentAuthenticationStateProvider hostEnvironmentAuthenticationStateProvider)

From b4bdd85abb9e14652323c3ba5907d4486cbd5287 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 3 Dec 2025 23:40:15 +0000
Subject: [PATCH 3/7] Add unit tests for ForbiddenPage and Forbidden event

Co-authored-by: javiercn <6995051+javiercn@users.noreply.github.com>
---
 .../Components/test/NavigationManagerTest.cs  |  38 ++++
 .../Components/test/Routing/RouterTest.cs     | 214 ++++++++++++++++++
 2 files changed, 252 insertions(+)

diff --git a/src/Components/Components/test/NavigationManagerTest.cs b/src/Components/Components/test/NavigationManagerTest.cs
index 3f6e680d0c8b..f793499503dd 100644
--- a/src/Components/Components/test/NavigationManagerTest.cs
+++ b/src/Components/Components/test/NavigationManagerTest.cs
@@ -886,6 +886,44 @@ public void OnNotFoundSubscriptionIsTriggeredWhenNotFoundCalled()
         // Assert
         Assert.True(notFoundTriggered, "The OnNotFound event was not triggered as expected.");
     }
+
+    [Fact]
+    public void OnForbiddenSubscriptionIsTriggeredWhenForbiddenCalled()
+    {
+        // Arrange
+        var baseUri = "scheme://host/";
+        var testNavManager = new TestNavigationManager(baseUri);
+        bool forbiddenTriggered = false;
+        testNavManager.OnForbidden += (sender, args) => forbiddenTriggered = true;
+
+        // Simulate a component triggered Forbidden
+        testNavManager.Forbidden();
+
+        // Assert
+        Assert.True(forbiddenTriggered, "The OnForbidden event was not triggered as expected.");
+    }
+
+    [Fact]
+    public void OnForbiddenEventArgsPathCanBeSet()
+    {
+        // Arrange
+        var baseUri = "scheme://host/";
+        var testNavManager = new TestNavigationManager(baseUri);
+        ForbiddenEventArgs receivedArgs = null;
+
+        testNavManager.OnForbidden += (sender, args) =>
+        {
+            args.Path = "/forbidden-page";
+            receivedArgs = args;
+        };
+
+        // Simulate a component triggered Forbidden
+        testNavManager.Forbidden();
+
+        // Assert
+        Assert.NotNull(receivedArgs);
+        Assert.Equal("/forbidden-page", receivedArgs.Path);
+    }
  
     private class TestNavigationManager : NavigationManager
     {
diff --git a/src/Components/Components/test/Routing/RouterTest.cs b/src/Components/Components/test/Routing/RouterTest.cs
index e3c7f5dafaae..cf36b757b40c 100644
--- a/src/Components/Components/test/Routing/RouterTest.cs
+++ b/src/Components/Components/test/Routing/RouterTest.cs
@@ -488,6 +488,210 @@ await _renderer.Dispatcher.InvokeAsync(() =>
         Assert.Contains("No component found for route '/nonexistent-route'", exception.Message);
     }
 
+    [Fact]
+    public async Task OnForbidden_WithForbiddenPageSet_UsesForbiddenPage()
+    {
+        // Create a new router instance for this test to control Attach() timing
+        var services = new ServiceCollection();
+        var testNavManager = new TestNavigationManager();
+        services.AddSingleton<ILoggerFactory>(NullLoggerFactory.Instance);
+        services.AddSingleton<NavigationManager>(testNavManager);
+        services.AddSingleton<INavigationInterception, TestNavigationInterception>();
+        services.AddSingleton<IScrollToLocationHash, TestScrollToLocationHash>();
+        var serviceProvider = services.BuildServiceProvider();
+
+        var testRenderer = new TestRenderer(serviceProvider);
+        testRenderer.ShouldHandleExceptions = true;
+        var testRouter = (Router)testRenderer.InstantiateComponent<Router>();
+        testRouter.AppAssembly = Assembly.GetExecutingAssembly();
+        testRouter.Found = routeData => (builder) => builder.AddContent(0, $"Rendering route matching {routeData.PageType}");
+
+        var parameters = new Dictionary<string, object>
+        {
+            { nameof(Router.AppAssembly), typeof(RouterTest).Assembly },
+            { nameof(Router.ForbiddenPage), typeof(ForbiddenTestComponent) }
+        };
+
+        // Assign the root component ID which will call Attach()
+        testRenderer.AssignRootComponentId(testRouter);
+
+        // Act
+        await testRenderer.Dispatcher.InvokeAsync(() =>
+            testRouter.SetParametersAsync(ParameterView.FromDictionary(parameters)));
+
+        // Trigger the NavigationManager's OnForbidden event
+        await testRenderer.Dispatcher.InvokeAsync(() => testNavManager.TriggerForbidden());
+
+        // Assert
+        var lastBatch = testRenderer.Batches.Last();
+        var renderedFrame = lastBatch.ReferenceFrames.First();
+        Assert.Equal(RenderTreeFrameType.Component, renderedFrame.FrameType);
+        Assert.Equal(typeof(RouteView), renderedFrame.ComponentType);
+
+        // Verify that the RouteData contains the ForbiddenTestComponent
+        var routeViewFrame = lastBatch.ReferenceFrames.Skip(1).First();
+        Assert.Equal(RenderTreeFrameType.Attribute, routeViewFrame.FrameType);
+        var routeData = (RouteData)routeViewFrame.AttributeValue;
+        Assert.Equal(typeof(ForbiddenTestComponent), routeData.PageType);
+    }
+
+    [Fact]
+    public async Task OnForbidden_WithArgsPathSet_RendersComponentByRoute()
+    {
+        // Create a new router instance for this test to control Attach() timing
+        var services = new ServiceCollection();
+        var testNavManager = new TestNavigationManager();
+        services.AddSingleton<ILoggerFactory>(NullLoggerFactory.Instance);
+        services.AddSingleton<NavigationManager>(testNavManager);
+        services.AddSingleton<INavigationInterception, TestNavigationInterception>();
+        services.AddSingleton<IScrollToLocationHash, TestScrollToLocationHash>();
+        var serviceProvider = services.BuildServiceProvider();
+
+        var testRenderer = new TestRenderer(serviceProvider);
+        testRenderer.ShouldHandleExceptions = true;
+        var testRouter = (Router)testRenderer.InstantiateComponent<Router>();
+        testRouter.AppAssembly = Assembly.GetExecutingAssembly();
+        testRouter.Found = routeData => (builder) => builder.AddContent(0, $"Rendering route matching {routeData.PageType}");
+
+        var parameters = new Dictionary<string, object>
+        {
+            { nameof(Router.AppAssembly), typeof(RouterTest).Assembly }
+        };
+
+        // Subscribe to OnForbidden event BEFORE router attaches and set args.Path
+        testNavManager.OnForbidden += (sender, args) =>
+        {
+            args.Path = "/jan"; // Point to an existing route
+        };
+
+        // Assign the root component ID which will call Attach()
+        testRenderer.AssignRootComponentId(testRouter);
+
+        // Act
+        await testRenderer.Dispatcher.InvokeAsync(() =>
+            testRouter.SetParametersAsync(ParameterView.FromDictionary(parameters)));
+
+        // Trigger the NavigationManager's OnForbidden event
+        await testRenderer.Dispatcher.InvokeAsync(() => testNavManager.TriggerForbidden());
+
+        // Assert
+        var lastBatch = testRenderer.Batches.Last();
+        var renderedFrame = lastBatch.ReferenceFrames.First();
+        Assert.Equal(RenderTreeFrameType.Component, renderedFrame.FrameType);
+        Assert.Equal(typeof(RouteView), renderedFrame.ComponentType);
+
+        // Verify that the RouteData contains the correct component type
+        var routeViewFrame = lastBatch.ReferenceFrames.Skip(1).First();
+        Assert.Equal(RenderTreeFrameType.Attribute, routeViewFrame.FrameType);
+        var routeData = (RouteData)routeViewFrame.AttributeValue;
+        Assert.Equal(typeof(JanComponent), routeData.PageType);
+    }
+
+    [Fact]
+    public async Task OnForbidden_WithoutForbiddenPage_UsesDefaultContent()
+    {
+        // Create a new router instance for this test to control Attach() timing
+        var services = new ServiceCollection();
+        var testNavManager = new TestNavigationManager();
+        services.AddSingleton<ILoggerFactory>(NullLoggerFactory.Instance);
+        services.AddSingleton<NavigationManager>(testNavManager);
+        services.AddSingleton<INavigationInterception, TestNavigationInterception>();
+        services.AddSingleton<IScrollToLocationHash, TestScrollToLocationHash>();
+        var serviceProvider = services.BuildServiceProvider();
+
+        var testRenderer = new TestRenderer(serviceProvider);
+        testRenderer.ShouldHandleExceptions = true;
+        var testRouter = (Router)testRenderer.InstantiateComponent<Router>();
+        testRouter.AppAssembly = Assembly.GetExecutingAssembly();
+        testRouter.Found = routeData => (builder) => builder.AddContent(0, $"Rendering route matching {routeData.PageType}");
+
+        var parameters = new Dictionary<string, object>
+        {
+            { nameof(Router.AppAssembly), typeof(RouterTest).Assembly }
+        };
+
+        // Assign the root component ID which will call Attach()
+        testRenderer.AssignRootComponentId(testRouter);
+
+        // Act
+        await testRenderer.Dispatcher.InvokeAsync(() =>
+            testRouter.SetParametersAsync(ParameterView.FromDictionary(parameters)));
+
+        // Trigger the NavigationManager's OnForbidden event
+        // Without ForbiddenPage set, it should not render anything
+        await testRenderer.Dispatcher.InvokeAsync(() => testNavManager.TriggerForbidden());
+
+        // Assert - When ForbiddenPage is not set and no args.Path is provided, nothing is rendered
+        // The number of batches should remain the same (no new batch for forbidden content)
+        Assert.Single(testRenderer.Batches);
+    }
+
+    [Fact]
+    public async Task ForbiddenPage_RequiresRouteAttribute()
+    {
+        // Arrange
+        var services = new ServiceCollection();
+        services.AddSingleton<ILoggerFactory>(NullLoggerFactory.Instance);
+        services.AddSingleton<NavigationManager>(_navigationManager);
+        services.AddSingleton<INavigationInterception, TestNavigationInterception>();
+        services.AddSingleton<IScrollToLocationHash, TestScrollToLocationHash>();
+        var serviceProvider = services.BuildServiceProvider();
+
+        var renderer = new TestRenderer(serviceProvider);
+        renderer.ShouldHandleExceptions = true;
+        var router = (Router)renderer.InstantiateComponent<Router>();
+        router.AppAssembly = Assembly.GetExecutingAssembly();
+        router.Found = routeData => (builder) => builder.AddContent(0, $"Rendering route matching {routeData.PageType}");
+        renderer.AssignRootComponentId(router);
+
+        var parameters = new Dictionary<string, object>
+        {
+            { nameof(Router.AppAssembly), typeof(RouterTest).Assembly },
+            { nameof(Router.ForbiddenPage), typeof(ComponentWithoutRoute) }
+        };
+
+        // Act & Assert
+        var exception = await Assert.ThrowsAsync<InvalidOperationException>(async () =>
+            await renderer.Dispatcher.InvokeAsync(() =>
+                router.SetParametersAsync(ParameterView.FromDictionary(parameters))));
+
+        Assert.Contains("does not have a", exception.Message);
+        Assert.Contains("RouteAttribute", exception.Message);
+    }
+
+    [Fact]
+    public async Task ForbiddenPage_RequiresIComponentType()
+    {
+        // Arrange
+        var services = new ServiceCollection();
+        services.AddSingleton<ILoggerFactory>(NullLoggerFactory.Instance);
+        services.AddSingleton<NavigationManager>(_navigationManager);
+        services.AddSingleton<INavigationInterception, TestNavigationInterception>();
+        services.AddSingleton<IScrollToLocationHash, TestScrollToLocationHash>();
+        var serviceProvider = services.BuildServiceProvider();
+
+        var renderer = new TestRenderer(serviceProvider);
+        renderer.ShouldHandleExceptions = true;
+        var router = (Router)renderer.InstantiateComponent<Router>();
+        router.AppAssembly = Assembly.GetExecutingAssembly();
+        router.Found = routeData => (builder) => builder.AddContent(0, $"Rendering route matching {routeData.PageType}");
+        renderer.AssignRootComponentId(router);
+
+        var parameters = new Dictionary<string, object>
+        {
+            { nameof(Router.AppAssembly), typeof(RouterTest).Assembly },
+            { nameof(Router.ForbiddenPage), typeof(object) } // object does not implement IComponent
+        };
+
+        // Act & Assert
+        var exception = await Assert.ThrowsAsync<InvalidOperationException>(async () =>
+            await renderer.Dispatcher.InvokeAsync(() =>
+                router.SetParametersAsync(ParameterView.FromDictionary(parameters))));
+
+        Assert.Contains("does not implement", exception.Message);
+        Assert.Contains("IComponent", exception.Message);
+    }
+
     internal class TestNavigationManager : NavigationManager
     {
         public TestNavigationManager() =>
@@ -503,6 +707,11 @@ public void TriggerNotFound()
         {
             base.NotFound();
         }
+
+        public void TriggerForbidden()
+        {
+            base.Forbidden();
+        }
     }
 
     internal sealed class TestNavigationInterception : INavigationInterception
@@ -538,4 +747,9 @@ public class MultiSegmentRouteComponent : ComponentBase { }
     [Route("not-found")]
     public class NotFoundTestComponent : ComponentBase { }
 
+    [Route("forbidden")]
+    public class ForbiddenTestComponent : ComponentBase { }
+
+    public class ComponentWithoutRoute : ComponentBase { }
+
 }

From 0311790cfa3813591023473a234c02ddf882eff3 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 3 Dec 2025 23:43:11 +0000
Subject: [PATCH 4/7] Fix code review comment to clarify
 ForbiddenEventArgs.Path reference

Co-authored-by: javiercn <6995051+javiercn@users.noreply.github.com>
---
 src/Components/Endpoints/src/RazorComponentEndpointInvoker.cs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/Components/Endpoints/src/RazorComponentEndpointInvoker.cs b/src/Components/Endpoints/src/RazorComponentEndpointInvoker.cs
index 28316b4b9355..94a6dae82aac 100644
--- a/src/Components/Endpoints/src/RazorComponentEndpointInvoker.cs
+++ b/src/Components/Endpoints/src/RazorComponentEndpointInvoker.cs
@@ -204,7 +204,7 @@ await _renderer.InitializeStandardComponentServicesAsync(
             !isReExecuted &&
             string.IsNullOrEmpty(_renderer.ForbiddenEventArgs?.Path))
         {
-            // Router did not handle the Forbidden event, otherwise this would not be empty.
+            // Router did not handle the Forbidden event, otherwise ForbiddenEventArgs.Path would not be empty.
             // Don't flush the response if we have an unhandled 403 rendering
             // This will allow the StatusCodePages middleware to re-execute the request
             context.Response.ContentType = null;

From 807aa9b8c50f0009af2da59e7e28b7bbce8167ce Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 4 Dec 2025 09:53:05 +0000
Subject: [PATCH 5/7] Redesign: Move ForbiddenPage to AuthorizeRouteView as
 NotAuthorizedPage

Based on reviewer feedback:
- Removed all changes from Router, NavigationManager, and SSR endpoints
- Added NotAuthorizedPage property to AuthorizeRouteView only
- When set, renders the specified page component instead of NotAuthorized content

Co-authored-by: javiercn <6995051+javiercn@users.noreply.github.com>
---
 .../Authorization/src/AuthorizeRouteView.cs   |  37 ++-
 .../Authorization/src/PublicAPI.Unshipped.txt |   2 +
 .../Components/src/NavigationManager.cs       |  37 ---
 .../Components/src/PublicAPI.Unshipped.txt    |   8 -
 .../src/Routing/ForbiddenEventArgs.cs         |  15 --
 .../Components/src/Routing/Router.cs          |  78 -------
 .../Components/test/NavigationManagerTest.cs  |  38 ----
 .../Components/test/Routing/RouterTest.cs     | 214 ------------------
 .../src/RazorComponentEndpointInvoker.cs      |  20 --
 .../EndpointHtmlRenderer.EventDispatch.cs     |  45 ----
 .../EndpointHtmlRenderer.Streaming.cs         |   6 -
 .../src/Rendering/EndpointHtmlRenderer.cs     |   3 -
 12 files changed, 37 insertions(+), 466 deletions(-)
 delete mode 100644 src/Components/Components/src/Routing/ForbiddenEventArgs.cs

diff --git a/src/Components/Authorization/src/AuthorizeRouteView.cs b/src/Components/Authorization/src/AuthorizeRouteView.cs
index f44afadff3ea..1f1284483b74 100644
--- a/src/Components/Authorization/src/AuthorizeRouteView.cs
+++ b/src/Components/Authorization/src/AuthorizeRouteView.cs
@@ -51,6 +51,14 @@ public AuthorizeRouteView()
     [Parameter]
     public RenderFragment<AuthenticationState>? NotAuthorized { get; set; }
 
+    /// <summary>
+    /// The page type that will be displayed if the user is not authorized.
+    /// The page type must implement <see cref="IComponent"/> and have a <see cref="RouteAttribute"/>.
+    /// </summary>
+    [Parameter]
+    [DynamicallyAccessedMembers(DynamicallyAccessedMemberTypes.All)]
+    public Type? NotAuthorizedPage { get; set; }
+
     /// <summary>
     /// The content that will be displayed while asynchronous authorization is in progress.
     /// </summary>
@@ -111,8 +119,33 @@ private void RenderContentInDefaultLayout(RenderTreeBuilder builder, RenderFragm
 
     private void RenderNotAuthorizedInDefaultLayout(RenderTreeBuilder builder, AuthenticationState authenticationState)
     {
-        var content = NotAuthorized ?? _defaultNotAuthorizedContent;
-        RenderContentInDefaultLayout(builder, content(authenticationState));
+        if (NotAuthorizedPage is not null)
+        {
+            RenderPageInDefaultLayout(builder, NotAuthorizedPage);
+        }
+        else
+        {
+            var content = NotAuthorized ?? _defaultNotAuthorizedContent;
+            RenderContentInDefaultLayout(builder, content(authenticationState));
+        }
+    }
+
+    [UnconditionalSuppressMessage("ReflectionAnalysis", "IL2111:RequiresUnreferencedCode",
+        Justification = "OpenComponent already has the right set of attributes")]
+    [UnconditionalSuppressMessage("ReflectionAnalysis", "IL2110:RequiresUnreferencedCode",
+        Justification = "OpenComponent already has the right set of attributes")]
+    [UnconditionalSuppressMessage("ReflectionAnalysis", "IL2118:RequiresUnreferencedCode",
+        Justification = "OpenComponent already has the right set of attributes")]
+    private void RenderPageInDefaultLayout(RenderTreeBuilder builder, [DynamicallyAccessedMembers(DynamicallyAccessedMemberTypes.All)] Type pageType)
+    {
+        builder.OpenComponent<LayoutView>(0);
+        builder.AddComponentParameter(1, nameof(LayoutView.Layout), DefaultLayout);
+        builder.AddComponentParameter(2, nameof(LayoutView.ChildContent), (RenderFragment)(pageBuilder =>
+        {
+            pageBuilder.OpenComponent(0, pageType);
+            pageBuilder.CloseComponent();
+        }));
+        builder.CloseComponent();
     }
 
     private void RenderAuthorizingInDefaultLayout(RenderTreeBuilder builder)
diff --git a/src/Components/Authorization/src/PublicAPI.Unshipped.txt b/src/Components/Authorization/src/PublicAPI.Unshipped.txt
index 7dc5c58110bf..dc6a95dda497 100644
--- a/src/Components/Authorization/src/PublicAPI.Unshipped.txt
+++ b/src/Components/Authorization/src/PublicAPI.Unshipped.txt
@@ -1 +1,3 @@
 #nullable enable
+Microsoft.AspNetCore.Components.Authorization.AuthorizeRouteView.NotAuthorizedPage.get -> System.Type?
+Microsoft.AspNetCore.Components.Authorization.AuthorizeRouteView.NotAuthorizedPage.set -> void
diff --git a/src/Components/Components/src/NavigationManager.cs b/src/Components/Components/src/NavigationManager.cs
index 4fe7b4b3bbd4..fecbfaca6c28 100644
--- a/src/Components/Components/src/NavigationManager.cs
+++ b/src/Components/Components/src/NavigationManager.cs
@@ -54,25 +54,6 @@ public event EventHandler<NotFoundEventArgs> OnNotFound
 
     private EventHandler<NotFoundEventArgs>? _notFound;
 
-    /// <summary>
-    /// An event that fires when access to a page is forbidden.
-    /// </summary>
-    public event EventHandler<ForbiddenEventArgs> OnForbidden
-    {
-        add
-        {
-            AssertInitialized();
-            _forbidden += value;
-        }
-        remove
-        {
-            AssertInitialized();
-            _forbidden -= value;
-        }
-    }
-
-    private EventHandler<ForbiddenEventArgs>? _forbidden;
-
     // For the baseUri it's worth storing as a System.Uri so we can do operations
     // on that type. System.Uri gives us access to the original string anyway.
     private Uri? _baseUri;
@@ -233,24 +214,6 @@ private void NotFoundCore()
         }
     }
 
-    /// <summary>
-    /// Handles setting the Forbidden state.
-    /// </summary>
-    public void Forbidden() => ForbiddenCore();
-
-    private void ForbiddenCore()
-    {
-        if (_forbidden is null)
-        {
-            // global router doesn't exist, no events were registered
-            return;
-        }
-        else
-        {
-            _forbidden.Invoke(this, new ForbiddenEventArgs());
-        }
-    }
-
     /// <summary>
     /// Called to initialize BaseURI and current URI before these values are used for the first time.
     /// Override <see cref="EnsureInitialized" /> and call this method to dynamically calculate these values.
diff --git a/src/Components/Components/src/PublicAPI.Unshipped.txt b/src/Components/Components/src/PublicAPI.Unshipped.txt
index 76decbd60bb6..7dc5c58110bf 100644
--- a/src/Components/Components/src/PublicAPI.Unshipped.txt
+++ b/src/Components/Components/src/PublicAPI.Unshipped.txt
@@ -1,9 +1 @@
 #nullable enable
-Microsoft.AspNetCore.Components.NavigationManager.Forbidden() -> void
-Microsoft.AspNetCore.Components.NavigationManager.OnForbidden -> System.EventHandler<Microsoft.AspNetCore.Components.Routing.ForbiddenEventArgs!>!
-Microsoft.AspNetCore.Components.Routing.ForbiddenEventArgs
-Microsoft.AspNetCore.Components.Routing.ForbiddenEventArgs.ForbiddenEventArgs() -> void
-Microsoft.AspNetCore.Components.Routing.ForbiddenEventArgs.Path.get -> string?
-Microsoft.AspNetCore.Components.Routing.ForbiddenEventArgs.Path.set -> void
-Microsoft.AspNetCore.Components.Routing.Router.ForbiddenPage.get -> System.Type?
-Microsoft.AspNetCore.Components.Routing.Router.ForbiddenPage.set -> void
diff --git a/src/Components/Components/src/Routing/ForbiddenEventArgs.cs b/src/Components/Components/src/Routing/ForbiddenEventArgs.cs
deleted file mode 100644
index 5f532dfcea4b..000000000000
--- a/src/Components/Components/src/Routing/ForbiddenEventArgs.cs
+++ /dev/null
@@ -1,15 +0,0 @@
-// Licensed to the .NET Foundation under one or more agreements.
-// The .NET Foundation licenses this file to you under the MIT license.
-
-namespace Microsoft.AspNetCore.Components.Routing;
-
-/// <summary>
-/// <see cref="EventArgs" /> for <see cref="NavigationManager.OnForbidden" />.
-/// </summary>
-public sealed class ForbiddenEventArgs : EventArgs
-{
-    /// <summary>
-    /// Gets the path of ForbiddenPage. If the path is set, it indicates that a subscriber has handled the rendering of the Forbidden contents.
-    /// </summary>
-    public string? Path { get; set; }
-}
diff --git a/src/Components/Components/src/Routing/Router.cs b/src/Components/Components/src/Routing/Router.cs
index 128db4c6ed47..ecb69fe2cf63 100644
--- a/src/Components/Components/src/Routing/Router.cs
+++ b/src/Components/Components/src/Routing/Router.cs
@@ -30,7 +30,6 @@ static readonly IReadOnlyDictionary<string, object> _emptyParametersDictionary
     bool _navigationInterceptionEnabled;
     ILogger<Router> _logger;
     string _notFoundPageRoute;
-    string _forbiddenPageRoute;
 
     private string _updateScrollPositionForHashLastLocation;
     private bool _updateScrollPositionForHash;
@@ -82,13 +81,6 @@ static readonly IReadOnlyDictionary<string, object> _emptyParametersDictionary
     [DynamicallyAccessedMembers(LinkerFlags.Component)]
     public Type? NotFoundPage { get; set; }
 
-    /// <summary>
-    /// Gets or sets the page content to display when access to a page is forbidden.
-    /// </summary>
-    [Parameter]
-    [DynamicallyAccessedMembers(LinkerFlags.Component)]
-    public Type? ForbiddenPage { get; set; }
-
     /// <summary>
     /// Gets or sets the content to display when a match is found for the requested route.
     /// </summary>
@@ -125,7 +117,6 @@ public void Attach(RenderHandle renderHandle)
         _locationAbsolute = NavigationManager.Uri;
         NavigationManager.LocationChanged += OnLocationChanged;
         NavigationManager.OnNotFound += OnNotFound;
-        NavigationManager.OnForbidden += OnForbidden;
         RoutingStateProvider = ServiceProvider.GetService<IRoutingStateProvider>();
 
         if (HotReloadManager.Default.MetadataUpdateSupported)
@@ -180,28 +171,6 @@ public async Task SetParametersAsync(ParameterView parameters)
             }
         }
 
-        if (ForbiddenPage != null)
-        {
-            if (!typeof(IComponent).IsAssignableFrom(ForbiddenPage))
-            {
-                throw new InvalidOperationException($"The type {ForbiddenPage.FullName} " +
-                    $"does not implement {typeof(IComponent).FullName}.");
-            }
-
-            var routeAttributes = ForbiddenPage.GetCustomAttributes(typeof(RouteAttribute), inherit: true);
-            if (routeAttributes.Length == 0)
-            {
-                throw new InvalidOperationException($"The type {ForbiddenPage.FullName} " +
-                    $"does not have a {typeof(RouteAttribute).FullName} applied to it.");
-            }
-
-            var routeAttribute = (RouteAttribute)routeAttributes[0];
-            if (routeAttribute.Template != null)
-            {
-                _forbiddenPageRoute = routeAttribute.Template;
-            }
-        }
-
         if (!_onNavigateCalled)
         {
             _onNavigateCalled = true;
@@ -218,7 +187,6 @@ public void Dispose()
     {
         NavigationManager.LocationChanged -= OnLocationChanged;
         NavigationManager.OnNotFound -= OnNotFound;
-        NavigationManager.OnForbidden -= OnForbidden;
         if (HotReloadManager.Default.MetadataUpdateSupported)
         {
             HotReloadManager.Default.OnDeltaApplied -= ClearRouteCaches;
@@ -441,26 +409,6 @@ private void OnNotFound(object sender, NotFoundEventArgs args)
         }
     }
 
-    private void OnForbidden(object sender, ForbiddenEventArgs args)
-    {
-        bool renderContentIsProvided = ForbiddenPage != null || args.Path != null;
-        if (_renderHandle.IsInitialized && renderContentIsProvided)
-        {
-            if (!string.IsNullOrEmpty(args.Path))
-            {
-                // The path can be set by a subscriber not defined in blazor framework.
-                _renderHandle.Render(builder => RenderComponentByRoute(builder, args.Path));
-            }
-            else
-            {
-                // Having the path set signals to the endpoint renderer that router handled rendering.
-                args.Path = _forbiddenPageRoute;
-                RenderForbidden();
-            }
-            Log.DisplayingForbidden(_logger, args.Path);
-        }
-    }
-
     internal void RenderComponentByRoute(RenderTreeBuilder builder, string route)
     {
         var componentType = FindComponentTypeByRoute(route);
@@ -518,29 +466,6 @@ private void RenderNotFound()
         });
     }
 
-    private void RenderForbidden()
-    {
-        _renderHandle.Render(builder =>
-        {
-            if (ForbiddenPage != null)
-            {
-                builder.OpenComponent<RouteView>(0);
-                builder.AddAttribute(1, nameof(RouteView.RouteData),
-                    new RouteData(ForbiddenPage, _emptyParametersDictionary));
-                builder.CloseComponent();
-            }
-            else
-            {
-                DefaultForbiddenContent(builder);
-            }
-        });
-    }
-
-    private static void DefaultForbiddenContent(RenderTreeBuilder builder)
-    {
-        builder.AddContent(0, "Forbidden");
-    }
-
     async Task IHandleAfterRender.OnAfterRenderAsync()
     {
         if (!_navigationInterceptionEnabled)
@@ -570,9 +495,6 @@ private static partial class Log
 
         [LoggerMessage(4, LogLevel.Debug, $"Displaying contents of {{displayedContentPath}} on request", EventName = "DisplayingNotFoundOnRequest")]
         internal static partial void DisplayingNotFound(ILogger logger, string displayedContentPath);
-
-        [LoggerMessage(5, LogLevel.Debug, $"Displaying contents of {{displayedContentPath}} on forbidden request", EventName = "DisplayingForbiddenOnRequest")]
-        internal static partial void DisplayingForbidden(ILogger logger, string displayedContentPath);
 #pragma warning restore CS0618 // Type or member is obsolete
     }
 }
diff --git a/src/Components/Components/test/NavigationManagerTest.cs b/src/Components/Components/test/NavigationManagerTest.cs
index f793499503dd..3f6e680d0c8b 100644
--- a/src/Components/Components/test/NavigationManagerTest.cs
+++ b/src/Components/Components/test/NavigationManagerTest.cs
@@ -886,44 +886,6 @@ public void OnNotFoundSubscriptionIsTriggeredWhenNotFoundCalled()
         // Assert
         Assert.True(notFoundTriggered, "The OnNotFound event was not triggered as expected.");
     }
-
-    [Fact]
-    public void OnForbiddenSubscriptionIsTriggeredWhenForbiddenCalled()
-    {
-        // Arrange
-        var baseUri = "scheme://host/";
-        var testNavManager = new TestNavigationManager(baseUri);
-        bool forbiddenTriggered = false;
-        testNavManager.OnForbidden += (sender, args) => forbiddenTriggered = true;
-
-        // Simulate a component triggered Forbidden
-        testNavManager.Forbidden();
-
-        // Assert
-        Assert.True(forbiddenTriggered, "The OnForbidden event was not triggered as expected.");
-    }
-
-    [Fact]
-    public void OnForbiddenEventArgsPathCanBeSet()
-    {
-        // Arrange
-        var baseUri = "scheme://host/";
-        var testNavManager = new TestNavigationManager(baseUri);
-        ForbiddenEventArgs receivedArgs = null;
-
-        testNavManager.OnForbidden += (sender, args) =>
-        {
-            args.Path = "/forbidden-page";
-            receivedArgs = args;
-        };
-
-        // Simulate a component triggered Forbidden
-        testNavManager.Forbidden();
-
-        // Assert
-        Assert.NotNull(receivedArgs);
-        Assert.Equal("/forbidden-page", receivedArgs.Path);
-    }
  
     private class TestNavigationManager : NavigationManager
     {
diff --git a/src/Components/Components/test/Routing/RouterTest.cs b/src/Components/Components/test/Routing/RouterTest.cs
index cf36b757b40c..e3c7f5dafaae 100644
--- a/src/Components/Components/test/Routing/RouterTest.cs
+++ b/src/Components/Components/test/Routing/RouterTest.cs
@@ -488,210 +488,6 @@ await _renderer.Dispatcher.InvokeAsync(() =>
         Assert.Contains("No component found for route '/nonexistent-route'", exception.Message);
     }
 
-    [Fact]
-    public async Task OnForbidden_WithForbiddenPageSet_UsesForbiddenPage()
-    {
-        // Create a new router instance for this test to control Attach() timing
-        var services = new ServiceCollection();
-        var testNavManager = new TestNavigationManager();
-        services.AddSingleton<ILoggerFactory>(NullLoggerFactory.Instance);
-        services.AddSingleton<NavigationManager>(testNavManager);
-        services.AddSingleton<INavigationInterception, TestNavigationInterception>();
-        services.AddSingleton<IScrollToLocationHash, TestScrollToLocationHash>();
-        var serviceProvider = services.BuildServiceProvider();
-
-        var testRenderer = new TestRenderer(serviceProvider);
-        testRenderer.ShouldHandleExceptions = true;
-        var testRouter = (Router)testRenderer.InstantiateComponent<Router>();
-        testRouter.AppAssembly = Assembly.GetExecutingAssembly();
-        testRouter.Found = routeData => (builder) => builder.AddContent(0, $"Rendering route matching {routeData.PageType}");
-
-        var parameters = new Dictionary<string, object>
-        {
-            { nameof(Router.AppAssembly), typeof(RouterTest).Assembly },
-            { nameof(Router.ForbiddenPage), typeof(ForbiddenTestComponent) }
-        };
-
-        // Assign the root component ID which will call Attach()
-        testRenderer.AssignRootComponentId(testRouter);
-
-        // Act
-        await testRenderer.Dispatcher.InvokeAsync(() =>
-            testRouter.SetParametersAsync(ParameterView.FromDictionary(parameters)));
-
-        // Trigger the NavigationManager's OnForbidden event
-        await testRenderer.Dispatcher.InvokeAsync(() => testNavManager.TriggerForbidden());
-
-        // Assert
-        var lastBatch = testRenderer.Batches.Last();
-        var renderedFrame = lastBatch.ReferenceFrames.First();
-        Assert.Equal(RenderTreeFrameType.Component, renderedFrame.FrameType);
-        Assert.Equal(typeof(RouteView), renderedFrame.ComponentType);
-
-        // Verify that the RouteData contains the ForbiddenTestComponent
-        var routeViewFrame = lastBatch.ReferenceFrames.Skip(1).First();
-        Assert.Equal(RenderTreeFrameType.Attribute, routeViewFrame.FrameType);
-        var routeData = (RouteData)routeViewFrame.AttributeValue;
-        Assert.Equal(typeof(ForbiddenTestComponent), routeData.PageType);
-    }
-
-    [Fact]
-    public async Task OnForbidden_WithArgsPathSet_RendersComponentByRoute()
-    {
-        // Create a new router instance for this test to control Attach() timing
-        var services = new ServiceCollection();
-        var testNavManager = new TestNavigationManager();
-        services.AddSingleton<ILoggerFactory>(NullLoggerFactory.Instance);
-        services.AddSingleton<NavigationManager>(testNavManager);
-        services.AddSingleton<INavigationInterception, TestNavigationInterception>();
-        services.AddSingleton<IScrollToLocationHash, TestScrollToLocationHash>();
-        var serviceProvider = services.BuildServiceProvider();
-
-        var testRenderer = new TestRenderer(serviceProvider);
-        testRenderer.ShouldHandleExceptions = true;
-        var testRouter = (Router)testRenderer.InstantiateComponent<Router>();
-        testRouter.AppAssembly = Assembly.GetExecutingAssembly();
-        testRouter.Found = routeData => (builder) => builder.AddContent(0, $"Rendering route matching {routeData.PageType}");
-
-        var parameters = new Dictionary<string, object>
-        {
-            { nameof(Router.AppAssembly), typeof(RouterTest).Assembly }
-        };
-
-        // Subscribe to OnForbidden event BEFORE router attaches and set args.Path
-        testNavManager.OnForbidden += (sender, args) =>
-        {
-            args.Path = "/jan"; // Point to an existing route
-        };
-
-        // Assign the root component ID which will call Attach()
-        testRenderer.AssignRootComponentId(testRouter);
-
-        // Act
-        await testRenderer.Dispatcher.InvokeAsync(() =>
-            testRouter.SetParametersAsync(ParameterView.FromDictionary(parameters)));
-
-        // Trigger the NavigationManager's OnForbidden event
-        await testRenderer.Dispatcher.InvokeAsync(() => testNavManager.TriggerForbidden());
-
-        // Assert
-        var lastBatch = testRenderer.Batches.Last();
-        var renderedFrame = lastBatch.ReferenceFrames.First();
-        Assert.Equal(RenderTreeFrameType.Component, renderedFrame.FrameType);
-        Assert.Equal(typeof(RouteView), renderedFrame.ComponentType);
-
-        // Verify that the RouteData contains the correct component type
-        var routeViewFrame = lastBatch.ReferenceFrames.Skip(1).First();
-        Assert.Equal(RenderTreeFrameType.Attribute, routeViewFrame.FrameType);
-        var routeData = (RouteData)routeViewFrame.AttributeValue;
-        Assert.Equal(typeof(JanComponent), routeData.PageType);
-    }
-
-    [Fact]
-    public async Task OnForbidden_WithoutForbiddenPage_UsesDefaultContent()
-    {
-        // Create a new router instance for this test to control Attach() timing
-        var services = new ServiceCollection();
-        var testNavManager = new TestNavigationManager();
-        services.AddSingleton<ILoggerFactory>(NullLoggerFactory.Instance);
-        services.AddSingleton<NavigationManager>(testNavManager);
-        services.AddSingleton<INavigationInterception, TestNavigationInterception>();
-        services.AddSingleton<IScrollToLocationHash, TestScrollToLocationHash>();
-        var serviceProvider = services.BuildServiceProvider();
-
-        var testRenderer = new TestRenderer(serviceProvider);
-        testRenderer.ShouldHandleExceptions = true;
-        var testRouter = (Router)testRenderer.InstantiateComponent<Router>();
-        testRouter.AppAssembly = Assembly.GetExecutingAssembly();
-        testRouter.Found = routeData => (builder) => builder.AddContent(0, $"Rendering route matching {routeData.PageType}");
-
-        var parameters = new Dictionary<string, object>
-        {
-            { nameof(Router.AppAssembly), typeof(RouterTest).Assembly }
-        };
-
-        // Assign the root component ID which will call Attach()
-        testRenderer.AssignRootComponentId(testRouter);
-
-        // Act
-        await testRenderer.Dispatcher.InvokeAsync(() =>
-            testRouter.SetParametersAsync(ParameterView.FromDictionary(parameters)));
-
-        // Trigger the NavigationManager's OnForbidden event
-        // Without ForbiddenPage set, it should not render anything
-        await testRenderer.Dispatcher.InvokeAsync(() => testNavManager.TriggerForbidden());
-
-        // Assert - When ForbiddenPage is not set and no args.Path is provided, nothing is rendered
-        // The number of batches should remain the same (no new batch for forbidden content)
-        Assert.Single(testRenderer.Batches);
-    }
-
-    [Fact]
-    public async Task ForbiddenPage_RequiresRouteAttribute()
-    {
-        // Arrange
-        var services = new ServiceCollection();
-        services.AddSingleton<ILoggerFactory>(NullLoggerFactory.Instance);
-        services.AddSingleton<NavigationManager>(_navigationManager);
-        services.AddSingleton<INavigationInterception, TestNavigationInterception>();
-        services.AddSingleton<IScrollToLocationHash, TestScrollToLocationHash>();
-        var serviceProvider = services.BuildServiceProvider();
-
-        var renderer = new TestRenderer(serviceProvider);
-        renderer.ShouldHandleExceptions = true;
-        var router = (Router)renderer.InstantiateComponent<Router>();
-        router.AppAssembly = Assembly.GetExecutingAssembly();
-        router.Found = routeData => (builder) => builder.AddContent(0, $"Rendering route matching {routeData.PageType}");
-        renderer.AssignRootComponentId(router);
-
-        var parameters = new Dictionary<string, object>
-        {
-            { nameof(Router.AppAssembly), typeof(RouterTest).Assembly },
-            { nameof(Router.ForbiddenPage), typeof(ComponentWithoutRoute) }
-        };
-
-        // Act & Assert
-        var exception = await Assert.ThrowsAsync<InvalidOperationException>(async () =>
-            await renderer.Dispatcher.InvokeAsync(() =>
-                router.SetParametersAsync(ParameterView.FromDictionary(parameters))));
-
-        Assert.Contains("does not have a", exception.Message);
-        Assert.Contains("RouteAttribute", exception.Message);
-    }
-
-    [Fact]
-    public async Task ForbiddenPage_RequiresIComponentType()
-    {
-        // Arrange
-        var services = new ServiceCollection();
-        services.AddSingleton<ILoggerFactory>(NullLoggerFactory.Instance);
-        services.AddSingleton<NavigationManager>(_navigationManager);
-        services.AddSingleton<INavigationInterception, TestNavigationInterception>();
-        services.AddSingleton<IScrollToLocationHash, TestScrollToLocationHash>();
-        var serviceProvider = services.BuildServiceProvider();
-
-        var renderer = new TestRenderer(serviceProvider);
-        renderer.ShouldHandleExceptions = true;
-        var router = (Router)renderer.InstantiateComponent<Router>();
-        router.AppAssembly = Assembly.GetExecutingAssembly();
-        router.Found = routeData => (builder) => builder.AddContent(0, $"Rendering route matching {routeData.PageType}");
-        renderer.AssignRootComponentId(router);
-
-        var parameters = new Dictionary<string, object>
-        {
-            { nameof(Router.AppAssembly), typeof(RouterTest).Assembly },
-            { nameof(Router.ForbiddenPage), typeof(object) } // object does not implement IComponent
-        };
-
-        // Act & Assert
-        var exception = await Assert.ThrowsAsync<InvalidOperationException>(async () =>
-            await renderer.Dispatcher.InvokeAsync(() =>
-                router.SetParametersAsync(ParameterView.FromDictionary(parameters))));
-
-        Assert.Contains("does not implement", exception.Message);
-        Assert.Contains("IComponent", exception.Message);
-    }
-
     internal class TestNavigationManager : NavigationManager
     {
         public TestNavigationManager() =>
@@ -707,11 +503,6 @@ public void TriggerNotFound()
         {
             base.NotFound();
         }
-
-        public void TriggerForbidden()
-        {
-            base.Forbidden();
-        }
     }
 
     internal sealed class TestNavigationInterception : INavigationInterception
@@ -747,9 +538,4 @@ public class MultiSegmentRouteComponent : ComponentBase { }
     [Route("not-found")]
     public class NotFoundTestComponent : ComponentBase { }
 
-    [Route("forbidden")]
-    public class ForbiddenTestComponent : ComponentBase { }
-
-    public class ComponentWithoutRoute : ComponentBase { }
-
 }
diff --git a/src/Components/Endpoints/src/RazorComponentEndpointInvoker.cs b/src/Components/Endpoints/src/RazorComponentEndpointInvoker.cs
index 94a6dae82aac..22119d0522c9 100644
--- a/src/Components/Endpoints/src/RazorComponentEndpointInvoker.cs
+++ b/src/Components/Endpoints/src/RazorComponentEndpointInvoker.cs
@@ -135,11 +135,6 @@ await _renderer.InitializeStandardComponentServicesAsync(
             _renderer.SetNotFoundWhenResponseNotStarted();
         }
 
-        if (_renderer.ForbiddenEventArgs != null)
-        {
-            _renderer.SetForbiddenWhenResponseNotStarted();
-        }
-
         if (!quiesceTask.IsCompleted)
         {
             // An incomplete QuiescenceTask indicates there may be streaming rendering updates.
@@ -172,10 +167,6 @@ await _renderer.InitializeStandardComponentServicesAsync(
             {
                 await _renderer.SetNotFoundWhenResponseHasStarted();
             }
-            if (_renderer.ForbiddenEventArgs != null)
-            {
-                await _renderer.SetForbiddenWhenResponseHasStarted();
-            }
         }
         else
         {
@@ -200,17 +191,6 @@ await _renderer.InitializeStandardComponentServicesAsync(
             return;
         }
 
-        if (context.Response.StatusCode == StatusCodes.Status403Forbidden &&
-            !isReExecuted &&
-            string.IsNullOrEmpty(_renderer.ForbiddenEventArgs?.Path))
-        {
-            // Router did not handle the Forbidden event, otherwise ForbiddenEventArgs.Path would not be empty.
-            // Don't flush the response if we have an unhandled 403 rendering
-            // This will allow the StatusCodePages middleware to re-execute the request
-            context.Response.ContentType = null;
-            return;
-        }
-
         // Invoke FlushAsync to ensure any buffered content is asynchronously written to the underlying
         // response asynchronously. In the absence of this line, the buffer gets synchronously written to the
         // response as part of the Dispose which has a perf impact.
diff --git a/src/Components/Endpoints/src/Rendering/EndpointHtmlRenderer.EventDispatch.cs b/src/Components/Endpoints/src/Rendering/EndpointHtmlRenderer.EventDispatch.cs
index 5605ea0e033c..a06d3e66d622 100644
--- a/src/Components/Endpoints/src/Rendering/EndpointHtmlRenderer.EventDispatch.cs
+++ b/src/Components/Endpoints/src/Rendering/EndpointHtmlRenderer.EventDispatch.cs
@@ -108,35 +108,6 @@ internal async Task SetNotFoundWhenResponseHasStarted()
         SignalRendererToFinishRendering();
     }
 
-    internal void SetForbiddenWhenResponseNotStarted()
-    {
-        _httpContext.Response.StatusCode = StatusCodes.Status403Forbidden;
-
-        // When the application triggers a Forbidden event, we continue rendering the current batch.
-        // However, after completing this batch, we do not want to process any further UI updates,
-        // as we are going to return a 403 status and discard the UI updates generated so far.
-        SignalRendererToFinishRendering();
-    }
-
-    internal async Task SetForbiddenWhenResponseHasStarted()
-    {
-        if (string.IsNullOrEmpty(_forbiddenUrl))
-        {
-            var baseUri = $"{_httpContext.Request.Scheme}://{_httpContext.Request.Host}{_httpContext.Request.PathBase}/";
-            _forbiddenUrl = GetForbiddenUrl(baseUri, ForbiddenEventArgs);
-        }
-        var defaultBufferSize = 16 * 1024;
-        await using var writer = new HttpResponseStreamWriter(_httpContext.Response.Body, Encoding.UTF8, defaultBufferSize, ArrayPool<byte>.Shared, ArrayPool<char>.Shared);
-        using var bufferWriter = new BufferedTextWriter(writer);
-        HandleForbiddenAfterResponseStarted(bufferWriter, _httpContext, _forbiddenUrl);
-        await bufferWriter.FlushAsync();
-
-        // When the application triggers a Forbidden event, we continue rendering the current batch.
-        // However, after completing this batch, we do not want to process any further UI updates,
-        // as we are going to return a 403 status and discard the UI updates generated so far.
-        SignalRendererToFinishRendering();
-    }
-
     private string GetNotFoundUrl(string baseUri, NotFoundEventArgs? args)
     {
         string? path = args?.Path;
@@ -153,22 +124,6 @@ private string GetNotFoundUrl(string baseUri, NotFoundEventArgs? args)
         return $"{baseUri}{path.TrimStart('/')}";
     }
 
-    private string GetForbiddenUrl(string baseUri, ForbiddenEventArgs? args)
-    {
-        string? path = args?.Path;
-        if (string.IsNullOrEmpty(path))
-        {
-            var pathFormat = _httpContext.Items[nameof(StatusCodePagesOptions)] as string;
-            if (string.IsNullOrEmpty(pathFormat))
-            {
-                throw new InvalidOperationException($"The {nameof(Router.ForbiddenPage)} route must be specified or re-execution middleware has to be set to render forbidden content.");
-            }
-
-            path = pathFormat;
-        }
-        return $"{baseUri}{path.TrimStart('/')}";
-    }
-
     private async Task OnNavigateTo(string uri)
     {
         if (_httpContext.Response.HasStarted)
diff --git a/src/Components/Endpoints/src/Rendering/EndpointHtmlRenderer.Streaming.cs b/src/Components/Endpoints/src/Rendering/EndpointHtmlRenderer.Streaming.cs
index 4c9174917696..50728a8c3271 100644
--- a/src/Components/Endpoints/src/Rendering/EndpointHtmlRenderer.Streaming.cs
+++ b/src/Components/Endpoints/src/Rendering/EndpointHtmlRenderer.Streaming.cs
@@ -231,12 +231,6 @@ private static void HandleNotFoundAfterResponseStarted(TextWriter writer, HttpCo
         WriteResponseTemplate(writer, httpContext, notFoundUrl, useEnhancedNav: true);
     }
 
-    private static void HandleForbiddenAfterResponseStarted(TextWriter writer, HttpContext httpContext, string forbiddenUrl)
-    {
-        writer.Write("<blazor-ssr><template type=\"forbidden\"");
-        WriteResponseTemplate(writer, httpContext, forbiddenUrl, useEnhancedNav: true);
-    }
-
     private static void HandleNavigationAfterResponseStarted(TextWriter writer, HttpContext httpContext, string destinationUrl)
     {
         writer.Write("<blazor-ssr><template type=\"redirection\"");
diff --git a/src/Components/Endpoints/src/Rendering/EndpointHtmlRenderer.cs b/src/Components/Endpoints/src/Rendering/EndpointHtmlRenderer.cs
index 5bb927ab072b..ac24baa2f7d5 100644
--- a/src/Components/Endpoints/src/Rendering/EndpointHtmlRenderer.cs
+++ b/src/Components/Endpoints/src/Rendering/EndpointHtmlRenderer.cs
@@ -53,7 +53,6 @@ internal partial class EndpointHtmlRenderer : StaticHtmlRenderer, IComponentPrer
     private readonly List<Task> _nonStreamingPendingTasks = new();
 
     private string _notFoundUrl = string.Empty;
-    private string _forbiddenUrl = string.Empty;
 
     public EndpointHtmlRenderer(IServiceProvider serviceProvider, ILoggerFactory loggerFactory)
         : base(serviceProvider, loggerFactory)
@@ -65,7 +64,6 @@ public EndpointHtmlRenderer(IServiceProvider serviceProvider, ILoggerFactory log
 
     internal HttpContext? HttpContext => _httpContext;
     internal NotFoundEventArgs? NotFoundEventArgs { get; private set; }
-    internal ForbiddenEventArgs? ForbiddenEventArgs { get; private set; }
 
     internal void SetHttpContext(HttpContext httpContext)
     {
@@ -92,7 +90,6 @@ internal async Task InitializeStandardComponentServicesAsync(
             uri => GetErrorHandledTask(OnNavigateTo(uri)));
 
         navigationManager?.OnNotFound += (sender, args) => NotFoundEventArgs = args;
-        navigationManager?.OnForbidden += (sender, args) => ForbiddenEventArgs = args;
 
         var authenticationStateProvider = httpContext.RequestServices.GetService<AuthenticationStateProvider>();
         if (authenticationStateProvider is IHostEnvironmentAuthenticationStateProvider hostEnvironmentAuthenticationStateProvider)

From 1a6bcee171bf2a7d9967062e524d5da93ff31e6f Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 4 Dec 2025 10:06:53 +0000
Subject: [PATCH 6/7] Add unit tests, E2E tests, and test infrastructure for
 NotAuthorizedPage

Co-authored-by: javiercn <6995051+javiercn@users.noreply.github.com>
---
 .../test/AuthorizeRouteViewTest.cs            | 75 +++++++++++++++++++
 src/Components/test/E2ETest/Tests/AuthTest.cs | 19 +++++
 .../AuthHomeWithNotAuthorizedPage.razor       |  7 ++
 .../AuthRouterWithNotAuthorizedPage.razor     | 33 ++++++++
 .../AuthTest/NotAuthorizedPage.razor          |  4 +
 .../test/testassets/BasicTestApp/Index.razor  |  1 +
 6 files changed, 139 insertions(+)
 create mode 100644 src/Components/test/testassets/BasicTestApp/AuthTest/AuthHomeWithNotAuthorizedPage.razor
 create mode 100644 src/Components/test/testassets/BasicTestApp/AuthTest/AuthRouterWithNotAuthorizedPage.razor
 create mode 100644 src/Components/test/testassets/BasicTestApp/AuthTest/NotAuthorizedPage.razor

diff --git a/src/Components/Authorization/test/AuthorizeRouteViewTest.cs b/src/Components/Authorization/test/AuthorizeRouteViewTest.cs
index 912301e8b893..a76cf31f7ed5 100644
--- a/src/Components/Authorization/test/AuthorizeRouteViewTest.cs
+++ b/src/Components/Authorization/test/AuthorizeRouteViewTest.cs
@@ -367,6 +367,73 @@ public void UpdatesOutputWhenRouteDataChanges()
             });
     }
 
+    [Fact]
+    public void WhenNotAuthorized_RendersNotAuthorizedPageInsideLayout()
+    {
+        // Arrange
+        var routeData = new RouteData(typeof(TestPageRequiringAuthorization), EmptyParametersDictionary);
+        _testAuthorizationService.NextResult = AuthorizationResult.Failed();
+
+        // Act
+        _renderer.RenderRootComponent(_authorizeRouteViewComponentId, ParameterView.FromDictionary(new Dictionary<string, object>
+            {
+                { nameof(AuthorizeRouteView.RouteData), routeData },
+                { nameof(AuthorizeRouteView.DefaultLayout), typeof(TestLayout) },
+                { nameof(AuthorizeRouteView.NotAuthorizedPage), typeof(TestNotAuthorizedPage) },
+            }));
+
+        // Assert: renders layout containing the NotAuthorizedPage component
+        var batch = _renderer.Batches.Single();
+        var layoutDiff = batch.GetComponentDiffs<TestLayout>().Single();
+        Assert.Collection(layoutDiff.Edits,
+            edit => AssertPrependText(batch, edit, "Layout starts here"),
+            edit =>
+            {
+                Assert.Equal(RenderTreeEditType.PrependFrame, edit.Type);
+                AssertFrame.Component<TestNotAuthorizedPage>(batch.ReferenceFrames[edit.ReferenceFrameIndex]);
+            },
+            edit => AssertPrependText(batch, edit, "Layout ends here"));
+
+        // Assert: renders the not authorized page content
+        var pageDiff = batch.GetComponentDiffs<TestNotAuthorizedPage>().Single();
+        Assert.Collection(pageDiff.Edits,
+            edit => AssertPrependText(batch, edit, "This is the not authorized page"));
+    }
+
+    [Fact]
+    public void WhenNotAuthorized_NotAuthorizedPageTakesPriorityOverNotAuthorizedContent()
+    {
+        // Arrange: set both NotAuthorizedPage and NotAuthorized content
+        var routeData = new RouteData(typeof(TestPageRequiringAuthorization), EmptyParametersDictionary);
+        _testAuthorizationService.NextResult = AuthorizationResult.Failed();
+        _authenticationStateProvider.CurrentAuthStateTask = Task.FromResult(new AuthenticationState(
+            new ClaimsPrincipal(new TestIdentity { Name = "Bert" })));
+
+        RenderFragment<AuthenticationState> customNotAuthorized =
+            state => builder => builder.AddContent(0, $"Go away, {state.User.Identity.Name}");
+
+        // Act
+        _renderer.RenderRootComponent(_authorizeRouteViewComponentId, ParameterView.FromDictionary(new Dictionary<string, object>
+            {
+                { nameof(AuthorizeRouteView.RouteData), routeData },
+                { nameof(AuthorizeRouteView.DefaultLayout), typeof(TestLayout) },
+                { nameof(AuthorizeRouteView.NotAuthorizedPage), typeof(TestNotAuthorizedPage) },
+                { nameof(AuthorizeRouteView.NotAuthorized), customNotAuthorized },
+            }));
+
+        // Assert: renders layout containing the NotAuthorizedPage component (not the custom content)
+        var batch = _renderer.Batches.Single();
+        var layoutDiff = batch.GetComponentDiffs<TestLayout>().Single();
+        Assert.Collection(layoutDiff.Edits,
+            edit => AssertPrependText(batch, edit, "Layout starts here"),
+            edit =>
+            {
+                Assert.Equal(RenderTreeEditType.PrependFrame, edit.Type);
+                AssertFrame.Component<TestNotAuthorizedPage>(batch.ReferenceFrames[edit.ReferenceFrameIndex]);
+            },
+            edit => AssertPrependText(batch, edit, "Layout ends here"));
+    }
+
     private static void AssertPrependText(CapturedBatch batch, RenderTreeEdit edit, string text)
     {
         Assert.Equal(RenderTreeEditType.PrependFrame, edit.Type);
@@ -387,6 +454,14 @@ protected override void BuildRenderTree(RenderTreeBuilder builder)
         }
     }
 
+    class TestNotAuthorizedPage : ComponentBase
+    {
+        protected override void BuildRenderTree(RenderTreeBuilder builder)
+        {
+            builder.AddContent(0, "This is the not authorized page");
+        }
+    }
+
     class TestLayout : LayoutComponentBase
     {
         protected override void BuildRenderTree(RenderTreeBuilder builder)
diff --git a/src/Components/test/E2ETest/Tests/AuthTest.cs b/src/Components/test/E2ETest/Tests/AuthTest.cs
index e1f0fc12cada..519a9196e009 100644
--- a/src/Components/test/E2ETest/Tests/AuthTest.cs
+++ b/src/Components/test/E2ETest/Tests/AuthTest.cs
@@ -220,6 +220,16 @@ public void Router_RequireRole_NotAuthorized()
         AssertExpectedLayoutUsed();
     }
 
+    [Fact]
+    public void AuthorizeRouteView_NotAuthorizedPage_DisplaysPage()
+    {
+        SignInAs(null, null);
+        var appElement = MountAndNavigateToAuthTestWithNotAuthorizedPage(PageRequiringAuthorization);
+        Browser.Equal("You are not authorized to access this resource. This is the NotAuthorizedPage component.", () =>
+            appElement.FindElement(By.CssSelector("#not-authorized-page-content")).Text);
+        AssertExpectedLayoutUsed();
+    }
+
     private void AssertExpectedLayoutUsed()
     {
         Browser.Exists(By.Id("auth-links"));
@@ -234,6 +244,15 @@ protected IWebElement MountAndNavigateToAuthTest(string authLinkText)
         return appElement;
     }
 
+    protected IWebElement MountAndNavigateToAuthTestWithNotAuthorizedPage(string authLinkText)
+    {
+        Navigate(ServerPathBase);
+        var appElement = Browser.MountTestComponent<BasicTestApp.AuthTest.AuthRouterWithNotAuthorizedPage>();
+        Browser.Exists(By.Id("auth-links"));
+        appElement.FindElement(By.LinkText(authLinkText)).Click();
+        return appElement;
+    }
+
     private void SignInAs(string userName, string roles, bool useSeparateTab = false) =>
         Browser.SignInAs(new Uri(_serverFixture.RootUri, "/subdir"), userName, roles, useSeparateTab);
 }
diff --git a/src/Components/test/testassets/BasicTestApp/AuthTest/AuthHomeWithNotAuthorizedPage.razor b/src/Components/test/testassets/BasicTestApp/AuthTest/AuthHomeWithNotAuthorizedPage.razor
new file mode 100644
index 000000000000..bc0b0f6b7175
--- /dev/null
+++ b/src/Components/test/testassets/BasicTestApp/AuthTest/AuthHomeWithNotAuthorizedPage.razor
@@ -0,0 +1,7 @@
+@page "/AuthHomeWithNotAuthorizedPage"
+
+<p>This router uses NotAuthorizedPage for unauthorized access. Select an auth test below.</p>
+
+<p id="auth-links">
+    <a href="PageRequiringAuthorization">Page requiring authorization</a>
+</p>
diff --git a/src/Components/test/testassets/BasicTestApp/AuthTest/AuthRouterWithNotAuthorizedPage.razor b/src/Components/test/testassets/BasicTestApp/AuthTest/AuthRouterWithNotAuthorizedPage.razor
new file mode 100644
index 000000000000..a7a67daeaad5
--- /dev/null
+++ b/src/Components/test/testassets/BasicTestApp/AuthTest/AuthRouterWithNotAuthorizedPage.razor
@@ -0,0 +1,33 @@
+@using Microsoft.AspNetCore.Components.Authorization
+@using Microsoft.AspNetCore.Components.Routing
+@inject NavigationManager NavigationManager
+
+@*
+    This router is independent of any other router that may exist within the same project.
+    It exists to test the AuthorizeRouteView.NotAuthorizedPage feature.
+*@
+
+<Router AppAssembly="@typeof(BasicTestApp.Program).Assembly">
+    <Found Context="routeData">
+        <AuthorizeRouteView RouteData="@routeData" DefaultLayout="@typeof(AuthRouterLayout)"
+                            NotAuthorizedPage="@typeof(NotAuthorizedPage)">
+            <Authorizing>Authorizing...</Authorizing>
+        </AuthorizeRouteView>
+    </Found>
+    <NotFound>
+        <p>There's nothing here</p>
+    </NotFound>
+</Router>
+
+@code {
+    protected override void OnInitialized()
+    {
+        // Start at AuthHomeWithNotAuthorizedPage, not at any other component in the same app
+        var absoluteUriPath = new Uri(NavigationManager.Uri).GetLeftPart(UriPartial.Path);
+        var relativeUri = NavigationManager.ToBaseRelativePath(absoluteUriPath);
+        if (relativeUri == string.Empty)
+        {
+            NavigationManager.NavigateTo("AuthHomeWithNotAuthorizedPage");
+        }
+    }
+}
diff --git a/src/Components/test/testassets/BasicTestApp/AuthTest/NotAuthorizedPage.razor b/src/Components/test/testassets/BasicTestApp/AuthTest/NotAuthorizedPage.razor
new file mode 100644
index 000000000000..6d78e4dddcd4
--- /dev/null
+++ b/src/Components/test/testassets/BasicTestApp/AuthTest/NotAuthorizedPage.razor
@@ -0,0 +1,4 @@
+@page "/not-authorized-page"
+<div id="not-authorized-page-content">
+    You are not authorized to access this resource. This is the NotAuthorizedPage component.
+</div>
diff --git a/src/Components/test/testassets/BasicTestApp/Index.razor b/src/Components/test/testassets/BasicTestApp/Index.razor
index f9cc718f7ca1..4b872f8a7adc 100644
--- a/src/Components/test/testassets/BasicTestApp/Index.razor
+++ b/src/Components/test/testassets/BasicTestApp/Index.razor
@@ -11,6 +11,7 @@
         <option value="BasicTestApp.AfterRenderInteropComponent">After-render interop component</option>
         <option value="BasicTestApp.AsyncEventHandlerComponent">Async event handlers</option>
         <option value="BasicTestApp.AuthTest.AuthRouter">Auth cases</option>
+        <option value="BasicTestApp.AuthTest.AuthRouterWithNotAuthorizedPage">Auth cases with NotAuthorizedPage</option>
         <option value="BasicTestApp.AuthTest.CascadingAuthenticationStateParent">Cascading authentication state</option>
         <option value="BasicTestApp.BindCasesComponent">bind cases</option>
         <option value="BasicTestApp.CascadingValueTest.CascadingValueSupplier">Cascading values</option>

From 0fa988ed880085dea7074b63302da86fd499cec6 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 4 Dec 2025 10:12:11 +0000
Subject: [PATCH 7/7] Add IComponent validation and improve documentation for
 NotAuthorizedPage

Co-authored-by: javiercn <6995051+javiercn@users.noreply.github.com>
---
 .../Authorization/src/AuthorizeRouteView.cs   |  8 ++++++-
 .../test/AuthorizeRouteViewTest.cs            | 22 +++++++++++++++++++
 2 files changed, 29 insertions(+), 1 deletion(-)

diff --git a/src/Components/Authorization/src/AuthorizeRouteView.cs b/src/Components/Authorization/src/AuthorizeRouteView.cs
index 1f1284483b74..2521957b86d7 100644
--- a/src/Components/Authorization/src/AuthorizeRouteView.cs
+++ b/src/Components/Authorization/src/AuthorizeRouteView.cs
@@ -53,7 +53,7 @@ public AuthorizeRouteView()
 
     /// <summary>
     /// The page type that will be displayed if the user is not authorized.
-    /// The page type must implement <see cref="IComponent"/> and have a <see cref="RouteAttribute"/>.
+    /// The page type must implement <see cref="IComponent"/>.
     /// </summary>
     [Parameter]
     [DynamicallyAccessedMembers(DynamicallyAccessedMemberTypes.All)]
@@ -121,6 +121,12 @@ private void RenderNotAuthorizedInDefaultLayout(RenderTreeBuilder builder, Authe
     {
         if (NotAuthorizedPage is not null)
         {
+            if (!typeof(IComponent).IsAssignableFrom(NotAuthorizedPage))
+            {
+                throw new InvalidOperationException($"The type {NotAuthorizedPage.FullName} " +
+                    $"does not implement {typeof(IComponent).FullName}.");
+            }
+
             RenderPageInDefaultLayout(builder, NotAuthorizedPage);
         }
         else
diff --git a/src/Components/Authorization/test/AuthorizeRouteViewTest.cs b/src/Components/Authorization/test/AuthorizeRouteViewTest.cs
index a76cf31f7ed5..678a01521bdf 100644
--- a/src/Components/Authorization/test/AuthorizeRouteViewTest.cs
+++ b/src/Components/Authorization/test/AuthorizeRouteViewTest.cs
@@ -434,6 +434,28 @@ public void WhenNotAuthorized_NotAuthorizedPageTakesPriorityOverNotAuthorizedCon
             edit => AssertPrependText(batch, edit, "Layout ends here"));
     }
 
+    [Fact]
+    public void WhenNotAuthorized_ThrowsForInvalidNotAuthorizedPageType()
+    {
+        // Arrange: set NotAuthorizedPage to a type that doesn't implement IComponent
+        var routeData = new RouteData(typeof(TestPageRequiringAuthorization), EmptyParametersDictionary);
+        _testAuthorizationService.NextResult = AuthorizationResult.Failed();
+
+        // Act & Assert
+        var exception = Assert.Throws<InvalidOperationException>(() =>
+        {
+            _renderer.RenderRootComponent(_authorizeRouteViewComponentId, ParameterView.FromDictionary(new Dictionary<string, object>
+            {
+                { nameof(AuthorizeRouteView.RouteData), routeData },
+                { nameof(AuthorizeRouteView.DefaultLayout), typeof(TestLayout) },
+                { nameof(AuthorizeRouteView.NotAuthorizedPage), typeof(string) }, // string doesn't implement IComponent
+            }));
+        });
+
+        Assert.Contains("does not implement", exception.Message);
+        Assert.Contains("IComponent", exception.Message);
+    }
+
     private static void AssertPrependText(CapturedBatch batch, RenderTreeEdit edit, string text)
     {
         Assert.Equal(RenderTreeEditType.PrependFrame, edit.Type);