diff --git a/samples/Balosar/Balosar.Client/Program.cs b/samples/Balosar/Balosar.Client/Program.cs
index ff436acf8..77e472b78 100644
--- a/samples/Balosar/Balosar.Client/Program.cs
+++ b/samples/Balosar/Balosar.Client/Program.cs
@@ -30,7 +30,13 @@ public static Task Main(string[] args)
                 options.ProviderOptions.ClientId = "balosar-blazor-client";
                 options.ProviderOptions.Authority = "https://localhost:44310/";
                 options.ProviderOptions.ResponseType = "code";
-                options.ProviderOptions.ResponseMode = "fragment";
+
+                // Note: response_mode=fragment is the best option for a SPA. Unfortunately, the Blazor WASM
+                // authentication stack is impacted by a bug that prevents it from correctly extracting
+                // authorization error responses (e.g error=access_denied responses) from the URL fragment.
+                // For more information about this bug, visit https://github.com/dotnet/aspnetcore/issues/28344.
+                //
+                options.ProviderOptions.ResponseMode = "query";
                 options.AuthenticationPaths.RemoteRegisterPath = "https://localhost:44310/Identity/Account/Register";
             });