Add documentation for .NET 10 API endpoint authentication behavior changes #35895
Co-authored-by: wadepickett <10985336+wadepickett@users.noreply.github.com>
Update the PR based on this additional instruction:
The placement of the new api-endpoint-auth.md include does not follow the updated guidance.
Please update the PR as follows:
- Do not place the include at the very top or very bottom of the file.
- Insert the include after the introductory/contextual paragraphs and before the first major heading or section (such as a list of return types or code/configuration sections).
- If the file has a section specifically about authentication, responses, or API behavior, place the include at the start of that section.
- Ensure the include is in the natural reading flow, after the context/intent is established but before technical details.
- If unsure, place the include after any “not latest version” banners and after the first paragraph introducing the main topic, but before technical/code content.
…back Co-authored-by: wadepickett <10985336+wadepickett@users.noreply.github.com>
Updated the placement of the API endpoint authentication include based on your guidance. Changes made:
The other two files (cookie.md and web-api/index.md) already had good placement following the guidelines. Fixed in commit f99f5dd.
Updated the placement of the API endpoint authentication include following your updated guidance. The include is now positioned after introductory/contextual paragraphs and before major sections in all files. Fixed in commit f99f5dd.
Moved include for api-endpoint-auth further below the intro
Moved include to within .NET 10 moniker range.
Moved include to moniker range 10
Moved include to version 10 moniker range.
fixed moniker range authn-and-authz.md
Co-authored-by: wadepickett <10985336+wadepickett@users.noreply.github.com>
Added the API endpoint authentication behavior document to the TOC under Security > Authentication section, positioned after the cookie authentication entry since it's specifically about cookie authentication behavior for APIs. Commit 636a0e5.
Fixes #35894.
This PR adds comprehensive documentation for a significant authentication behavior change introduced in ASP.NET Core 10, where known API endpoints no longer redirect to login pages when using cookie authentication.
Changes Made
New Documentation:
- aspnetcore/security/authentication/api-endpoint-auth.md - A comprehensive guide explaining the new behavior, why it was needed, and how it works
- aspnetcore/includes/api-endpoint-auth.md - A reusable important notice that can be referenced across multiple topics

Updated Topics:
The include notice has been added to four key documentation files where this behavior change is most relevant:
- aspnetcore/security/authentication/cookie.md - Cookie authentication documentation
- aspnetcore/web-api/index.md - Web API overview
- aspnetcore/fundamentals/minimal-apis/responses.md - Minimal API responses
- aspnetcore/signalr/authn-and-authz.md - SignalR authentication

Table of Contents:
What This Addresses
In previous versions of ASP.NET Core, API endpoints using cookie authentication would incorrectly redirect unauthenticated requests to login pages (returning 302 status codes), which is inappropriate for programmatic API access. Starting with ASP.NET Core 10, the framework automatically detects API endpoints and returns proper 401/403 status codes instead, while continuing to redirect web pages to login pages as expected.
The new documentation explains:
Fixes #35894.
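The status-code behavior described above, written out explicitly for an app on an earlier ASP.NET Core version. This is an added example, not code from this PR or from the ASP.NET Core docs. The `/api` path prefix, the `/login` and `/denied` paths, the sample routes and the `ChallengeOrRedirect` helper are assumptions, and the path check is not how ASP.NET Core 10 identifies API endpoints.

```csharp
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;

var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(options =>
    {
        options.LoginPath = "/login";          // assumed path
        options.AccessDeniedPath = "/denied";  // assumed path

        // Unauthenticated request: 401 for API callers, 302 to the login page for browsers.
        options.Events.OnRedirectToLogin = ctx =>
            ChallengeOrRedirect(ctx, StatusCodes.Status401Unauthorized);

        // Authenticated but not authorized: 403 for API callers, 302 otherwise.
        options.Events.OnRedirectToAccessDenied = ctx =>
            ChallengeOrRedirect(ctx, StatusCodes.Status403Forbidden);
    });
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Sample routes (constructed for this example).
app.MapGet("/api/orders", () => Results.Ok(new[] { "order-1" })).RequireAuthorization();
app.MapGet("/account", () => "Account page").RequireAuthorization();
app.MapGet("/login", () => "Login page");
app.MapGet("/denied", () => "Access denied");

app.Run();

// Hypothetical helper: treats anything under /api as a programmatic endpoint.
static Task ChallengeOrRedirect(RedirectContext<CookieAuthenticationOptions> ctx, int apiStatusCode)
{
    if (ctx.Request.Path.StartsWithSegments("/api"))
    {
        // A status code with no Location header lets the client handle the failure itself.
        ctx.Response.StatusCode = apiStatusCode;
    }
    else
    {
        // Same redirect the cookie handler would otherwise issue.
        ctx.Response.Redirect(ctx.RedirectUri);
    }
    return Task.CompletedTask;
}
```

With this configuration, an unauthenticated GET to `/api/orders` returns 401 and a GET to `/account` returns a 302 to `/login`.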