From 121411a6116e36b40ebf840ff509b6d66c5d8bf5 Mon Sep 17 00:00:00 2001 From: wadepickett Date: Fri, 8 Aug 2025 13:03:27 -0700 Subject: [PATCH] WN: Prev7: Add include: Avoid Cookie Login on API endpoint --- .../includes/avoid-cookie-login-redirects.md | 36 +++++++++++++++++++ 1 file changed, 36 insertions(+) create mode 100644 aspnetcore/release-notes/aspnetcore-10/includes/avoid-cookie-login-redirects.md diff --git a/aspnetcore/release-notes/aspnetcore-10/includes/avoid-cookie-login-redirects.md b/aspnetcore/release-notes/aspnetcore-10/includes/avoid-cookie-login-redirects.md new file mode 100644 index 000000000000..bed7a85bad6c --- /dev/null +++ b/aspnetcore/release-notes/aspnetcore-10/includes/avoid-cookie-login-redirects.md 
@@ -0,0 +1,36 @@ +### Avoid cookie login redirects for known API endpoints + +By default, unauthenticated and unauthorized requests made to known API endpoints protected by cookie authentication now result in 401 and 403 responses rather than redirecting to a login or access denied URI. + +This change was [highly requested](https://github.com/dotnet/aspnetcore/issues/9039), because redirecting unauthenticated requests to a login page doesn't usually make sense for API endpoints which typically rely on 401 and 403 status codes rather than HTML redirects to communicate auth failures. + +Known API [Endpoints](https://learn.microsoft.com/aspnet/core/fundamentals/routing) are identified using the new `IApiEndpointMetadata` interface, and metadata implementing the new interface has been added automatically to the following: + +- `[ApiController]` endpoints +- Minimal API endpoints that read JSON request bodies or write JSON responses +- Endpoints using `TypedResults` return types +- SignalR endpoints + +When `IApiEndpointMetadata` is present, the cookie authentication handler now returns appropriate HTTP status codes (401 for unauthenticated requests, 403 for forbidden requests) instead of redirecting. 
+ +If you want to prevent this new behavior, and always redirect to the login and access denied URIs for unauthenticated or unauthorized requests regardless of the target endpoint, you can override the `RedirectToLogin` and `RedirectToAccessDenied` events as follows: + +```csharp +builder.Services.AddAuthentication() + .AddCookie(options => + { + options.Events.OnRedirectToLogin = context => + { + context.Response.Redirect(context.RedirectUri); + return Task.CompletedTask; + }; + + options.Events.OnRedirectToAccessDenied = context => + { + context.Response.Redirect(context.RedirectUri); + return Task.CompletedTask; + }; + }); +``` + +For more information about this breaking change, see [ASP.NET Core breaking changes announcement](https://github.com/aspnet/Announcements/issues/525). \ No newline at end of file
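Review bot: The prose and the code sample in this hunk disagree on the event names: the sentence introducing the snippet says to override the `RedirectToLogin` and `RedirectToAccessDenied` events, but the code assigns `options.Events.OnRedirectToLogin` and `options.Events.OnRedirectToAccessDenied`. Since readers will search for the name they see in the prose, rename them in the sentence to match the properties actually set, e.g. "you can override the `OnRedirectToLogin` and `OnRedirectToAccessDenied` events as follows:". Two smaller points: the new file ends with "No newline at end of file", which the repo's markdown linting is likely to flag, so add a trailing newline; and the opt-out paragraph only shows how to restore redirects for every endpoint, so it would help to state explicitly that the 401/403 behavior applies only to endpoints carrying `IApiEndpointMetadata` (the four cases listed above), so that readers do not assume every cookie-protected endpoint has stopped redirecting.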