dotnet · guardrex · Jun 9, 2025 · Jun 4, 2025 · Jun 4, 2025 · Jun 5, 2025
diff --git a/aspnetcore/blazor/call-web-api.md b/aspnetcore/blazor/call-web-api.md
@@ -60,7 +60,7 @@ In the app's `Program` file, call:
 <!-- UPDATE 10.0 - Missing API doc for 'AddDownstreamApi' -->
 
 * <xref:Microsoft.Identity.Web.MicrosoftIdentityWebApiAuthenticationBuilder.EnableTokenAcquisitionToCallDownstreamApi%2A>: Enables token acquisition to call web APIs.
-* `AddDownstreamApi`: Adds a named downstream web service related to a specific configuration section.
+* `AddDownstreamApi`: Microsoft Identity Web packages provide API to create a named downstream web service for making web API calls. <xref:Microsoft.Identity.Abstractions.IDownstreamApi> is injected into a server-side class, which is used to call <xref:Microsoft.Identity.Abstractions.IDownstreamApi.CallApiForUserAsync%2A> to obtain weather data from an external web API (`MinimalApiJwt` project).
 * <xref:Microsoft.Identity.Web.TokenCacheProviders.Distributed.DistributedTokenCacheAdapterExtension.AddDistributedTokenCaches%2A>: Adds the .NET Core distributed token caches to the service collection.
 * <xref:Microsoft.Extensions.DependencyInjection.MemoryCacheServiceCollectionExtensions.AddDistributedMemoryCache%2A>: Adds a default implementation of <xref:Microsoft.Extensions.Caching.Distributed.IDistributedCache> that stores cache items in memory.
 * Configure the distributed token cache options (<xref:Microsoft.Identity.Web.TokenCacheProviders.Distributed.MsalDistributedTokenCacheAdapterOptions>):
@@ -234,6 +234,7 @@ This approach is used by the `BlazorWebAppEntra` and `BlazorWebAppEntraBff` samp
 For more information, see the following resources:
 
 * [Web API documentation | Microsoft identity platform](/entra/identity-platform/index-web-api)
+* [A web API that calls web APIs: Call an API: Option 2: Call a downstream web API with the helper class](/entra/identity-platform/scenario-web-api-call-api-call-api?tabs=aspnetcore#option-2-call-a-downstream-web-api-with-the-helper-class)
 * <xref:Microsoft.Identity.Abstractions.IDownstreamApi>
 * *Secure an ASP.NET Core Blazor Web App with Microsoft Entra ID*
   * [Non-BFF pattern (Interactive Auto)](xref:blazor/security/blazor-web-app-entra?pivots=non-bff-pattern)

diff --git a/aspnetcore/blazor/security/blazor-web-app-with-entra.md b/aspnetcore/blazor/security/blazor-web-app-with-entra.md
@@ -30,7 +30,7 @@ The following specification is covered:
 * The app uses [Microsoft Entra ID](https://www.microsoft.com/security/business/microsoft-entra), based on [Microsoft Identity Web](/entra/msal/dotnet/microsoft-identity-web/) packages.
 * Automatic non-interactive token refresh is managed by the framework.
 * The app uses server-side and client-side service abstractions to display generated weather data:
-  * When rendering the `Weather` component on the server to display weather data, the component uses the `ServerWeatherForecaster` on the server to obtain weather data.
+  * When rendering the `Weather` component on the server to display weather data, the component uses the `ServerWeatherForecaster`. Microsoft Identity Web packages provide API to create a named downstream web service for making web API calls. <xref:Microsoft.Identity.Abstractions.IDownstreamApi> is injected into the `ServerWeatherForecaster`, which is used to call <xref:Microsoft.Identity.Abstractions.IDownstreamApi.CallApiForUserAsync%2A> to obtain weather data from an external web API (`MinimalApiJwt` project).
   * When the `Weather` component is rendered on the client, the component uses the `ClientWeatherForecaster` service implementation, which uses a preconfigured <xref:System.Net.Http.HttpClient> (in the client project's `Program` file) to make a web API call to the server project's Minimal API (`/weather-forecast`) for weather data. The Minimal API endpoint obtains the weather data from the `ServerWeatherForecaster` class and returns it to the client for rendering by the component.
 
 ## Sample solution
@@ -216,11 +216,13 @@ The following specification is covered:
 * The server project calls <xref:Microsoft.Extensions.DependencyInjection.WebAssemblyRazorComponentsBuilderExtensions.AddAuthenticationStateSerialization%2A> to add a server-side authentication state provider that uses <xref:Microsoft.AspNetCore.Components.PersistentComponentState> to flow the authentication state to the client. The client calls <xref:Microsoft.Extensions.DependencyInjection.WebAssemblyAuthenticationServiceCollectionExtensions.AddAuthenticationStateDeserialization%2A> to deserialize and use the authentication state passed by the server. The authentication state is fixed for the lifetime of the WebAssembly application.
 * The app uses [Microsoft Entra ID](https://www.microsoft.com/security/business/microsoft-entra), based on [Microsoft Identity Web](/entra/msal/dotnet/microsoft-identity-web/) packages.
 * Automatic non-interactive token refresh is managed by the framework.
-* The app uses server-side and client-side service abstractions to display generated weather data.
 * The [Backend for Frontend (BFF) pattern](/azure/architecture/patterns/backends-for-frontends) is adopted using [.NET Aspire](/dotnet/aspire/get-started/aspire-overview) for service discovery and [YARP](https://dotnet.github.io/yarp/) for proxying requests to a weather forecast endpoint on the backend app.
   * A backend web API uses JWT-bearer authentication to validate JWT tokens saved by the Blazor Web App in the sign-in cookie.
   * Aspire improves the experience of building .NET cloud-native apps. It provides a consistent, opinionated set of tools and patterns for building and running distributed apps.
   * YARP (Yet Another Reverse Proxy) is a library used to create a reverse proxy server.
+* The app uses server-side and client-side service abstractions to display generated weather data.
+  * When rendering the `Weather` component on the server to display weather data, the component uses the `ServerWeatherForecaster`. Microsoft Identity Web packages provide API to create a named downstream web service for making web API calls. <xref:Microsoft.Identity.Abstractions.IDownstreamApi> is injected into the `ServerWeatherForecaster`, which is used to call <xref:Microsoft.Identity.Abstractions.IDownstreamApi.CallApiForUserAsync%2A> to obtain weather data from an external web API (`MinimalApiJwt` project).
+  * When the `Weather` component is rendered on the client, the component uses the `ClientWeatherForecaster` service implementation, which uses a preconfigured <xref:System.Net.Http.HttpClient> (in the client project's `Program` file) to make a web API call to the server project's Minimal API (`/weather-forecast`) for weather data. The Minimal API endpoint obtains an access token for the user by calling <xref:Microsoft.Identity.Web.ITokenAcquisition.GetAccessTokenForUserAsync%2A>. Along with the correct scopes, a reverse proxy call is made to the external web API (`MinimalApiJwt` project) to obtain and return weather data to the client for rendering by the component.
 
 <!-- UPDATE 10.0 Remove at 10.0 -->
 
@@ -937,7 +939,10 @@ For more information on how this app secures its weather data, see [Secure data
 
 ## Additional resources
 
+* [Call a web API from an ASP.NET Core Blazor app: Microsoft identity platform for web API calls](xref:blazor/call-web-api#microsoft-identity-platform-for-web-api-calls)
 * [Microsoft identity platform documentation](/entra/identity-platform/)
+* [Web API documentation | Microsoft identity platform](/entra/identity-platform/index-web-api)
+* [A web API that calls web APIs: Call an API: Option 2: Call a downstream web API with the helper class](/entra/identity-platform/scenario-web-api-call-api-call-api?tabs=aspnetcore#option-2-call-a-downstream-web-api-with-the-helper-class)
 * [`AzureAD/microsoft-identity-web` GitHub repository](https://github.com/AzureAD/microsoft-identity-web/wiki): Helpful guidance on implementing Microsoft Identity Web for Microsoft Entra ID and Azure Active Directory B2C for ASP.NET Core apps, including links to sample apps and related Azure documentation. Currently, Blazor Web Apps aren't explicitly addressed by the Azure documentation, but the setup and configuration of a Blazor Web App for ME-ID and Azure hosting is the same as it is for any ASP.NET Core web app.
 * [`AuthenticationStateProvider` service](xref:blazor/security/index#authenticationstateprovider-service)
 * [Manage authentication state in Blazor Web Apps](xref:blazor/security/index#manage-authentication-state-in-blazor-web-apps)

diff --git a/aspnetcore/fundamentals/map-static-files.md b/aspnetcore/fundamentals/map-static-files.md
@@ -2,15 +2,19 @@
 title: Map static files in ASP.NET Core
 author: rick-anderson
 description: Learn how to serve and secure mapped static files and configure static file hosting middleware behaviors in an ASP.NET Core web app.
-monikerRange: '>= aspnetcore-8.0'
+monikerRange: '>= aspnetcore-9.0'
 ms.author: riande
 ms.custom: mvc
 ms.date: 3/18/2025
 uid: fundamentals/map-static-files
 ---
 # Map static files in ASP.NET Core
 
-:::moniker range=">= aspnetcore-9.0"
+<!-- UPDATE 10.0 - Activate at GA
+
+[!INCLUDE[](~/includes/not-latest-version.md)]
+
+-->
 
 By [Rick Anderson](https://twitter.com/RickAndMSFT)
 
@@ -209,5 +213,3 @@ The following code updates `IWebHostEnvironment.WebRootPath` to a non developmen
 * [Introduction to ASP.NET Core](xref:index)
 * <xref:blazor/file-uploads>
 * <xref:blazor/file-downloads>
-
-:::moniker-end
diff --git a/aspnetcore/fundamentals/servers/kestrel/http3.md b/aspnetcore/fundamentals/servers/kestrel/http3.md
@@ -27,18 +27,14 @@ uid: fundamentals/servers/kestrel/http3
 * Is the latest version of the Hypertext Transfer Protocol.
 * Builds on the strengths of `HTTP/2` while addressing some of its limitations, particularly in terms of performance, latency, reliability, and security.
 
-+---------------+-------------------------+-------------------------+
-| Feature | `HTTP/2` | `HTTP/3` |
-+---------------+-------------------------+-------------------------+
-| Transport | Uses [TCP](https://developer.mozilla.org/docs/Glossary/TCP) | Uses [QUIC](https://www.rfc-editor.org/rfc/rfc9000.html)  |
-| Layer | | |
-| Connection | Slower due to TCP + TLS | Faster with 0-RTT QUIC |
-| Setup | handshake | handshakes |
-| Head-of-Line | Affected by TCP-level | Eliminated with QUIC |
-| Blocking | blocking | stream multiplexing |
-| Encryption | TLS over TCP | TLS is built into QUIC |
-+---------------+-------------------------+-------------------------+
-
+| Feature      | `HTTP/2`                                                    | `HTTP/3`                                                 |
+|--------------|-------------------------------------------------------------|----------------------------------------------------------|
+| Transport    | Uses [TCP](https://developer.mozilla.org/docs/Glossary/TCP) | Uses [QUIC](https://www.rfc-editor.org/rfc/rfc9000.html) |
+| Connection   | Slower due to TCP + TLS                                     | Faster with 0-RTT QUIC                                   |
+| Setup        | handshake                                                   | handshakes                                               |
+| Head-of-Line | Affected by TCP-level                                       | Eliminated with QUIC                                     |
+| Blocking     | blocking                                                    | stream multiplexing                                      |
+| Encryption   | TLS over TCP                                                | TLS is built into QUIC                                   |
 
 The key differences from `HTTP/2` to `HTTP/3` are:
 

diff --git a/aspnetcore/mvc/views/razor.md b/aspnetcore/mvc/views/razor.md
@@ -261,9 +261,9 @@ Extra `@` characters in a Razor file can cause compiler errors at statements lat
 
 ### Conditional attribute rendering
 
-Razor automatically omits attributes that aren't needed. If the value passed in is `null` or `false`, the attribute isn't rendered.
+Razor automatically omits attributes that aren't required. If the value passed in is `null` or `false`, the attribute isn't rendered.
 
-For example,  consider the following razor:
+For example, consider the following Razor markup:
 
 ```cshtml
 <div class="@false">False</div>
@@ -289,6 +289,20 @@ The preceding Razor markup generates the following HTML:
 <input type="checkbox" name="null">
 ```
 
+Razor retains `data-` attributes if their values are `null` or `false`.
+
+Consider the following Razor markup:
+
+```cshtml
+<div data-id="@null" data-active="@false"></div>
+```
+
+The preceding Razor markup generates the following HTML:
+
+```html
+<div data-id="" data-active="False"></div>
+```
+
 ## Control structures
 
 Control structures are an extension of code blocks. All aspects of code blocks (transitioning to markup, inline C#) also apply to the following structures:

diff --git a/aspnetcore/release-notes/aspnetcore-2.2.md b/aspnetcore/release-notes/aspnetcore-2.2.md
@@ -77,7 +77,7 @@ For more information, see [in-process hosting for IIS](xref:host-and-deploy/aspn
 
 ASP.NET Core 2.2 introduces a Java Client for SignalR. This client supports connecting to an ASP.NET Core SignalR Server from Java code, including Android apps.
 
-For more information, see [ASP.NET Core SignalR Java client](../signalr/java-client.md?view=aspnetcore-2.2).
+For more information, see [ASP.NET Core SignalR Java client](../signalr/java-client.md?view=aspnetcore-2.2&preserve-view=true).
 
 ## CORS improvements
 

diff --git a/aspnetcore/security/authentication/identity.md b/aspnetcore/security/authentication/identity.md
@@ -253,7 +253,7 @@ To prevent publishing static Identity assets (stylesheets and JavaScript files f
 * <xref:security/authentication/identity-enable-qrcodes>
 * <xref:migration/identity>
 * <xref:security/authentication/accconfirm>
-* <xref:security/authentication/2fa>
+* <xref:security/authentication/mfa>
 * <xref:host-and-deploy/web-farm>
 
 :::moniker-end

diff --git a/aspnetcore/security/how-to-choose-identity-solution.md b/aspnetcore/security/how-to-choose-identity-solution.md
@@ -17,7 +17,7 @@ Most web apps support authentication to ensure that users are who they claim to
 ASP.NET Core ships with a built-in authentication provider: [ASP.NET Core Identity](xref:security/authentication/identity). The provider includes the APIs, UI, and backend database configuration to support managing user identities, storing user credentials, and granting or revoking permissions. Other features it supports include:
 
 * [External logins](xref:security/authentication/social/index)
-* [Two-factor authentication (2FA)](xref:security/authentication/2fa)
+* [Multi-factor authentication (MFA)](xref:security/authentication/mfa)
 * [Password management](xref:security/authentication/accconfirm)
 * Account lockout and reactivation
 * Authenticator apps