Skip to content

Document cookie authentication API endpoint breaking change for .NET 10 #47904

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 4 commits into
base: main
Choose a base branch
from
Open

Document cookie authentication API endpoint breaking change for .NET 10 #47904

wants to merge 4 commits into from

Conversation

Copilot
Copy link
Contributor

@Copilot Copilot AI commented Aug 8, 2025
edited by github-actions bot
Loading

This PR documents the breaking change introduced in .NET 10 Preview 7 where cookie authentication no longer redirects to login or access denied URIs for known API endpoints, as announced in aspnet/Announcements#525.

Summary

The breaking change affects how ASP.NET Core handles authentication failures for API endpoints. Previously, unauthenticated and unauthorized requests would redirect to a login or access denied URI. Now, known API endpoints return 401 and 403 status codes directly, which is more appropriate for API scenarios.

Changes Made

  1. Added comprehensive breaking change documentation at docs/core/compatibility/aspnet-core/10/cookie-authentication-api-endpoints.md:

    • Detailed description of the behavioral change
    • Clear explanation of affected endpoints (ApiController, Minimal APIs with JSON, TypedResults, SignalR)
    • Code examples showing how to revert to previous behavior if needed
    • Proper cross-references to affected APIs

  2. Updated the table of contents in docs/core/compatibility/toc.yml to include the new breaking change entry in the appropriate alphabetical position.

Key Details

  • Version: .NET 10 Preview 7
  • Breaking change type: Behavioral change
  • Affected APIs:
    • Microsoft.AspNetCore.Http.Metadata.IApiEndpointMetadata
    • Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationEvents.RedirectToLogin
    • Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationEvents.RedirectToAccessDenied

The documentation follows the established format and style guidelines, provides clear migration guidance, and includes complete code examples for developers who need to maintain the previous redirect behavior.

Fixes #47903.

💬 Share your feedback on Copilot coding agent for the chance to win a $200 gift card! Click here to start the survey.

Internal previews

📄 File 🔗 Preview link
docs/core/compatibility/10.0.md Breaking changes in .NET 10
docs/core/compatibility/aspnet-core/10/cookie-authentication-api-endpoints.md Cookie login redirects are disabled for known API endpoints
docs/core/compatibility/toc.yml docs/core/compatibility/toc

@Copilot Copilot AI changed the title [WIP] Document https://github.com/aspnet/Announcements/issues/525 Document cookie authentication API endpoint breaking change for .NET 10 Aug 8, 2025
@Copilot Copilot AI requested a review from gewarren August 8, 2025 22:21
Copilot finished work on behalf of gewarren August 8, 2025 22:21
@gewarren gewarren marked this pull request as ready for review August 8, 2025 22:40
@gewarren gewarren requested a review from a team as a code owner August 8, 2025 22:40
@gewarren gewarren requested a review from halter73 August 8, 2025 22:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gewarren gewarren gewarren approved these changes

@halter73 halter73 Awaiting requested review from halter73

At least 1 approving review is required to merge this pull request.

Assignees

@gewarren gewarren

Copilot code review Copilot

Labels
dotnet-fundamentals/svc
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Document https://github.com/aspnet/Announcements/issues/525
2 participants
@Copilot @gewarren