
[release/10.0-preview7] Avoid cookie login redirects for known API endpoints #62894


Merged

Conversation

@github-actions github-actions bot commented Jul 24, 2025

Backport of #62816 to release/10.0-preview7

/cc @halter73

Avoid cookie login redirects for known API endpoints

By default, the CookieAuthenticationHandler redirects to the login page for unauthenticated requests. This does not make sense as a default behavior for API endpoints like those defined in an [ApiController] and most minimal APIs.

This PR adds IApiEndpointMetadata automatically to [ApiController]-defined endpoints and to many minimal APIs where we can definitely determine that the endpoint is not returning HTML or otherwise intended for direct browser navigation.

Description

This adds IApiEndpointMetadata as new public API. It doesn't add any attributes or extension methods, but we do add it automatically for endpoints where RDF/RDG read a JSON request body or write a JSON response body. ApiController endpoints, SignalR endpoints and endpoints with TypedResults return-types that we know to be API-oriented also get this metadata automatically.

API Proposal: #62883

Fixes: #9039

Even though IApiEndpointMetadata has not yet been approved by API Review, most users will not need to directly interact with this API to benefit from it. The vast majority of developers will not need to make any changes to their code even if the API shape changes.

Customer Impact

#9039 is one of the most thumbs-upped issues in the aspnetcore repo. Without this change, customers need to apply workarounds like the following to prevent the CookieAuthenticationHandler from redirecting to the login page for unauthenticated API requests. This is a hassle when you don't already know about the workaround, given that we could provide a better experience by default, which we do with this PR.

// ConfigureApplicationCookie comes from Microsoft.AspNetCore.Identity; the event types
// live in Microsoft.AspNetCore.Authentication.Cookies.
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Identity;

services.ConfigureApplicationCookie(o =>
{
    o.Events = new CookieAuthenticationEvents()
    {
        // The default event issues a 302 to LoginPath. For API paths answer 401 instead.
        OnRedirectToLogin = (ctx) =>
        {
            // Only intervene when nothing else has already set a status code.
            if (ctx.Request.Path.StartsWithSegments("/api") && ctx.Response.StatusCode == 200)
            {
                ctx.Response.StatusCode = 401;
            }
            else
            {
                // Keep the default redirect for browser-facing pages; replacing the event
                // without this branch would leave them with an empty 200 response.
                ctx.Response.Redirect(ctx.RedirectUri);
            }

            return Task.CompletedTask;
        },
        // Same for the access-denied redirect: 403 instead of a 302 to AccessDeniedPath.
        OnRedirectToAccessDenied = (ctx) =>
        {
            if (ctx.Request.Path.StartsWithSegments("/api") && ctx.Response.StatusCode == 200)
            {
                ctx.Response.StatusCode = 403;
            }
            else
            {
                ctx.Response.Redirect(ctx.RedirectUri);
            }

            return Task.CompletedTask;
        }
    };
});

Regression?

  • Yes
  • No

Risk

  • High
  • Medium
  • Low

We only add the new IApiEndpointMetadata to endpoints we are confident are not intended for direct browser navigation. Furthermore, this new metadata is only referenced by the default implementations of CookieAuthenticationEvents.OnRedirectToLogin and OnRedirectToAccessDenied which are overridable.

Verification

  • Manual (required)
  • Automated

Packaging changes reviewed?

  • Yes
  • No
  • N/A
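
The behavior the PR description claims, as an added example that is not code from this PR or from the aspnetcore repository: a minimal API with one browser-facing page and two API endpoints, started in-process and probed anonymously with an HttpClient that does not follow redirects, so the raw 302 versus 401 is visible. Assumptions, since the page does not show the API shape: a .NET 10 preview 7 SDK in which IApiEndpointMetadata is an empty marker interface in Microsoft.AspNetCore.Http.Metadata; that a TypedResults.Ok<T> endpoint receives the metadata automatically as the description says; and that a handler returning a plain string does not, so the hypothetical ApiEndpointMarker class below shows the manual opt-in via WithMetadata (the PR adds no attribute or extension method for this).

```csharp
// Added example; not part of PR #62894. Assumes a .NET 10 preview 7 SDK and that
// IApiEndpointMetadata is an empty marker interface in Microsoft.AspNetCore.Http.Metadata.
using System.Net;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Http.Metadata;

var builder = WebApplication.CreateBuilder(args);
builder.WebHost.UseUrls("http://127.0.0.1:5099");
builder.Services
    .AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(o => o.LoginPath = "/login");
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

app.MapGet("/login", () => Results.Content("<p>login form</p>", "text/html"));

// Browser-facing page: no API metadata, so an anonymous request still gets the 302 to LoginPath.
app.MapGet("/dashboard", () => Results.Content("<p>dashboard</p>", "text/html"))
   .RequireAuthorization();

// TypedResults.Ok<T> writes JSON; per the PR description the framework attaches
// IApiEndpointMetadata itself, so the cookie handler answers 401 instead of redirecting.
app.MapGet("/api/orders", () => TypedResults.Ok(new[] { new { Id = 1, Total = 9.99m } }))
   .RequireAuthorization();

// A plain-string handler writes text/plain, which (assumption) the framework does not
// classify as an API endpoint; opt in explicitly with the hypothetical marker type below.
app.MapGet("/api/ping", () => "pong")
   .RequireAuthorization()
   .WithMetadata(new ApiEndpointMarker());

await app.StartAsync();

// Probe anonymously with redirects disabled so the status code is what the handler sent.
using var http = new HttpClient(new HttpClientHandler { AllowAutoRedirect = false })
{
    BaseAddress = new Uri("http://127.0.0.1:5099"),
};

// Expected per the PR description: browser page redirects, API endpoints get 401.
var expected = new Dictionary<string, HttpStatusCode>
{
    ["/dashboard"] = HttpStatusCode.Redirect,
    ["/api/orders"] = HttpStatusCode.Unauthorized,
    ["/api/ping"] = HttpStatusCode.Unauthorized,
};

var failures = 0;
foreach (var (path, want) in expected)
{
    using var resp = await http.GetAsync(path);
    if (resp.StatusCode != want)
    {
        failures++;
    }
    Console.WriteLine($"{path,-12} got {(int)resp.StatusCode}, expected {(int)want}, Location: {resp.Headers.Location}");
}

await app.StopAsync();
return failures == 0 ? 0 : 1;

// Hypothetical opt-in marker for endpoints the framework cannot classify on its own.
sealed class ApiEndpointMarker : IApiEndpointMetadata { }
```

Run it with `dotnet run` from a project using Microsoft.NET.Sdk.Web that targets net10.0. On an SDK that predates this change all three probes come back 302, which is exactly the symptom from #9039; with the change, the two API endpoints return 401 with no Location header and nothing in the app needed the path-prefix heuristic from the workaround above. The access-denied case is the same shape: an authenticated but unauthorized request to an API endpoint should produce 403 rather than a redirect to AccessDeniedPath.
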

@halter73 halter73 added the Servicing-consider Shiproom approval is required for the issue label Jul 24, 2025
@halter73 halter73 added this to the 10.0-preview7 milestone Jul 24, 2025
@Frulfump

Hi @@github-actions[bot]. Please make sure you've updated the PR description to use the Shiproom Template. Also, make sure this PR is not marked as a draft and is ready-to-merge.

To learn more about how to prepare a servicing PR click here.

Lol @@

cc @halter73

@rbhanda rbhanda added Servicing-approved Shiproom has approved the issue and removed Servicing-consider Shiproom approval is required for the issue labels Jul 24, 2025
@wtgodbe wtgodbe enabled auto-merge (squash) July 24, 2025 17:29
@wtgodbe wtgodbe merged commit 50e6b08 into release/10.0-preview7 Jul 24, 2025
28 of 29 checks passed
@wtgodbe wtgodbe deleted the backport/pr-62816-to-release/10.0-preview7 branch July 24, 2025 18:07
@dotnet-policy-service dotnet-policy-service bot modified the milestone: 10.0-preview7 Jul 24, 2025