Delivery API: Retain the Delivery API login redirect behavior in .NET 10 (closes #21000)#21023
Merged
kjac merged 2 commits intorelease/17.0from Dec 2, 2025
Merged
Conversation
kjac
changed the title
AndyButland
reviewed
Dec 2, 2025
Contributor
AndyButland
left a comment
AndyButland
left a comment
There was a problem hiding this comment.
I've gone through the documented process of setting up member authentication with the delivery API, and can confirm I now get the expected redirect to the login page instead of the 401 API response.
Once logged in as a member I can access the protected content via a request from the Swagger UI (and when not logged in, I can't).
Other than as discussed there are some failing tests indicating a breaking behavioural change that should be reinstated, this looks good to me. I'll save the approval for one last look when the tests are rectified.
AndyButland
approved these changes
Dec 2, 2025
This was referenced Dec 8, 2025
Closed
Bump Umbraco.Cms.Persistence.EFCore from 17.0.0 to 17.0.1
karl-sjogren/umbraco-extend-everything#134
Closed
Merged
This was referenced Jan 26, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Prerequisites
If there's an existing issue for this PR then this fixes #21000
Description
This PR re-introduces the Delivery API login redirect behavior in .NET 10, following this breaking change from MS.
Note that I have opted to make the same assumption as are made for the Management API (which are also outlined by the above-mentioned article from MS): Any XHR request should yield a status code, any non-XHR request should perform explicit redirect to the login (or access denied) page.
The current implementation sort of does this already for redirects for "access denied" resources, but it's based on
UmbracoApiController, which was obsoleted a long time ago. This is likely not at all sufficient to obtain the expected behavior, as new API controllers likely won't be implementingUmbracoApiController.Update: The current implementation (special handling for
UmbracoApiController) has been re-introduced to ensure backwards compatibility with Umbraco 16. The above-mentioned explicit inclusion of all XHR implicitly still works, as this is the default behavior for XHR.Testing this PR
It is a little cumbersome to test this PR. The article about protected content in the Delivery API describes how to set it all up.
The easiest way to test this PR is to configure Swagger UI for authentication against the Delivery API. This way you won't need an external client for testing, and you won't have to worry about CORS config and whatnot.
Reach out if you want to test with an external client - I have it all running locally.