I assume that this is (perhaps) simply the way webapi works, but I am trying to grok it.
If I remove the "Authorization" on the delete method it works fine on the API
however adding any kind of "Authorization" filter, rather than returning a "You're not allowed", you get "Not supported".
I think I know WHY -> it's because the "user" isn't signed-in (Auth fails (401?) - I'm not logged in so... redirect to "login" -> DELETE is still the "request" and valid and so "login doesn't support DELETE")
//UPDATE: looking at the logs, it looks like the Auth failing to login produces a challenge, and then a 302 (redirect)? Is this right...? I would have thought a 401...
But I'm not sure what to do about it...
a) Can anyone explain the background/architecture/flow of this so I can "get it" better... is it the way I've wired up the middleware/order?
b) Has anyone got solutions for how to make this better/less confusing for API Client developers - or is this just a "learn that this means your tokens died" and get used to this as a troubleshooting thing.
Thanks
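An added example (not code from the post) of the configuration-level answer to (b), assuming ASP.NET Core with cookie authentication and an API routed under /api (the post does not name the stack or paths): the cookie handler's redirect events are overridden so an unauthenticated API call gets a 401 (or 403 when authenticated but not permitted) instead of the 302 to the login page that turns the DELETE into a "method not supported" on the login endpoint.

```csharp
// Added example, not the poster's code. Assumes ASP.NET Core (minimal hosting),
// cookie authentication, and that every API endpoint lives under /api.
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using System.Threading.Tasks;

var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(options =>
    {
        options.LoginPath = "/Account/Login";
        options.Events = new CookieAuthenticationEvents
        {
            // Default: a failed challenge becomes a 302 to LoginPath. An API client's
            // DELETE then follows the redirect to a login endpoint that only takes
            // GET/POST, which is where the confusing "Not supported" comes from.
            OnRedirectToLogin = ctx =>
            {
                if (ctx.Request.Path.StartsWithSegments("/api"))
                {
                    ctx.Response.StatusCode = StatusCodes.Status401Unauthorized;
                    return Task.CompletedTask;          // no redirect for API callers
                }
                ctx.Response.Redirect(ctx.RedirectUri); // browsers keep the redirect
                return Task.CompletedTask;
            },
            // Same treatment when the user is signed in but fails the policy.
            OnRedirectToAccessDenied = ctx =>
            {
                if (ctx.Request.Path.StartsWithSegments("/api"))
                {
                    ctx.Response.StatusCode = StatusCodes.Status403Forbidden;
                    return Task.CompletedTask;
                }
                ctx.Response.Redirect(ctx.RedirectUri);
                return Task.CompletedTask;
            }
        };
    });
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();   // must be registered before UseAuthorization
app.UseAuthorization();

// The protected DELETE from the post: unauthenticated -> 401, not 302 -> 405.
app.MapDelete("/api/items/{id}", (int id) => Results.NoContent())
   .RequireAuthorization();
app.Run();
```

With this in place an expired or missing cookie surfaces to the API client as a plain 401 on the original DELETE, which is the signal "your tokens died" without the detour through the login page.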