I am using Asp.net 6 web API in my project and I am confused about understanding routing functions. Previously when we build API we use to use following middleware

app.UseRouting()

...Other middleware

app.UseEndPoints()

But now in Asp.Net 6 the default way to use this

    app.UseAuthentication();
    app.UseAuthorization();

    app.MapControllers()

No need to use app.UseRouting() and app.UseEndPoints() rather use directly app.MapControllers() after other middlwares

I wonder what app.MapControllers() does internally? Does it mean that all routes are authorized by defualt?

How to use other middleware before registering routes? I am kind of confused to understand between these approaches

app.UseRouting() VS app.UseEndpoints() VS app.MapControllers();

You got couple sub-questions. Here is the list and my answer. Please comment if I miss any:

1. What app.MapControllers() does internally?

   app.MapControllers() is a helper used to map attribute routing. The app itself is also an IEndpointRouteBuilder and this helper will add end points from your attribute-routed controllers. To map conventional routing use the app.MapControllerRoute().

2. Does it mean that all routes are authorized by default?

   Adding app.UseAuthorization(); does not mean that the route is not "authorized by default" but the pipeline will try to determine if current user can be authorized to access this route.

3. How to use other middleware before registering routes?

   If you mean the UseAuthentication() and UseAuthorization(), they must be placed after the UseRouting() and before UseEndPoints(). You can check the middleware order for further info.

4. I am kind of confused to understand between these approaches app.UseRouting() VS app.UseEndpoints() VS app.MapControllers();:

   The UseRouting() and UseEndpoints() (also MapGet() and MapPost()) are used to manually craft a tailored routing to meet your need. The MapControllers(), as mentioned above, is a handy helper if you are using attribute routing with controllers in a typical Web API scenario.

UseRouting: Matches request to an endpoint.

UseEndpoints: Execute the matched endpoint.

MapControllers : This doesn't make any assumptions about routing and will rely on the user doing attribute routing (most commonly used in WebAPI controllers) to get requests to the right place.

This makes the ASP.NET Core framework more flexible and allows other middlewares to act between UseRouting and UseEndpoints. That allows those middlewares to utilize the information from endpoint routing, for example, the call to UseAuthentication must go after UseRouting, so that route information is available for authentication decisions and before UseEndpoints so that users are authenticated before accessing the endpoints.

I feel both of the provided answers didn't give a good explanation. I kept digging and found this. In short, I think OP used ASP.NET 6 generic IHostBuilder, while the newer versions rely on WebApplicationBuilder which adds a bunch of middleware behind the scenes (including .UseRouting() and .UseEndpoints(). And now a quote from the source above:

The following code is effectively what the automatic middleware being added to the app produces:

if (isDevelopment)
{
    app.UseDeveloperExceptionPage();
}

app.UseRouting();

if (isAuthenticationConfigured)
{
    app.UseAuthentication();
}

if (isAuthorizationConfigured)
{
    app.UseAuthorization();
}

// user middleware/endpoints
app.CustomMiddleware(...);
app.MapGet("/", () => "hello world");
// end user middleware/endpoints

app.UseEndpoints(e => {});