Move boilerplate code skills to IdWeb, and add Aspire DevApp demonstrating Blazor authentication components

[Copilot]

Adds AspireBlazorCallsWebApi DevApp to demonstrate BlazorAuthenticationChallengeHandler and MapLoginAndLogout() in a complete Aspire-orchestrated scenario.

Structure

4-project solution:

• AppHost: Aspire orchestration with service discovery
• ServiceDefaults: OpenTelemetry, health checks, resilience
• ApiService: Protected /weatherforecast endpoint requiring authentication
• Web: Blazor Server with Microsoft Identity authentication

Key Implementations

Incremental consent pattern in Weather.razor:

try {
    forecasts = await WeatherApiClient.GetWeatherAsync();
}
catch (Exception ex) {
    if (await ChallengeHandler.HandleExceptionAsync(ex)) {
        return; // Redirects for additional consent
    }
    error = $"Failed: {ex.Message}";
}

Authentication setup in Web/Program.cs:

builder.Services.AddMicrosoftIdentityWebAppAuthentication(builder.Configuration)
    .EnableTokenAcquisitionToCallDownstreamApi()
    .AddInMemoryTokenCaches();

builder.Services.AddScoped<BlazorAuthenticationChallengeHandler>();

// Enhanced OIDC endpoints with incremental consent support
app.MapGroup("/authentication").MapLoginAndLogout();

// Service discovery with automatic token acquisition
builder.Services.AddHttpClient<WeatherApiClient>(client => {
    client.BaseAddress = new Uri("https+http://apiservice");
})
.AddMicrosoftIdentityAppAuthenticationHandler("AzureAd", options => {
    options.Scopes = string.Join(" ", scopes);
});

Complete Blazor component structure:

• App.razor with Blazor Web JS
• Routes.razor with AuthorizeRouteView
• UserInfo.razor showing login/logout state
• Weather.razor demonstrating API calls with challenge handling
• Layout components (MainLayout, NavMenu)

Configuration

Uses test lab credentials matching WebAppCallsWebApiCallsGraph DevApp:

• API: a021aff4-57ad-453a-bae8-e4192e5860f3
• Web: a599ce88-0a5f-4a6e-beca-e67d3fc427f4
• Tenant: 10c419d4-4a50-45b2-aa4e-919fb84df24f

Build succeeds on .NET 9.0. README included with architecture, running instructions, and code highlights.

Original prompt

Goal

Integrate BlazorAuthenticationChallengeHandler and LoginLogoutEndpointRouteBuilderExtensions from .github/skills/entra-id-aspire-authentication/ into the main Microsoft.Identity.Web NuGet package.

Tasks

1. Create new Blazor subfolder and move files

Create src/Microsoft.Identity.Web/Blazor/ folder with these files (copy from .github/skills/entra-id-aspire-authentication/):

• BlazorAuthenticationChallengeHandler.cs - Handles authentication challenges for Blazor Server components (incremental consent, Conditional Access)
• LoginLogoutEndpointRouteBuilderExtensions.cs - Extension method MapLoginAndLogout() for OIDC endpoints

Keep the namespace as Microsoft.Identity.Web (already correct in source files).

Add XML doc <remarks> noting these are for Blazor Server scenarios.

2. Unit Tests

Create tests/Microsoft.Identity.Web.Test/Blazor/ folder with:

• BlazorAuthenticationChallengeHandlerTests.cs - Test:

  • GetUserAsync returns ClaimsPrincipal from AuthenticationStateProvider
  • IsAuthenticatedAsync returns correct bool based on identity state
  • HandleExceptionAsync detects MicrosoftIdentityWebChallengeUserException (and as InnerException)
  • ChallengeUser builds correct URL with scopes, loginHint, domainHint, claims parameters
  • GetLoginHint extracts from "preferred_username" or "login_hint" claims
  • GetDomainHint returns "consumers" for MSA tenant, "organizations" otherwise

• LoginLogoutEndpointRouteBuilderExtensionsTests.cs - Test:

  • /login endpoint sets correct AuthProperties with scope, loginHint, domainHint, claims
  • /logout endpoint signs out from both Cookie and OIDC schemes
  • GetAuthProperties validates returnUrl (prevents open redirects, handles relative/absolute URLs)

3. Create minimal Aspire DevApp

Create tests/DevApps/AspireBlazorCallsWebApi/ with this structure:

AspireBlazorCallsWebApi/
├── AspireBlazorCallsWebApi.sln
├── AspireBlazorCallsWebApi.AppHost/
│   ├── AspireBlazorCallsWebApi.AppHost.csproj
│   └── Program.cs
├── AspireBlazorCallsWebApi.ServiceDefaults/
│   ├── AspireBlazorCallsWebApi.ServiceDefaults.csproj
│   └── Extensions.cs
├── AspireBlazorCallsWebApi.ApiService/
│   ├── AspireBlazorCallsWebApi.ApiService.csproj
│   ├── Program.cs
│   └── appsettings.json
└── AspireBlazorCallsWebApi.Web/
    ├── AspireBlazorCallsWebApi.Web.csproj
    ├── Program.cs
    ├── appsettings.json
    ├── WeatherApiClient.cs
    └── Components/
        ├── _Imports.razor
        ├── App.razor
        ├── Routes.razor
        ├── UserInfo.razor
        ├── Layout/
        │   ├── MainLayout.razor
        │   └── NavMenu.razor
        └── Pages/
            ├── Home.razor
            └── Weather.razor

Credentials to use (reuse from WebAppCallsWebApiCallsGraph DevApp):

For API (AspireBlazorCallsWebApi.ApiService/appsettings.json):

{
  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "Domain": "id4slab1.onmicrosoft.com",
    "TenantId": "10c419d4-4a50-45b2-aa4e-919fb84df24f",
    "ClientId": "a021aff4-57ad-453a-bae8-e4192e5860f3",
    "Scopes": "access_as_user"
  }
}

For Web App (AspireBlazorCallsWebApi.Web/appsettings.json):

{
  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "Domain": "id4slab1.onmicrosoft.com",
    "TenantId": "10c419d4-4a50-45b2-aa4e-919fb84df24f",
    "ClientId": "a599ce88-0a5f-4a6e-beca-e67d3fc427f4",
    "CallbackPath": "/signin-oidc",
    "ClientCertificates": [
      {
        "SourceType": "StoreWithDistinguishedName",
        "CertificateStorePath": "LocalMachine/My",
        "CertificateDistinguishedName": "CN=LabAuth.MSIDLab.com"
      }
    ]
  },
  "WeatherApi": {
    "Scopes": ["api://a021aff4-57ad-453a-bae8-e4192e5860f3/access_as_user"]
  }
}

Key implementation points for DevApp:

1. API Program.cs: Use AddMicrosoftIdentityWebApi + RequireAuthorization() on /weatherforecast endpoint
2. Web Program.cs:
   • Use AddMicrosoftIdentityWebApp + EnableTokenAcquisitionToCallDownstreamApi + AddInMemoryTokenCaches
   • Register BlazorAuthenticationChallengeHandler as scoped service
   • Configure WeatherApiClient HttpClient with AddMicrosoftIdentityMessageHandler
   • Map /authentication group with MapLoginAndLogout()
3. Weather.razor: Include try/catch with ChallengeHandler.HandleExceptionAsync() pattern
4. UserInfo.razor: Show login/logout UI based on auth state
5. Routes.razor: Use AuthorizeRouteView

4. Important Notes

• Do NOT update .github/skills/entra-id-aspire-authentication/SKILL.md - that will be done post-release
• Do NOT update docs/frameworks/aspire.md references to "copy from skill folder" - that will be done post-release
• The DevApp should reference the local Microsoft.Identity.Web project, not the NuGet package

References

• Source files: `.github/skills/entra-id-aspire-authentication/BlazorAuthenticationChallengeHandler....

This pull request was created from Copilot chat.

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[jmprieur]

Thanks @copilot
Curious why you didn't you use the latest version of Aspire on .net 10?

[Copilot]

Thanks @copilot
Curious why you didn't you use the latest version of Aspire on .net 10?

I used .NET 9 with Aspire 9.0.0 for stability and compatibility reasons:

1. Stable Release: Aspire 9.0.0 is the stable release version that pairs with .NET 9, while Aspire for .NET 10 would require preview/RC packages (13.0.0) which may not be production-ready
2. Dependency Compatibility: The OpenTelemetry packages (1.10.0) work cleanly with .NET 9, whereas newer versions trigger vulnerability warnings
3. Testing & Documentation: The .NET 9 implementation builds successfully without issues and matches the maturity level of the rest of the Microsoft.Identity.Web codebase

The DevApp can easily be upgraded to .NET 10 once Aspire 10.0.0 stable is released by simply updating the TargetFramework to net10.0 and package versions.

[jmprieur]

LGTM