Blazor security updates (#28922)

aspnetcore/blazor/security/includes/wasm-aad-b2c-custom-policies.md

@@ -0,0 +1 @@
+The Microsoft Authentication Library (<xref:Microsoft.Authentication.WebAssembly.Msal>, [NuGet package](https://www.nuget.org/packages/Microsoft.Authentication.WebAssembly.Msal/)) doesn't support [AAD B2C custom policies](/azure/active-directory-b2c/user-flow-overview) by default.

aspnetcore/blazor/security/includes/wasm-aad-b2c-userflows.md

@@ -1 +0,0 @@
-The Microsoft Authentication Library (<xref:Microsoft.Authentication.WebAssembly.Msal>, [NuGet package](https://www.nuget.org/packages/Microsoft.Authentication.WebAssembly.Msal/)) doesn't support [AAD B2C user flows](/azure/active-directory-b2c/user-flow-overview) by default. Create custom user flows in developer code. For more information on how to build a challenge for a custom user flow, see [User flows in Azure Active Directory B2C](/azure/active-directory-b2c/user-flow-overview).

aspnetcore/blazor/security/webassembly/hosted-with-azure-active-directory-b2c.md

@@ -14,6 +14,8 @@ uid: blazor/security/webassembly/hosted-with-azure-active-directory-b2c
 
 This article explains how to create a [hosted Blazor WebAssembly solution](xref:blazor/hosting-models#blazor-webassembly) that uses [Azure Active Directory (AAD) B2C](/azure/active-directory-b2c/overview) for authentication.
 
+For additional security scenario coverage after reading this article, see <xref:blazor/security/webassembly/additional-scenarios>.
+
 ## Walkthrough
 
 The subsections of the walkthrough explain how to:
@@ -36,7 +38,7 @@ Register an AAD B2C app for the *Server API app*:
 1. Navigate to **Azure AD B2C** in the Azure portal. Select **App registrations** in the sidebar. Select the **New registration** button.
 1. Provide a **Name** for the app (for example, **Blazor Server AAD B2C**).
 1. For **Supported account types**, select the multi-tenant option: **Accounts in any identity provider or organizational directory (for authenticating users with user flows)**
-1. The *Server API app* doesn't require a **Redirect URI** in this scenario, so skip the **Redirect URI** setting don't enter a redirect URI.
+1. The *Server API app* doesn't require a **Redirect URI** in this scenario, so leave the **Select a platform** dropdown list unselected and don't enter a redirect URI.
 1. If you're using an [unverified publisher domain](/azure/active-directory/develop/howto-configure-publisher-domain), confirm that **Permissions** > **Grant admin consent to openid and offline_access permissions** is selected. If the publisher domain is verified, this checkbox isn't present.
 1. Select **Register**.
 
@@ -152,9 +154,9 @@ If the scope is incorrect, update the value now.
 
 [!INCLUDE[](~/blazor/security/includes/run-the-app.md)]
 
-## Custom user flows
+## Custom policies
 
-[!INCLUDE[](~/blazor/security/includes/wasm-aad-b2c-userflows.md)]
+[!INCLUDE[](~/blazor/security/includes/wasm-aad-b2c-custom-policies.md)]
 
 ## Configure `User.Identity.Name`
 

aspnetcore/blazor/security/webassembly/hosted-with-azure-active-directory.md

@@ -16,6 +16,8 @@ This article explains how to create a [hosted Blazor WebAssembly solution](xref:
 
 This article doesn't cover a *multi-tenant Azure Active Directory registration*. For more information, see [Making your application multi-tenant](/azure/active-directory/develop/howto-convert-app-to-be-multi-tenant).
 
+For additional security scenario coverage after reading this article, see <xref:blazor/security/webassembly/additional-scenarios>.
+
 ## Walkthrough
 
 The subsections of the walkthrough explain how to:
@@ -39,7 +41,7 @@ Register an AAD app for the *Server API app*:
 1. Navigate to **Azure Active Directory** in the Azure portal. Select **App registrations** in the sidebar. Select the **New registration** button.
 1. Provide a **Name** for the app (for example, **Blazor Server AAD**).
 1. Choose a **Supported account types**. You may select **Accounts in this organizational directory only** (single tenant) for this experience.
-1. The *Server API app* doesn't require a **Redirect URI** in this scenario, so leave the dropdown list set to **Web** and don't enter a redirect URI.
+1. The *Server API app* doesn't require a **Redirect URI** in this scenario, so leave the **Select a platform** dropdown list unselected and don't enter a redirect URI.
 1. If you're using an [unverified publisher domain](/azure/active-directory/develop/howto-configure-publisher-domain), clear the **Permissions** > **Grant admin consent to openid and offline_access permissions** checkbox. If the publisher domain is verified, this checkbox isn't present.
 1. Select **Register**.
 

aspnetcore/blazor/security/webassembly/hosted-with-identity-server.md

@@ -24,6 +24,8 @@ This article explains how to create a [hosted Blazor WebAssembly solution](xref:
 > [!NOTE]
 > To configure a standalone or hosted Blazor WebAssembly app to use an existing, external Identity Server instance, follow the guidance in <xref:blazor/security/webassembly/standalone-with-authentication-library>.
 
+For additional security scenario coverage after reading this article, see <xref:blazor/security/webassembly/additional-scenarios>.
+
 ## Walkthrough
 
 The subsections of the walkthrough explain how to:

aspnetcore/blazor/security/webassembly/index.md

@@ -14,6 +14,8 @@ uid: blazor/security/webassembly/index
 
 Blazor WebAssembly apps are secured in the same manner as single-page applications (SPAs). There are several approaches for authenticating users to SPAs, but the most common and comprehensive approach is to use an implementation based on the [OAuth 2.0 protocol](https://oauth.net/), such as [OpenID Connect (OIDC)](https://openid.net/connect/).
 
+The Blazor WebAssembly security documentation primarily focuses on how to accomplish user authentication and authorization tasks. For OAuth 2.0/OIDC general concept coverage, see the resources in the [main overview article's *Additional resources* section](xref:blazor/security/index#additional-resources).
+
 ## Authentication library
 
 Blazor WebAssembly supports authenticating and authorizing apps using OIDC via the [`Microsoft.AspNetCore.Components.WebAssembly.Authentication`](https://www.nuget.org/packages/Microsoft.AspNetCore.Components.WebAssembly.Authentication) library. The library provides a set of primitives for seamlessly authenticating against ASP.NET Core backends. The library integrates ASP.NET Core Identity with API authorization support built on top of [Duende Identity Server](https://docs.duendesoftware.com). The library can authenticate against any third-party Identity Provider (IP) that supports OIDC, which are called OpenID Providers (OP).

aspnetcore/blazor/security/webassembly/standalone-with-authentication-library.md

@@ -16,6 +16,8 @@ This article explains how to secure an ASP.NET Core Blazor WebAssembly standalon
 
 *For Azure Active Directory (AAD) and Azure Active Directory B2C (AAD B2C) guidance, don't follow the guidance in this topic. See <xref:blazor/security/webassembly/standalone-with-azure-active-directory> or <xref:blazor/security/webassembly/standalone-with-azure-active-directory-b2c>.*
 
+For additional security scenario coverage after reading this article, see <xref:blazor/security/webassembly/additional-scenarios>.
+
 ## Walkthrough
 
 The subsections of the walkthrough explain how to:

aspnetcore/blazor/security/webassembly/standalone-with-azure-active-directory-b2c.md

@@ -14,6 +14,8 @@ uid: blazor/security/webassembly/standalone-with-azure-active-directory-b2c
 
 This article explains how to create a [standalone Blazor WebAssembly app](xref:blazor/hosting-models#blazor-webassembly) that uses [Azure Active Directory (AAD) B2C](/azure/active-directory-b2c/overview) for authentication.
 
+For additional security scenario coverage after reading this article, see <xref:blazor/security/webassembly/additional-scenarios>.
+
 ## Walkthrough
 
 The subsections of the walkthrough explain how to:
@@ -205,9 +207,9 @@ For more information, see the following sections of the *Additional scenarios* a
 
 [!INCLUDE[](~/blazor/security/includes/authentication-component.md)]
 
-### Custom user flows
+### Custom policies
 
-[!INCLUDE[](~/blazor/security/includes/wasm-aad-b2c-userflows.md)]
+[!INCLUDE[](~/blazor/security/includes/wasm-aad-b2c-custom-policies.md)]
 
 ## Troubleshoot
 

aspnetcore/blazor/security/webassembly/standalone-with-azure-active-directory.md

@@ -14,6 +14,8 @@ uid: blazor/security/webassembly/standalone-with-azure-active-directory
 
 This article explains how to create a [standalone Blazor WebAssembly app](xref:blazor/hosting-models#blazor-webassembly) that uses [Azure Active Directory (AAD)](https://azure.microsoft.com/services/active-directory/) for authentication.
 
+For additional security scenario coverage after reading this article, see <xref:blazor/security/webassembly/additional-scenarios>.
+
 ## Walkthrough
 
 The subsections of the walkthrough explain how to:

aspnetcore/blazor/security/webassembly/standalone-with-microsoft-accounts.md

@@ -14,6 +14,8 @@ uid: blazor/security/webassembly/standalone-with-microsoft-accounts
 
 This article explains how to create a [standalone Blazor WebAssembly app](xref:blazor/hosting-models#blazor-webassembly) that uses [Microsoft Accounts with Azure Active Directory (AAD)](/azure/active-directory/develop/quickstart-register-app#register-a-new-application-using-the-azure-portal) for authentication.
 
+For additional security scenario coverage after reading this article, see <xref:blazor/security/webassembly/additional-scenarios>.
+
 ## Walkthrough
 
 The subsections of the walkthrough explain how to: