add minimal auth endpoint, remove savetokens, re-order things

TimHess · TimHess · commit 558884a93bab · 2025-09-02T11:43:05.000-05:00
diff --git a/docs/docs/v4/welcome/migrate-quick-steps.md b/docs/docs/v4/welcome/migrate-quick-steps.md
@@ -1293,16 +1293,15 @@ using Steeltoe.Security.Authentication.CloudFoundry;
 var builder = WebApplication.CreateBuilder(args);
 builder.AddCloudFoundryConfiguration();
 builder.Services.AddAuthentication(options =>
-{
-    options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
-    options.DefaultChallengeScheme = CloudFoundryDefaults.AuthenticationScheme;
-})
+    {
+        options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
+        options.DefaultChallengeScheme = CloudFoundryDefaults.AuthenticationScheme;
+    })
     .AddCookie(options => options.AccessDeniedPath = new PathString("/Home/AccessDenied"))
 -    .AddCloudFoundryOAuth(builder.Configuration);
 +    .AddCloudFoundryOpenIdConnect(builder.Configuration);
 builder.Services.AddAuthorizationBuilder()
-    .AddPolicy("read", policy => policy.RequireClaim("scope", "sampleapi.read"))
-    .AddPolicy("write", policy => policy.RequireClaim("scope", "sampleapi.write"));
+    .AddPolicy("read", policy => policy.RequireClaim("scope", "sampleapi.read"));
 
 var app = builder.Build();
 
@@ -1314,6 +1313,12 @@ app.UseForwardedHeaders(new ForwardedHeadersOptions
 app.UseAuthentication();
 app.UseAuthorization();
 
+app.MapGet("/test-auth", async httpContext =>
+    {
+        httpContext.Response.StatusCode = 200;
+        httpContext.Response.ContentType = "text/plain";
+        await httpContext.Response.WriteAsync("You are logged in and carry the required claim.");
+    }).RequireAuthorization("read");
 ```
 
 ### OpenID Connect
@@ -1341,27 +1346,25 @@ appsettings.json:
 -    "Oauth2": {
 -      "Client": {
 -        "Authority": "http://localhost:8080/uaa",
--        "CallbackPath": "/signin-oidc",
--        "ClientId": "steeltoesamplesclient",
--        "ClientSecret": "client_secret",
 -        "MetadataAddress": "http://localhost:8080/.well-known/openid-configuration",
 -        "RequireHttpsMetadata": false,
--        "SaveTokens": true,
--        "AdditionalScopes": "sampleapi.read"
+-        "AdditionalScopes": "sampleapi.read",
+-        "CallbackPath": "/signin-oidc",
+-        "ClientId": "steeltoesamplesclient",
+-        "ClientSecret": "client_secret"
 -      }
 -    }
 -  }
 +  "Authentication": {
 +    "Schemes": {
 +      "OpenIdConnect": {
 +        "Authority": "http://localhost:8080/uaa",
-+        "CallbackPath": "/signin-oidc",
-+        "ClientId": "steeltoesamplesclient",
-+        "ClientSecret": "client_secret",
 +        "MetadataAddress": "http://localhost:8080/.well-known/openid-configuration",
 +        "RequireHttpsMetadata": false,
-+        "SaveTokens": true,
-+        "Scope": [ "openid", "sampleapi.read" ]
++        "Scope": [ "openid", "sampleapi.read" ],
++        "CallbackPath": "/signin-oidc",
++        "ClientId": "steeltoesamplesclient",
++        "ClientSecret": "client_secret"
 +      }
 +    }
 +  }
@@ -1388,17 +1391,16 @@ var builder = WebApplication.CreateBuilder(args);
 builder.AddCloudFoundryConfiguration();
 +builder.Configuration.AddCloudFoundryServiceBindings();
 builder.Services.AddAuthentication(options =>
-{
-    options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
--    options.DefaultChallengeScheme = CloudFoundryDefaults.AuthenticationScheme;
-+    options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
-})
+    {
+        options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
+-        options.DefaultChallengeScheme = CloudFoundryDefaults.AuthenticationScheme;
++        options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
+    })
     .AddCookie(options => options.AccessDeniedPath = new PathString("/Home/AccessDenied"))
 -    .AddCloudFoundryOpenIdConnect(builder.Configuration);
 +    .AddOpenIdConnect().ConfigureOpenIdConnectForCloudFoundry();
 builder.Services.AddAuthorizationBuilder()
-    .AddPolicy("read", policy => policy.RequireClaim("scope", "sampleapi.read"))
-    .AddPolicy("write", policy => policy.RequireClaim("scope", "sampleapi.write"));
+    .AddPolicy("read", policy => policy.RequireClaim("scope", "sampleapi.read"));
 
 var app = builder.Build();
 
@@ -1409,6 +1411,13 @@ var app = builder.Build();
 
 app.UseAuthentication();
 app.UseAuthorization();
+
+app.MapGet("/test-auth", async httpContext =>
+    {
+        httpContext.Response.StatusCode = 200;
+        httpContext.Response.ContentType = "text/plain";
+        await httpContext.Response.WriteAsync("You are logged in and carry the required claim.");
+    }).RequireAuthorization("read");
 ```
 
 ### JWT Bearer
@@ -1515,6 +1524,19 @@ Project file:
 </Project>
 ```
 
+launchsettings.json (server-side):
+
+```diff
+{
+  "profiles": {
+    "http": {
+      "commandName": "Project",
+      "applicationUrl": "https://localhost:7107"
+    }
+  }
+}
+```
+
 Program.cs (server-side):
 
 ```diff
@@ -1559,19 +1581,6 @@ app.MapGet("/test-same-space", async httpContext =>
 > The code shown above is provided for compatibility between the versions. The preferred header name is `X-Client-Cert`.
 > In Steeltoe 4.0, the default header is `X-Client-Cert`, so the parameter can be omitted if cross-compatibility is not required.
 
-launchsettings.json (server-side):
-
-```diff
-{
-  "profiles": {
-    "http": {
-      "commandName": "Project",
-      "applicationUrl": "https://localhost:7107"
-    }
-  }
-}
-```
-
 Program.cs (client-side):
 
 ```diff
