[Epic]: Configuring minimal APIs for auth should be suitably simple & featured

[DamianEdwards]

Configuring authentication and authorization requirements for minimal APIs should be suitably inline with the overall experience.

• Add support for reading default scheme from config #41987
• Add dotnet user-jwts tool and runtime support #41520
• [ ] Introduce support for defining Authorization policies via Configuration #42172
• Allow direct configuration of authorization policies via endpoint metadata #39840
• [ ] Automatically infer OpenApiSecuritySchemes from authentication configuration #39761
• user-jwts issues #42113
• Simplify Authentication and Authorization configuration when using WebApplicationBuilder #39855
  [ ] Support config-based options for different authentication schemes #42170
• Support O DateTime(Offset) format in dotnet user-jwts tool #41973

Thanks for contacting us.

We're moving this issue to the Next sprint planning milestone for future evaluation / consideration. We would like to keep this around to collect more feedback, which can help us with prioritizing this work. We will re-evaluate this issue, during our next planning meeting(s).
If we later determine, that the issue has no community involvement, or it's very rare and low-impact issue, we will close it - so that the team can focus on more important and high impact issues.
To learn more about what to expect next and how this issue will be handled you can read more about our triage process here.

[bradygaster]

@DamianEdwards @davidfowl @LadyNaggaga do we have a minimum set of authz providers we wish to support? "that which we support now," meaning Microsoft Identity Platform (MIP/AAD), ASP.NET Core identity, and identity server? I'd prioritize them in that order, tbh.

[davidfowl]

I don't know the scope of this work, this doesn't even work by default (AFAIK) using MVC, so it's low on the priority list IMO.

[DamianEdwards]

Right, we need to figure out what's required here. It wasn't intended to be a "make the thing work automagically" but rather to force us to actually try it (I think @glennc started) and if anything falls out of that that's considered a real showstopper then it would get paged-in.

[LadyNaggaga]

Here is @glennc sample. This is how Glenn got auth to work with minimal APIs. I don't know if this is the experience we want

[DamianEdwards]

Wow OK, so the actual adding auth & CORS to the app isn't bad at all, but configuring Swashbuckle to support the auth scheme is quite a lot of code.