pamelafox (Collaborator) commented Dec 1, 2024

Purpose

Fixes #2181

This PR configures built-in auth for the new default deployment target, Azure Container Apps.
It also configures CORS correctly, based on Matt's old PR with a few fixes, so that logout works as expected.

This uses a currently undocumented way of connecting the token storage container, which uses managed identity instead of keys. I've asked the team about the timeline for documenting that feature. Note that built-in auth for ACA is considered a preview feature.

One potential issue: if you've got an app with built-in auth deployed already, then our frontend code will only log out the user from MSAL, not from built-in auth, because it checks for an MSAL token first. We could potentially change that to be based on whether the ".auth/me" endpoint returned anything.

Does this introduce a breaking change?

When developers merge from main and run the server, azd up, or azd deploy, will this produce an error?
If you're not sure, try it out on an old environment.

[X] Yes - Somewhat, in that it's a different experience, and if users are already logged in via MSAL, their logout won't work (as it'll be an MSAL logout only).
[ ] No

Does this require changes to learn.microsoft.com docs?

This repository is referenced by this tutorial
which includes deployment, settings and usage instructions. If text or screenshot need to change in the tutorial,
check the box below and notify the tutorial author. A Microsoft employee can do this for you if you're an external contributor.

[ ] Yes
[X] No

Type of change

[X] Bugfix
[X] Feature
[ ] Code style update (formatting, local variables)
[ ] Refactoring (no functional changes, no api changes)
[ ] Documentation content changes
[ ] Other... Please describe:

Code quality checklist

See CONTRIBUTING.md for more details.

  • The current tests all pass (python -m pytest).
  • I added tests that prove my fix is effective or that my feature works
  • I ran python -m pytest --cov to verify 100% coverage of added lines
  • I ran python -m mypy to check for type errors
  • I either used the pre-commit hooks or ran ruff and black manually on my code.

@mattgotteiner mattgotteiner mentioned this pull request Dec 2, 2024
@pamelafox pamelafox merged commit 829a7a6 into main Dec 2, 2024
12 checks passed
rgrey (Contributor) commented Dec 2, 2024

Ooh great. I think :-) I deployed to a container app which was behind Entra Auth and app correctly asks for auth before displaying the chat page, however, the login context was not set (with the Login button saying just that!). Clicking would then log the user in without any further interaction. Hopefully, this resolves that so the user context is logged in from the outset?

pamelafox (Collaborator, Author)

With this change, it will prompt the user to log in, then fetch the token from .auth/me, so that the user appears as logged in as soon as they see the chat screen.

If you already were using built-in auth though, you may want to clear your cookies/localStorage.
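
The logout ordering raised in the PR description and the .auth/me check described in the reply above, as an added example that is not part of the PR or the repository's code. The function names are hypothetical, and the response fields (`provider_name`, `user_id`, `id_token`) and the `/.auth/logout?post_logout_redirect_uri=` path are assumed from the documented App Service built-in auth behaviour.

```javascript
// Added example, not code from the PR. Field names and the logout path are
// assumptions based on App Service built-in auth; function names are hypothetical.

// Turn a /.auth/me response into a session, or null when built-in auth has no user.
function sessionFromAuthMe(status, bodyText) {
  if (status !== 200) return null; // e.g. built-in auth not enabled on this host
  let payload;
  try {
    payload = JSON.parse(bodyText);
  } catch {
    return null; // an HTML error or login page is not a session
  }
  if (!Array.isArray(payload) || payload.length === 0) return null;
  const entry = payload[0];
  if (!entry || typeof entry.id_token !== "string" || entry.id_token === "") return null;
  return { provider: entry.provider_name ?? "unknown", userId: entry.user_id ?? null };
}

// Decide which logout to run. Built-in auth is checked first, so a cached MSAL
// account cannot hide a live built-in session and leave its cookie in place.
function chooseLogout(builtInSession, msalAccount, returnPath = "/") {
  // Only same-site relative paths are accepted as the post-logout target.
  const safePath = /^\/(?![\/\\])/.test(returnPath) ? returnPath : "/";
  if (builtInSession) {
    return {
      kind: "built-in",
      url: "/.auth/logout?post_logout_redirect_uri=" + encodeURIComponent(safePath),
    };
  }
  if (msalAccount) return { kind: "msal", url: null };
  return { kind: "none", url: null };
}

// Constructed sample responses (no real tokens).
const SIGNED_IN = JSON.stringify([
  { provider_name: "aad", user_id: "user@example.com", id_token: "constructed.id.token" },
]);
const SIGNED_OUT = "[]";
```
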

Successfully merging this pull request may close these issues.

ACA deployment does not configure built-in auth