Remove Entra ID remnants, simplify to Identity-only auth (#87)

- Remove Microsoft.Identity.Web NuGet packages from API, Web, and WebApp
- Remove Entra ID code paths from all Program.cs files (API, Web, WebApp)
- Remove MsalAuthService.cs and AuthenticatedApiDelegatingHandler.cs
- Remove AzureAd parameter definitions from AppHost
- Remove AzureAd/Auth config sections from all appsettings files
- Simplify LoginDisplay.razor to Identity-only auth UI
- Simplify AppLib ServiceCollectionExtentions to always use IdentityAuthService
- Clean AuthenticatedHttpMessageHandler of AzureAd:Scopes dependency
- Fix test factories for new JWT Bearer scheme naming
- Clean CI workflow of Auth:UseEntraId env var
- All 16 tests passing

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: davidortinau

.github/workflows/ci.yml

@@ -15,7 +15,6 @@ env:
   DOTNET_NOLOGO: true
   DOTNET_CLI_TELEMETRY_OPTOUT: true
   DOTNET_SKIP_FIRST_TIME_EXPERIENCE: true
-  Auth__UseEntraId: "false"
 
 jobs:
   build:

src/SentenceStudio.Api/Program.cs

@@ -11,7 +11,6 @@
 using Microsoft.AspNetCore.Identity;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.Extensions.AI;
-using Microsoft.Identity.Web;
 using Microsoft.IdentityModel.Tokens;
 using OpenAI;
 using SentenceStudio.Api.Auth;
@@ -32,36 +31,6 @@
 // Add services to the container.
 // Learn more about configuring OpenAPI at https://aka.ms/aspnet/openapi
 builder.Services.AddOpenApi();
-var useEntraId = builder.Configuration.GetValue<bool>("Auth:UseEntraId");
-
-if (useEntraId)
-{
-    builder.Services.AddAuthentication(Microsoft.Identity.Web.Constants.Bearer)
-        .AddMicrosoftIdentityWebApi(builder.Configuration.GetSection("AzureAd"));
-
-    builder.Services.AddAuthorization(options =>
-    {
-        options.AddPolicy("RequireUserRead", policy =>
-            policy.RequireScope("user.read"));
-        options.AddPolicy("RequireUserWrite", policy =>
-            policy.RequireScope("user.write"));
-        options.AddPolicy("RequireAiAccess", policy =>
-            policy.RequireScope("ai.access"));
-        options.AddPolicy("RequireSyncReadWrite", policy =>
-            policy.RequireScope("sync.readwrite"));
-    });
-}
-else if (builder.Environment.IsDevelopment())
-{
-    builder.Services.AddAuthentication(DevAuthHandler.SchemeName)
-        .AddScheme<AuthenticationSchemeOptions, DevAuthHandler>(DevAuthHandler.SchemeName, _ => { });
-    builder.Services.AddAuthorization();
-}
-else
-{
-    throw new InvalidOperationException(
-        "Entra ID authentication must be enabled in non-development environments. Set Auth:UseEntraId=true.");
-}
 
 // ASP.NET Core Identity for local account management
 builder.Services.AddIdentityCore<ApplicationUser>(options =>
@@ -74,12 +43,12 @@
     .AddEntityFrameworkStores<ApplicationDbContext>()
     .AddDefaultTokenProviders();
 
-// JWT Bearer validation for Identity-issued tokens
+// JWT Bearer authentication for Identity-issued tokens
 var jwtSigningKey = builder.Configuration["Jwt:SigningKey"];
 if (!string.IsNullOrWhiteSpace(jwtSigningKey))
 {
-    builder.Services.AddAuthentication()
-        .AddJwtBearer("IdentityJwt", options =>
+    builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
+        .AddJwtBearer(options =>
         {
             options.TokenValidationParameters = new TokenValidationParameters
             {
@@ -95,6 +64,19 @@
             };
         });
 }
+else if (builder.Environment.IsDevelopment())
+{
+    // Fallback to dev auth handler when no JWT key is configured
+    builder.Services.AddAuthentication(DevAuthHandler.SchemeName)
+        .AddScheme<AuthenticationSchemeOptions, DevAuthHandler>(DevAuthHandler.SchemeName, _ => { });
+}
+else
+{
+    throw new InvalidOperationException(
+        "Jwt:SigningKey must be configured in non-development environments.");
+}
+
+builder.Services.AddAuthorization();
 
 builder.Services.AddScoped<JwtTokenService>();
 

src/SentenceStudio.Api/SentenceStudio.Api.csproj

@@ -16,7 +16,6 @@
       <PrivateAssets>all</PrivateAssets>
       <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
     </PackageReference>
-    <PackageReference Include="Microsoft.Identity.Web" Version="3.8.2" />
   </ItemGroup>
 
   <ItemGroup>

src/SentenceStudio.Api/appsettings.Development.json

@@ -4,14 +4,5 @@
       "Default": "Information",
       "Microsoft.AspNetCore": "Warning"
     }
-  },
-  "Auth": {
-    "UseEntraId": false
-  },
-  "AzureAd": {
-    "Instance": "https://login.microsoftonline.com/",
-    "TenantId": "49c0cd14-bc68-4c6d-b87b-9d65a56fa6df",
-    "ClientId": "8c051bcf-bd3a-4051-9cd3-0556ba5df2d8",
-    "Audience": "api://8c051bcf-bd3a-4051-9cd3-0556ba5df2d8"
   }
 }

src/SentenceStudio.AppHost/AppHost.cs

@@ -6,10 +6,6 @@
 var syncfusionkey = builder.AddParameter("syncfusionkey", secret: true);
 var elevenlabskey = builder.AddParameter("elevenlabskey", secret: true);
 
-var azureAdTenantId = builder.AddParameter("AzureAdTenantId", secret: false);
-var azureAdClientId = builder.AddParameter("AzureAdClientId", secret: false);
-var azureAdAudience = builder.AddParameter("AzureAdAudience", secret: false);
-
 var postgres = builder.AddPostgres("db")
     .AddDatabase("sentencestudio");
 
@@ -21,11 +17,7 @@
 
 var api = builder.AddProject<SentenceStudio_Api>("api")
     .WithEnvironment("AI__OpenAI__ApiKey", openaikey)
-    .WithEnvironment("ElevenLabsKey", elevenlabskey)
-    .WithEnvironment("AzureAd__Instance", "https://login.microsoftonline.com/")
-    .WithEnvironment("AzureAd__TenantId", azureAdTenantId)
-    .WithEnvironment("AzureAd__ClientId", azureAdClientId)
-    .WithEnvironment("AzureAd__Audience", azureAdAudience);
+    .WithEnvironment("ElevenLabsKey", elevenlabskey);
     // Email (production only -- dev mode uses ConsoleEmailSender automatically):
     //   .WithEnvironment("Email__SmtpHost", "<smtp-host>")
     //   .WithEnvironment("Email__SmtpPort", "587")

src/SentenceStudio.AppLib/ServiceCollectionExtentions.cs

@@ -63,16 +63,7 @@ public static void AddSyncServices(this IServiceCollection services, string data
 
     public static IServiceCollection AddAuthServices(this IServiceCollection services, IConfiguration configuration)
     {
-        var useEntraId = configuration.GetValue<bool>("Auth:UseEntraId");
-
-        if (useEntraId)
-        {
-            services.AddSingleton<IAuthService, MsalAuthService>();
-        }
-        else
-        {
-            services.AddSingleton<IAuthService, IdentityAuthService>();
-        }
+        services.AddSingleton<IAuthService, IdentityAuthService>();
 
         // Register a named HttpClient for auth endpoints (login, register, refresh).
         // Uses the same API base URL as other clients but without the auth handler

src/SentenceStudio.AppLib/Services/AuthenticatedHttpMessageHandler.cs

@@ -2,43 +2,35 @@
 using System.Net.Http.Headers;
 using System.Threading;
 using System.Threading.Tasks;
-using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.Logging;
 
 namespace SentenceStudio.Services;
 
 /// <summary>
 /// Delegating handler that attaches a Bearer token to outgoing requests.
-/// For Entra ID, uses configured scopes. For Identity auth (no scopes configured),
-/// requests the token with an empty scope array — IdentityAuthService returns the
-/// stored JWT regardless of scopes.
+/// Gets the token from IAuthService (IdentityAuthService).
 /// If token acquisition returns null, the request proceeds unauthenticated so the
 /// server's DevAuthHandler can handle it during development.
 /// </summary>
 public class AuthenticatedHttpMessageHandler : DelegatingHandler
 {
-    private readonly string[] _defaultScopes;
     private readonly IAuthService _authService;
     private readonly ILogger<AuthenticatedHttpMessageHandler> _logger;
 
     public AuthenticatedHttpMessageHandler(
         IAuthService authService,
-        IConfiguration configuration,
         ILogger<AuthenticatedHttpMessageHandler> logger)
     {
         _authService = authService;
         _logger = logger;
-
-        _defaultScopes = configuration.GetSection("AzureAd:Scopes").Get<string[]>()
-            ?? Array.Empty<string>();
     }
 
     protected override async Task<HttpResponseMessage> SendAsync(
         HttpRequestMessage request, CancellationToken cancellationToken)
     {
         try
         {
-            var token = await _authService.GetAccessTokenAsync(_defaultScopes);
+            var token = await _authService.GetAccessTokenAsync(Array.Empty<string>());
             if (!string.IsNullOrEmpty(token))
             {
                 request.Headers.Authorization =