feat: add OIDC authentication to WebApp (#44)

Microsoft.Identity.Web OIDC for Entra ID sign-in.
Conditional auth via UseEntraId flag. Token acquisition
for downstream API calls. Redis-backed token cache.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: davidortinau

.squad/agents/kaylee/history.md

@@ -9,6 +9,14 @@
 
 <!-- Append new learnings below. Each entry is something lasting about the project. -->
 
+- `Auth:UseEntraId` config flag controls auth mode in both API and WebApp — false = DevAuthHandler, true = Entra ID OIDC
+- Microsoft.Identity.Web OIDC uses `AddMicrosoftIdentityWebApp()` + `EnableTokenAcquisitionToCallDownstreamApi()` chain
+- Redis-backed distributed token cache via `Aspire.StackExchange.Redis.DistributedCaching` (match AppHost Aspire version for preview packages)
+- `ConfigureHttpClientDefaults` adds DelegatingHandler to ALL HttpClient instances from the factory
+- Microsoft.Identity.Web.UI requires `AddControllersWithViews()` + `MapControllers()` for sign-in/sign-out endpoints
+- `appsettings.json` is gitignored — config changes there are local-only, use `appsettings.Development.json` for tracked dev config
+- Client secrets go in user-secrets, never in tracked config files
+
 - Blazor pages in `src/SentenceStudio.UI/Pages/` — follow `activity-page-wrapper` layout pattern
 - MauiReactor conventions: `VStart()` not `Top()`, `VEnd()` not `Bottom()`, `HStart()`/`HEnd()` not `Start()`/`End()`
 - NEVER use emojis in UI — use Bootstrap icons (bi-*) or text. Non-negotiable.
@@ -39,3 +47,17 @@
 
 **Critical Path:** CoreSync SQLite→PostgreSQL migration (#55, XL).
 
+### 2026-03-14 — WebApp OIDC Authentication (#44)
+
+**Status:** Complete
+**Branch:** `feature/44-webapp-oidc`
+
+Added OIDC authentication to the Blazor WebApp:
+- NuGet: Microsoft.Identity.Web, .UI, .DownstreamApi, Aspire Redis distributed cache
+- Conditional auth via `Auth:UseEntraId` flag (false = DevAuthHandler, true = Entra ID)
+- `AuthenticatedApiDelegatingHandler` attaches Bearer tokens to all outgoing API calls
+- Redis-backed distributed token cache (Aspire integration, matches AppHost Aspire version)
+- `LoginDisplay.razor` with Bootstrap icons (bi-person, bi-box-arrow-right)
+- `CascadingAuthenticationState` in App.razor
+- Build verified: zero new errors (pre-existing DuplicateGroup issue in SentenceStudio.UI is unrelated)
+

.squad/decisions/inbox/kaylee-webapp-oidc.md

@@ -0,0 +1,59 @@
+# Decision: WebApp OIDC Authentication (#44)
+
+**Date:** 2026-03-14
+**Author:** Kaylee (Full-stack Dev)
+**Status:** IMPLEMENTED
+**Branch:** `feature/44-webapp-oidc`
+
+## Summary
+
+Added Microsoft.Identity.Web OIDC authentication to the Blazor WebApp with the same conditional `Auth:UseEntraId` pattern used in the API (Wash's #43 work).
+
+## What Changed
+
+### NuGet Packages Added
+- `Microsoft.Identity.Web` — OIDC/OpenID Connect integration
+- `Microsoft.Identity.Web.UI` — Sign-in/sign-out controller endpoints
+- `Microsoft.Identity.Web.DownstreamApi` — Token acquisition for API calls
+- `Aspire.StackExchange.Redis.DistributedCaching` (v13.3.0-preview.1.26156.1) — Redis-backed distributed token cache
+
+### Auth Flow (Conditional)
+
+When `Auth:UseEntraId` is **true**:
+- `AddMicrosoftIdentityWebApp()` configures OIDC with Entra ID
+- `EnableTokenAcquisitionToCallDownstreamApi()` acquires tokens for API
+- `AddDistributedTokenCaches()` + `AddRedisDistributedCache("cache")` for Redis-backed token cache
+- `AuthenticatedApiDelegatingHandler` attaches Bearer tokens to all outgoing HttpClient calls
+- `AddMicrosoftIdentityUI()` provides `/MicrosoftIdentity/Account/SignIn` and `SignOut` endpoints
+
+When `Auth:UseEntraId` is **false** (default):
+- Existing `DevAuthHandler` provides auto-authenticated dev user (no config needed)
+
+### New Files
+- `Auth/AuthenticatedApiDelegatingHandler.cs` — DelegatingHandler using ITokenAcquisition
+- `Components/Layout/LoginDisplay.razor` — Sign-in/sign-out UI with Bootstrap icons (bi-person, bi-box-arrow-right)
+
+### Modified Files
+- `Program.cs` — Conditional auth registration, HttpClient handler wiring, MapControllers
+- `SentenceStudio.WebApp.csproj` — NuGet packages
+- `Components/App.razor` — `<CascadingAuthenticationState>` wrapper
+- `Components/Layout/MainLayout.razor` — LoginDisplay in top-row
+- `Components/_Imports.razor` — `Microsoft.AspNetCore.Components.Authorization` using
+- `appsettings.json` (gitignored) — AzureAd, Auth, DownstreamApi sections
+
+### Configuration Required for Production
+1. Set `Auth:UseEntraId` to `true`
+2. Store client secret in user-secrets: `dotnet user-secrets set "AzureAd:ClientSecret" "<value>"`
+3. Redis must be running (Aspire AppHost already configures this)
+
+## Design Rationale
+
+- **Conditional pattern:** Matches API's DevAuthHandler approach — zero friction for local dev
+- **Redis token cache:** WebApp is server-rendered, needs shared token cache; Redis already in AppHost
+- **DelegatingHandler on all HttpClients:** `ConfigureHttpClientDefaults` ensures all API clients get auth tokens automatically
+- **No emojis:** Bootstrap icons only per team standards
+
+## Dependencies
+- Requires Entra ID app registration (#42) for production use
+- Works alongside API auth (#43) — same tenant/scopes
+- Redis resource in AppHost (already configured)

src/SentenceStudio.WebApp/Auth/AuthenticatedApiDelegatingHandler.cs

@@ -0,0 +1,43 @@
+using Microsoft.Identity.Web;
+
+namespace SentenceStudio.WebApp.Auth;
+
+/// <summary>
+/// Attaches a Bearer token to outgoing API calls when Entra ID auth is active.
+/// </summary>
+public sealed class AuthenticatedApiDelegatingHandler : DelegatingHandler
+{
+    private readonly ITokenAcquisition _tokenAcquisition;
+    private readonly IConfiguration _configuration;
+    private readonly ILogger<AuthenticatedApiDelegatingHandler> _logger;
+
+    public AuthenticatedApiDelegatingHandler(
+        ITokenAcquisition tokenAcquisition,
+        IConfiguration configuration,
+        ILogger<AuthenticatedApiDelegatingHandler> logger)
+    {
+        _tokenAcquisition = tokenAcquisition;
+        _configuration = configuration;
+        _logger = logger;
+    }
+
+    protected override async Task<HttpResponseMessage> SendAsync(
+        HttpRequestMessage request,
+        CancellationToken cancellationToken)
+    {
+        try
+        {
+            var scopes = _configuration.GetSection("DownstreamApi:Scopes").Get<string[]>()
+                         ?? ["api://8c051bcf-bd3a-4051-9cd3-0556ba5df2d8/.default"];
+
+            var token = await _tokenAcquisition.GetAccessTokenForUserAsync(scopes);
+            request.Headers.Authorization = new System.Net.Http.Headers.AuthenticationHeaderValue("Bearer", token);
+        }
+        catch (Exception ex)
+        {
+            _logger.LogWarning(ex, "Failed to acquire token for downstream API call");
+        }
+
+        return await base.SendAsync(request, cancellationToken);
+    }
+}

src/SentenceStudio.WebApp/Components/App.razor

@@ -18,7 +18,9 @@
 </head>
 
 <body>
-    <SentenceStudio.WebUI.Routes @rendermode="InteractiveServer" />
+    <CascadingAuthenticationState>
+        <SentenceStudio.WebUI.Routes @rendermode="InteractiveServer" />
+    </CascadingAuthenticationState>
     <ReconnectModal />
     <script src="https://cdn.jsdelivr.net/npm/bootstrap@5.3.3/dist/js/bootstrap.bundle.min.js"></script>
     <script src="https://cdn.jsdelivr.net/npm/chart.js@4.4.7/dist/chart.umd.min.js"></script>

src/SentenceStudio.WebApp/Components/Layout/LoginDisplay.razor

@@ -0,0 +1,19 @@
+@using Microsoft.AspNetCore.Components.Authorization
+
+<AuthorizeView>
+    <Authorized>
+        <div class="d-flex align-items-center gap-2">
+            <span class="text-light">
+                <i class="bi bi-person-circle me-1"></i>@context.User.Identity?.Name
+            </span>
+            <a href="MicrosoftIdentity/Account/SignOut" class="btn btn-outline-light btn-sm">
+                <i class="bi bi-box-arrow-right me-1"></i>Sign out
+            </a>
+        </div>
+    </Authorized>
+    <NotAuthorized>
+        <a href="MicrosoftIdentity/Account/SignIn" class="btn btn-outline-light btn-sm">
+            <i class="bi bi-person me-1"></i>Sign in
+        </a>
+    </NotAuthorized>
+</AuthorizeView>

src/SentenceStudio.WebApp/Components/Layout/MainLayout.razor

@@ -6,7 +6,8 @@
     </div>
 
     <main>
-        <div class="top-row px-4">
+        <div class="top-row px-4 d-flex justify-content-end align-items-center gap-3">
+            <LoginDisplay />
             <a href="https://learn.microsoft.com/aspnet/core/" target="_blank">About</a>
         </div>
 

src/SentenceStudio.WebApp/Components/_Imports.razor

@@ -11,4 +11,5 @@
 @using SentenceStudio.WebApp.Components.Layout
 @using SentenceStudio.WebUI
 @using SentenceStudio.WebUI.Services
+@using Microsoft.AspNetCore.Components.Authorization
 @using SentenceStudio.Abstractions

src/SentenceStudio.WebApp/Program.cs

@@ -1,6 +1,9 @@
 using ElevenLabs;
 using Microsoft.AspNetCore.Authentication;
+using Microsoft.AspNetCore.Authentication.OpenIdConnect;
 using Microsoft.Extensions.AI;
+using Microsoft.Identity.Web;
+using Microsoft.Identity.Web.UI;
 using OpenAI;
 using Plugin.Maui.Audio;
 using SentenceStudio.WebApp.Platform;
@@ -46,8 +49,34 @@
 
 builder.Services.AddRazorComponents()
     .AddInteractiveServerComponents();
-builder.Services.AddAuthentication(DevAuthHandler.SchemeName)
-    .AddScheme<AuthenticationSchemeOptions, DevAuthHandler>(DevAuthHandler.SchemeName, _ => { });
+
+var useEntraId = builder.Configuration.GetValue<bool>("Auth:UseEntraId");
+
+if (useEntraId)
+{
+    builder.Services.AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"))
+        .EnableTokenAcquisitionToCallDownstreamApi(
+            builder.Configuration.GetSection("DownstreamApi:Scopes").Get<string[]>()
+            ?? ["api://8c051bcf-bd3a-4051-9cd3-0556ba5df2d8/.default"])
+        .AddDistributedTokenCaches();
+
+    builder.AddRedisDistributedCache("cache");
+
+    builder.Services.AddTransient<AuthenticatedApiDelegatingHandler>();
+    builder.Services.ConfigureHttpClientDefaults(http =>
+    {
+        http.AddHttpMessageHandler<AuthenticatedApiDelegatingHandler>();
+    });
+
+    builder.Services.AddControllersWithViews()
+        .AddMicrosoftIdentityUI();
+}
+else
+{
+    builder.Services.AddAuthentication(DevAuthHandler.SchemeName)
+        .AddScheme<AuthenticationSchemeOptions, DevAuthHandler>(DevAuthHandler.SchemeName, _ => { });
+}
+
 builder.Services.AddAuthorization();
 
 builder.Services.AddSingleton<IPreferencesService>(_ => new WebPreferencesService(preferencesPath));
@@ -110,6 +139,12 @@
 app.UseAntiforgery();
 
 app.MapStaticAssets();
+
+if (useEntraId)
+{
+    app.MapControllers();
+}
+
 app.MapRazorComponents<App>()
     .AddAdditionalAssemblies(typeof(SentenceStudio.WebUI.Routes).Assembly)
     .AddInteractiveServerRenderMode();

src/SentenceStudio.WebApp/SentenceStudio.WebApp.csproj

@@ -1,5 +1,12 @@
 <Project Sdk="Microsoft.NET.Sdk.Web">
 
+  <ItemGroup>
+    <PackageReference Include="Aspire.StackExchange.Redis.DistributedCaching" Version="13.3.0-preview.1.26156.1" />
+    <PackageReference Include="Microsoft.Identity.Web" Version="*" />
+    <PackageReference Include="Microsoft.Identity.Web.DownstreamApi" Version="*" />
+    <PackageReference Include="Microsoft.Identity.Web.UI" Version="*" />
+  </ItemGroup>
+
   <ItemGroup>
     <ProjectReference Include="..\SentenceStudio.AppLib\SentenceStudio.AppLib.csproj" />
     <ProjectReference Include="..\SentenceStudio.Domain\SentenceStudio.Domain.csproj" />