Add guidance on V1 and V2 STS tokens

[guardrex]

Fixes #36978
Fixes #37030
Fixes #37031

Stephen ...

• The convo that led to this is at the Blazor samples repo: BlazorWebAppEntraBff endpoints might need updating blazor-samples#654 (comment)
• TL;DR on that convo (I wrote a 📖🙈😆) ... We spoke years ago about this and decided to just go with V1 tokens. I'm seeing now if we can expand coverage to include guidance on V2 STS tokens.
• IDK if the 🧀 moved (perhaps ME-ID is less flexible on it than AAD of yesteryear), but the ME-ID authority URL requires a trailing slash now. This PR adds it where we show the V1 (sts.windows.net) URLs.
• Adding a section on how to get the token (and token details) logged at an endpoint during development. I do not plan to add the code to the samples, only show it in the article in the Troubleshoot section. Thanks, @GC-brian-taylor! 🚀
• Open questions for the new V2 STS token guidance section ...
  1. I'm currently only showing explicit token issuer validation with TokenValidationParameters for the web API (MinimalApiJwt). Should I also be doing that in the Blazor app's Program file?
  2. In the web API config for TokenValidationParameters, why is the ValidAudience just the client id and not the full audience passed to jwtOptions.Audience? If I try to use the full audience value there, it 💥 with a mismatch error with Azure and explicitly tells me that its just looking for the client id.

---

Internal previews

📄 File	🔗 Preview link
aspnetcore/blazor/security/blazor-web-app-with-entra.md	aspnetcore/blazor/security/blazor-web-app-with-entra
aspnetcore/blazor/security/blazor-web-app-with-oidc.md	aspnetcore/blazor/security/blazor-web-app-with-oidc

[Copilot]

Pull request overview

Adds documentation to clarify V1 vs V2 Microsoft Entra STS token issuer formats and links OIDC guidance to the new Entra-specific section so readers can choose the correct authority/issuer settings.

Changes:

• Adds a new STS token version section to the Entra Blazor Web App security article with V1/V2 authority examples and V2 migration notes.
• Adds cross-references from the OIDC Blazor Web App security article to the Entra article’s STS token version guidance.
• Expands authority examples in the Entra article to explicitly show both V1 and V2 issuer URL formats for ME-ID tenants.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 6 comments.

File	Description
aspnetcore/blazor/security/blazor-web-app-with-oidc.md	Adds repeated notes/cross-links pointing readers to Entra STS token version guidance.
aspnetcore/blazor/security/blazor-web-app-with-entra.md	Adds V1/V2 authority examples and a new STS token version section with V2 migration guidance.

[tdykstra]

I'll wait to see @halter73's review before adding mine.

[guardrex]

Thanks again, @GC-brian-taylor! If you look at the last commit, I'm going to see if we can add that troubleshooting guidance here. Makes sense, given that @halter73 has to review this for the other items anyway ... a time saver for him.

I changed it up a bit from what you did ...

• Slightly different approach for the code that gets the header and token.
• Used structured logging calls.
• Logs the full token, so the dev can take it to an online decoder.
• DEBUG config only, and I have a red warning (caution) about not logging tokens in production.

[Copilot]

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 6 comments.