
Add guidance on V1 and V2 STS tokens#36979

Open
guardrex wants to merge 3 commits into main from guardrex/blazor-entra-oidc-v2-sts-tokens

Conversation

@guardrex
Collaborator

@guardrex guardrex commented Apr 10, 2026

Fixes #36978

Stephen ...

  • The convo that led to this is at the Blazor samples repo: BlazorWebAppEntraBff endpoints might need updating blazor-samples#654 (comment)
  • TL;DR on that convo (I wrote a 📖🙈😆) ... We spoke years ago about this and decided to just go with V1 tokens. I'm seeing now if we can expand coverage to include guidance on V2 STS tokens.
  • Open questions
    1. I'm currently only showing explicit token issuer validation with TokenValidationParameters for the web API (MinimalApiJwt). Should I also be doing that in the Blazor app's Program file?

    2. In the web API config for TokenValidationParameters, why is the ValidAudience just the client id and not the full audience passed to jwtOptions.Audience? If I try to use the full audience value there, it 💥 with a mismatch error with Azure and explicitly tells me that it's just looking for the client id.

    3. Is there anything we can do in ServerWeatherForcaster to help devs troubleshoot the issuer (iss) that await downstreamApi.CallApiForUserAsync is going to use? We can't give them ...

      response.RequestMessage?.Headers.TryGetValues("Authorization", out var authHeaderValues)

      ... because the call will fail on a 401 (e.g., invalid token due to an invalid issuer or anything else), throwing an exception that prevents finding out what the issuer is. That would work fine for a working call, but that's not helpful when CallApiForUserAsync goes 💥 on you, and you would like to see the decoded token in jwt.ms. What's the best way to get the token out of the Microsoft.Identity API for troubleshooting?


Internal previews

📄 File 🔗 Preview link
aspnetcore/blazor/security/blazor-web-app-with-entra.md aspnetcore/blazor/security/blazor-web-app-with-entra
aspnetcore/blazor/security/blazor-web-app-with-oidc.md aspnetcore/blazor/security/blazor-web-app-with-oidc
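The open questions above concern explicit issuer validation in the web API and how to see which issuer (`iss`) a rejected token carried when the downstream call fails with a 401. The following is an added example, not code from this PR, the docs, or the Blazor samples repo. It configures a minimal web API with `TokenValidationParameters` that accept both the V1 and V2 STS issuer formats, sets `ValidAudience` to the client id as the PR description reports Entra expects, and uses `JwtBearerEvents.OnAuthenticationFailed` to log the `iss` and `aud` claims of the presented token (never the token itself) so the mismatch can be diagnosed on the API side. `{TENANT ID}` and `{CLIENT ID}` are placeholders for the web API's app registration, and the `TokenDiagnostics` logger name is an arbitrary choice.

```csharp
// Added example (not the PR's or the samples repo's code): a minimal web API
// that validates Entra access tokens with explicit issuer checks for both STS
// issuer formats and logs the rejected token's `iss`/`aud` claims for
// troubleshooting. Placeholders: {TENANT ID}, {CLIENT ID}.
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.JsonWebTokens;
using Microsoft.IdentityModel.Tokens;

const string tenantId = "{TENANT ID}";
const string clientId = "{CLIENT ID}";

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // V2 authority; signing keys and discovery metadata are loaded from here.
        options.Authority = $"https://login.microsoftonline.com/{tenantId}/v2.0";

        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            // Accept whichever issuer format the token was minted with.
            ValidIssuers = new[]
            {
                $"https://sts.windows.net/{tenantId}/",               // V1 issuer format
                $"https://login.microsoftonline.com/{tenantId}/v2.0", // V2 issuer format
            },
            ValidateAudience = true,
            // V2 tokens carry the bare client id in `aud`, which is what
            // Entra reported it was checking for in the PR description.
            ValidAudience = clientId,
        };

        options.Events = new JwtBearerEvents
        {
            OnAuthenticationFailed = context =>
            {
                var logger = context.HttpContext.RequestServices
                    .GetRequiredService<ILoggerFactory>()
                    .CreateLogger("TokenDiagnostics");

                // Read the presented token WITHOUT validating it, only to report
                // which issuer and audience it carries. The raw token is never logged.
                var header = context.Request.Headers.Authorization.ToString();
                var handler = new JsonWebTokenHandler();
                if (header.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase)
                    && handler.CanReadToken(header[7..]))
                {
                    var jwt = handler.ReadJsonWebToken(header[7..]);
                    logger.LogWarning(
                        "Token rejected ({Reason}): iss={Issuer} aud={Audience}",
                        context.Exception.GetType().Name,
                        jwt.Issuer,
                        string.Join(",", jwt.Audiences));
                }
                else
                {
                    logger.LogWarning("Token rejected: {Reason}", context.Exception.Message);
                }

                return Task.CompletedTask;
            }
        };
    });

builder.Services.AddAuthorization();

var app = builder.Build();

app.UseAuthentication();
app.UseAuthorization();

// Protected endpoint; a token with the wrong issuer or audience gets a 401 and
// a TokenDiagnostics warning naming the issuer it actually carried.
app.MapGet("/weatherforecast", () => Results.Ok("ok")).RequireAuthorization();

app.Run();
```

With this in place a 401 on `CallApiForUserAsync` can be diagnosed from the API's log (the `iss` value shows whether a V1 `sts.windows.net` or V2 `login.microsoftonline.com/.../v2.0` token was presented) without extracting the bearer token from the client. Logging the claim values rather than the token keeps credentials out of log storage; listing both issuer formats in `ValidIssuers` is a convenience for the migration period described in this PR, and an API that should only ever see V2 tokens can pin `ValidIssuer` to the V2 format alone.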

Contributor

Copilot AI left a comment


Pull request overview

Adds documentation to clarify V1 vs V2 Microsoft Entra STS token issuer formats and links OIDC guidance to the new Entra-specific section so readers can choose the correct authority/issuer settings.

Changes:

  • Adds a new STS token version section to the Entra Blazor Web App security article with V1/V2 authority examples and V2 migration notes.
  • Adds cross-references from the OIDC Blazor Web App security article to the Entra article’s STS token version guidance.
  • Expands authority examples in the Entra article to explicitly show both V1 and V2 issuer URL formats for ME-ID tenants.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 6 comments.

File Description
aspnetcore/blazor/security/blazor-web-app-with-oidc.md Adds repeated notes/cross-links pointing readers to Entra STS token version guidance.
aspnetcore/blazor/security/blazor-web-app-with-entra.md Adds V1/V2 authority examples and a new STS token version section with V2 migration guidance.

guardrex and others added 2 commits April 10, 2026 09:16
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@guardrex guardrex requested a review from halter73 April 10, 2026 13:19

Development

Successfully merging this pull request may close these issues.

Add a section on V1/V2 STS tokens

2 participants