Claim-based authz article overhaul

[guardrex]

Fixes #36933
Fixes #17174 ... Note tho that claim-based authz still relies on a policy-based approach. What is "fixing" that issue is that Razor components (Blazor) are demoed as the focused UI stack approach in the main doc set article going forward.

Wade and Stephen .....

NOTE: If you don't get a chance to review today (Wednesday), no rush for sure. A lot was written this morning, and I plan to perform another edit pass on Thursday morning.

• Stephen, it's best for you to run an 👁️ over the updates here, too. Also, I'm adding a bit more to the Roles authz article to cover the UseAuthorization call requirement for Blazor Server apps, which was an oversight on the Roles PR. I'm adding it there, and it will appear in the Claims authz article.
• I didn't like the idea of adding a new BWA for this, so I created a BWA that can be the sample app for both the role- and claim-based authz articles. The new sample is at https://github.com/dotnet/AspNetCore.Docs.Samples/tree/main/security/authorization/BlazorWebAppAuthorization. I anticipate that this app can also cover BWA scenarios for policy- and resource-based authz. We'll see as I go how it plays out.
• Moved the claims samples to the main doc set sample repo.
  • Add claims samples AspNetCore.Docs.Samples#297
  • https://github.com/dotnet/AspNetCore.Docs.Samples/tree/main/security/authorization/claims
• Simplified the coverage and refactored the versioning ... NO more broken bookmark links in these articles. 🎉
• Updated code snippet links to use modern triple-dot syntax.
• Location change placed articles in the new, dedicated razor-pages/security/authorization and mvc/security/authorization nodes with cross-links.
• Updated the ToC.
• Going with "claim-based" (singular) over "claims-based" (plural) to align with "role-based" and "policy-based" phrasing.

NOTE TO SELF 🦖

💀 the main doc set repo sample apps after review/approval. I'm not going to do it until then because it hoses the diff and makes the PR much harder to review.

Also, 💀 the prior BWA role-based auth sample app. This PR updates the Roles authz article to point to the new sample that will be used for both the role-based and claim-based authz coverage.

---

Internal previews

📄 File	🔗 Preview link
aspnetcore/blazor/security/index.md	aspnetcore/blazor/security/index
aspnetcore/mvc/security/authorization/claims.md	aspnetcore/mvc/security/authorization/claims
aspnetcore/razor-pages/security/authorization/claims.md	aspnetcore/razor-pages/security/authorization/claims
aspnetcore/razor-pages/security/authorization/roles.md	aspnetcore/razor-pages/security/authorization/roles
aspnetcore/security/authorization/claims.md	aspnetcore/security/authorization/claims
aspnetcore/security/authorization/policies.md	aspnetcore/security/authorization/policies
aspnetcore/security/authorization/roles.md	aspnetcore/security/authorization/roles
aspnetcore/toc.yml	aspnetcore/toc

[Copilot]

Pull request overview

This PR overhauls the claim-based authorization documentation set to align terminology (“claim-based”), focus the main article on Blazor (Razor component) scenarios, and add dedicated MVC and Razor Pages variants with updated navigation.

Changes:

• Reworked the main claim-based authorization article to use Blazor-focused examples and added cross-links to new MVC/Razor Pages versions.
• Added new MVC and Razor Pages claim-based authorization articles under their respective security/authorization nodes.
• Updated ToC entries and adjusted “claims-based” → “claim-based” wording in related authorization docs.

Reviewed changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 10 comments.

Show a summary per file

File	Description
aspnetcore/toc.yml	Adds Razor Pages/MVC “Claim-based authorization” nodes and renames the main entry.
aspnetcore/security/authorization/roles.md	Updates sample-app link and adds Blazor Server UseAuthorization requirement guidance.
aspnetcore/security/authorization/policies/includes/policies5.md	Updates terminology to “claim-based authorization”.
aspnetcore/security/authorization/policies.md	Updates terminology to “claim-based authorization”.
aspnetcore/security/authorization/claims.md	Major rewrite of the main claim-based authorization article with Blazor-focused examples and new structure.
aspnetcore/razor-pages/security/authorization/claims.md	New Razor Pages-focused claim-based authorization article.
aspnetcore/mvc/security/authorization/claims.md	New MVC-focused claim-based authorization article.
aspnetcore/blazor/security/index.md	Updates wording to “Claim-based authorization”.

[wadepickett]

Approved with some minor suggestions. Looks great. Note the issue on "Founders" vs "Founder" for the policy code vs the text referring to it.

[guardrex]

Thanks @wadepickett ... I refactored the content on UseAuthorization calls for BWAs/Blazor Server. I did go in the direction that you suggested to make >=8.0, >=6.0/<8.0, and <6.0 sections. I worked on the paragraph topic sentences to clarify the BWA vs. Blazor Server distinction in the >=8.0 section.

... and @halter73 should look at that bit to make sure that I'm stating it correctly. The 🧀 moves a bit among BWA, Blazor Server, and MVC/RP. I think what I have is correct based on project template API; however, it's a little tricky given the deltas.

Note @halter73 that I'm adding a bit Blazor WASM stating that AddAuthorizationCore is called in the Program file. The rubber 🦆 says to add it to the Roles article, too, because our Blazor WASM with Identity sample adds it and has attributes for role-base auth (e.g., @attribute [Authorize(Roles = "Editor")]). I assume thus far that I'm stating the correct guidance on it ... it's needed for role- and claim-based authz (and any other authz) in Blazor WASM apps.

[guardrex]

@wadepickett ... A few small changes this morning ...

• I felt it was kind'a goofy to have a "founder" check with a "human resources" check for the multiple policy bit. It makes more business sense to have two departments, so I went with "customer service" and "human resources" policies where it checks for both departments. This required doing something different than a Dictionary for the seeding due to unique key requirements. I could've used the modern Lookup<> over a List<KeyValuePair<>>, but Lookup<> is overkill IMO for just iterating a bunch of claims into a user's identity in this scenario. If a Lookup<> is preferred anyway, and perhaps we'll yield to @halter73 to make the call, then I'll update the seeding code in the sample app, which has no bearing on the article content. Here are the new bits in the sample app ...
  • https://github.com/dotnet/AspNetCore.Docs.Samples/blob/main/security/authorization/BlazorWebAppAuthorization/Program.cs#L61-L68
  • https://github.com/dotnet/AspNetCore.Docs.Samples/blob/main/security/authorization/BlazorWebAppAuthorization/Components/Pages/PassCustomerServiceMemberAndHumanResourcesMemberPoliciesWithAuthorizeAttributes.razor
  • https://github.com/dotnet/AspNetCore.Docs.Samples/blob/main/security/authorization/BlazorWebAppAuthorization/Components/Pages/PassCustomerServiceMemberAndHumanResourcesMemberPoliciesWithAuthorizeViews.razor
  • https://github.com/dotnet/AspNetCore.Docs.Samples/blob/main/security/authorization/BlazorWebAppAuthorization/Identity/SeedData.cs
• Caught and fixed a 😈 in one of the Program file examples.
• I updated two section headings.
  • "Adding claims checks" 👉 "Add claim checks"
  • "Multiple Policy Evaulation" 👉 "Evaluate multiple policies"
• I updated the article dates.