microsoft
diff --git a/‎plugin/skills/azure-prepare/references/services/app-service/README.md‎
Lines changed: 4 additions & 0 deletions b/‎plugin/skills/azure-prepare/references/services/app-service/README.md‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎plugin/skills/azure-prepare/references/services/app-service/templates/recipes/README.md‎
Lines changed: 72 additions & 0 deletions b/‎plugin/skills/azure-prepare/references/services/app-service/templates/recipes/README.md‎
Lines changed: 72 additions & 0 deletions
diff --git a/‎plugin/skills/azure-prepare/references/services/app-service/templates/recipes/auth/README.md‎
Lines changed: 96 additions & 0 deletions b/‎plugin/skills/azure-prepare/references/services/app-service/templates/recipes/auth/README.md‎
Lines changed: 96 additions & 0 deletions
diff --git a/‎plugin/skills/azure-prepare/references/services/app-service/templates/recipes/auth/source/dotnet.md‎
Lines changed: 55 additions & 0 deletions b/‎plugin/skills/azure-prepare/references/services/app-service/templates/recipes/auth/source/dotnet.md‎
Lines changed: 55 additions & 0 deletions
diff --git a/‎plugin/skills/azure-prepare/references/services/app-service/templates/recipes/auth/source/nodejs.md‎
Lines changed: 90 additions & 0 deletions b/‎plugin/skills/azure-prepare/references/services/app-service/templates/recipes/auth/source/nodejs.md‎
Lines changed: 90 additions & 0 deletions
@@ -69,6 +69,10 @@ siteConfig: {
 
 Endpoint should return 200 OK when healthy.
 
+## Templates
+
+For App Service templates with composable recipes (SQL, Cosmos DB, Auth, Redis), see [Template Selection](templates/selection.md).
+
 ## Common Data Backends
 
 When pairing App Service with a data layer, load the corresponding service references:
 
@@ -0,0 +1,72 @@
+# App Service Template Recipes — REFERENCE ONLY
+
+Composable IaC + source code modules that extend the Web API or Web App base template to support specific Azure service integrations.
+
+## Architecture
+
+```
+Base Template (per language/scenario, from AZD gallery)
+       │
+       ├── Source code (REST API or full-stack web app)
+       ├── IaC (App Service Plan, App Service, App Insights, UAMI, RBAC)
+       └── AZD config (azure.yaml, parameters)
+
+       + Recipe (per integration)
+       │
+       ├── Source code delta (service client, middleware, config)
+       ├── IaC delta (new resource + RBAC + networking modules)
+       └── App settings delta
+       │
+       = Complete deployable project → `azd up`
+```
+
+## Available Recipes
+
+| Recipe | IaC Delta? | Source Delta? | Status |
+|--------|-----------|--------------|--------|
+| [sql](sql/README.md) | ✅ SQL Server + DB + firewall + RBAC | ✅ EF Core (.NET), SQLAlchemy (Python), Prisma (Node.js) · ⏳ Spring Data JPA (Java): planned | ✅ Available |
+| [cosmos](cosmos/README.md) | ✅ Cosmos account + DB + container + RBAC + PE | ✅ Cosmos SDK (.NET, Python, Node.js) · ⏳ Spring Data Cosmos (Java): planned | ✅ Available |
+| [auth](auth/README.md) | ✅ App registration + Easy Auth config | ✅ MSAL / Identity middleware (.NET, Python, Node.js) · ⏳ Spring Security (Java): planned | ✅ Available |
+| [redis](redis/README.md) | ✅ Redis cache + RBAC + PE | ✅ Distributed cache client (.NET, Python, Node.js) · ⏳ Spring Session (Java): planned | ✅ Available |
+
+## How It Works
+
+### Step 1: Fetch Base Template
+
+```bash
+# Pick template by language + scenario (see selection.md)
+azd init -t <template> -e "$ENV_NAME" --no-prompt
+```
+
+### Step 2: Apply Recipe
+
+The skill reads the recipe's README.md for:
+- **IaC module files** to copy into `infra/`
+- **App settings** to add to web app configuration
+- **RBAC roles** with exact GUIDs (never generated by LLM)
+- **Source code** to add alongside existing application code
+- **Networking** to add private endpoints (conditional on VNET_ENABLED)
+
+### Step 3: Wire Into Base
+
+**Bicep:** Add `module` reference in `main.bicep`, pass `appServicePrincipalId`
+**Terraform:** Copy `.tf` file into `infra/`, merge locals into web app settings
+
+### Step 4: Deploy
+
+```bash
+azd env set AZURE_LOCATION eastus2
+azd provision --no-prompt
+sleep 60
+azd deploy --no-prompt
+```
+
+## Design Principles
+
+| Principle | Why |
+|-----------|-----|
+| **Never synthesize base IaC** | Always use proven AZD template repos |
+| **Never modify base; only extend** | Recipes are additive — no risk of breaking core |
+| **Recipes own their RBAC** | Exact role GUIDs, no LLM guessing |
+| **Managed identity by default** | No passwords or connection strings in app settings |
+| **Health checks required** | Every app must expose `/health` |
@@ -0,0 +1,96 @@
+# Entra ID / Easy Auth Recipe — REFERENCE ONLY
+
+Adds authentication and authorization to an App Service base template using Microsoft Entra ID.
+
+## Overview
+
+This recipe configures authentication for App Service apps using either Easy Auth (built-in authentication) or MSAL SDK-based authentication. Easy Auth requires zero code changes; MSAL gives full control.
+
+## Integration Type
+
+| Aspect | Value |
+|--------|-------|
+| **Provider** | Microsoft Entra ID (Azure AD) |
+| **Method** | Easy Auth (built-in) or MSAL SDK |
+| **Protocols** | OpenID Connect, OAuth 2.0 |
+| **Token validation** | Automatic (Easy Auth) or middleware (MSAL) |
+
+## Option A: Easy Auth (Recommended for most apps)
+
+Zero-code authentication built into App Service. Handles login, token management, and session cookies.
+
+### Bicep Configuration
+
+> 💡 Call `mcp_bicep_get_az_resource_type_schema` with resource type `Microsoft.Web/sites/config` to validate properties before generating this resource.
+
+```bicep
+resource authSettings 'Microsoft.Web/sites/config@2023-12-01' = {
+  parent: webApp
+  name: 'authsettingsV2'
+  properties: {
+    globalValidation: {
+      requireAuthentication: true
+      unauthenticatedClientAction: 'RedirectToLoginPage'
+    }
+    identityProviders: {
+      azureActiveDirectory: {
+        enabled: true
+        registration: {
+          openIdIssuer: 'https://login.microsoftonline.com/${tenant().tenantId}/v2.0'
+          clientId: appRegistration.properties.appId
+        }
+        validation: {
+          defaultAuthorizationPolicy: {
+            allowedApplications: []
+          }
+        }
+      }
+    }
+    login: {
+      tokenStore: {
+        enabled: true
+      }
+    }
+  }
+}
+```
+
+### App Registration
+
+> 💡 Call `mcp_bicep_get_az_resource_type_schema` with resource type `Microsoft.Graph/applications` to validate properties before generating this resource. The `microsoftGraphV1_0` extension is required — declare it at the top of the Bicep file.
+
+```bicep
+extension microsoftGraphV1_0
+
+resource appRegistration 'Microsoft.Graph/applications@v1.0' = {
+  displayName: '${name}-app'
+  web: {
+    redirectUris: [
+      'https://${webApp.properties.defaultHostName}/.auth/login/aad/callback'
+    ]
+  }
+}
+```
+
+## Option B: MSAL SDK (Full control)
+
+Use when you need custom token validation, API-only auth, or multi-tenant support.
+
+| Language | Source File |
+|----------|-------------|
+| C# (ASP.NET Core) | [source/dotnet.md](source/dotnet.md) |
+| Python (FastAPI) | [source/python.md](source/python.md) |
+| Node.js (Express) | [source/nodejs.md](source/nodejs.md) |
+
+## App Settings
+
+| Setting | Value | Purpose |
+|---------|-------|---------|
+| `AZURE_TENANT_ID` | Entra tenant ID | Identity provider |
+| `AZURE_CLIENT_ID` | App registration client ID | Application identity |
+
+## References
+
+- [Easy Auth overview](https://learn.microsoft.com/en-us/azure/app-service/overview-authentication-authorization)
+- [Microsoft Identity Web](https://learn.microsoft.com/en-us/entra/msal/dotnet/microsoft-identity-web/)
+- [Configure Entra ID auth](https://learn.microsoft.com/en-us/azure/app-service/configure-authentication-provider-aad)
@@ -0,0 +1,55 @@
+# Auth Recipe — C# (.NET) — REFERENCE ONLY
+
+## Microsoft Identity Web (ASP.NET Core)
+
+### NuGet Packages
+
+```xml
+<PackageReference Include="Microsoft.Identity.Web" Version="3.*" />
+```
+
+### Program.cs (additions)
+
+Add these lines — do NOT replace the existing file:
+
+```csharp
+using Microsoft.Identity.Web;
+
+// Add after builder creation
+builder.Services.AddMicrosoftIdentityWebApiAuthentication(builder.Configuration);
+builder.Services.AddAuthorization();
+
+// Add after app build
+app.UseAuthentication();
+app.UseAuthorization();
+
+// Protected endpoint
+app.MapGet("/api/me", [Authorize] (HttpContext ctx) =>
+{
+    var name = ctx.User.FindFirst("name")?.Value;
+    return Results.Ok(new { name });
+});
+```
+
+### appsettings.json
+
+```json
+{
+  "AzureAd": {
+    "Instance": "https://login.microsoftonline.com/",
+    "TenantId": "<tenant-id>",
+    "ClientId": "<client-id>",
+    "Audience": "api://<client-id>"
+  }
+}
+```
+
+> ⚠️ The `Audience` must match the Application ID URI of the app registration (typically `api://<client-id>`). Set `AZURE_CLIENT_ID` and `AZURE_TENANT_ID` as app settings in Azure rather than hardcoding them.
+
+## Files to Modify
+
+| File | Action |
+|------|--------|
+| `Program.cs` | Add authentication middleware + protected endpoints |
+| `appsettings.json` | Add AzureAd configuration section |
+| `*.csproj` | Add Microsoft.Identity.Web NuGet package |
@@ -0,0 +1,90 @@
+# Auth Recipe — Node.js (Express) — REFERENCE ONLY
+
+## JWT Validation with jsonwebtoken + jwks-rsa
+
+### npm Packages
+
+```bash
+npm install jsonwebtoken jwks-rsa
+```
+
+### Auth Middleware
+
+Add `middleware/auth.js`:
+
+```javascript
+const jwt = require("jsonwebtoken");
+const jwksClient = require("jwks-rsa");
+
+const client = jwksClient({
+  jwksUri: `https://login.microsoftonline.com/${process.env.AZURE_TENANT_ID}/discovery/v2.0/keys`,
+  cache: true,
+  rateLimit: true,
+});
+
+// Use APP_ID_URI if set (e.g., "api://<client-id>"); fall back to CLIENT_ID
+const AUDIENCE = process.env.AZURE_APP_ID_URI || process.env.AZURE_CLIENT_ID;
+
+function authMiddleware(req, res, next) {
+  const token = req.headers.authorization?.split(" ")[1];
+  if (!token) return res.status(401).json({ error: "No token" });
+
+  const decoded = jwt.decode(token, { complete: true });
+  if (!decoded || !decoded.header || !decoded.header.kid) {
+    return res.status(401).json({ error: "Invalid token" });
+  }
+
+  client.getSigningKey(decoded.header.kid, (err, key) => {
+    if (err || !key) {
+      return res.status(401).json({ error: "Invalid token" });
+    }
+
+    jwt.verify(
+      token,
+      key.getPublicKey(),
+      {
+        algorithms: ["RS256"],
+        audience: AUDIENCE,
+        issuer: `https://login.microsoftonline.com/${process.env.AZURE_TENANT_ID}/v2.0`,
+      },
+      (err, payload) => {
+        if (err) return res.status(401).json({ error: "Invalid token" });
+        req.user = payload;
+        next();
+      }
+    );
+  });
+}
+
+module.exports = { authMiddleware };
+```
+
+> ⚠️ The `aud` claim in Entra ID tokens is often the Application ID URI (`api://<client-id>`), not the raw client ID. Set `AZURE_APP_ID_URI` in app settings to match your app registration's exposed API URI.
+
+### Protected Endpoint
+
+Add to `src/index.js`:
+
+```javascript
+const { authMiddleware } = require("./middleware/auth");
+
+app.get("/api/me", authMiddleware, (req, res) => {
+  res.json({ name: req.user?.name, oid: req.user?.oid });
+});
+```
+
+## App Settings Required
+
+| Setting | Value |
+|---------|-------|
+| `AZURE_TENANT_ID` | Entra tenant ID |
+| `AZURE_CLIENT_ID` | App registration client ID |
+| `AZURE_APP_ID_URI` | Application ID URI (e.g., `api://<client-id>`) — optional, defaults to CLIENT_ID |
+
+## Files to Modify
+
+| File | Action |
+|------|--------|
+| `middleware/auth.js` | Create — JWT validation middleware |
+| `src/index.js` | Modify — add protected routes |
+| `package.json` | Modify — add jsonwebtoken, jwks-rsa |