Authentication/Authorization API changes for preview.7

[DamianEdwards]

Following changes to be made to the authentication and authorization configuration APIs and behaviors:

- [ ] Change the WebApplicationBuilder.Authentication property to be a method AddAuthentication() with the same overloads as IServiceCollection.AddAuthentication()
- [ ] Add WebApplicationBuilder.AddAuthorization() method that is functional equivalent of IServiceCollection.AddAuthorizationBuilder()

• Remove Authentication property from WebApplicationBuilder
• Remove binding of AuthenticationOptions.DefaultScheme from configuration (and dotnet user-jwts setting it in applicationSettings.Development.json)
• When there is only a single AuthN scheme added, set AuthenticationOptions.DefaultPolicy to that scheme, and add a new bool property AuthenticationOptions.DisableAutoDefaultScheme to enable disabling this behavior
• Auto-add AuthN and AuthZ middleware if any AuthN scheme is added in all hosts (not just WebApplicationBuilder) WebApplicationBuilder and add new bool option to the various hosting options/APIs to enable disabling this behavior, e.g. WebApplicationOptions.DisableAutoAddAuthMiddleware
  • This behavior should apply whether adding AuthN schemes via IServiceCollection.AddAuthentication() or WebApplicationBuilder.AddAuthentication(), etc.

[HaoK]

@captainsafia how do you want to split this?

Maybe I do 1,2,4, and you take 3 and 5?

[captainsafia]

@HaoK I was gonna do 1 and 4 since I've touched those areas recently. Gotta a branch for #1 worked at the moment...

Did you knock out #2 as part of the PR that was just merged?

[HaoK]

No, I didn't do any part of this in the current PRs. I was working on 4 right now since that's orthogonal to everything else, so maybe you do 1 and I'll do 4 as the first step?

Its just a new PostConfigure on AuthenticationOptions so I should have a PR up for that soon hopefully

[captainsafia]

Sounds good. I just opened #42494. I'll go ahead and do #2 there as well then we can take both changes through the same API review since they are related.

[captainsafia]

Also, I realize I made a mistake in my original comment. I was planning on doing #1 (AddAuthentication) and #3 (moving default scheme from user-jwts to the runtime).

[HaoK]

Cool so we aren't duplicating any work right now

[captainsafia]

API review issue for the AddAuth(n)/(z) changes in #42577.