Secure BWA with Entra

[guardrex]

Fixes #33779

The sample app is at 👉 https://github.com/dotnet/blazor-samples/tree/main/9.0/BlazorWebAppEntra

---

Internal previews

📄 File	🔗 Preview link
aspnetcore/blazor/security/blazor-web-app-with-entra.md	aspnetcore/blazor/security/blazor-web-app-with-entra
aspnetcore/blazor/security/blazor-web-app-with-oidc.md	aspnetcore/blazor/security/blazor-web-app-with-oidc
aspnetcore/security/identity-management-solutions.md	aspnetcore/security/identity-management-solutions
aspnetcore/toc.yml	aspnetcore/toc

[guardrex]

UPDATED ...

The latest version of the remarks on security ...

Don't store app secrets, connection strings, credentials, passwords, personal identification numbers (PINs), private C#/.NET code, or private keys/tokens in client-side code, which is ***always insecure***. In test/staging and production environments, server-side Blazor code and web APIs should use secure authentication flows that avoid maintaining credentials within project code or configuration files. Outside of local development testing, we recommend avoiding the use of environment variables to store sensitive data, as environment variables aren't the most secure approach. For local development testing, the [Secret Manager tool](xref:security/app-secrets) is recommended for securing sensitive data.

I mirrored these updates on the Blazor ROPC PR, and I'm 👂 for further feedback on improving this guidance.

[guardrex]

@halter73 ... I think we're good to go here.

I'll review these articles again before GA.

I'm going get this in NOW 🏃‍♂️ ... you know ... before I die in a hurricane! 💀😨😆