Scope source for the request transformer (#36302)

guardrex · web-flow · commit 6f5dbe730067 · 2025-11-05T15:32:46.000-05:00
diff --git a/.github/workflows/blazor-hybrid-issue-processing.yml b/.github/workflows/blazor-hybrid-issue-processing.yml
@@ -17,9 +17,9 @@ jobs:
               issue_number: context.issue.number,
               owner: context.repo.owner,
               repo: context.repo.repo,
-              body: `### 🧟💀 ***Happy Halloween!!*** 🎃🧛
+              body: `### 🦃 ***Happy Thanksgiving!*** 🍽️
 
-            A green dinosaur 🦖 will be along shortly to assist. *Stand-by ........*`
+            *Stand-by!* A green dinosaur 🦖 will be along shortly to assist.`
             })
             await github.rest.issues.addLabels({
               issue_number: context.issue.number,
diff --git a/.github/workflows/blazor-issue-processing.yml b/.github/workflows/blazor-issue-processing.yml
@@ -23,9 +23,9 @@ jobs:
               issue_number: context.issue.number,
               owner: context.repo.owner,
               repo: context.repo.repo,
-              body: `### 🧟💀 ***Happy Halloween!!*** 🎃🧛
+              body: `### 🦃 ***Happy Thanksgiving!*** 🍽️
 
-            *Stand-by!* ... A green dinosaur 🦖 will be along shortly to assist.`
+            *Stand-by!* A green dinosaur 🦖 will be along shortly to assist.`
             })
             await github.rest.issues.addLabels({
               issue_number: context.issue.number,
diff --git a/aspnetcore/blazor/security/blazor-web-app-with-entra.md b/aspnetcore/blazor/security/blazor-web-app-with-entra.md
@@ -385,6 +385,12 @@ builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
     .AddDistributedTokenCaches();
 ```
 
+Provide the same downstream API scope to the request transformer:
+
+```csharp
+List<string> scopes = [ "{APP ID URI}/Weather.Get" ];
+```
+
 Placeholders in the preceding configuration:
 
 * `{CLIENT ID (BLAZOR APP)}`: The application (client) ID.
@@ -412,11 +418,18 @@ builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
     .AddDownstreamApi("DownstreamApi", configOptions =>
     {
         configOptions.BaseUrl = "https://localhost:7277";
-        configOptions.Scopes = [ "api://11112222-bbbb-3333-cccc-4444dddd5555/Weather.Get" ];
+        configOptions.Scopes = 
+            [ "api://11112222-bbbb-3333-cccc-4444dddd5555/Weather.Get" ];
     })
     .AddDistributedTokenCaches();
 ```
 
+Example:
+
+```csharp
+List<string> scopes = [ "api://11112222-bbbb-3333-cccc-4444dddd5555/Weather.Get" ];
+```
+
 :::zone-end
 
 > [!WARNING]
@@ -642,6 +655,15 @@ builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
     .AddDistributedTokenCaches();
 ```
 
+```diff
+- List<string> scopes = ["{APP ID URI}/Weather.Get"];
+- var accessToken = await tokenAcquisition.GetAccessTokenForUserAsync(scopes);
++ var configuration = transformContext.HttpContext.RequestServices.GetRequiredService<IConfiguration>();
++ var scopes = configuration.GetSection("DownstreamApi:Scopes").Get<IEnumerable<string>>();
++ var accessToken = await tokenAcquisition.GetAccessTokenForUserAsync(scopes ??
++     throw new InvalidOperationException("No downstream API scopes!"));
+```
+
 > [!NOTE]
 > Production apps should use a production distributed token cache provider. Otherwise, the app may have poor performance in some scenarios. For more information, see the [Use a production distributed token cache provider](#use-a-production-distributed-token-cache-provider) section.
 
