From b9a39cde330994ea937bd015897f388e0aeae806 Mon Sep 17 00:00:00 2001
From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Date: Tue, 5 May 2026 14:27:47 +0000
Subject: [PATCH 1/5] Upgrade AdHocReporting.BlazorWasm (Server/Client/Shared)
 to .NET 8

- Bump TargetFramework to net8.0 on all three projects
- Replace Microsoft.AspNetCore.ApiAuthorization.IdentityServer (removed in
  .NET 8) with ASP.NET Core Identity cookie auth (AddDefaultIdentity +
  Identity UI Razor Pages)
- Drop ApiAuthorizationDbContext for IdentityDbContext<ApplicationUser>
- Remove OidcConfigurationController (depended on removed package)
- Remove RemoteAuthenticatorView/SignOutSessionStateManager usage on the
  client (obsolete in .NET 8); redirect /authentication/{action} to the
  Identity Razor Pages
- Bump Microsoft.EntityFrameworkCore.* to 8.0.11
- Bump Microsoft.AspNetCore.Components.WebAssembly.* to 8.0.11
- Bump Microsoft.AspNetCore.Identity.* to 8.0.11
- Bump Microsoft.AspNetCore.Diagnostics.EntityFrameworkCore to 8.0.11
- Add Microsoft.AspNetCore.Authentication.JwtBearer 8.0.11
- Bump Microsoft.Data.SqlClient to 5.2.2
- Bump Microsoft.IdentityModel.JsonWebTokens / System.IdentityModel.Tokens.Jwt to 7.6.0
- Remove Microsoft.VisualStudio.Web.CodeGeneration.Design,
  System.Data.SqlClient, System.Net.Http, System.Text.RegularExpressions,
  System.Drawing.Common (no longer needed; provided by .NET 8 BCL)

Co-Authored-By: Toby Drinkall <toby.drinkall@cognition.ai>
---
 ...mo.BlazorWasm.AdhocReporting.Client.csproj | 14 ++++-----
 .../Client/Pages/Authentication.razor         | 22 +++++++++++--
 .../Client/Program.cs                         |  7 ++---
 .../Client/Shared/LoginDisplay.razor          | 20 ++++--------
 .../Client/Shared/RedirectToLogin.razor       |  2 +-
 .../OidcConfigurationController.cs            | 25 ---------------
 .../Server/Data/AppDbContext.cs               | 11 ++-----
 ...mo.BlazorWasm.AdhocReporting.Server.csproj | 31 ++++++++-----------
 .../Server/Program.cs                         | 16 ----------
 .../Server/appsettings.json                   |  7 -----
 ...mo.BlazorWasm.AdhocReporting.Shared.csproj |  2 +-
 11 files changed, 53 insertions(+), 104 deletions(-)
 delete mode 100644 AspNetCore/Blazor/AdHocReporting.BlazorWasm/Server/Controllers/OidcConfigurationController.cs

diff --git a/AspNetCore/Blazor/AdHocReporting.BlazorWasm/Client/EqDemo.BlazorWasm.AdhocReporting.Client.csproj b/AspNetCore/Blazor/AdHocReporting.BlazorWasm/Client/EqDemo.BlazorWasm.AdhocReporting.Client.csproj
index 757d9614..8ef8b788 100644
--- a/AspNetCore/Blazor/AdHocReporting.BlazorWasm/Client/EqDemo.BlazorWasm.AdhocReporting.Client.csproj
+++ b/AspNetCore/Blazor/AdHocReporting.BlazorWasm/Client/EqDemo.BlazorWasm.AdhocReporting.Client.csproj
@@ -1,18 +1,18 @@
-<Project Sdk="Microsoft.NET.Sdk.BlazorWebAssembly">
+<Project Sdk="Microsoft.NET.Sdk.BlazorWebAssembly">
 
   <PropertyGroup>
-    <TargetFramework>net6.0</TargetFramework>
+    <TargetFramework>net8.0</TargetFramework>
     <RootNamespace>EqDemo.Client</RootNamespace>
     <Nullable>enable</Nullable>
     <ImplicitUsings>enable</ImplicitUsings>
   </PropertyGroup>
 
   <ItemGroup>
-    <PackageReference Include="Microsoft.AspNetCore.Components" Version="6.0.25" />
-    <PackageReference Include="Microsoft.AspNetCore.Components.WebAssembly" Version="6.0.1" />
-    <PackageReference Include="Microsoft.AspNetCore.Components.WebAssembly.DevServer" Version="6.0.1" PrivateAssets="all" />
-    <PackageReference Include="Microsoft.AspNetCore.Components.WebAssembly.Authentication" Version="6.0.1" />
-    <PackageReference Include="Microsoft.Extensions.Http" Version="6.0.0" />
+    <PackageReference Include="Microsoft.AspNetCore.Components" Version="8.0.11" />
+    <PackageReference Include="Microsoft.AspNetCore.Components.WebAssembly" Version="8.0.11" />
+    <PackageReference Include="Microsoft.AspNetCore.Components.WebAssembly.DevServer" Version="8.0.11" PrivateAssets="all" />
+    <PackageReference Include="Microsoft.AspNetCore.Components.WebAssembly.Authentication" Version="8.0.11" />
+    <PackageReference Include="Microsoft.Extensions.Http" Version="8.0.1" />
   </ItemGroup>
 
   <ItemGroup>
diff --git a/AspNetCore/Blazor/AdHocReporting.BlazorWasm/Client/Pages/Authentication.razor b/AspNetCore/Blazor/AdHocReporting.BlazorWasm/Client/Pages/Authentication.razor
index 6c743567..eb3d9ffd 100644
--- a/AspNetCore/Blazor/AdHocReporting.BlazorWasm/Client/Pages/Authentication.razor
+++ b/AspNetCore/Blazor/AdHocReporting.BlazorWasm/Client/Pages/Authentication.razor
@@ -1,7 +1,23 @@
 @page "/authentication/{action}"
-@using Microsoft.AspNetCore.Components.WebAssembly.Authentication
-<RemoteAuthenticatorView Action="@Action" />
+@inject NavigationManager Navigation
 
-@code{
+@code {
     [Parameter] public string? Action { get; set; }
+
+    protected override void OnInitialized()
+    {
+        // The legacy OIDC client-side authentication flow has been replaced with
+        // server-side cookie auth via ASP.NET Core Identity Razor Pages. Redirect
+        // legacy /authentication/{action} URLs to the new endpoints.
+        var target = Action switch
+        {
+            "login" => "Identity/Account/Login",
+            "register" => "Identity/Account/Register",
+            "logout" => "Identity/Account/Logout",
+            "profile" => "Identity/Account/Manage",
+            _ => "/"
+        };
+
+        Navigation.NavigateTo(target, forceLoad: true);
+    }
 }
diff --git a/AspNetCore/Blazor/AdHocReporting.BlazorWasm/Client/Program.cs b/AspNetCore/Blazor/AdHocReporting.BlazorWasm/Client/Program.cs
index ba141b48..14f7ec16 100644
--- a/AspNetCore/Blazor/AdHocReporting.BlazorWasm/Client/Program.cs
+++ b/AspNetCore/Blazor/AdHocReporting.BlazorWasm/Client/Program.cs
@@ -1,5 +1,4 @@
 using Microsoft.AspNetCore.Components.Web;
-using Microsoft.AspNetCore.Components.WebAssembly.Authentication;
 using Microsoft.AspNetCore.Components.WebAssembly.Hosting;
 
 using EqDemo.Client;
@@ -8,12 +7,12 @@
 builder.RootComponents.Add<App>("#app");
 builder.RootComponents.Add<HeadOutlet>("head::after");
 
-builder.Services.AddHttpClient("EqDemo.BlazorWasm.AdhocReporting.ServerAPI", client => client.BaseAddress = new Uri(builder.HostEnvironment.BaseAddress))
-    .AddHttpMessageHandler<BaseAddressAuthorizationMessageHandler>();
+builder.Services.AddHttpClient("EqDemo.BlazorWasm.AdhocReporting.ServerAPI",
+    client => client.BaseAddress = new Uri(builder.HostEnvironment.BaseAddress));
 
 // Supply HttpClient instances that include access tokens when making requests to the server project
 builder.Services.AddScoped(sp => sp.GetRequiredService<IHttpClientFactory>().CreateClient("EqDemo.BlazorWasm.AdhocReporting.ServerAPI"));
 
-builder.Services.AddApiAuthorization();
+builder.Services.AddAuthorizationCore();
 
 await builder.Build().RunAsync();
diff --git a/AspNetCore/Blazor/AdHocReporting.BlazorWasm/Client/Shared/LoginDisplay.razor b/AspNetCore/Blazor/AdHocReporting.BlazorWasm/Client/Shared/LoginDisplay.razor
index 5e52e86f..1143db73 100644
--- a/AspNetCore/Blazor/AdHocReporting.BlazorWasm/Client/Shared/LoginDisplay.razor
+++ b/AspNetCore/Blazor/AdHocReporting.BlazorWasm/Client/Shared/LoginDisplay.razor
@@ -1,24 +1,16 @@
 @using Microsoft.AspNetCore.Components.Authorization
-@using Microsoft.AspNetCore.Components.WebAssembly.Authentication
 
 @inject NavigationManager Navigation
-@inject SignOutSessionStateManager SignOutManager
 
 <AuthorizeView>
     <Authorized>
-        <a href="authentication/profile">Hello, @context.User.Identity?.Name!</a>
-        <button class="nav-link btn btn-link" @onclick="BeginSignOut">Log out</button>
+        <a href="Identity/Account/Manage">Hello, @context.User.Identity?.Name!</a>
+        <form action="Identity/Account/Logout" method="post" class="d-inline">
+            <button type="submit" class="nav-link btn btn-link">Log out</button>
+        </form>
     </Authorized>
     <NotAuthorized>
-        <a href="authentication/register">Register</a>
-        <a href="authentication/login">Log in</a>
+        <a href="Identity/Account/Register">Register</a>
+        <a href="Identity/Account/Login">Log in</a>
     </NotAuthorized>
 </AuthorizeView>
-
-@code{
-    private async Task BeginSignOut(MouseEventArgs args)
-    {
-        await SignOutManager.SetSignOutState();
-        Navigation.NavigateTo("authentication/logout");
-    }
-}
diff --git a/AspNetCore/Blazor/AdHocReporting.BlazorWasm/Client/Shared/RedirectToLogin.razor b/AspNetCore/Blazor/AdHocReporting.BlazorWasm/Client/Shared/RedirectToLogin.razor
index 2db61cf6..f2aba03e 100644
--- a/AspNetCore/Blazor/AdHocReporting.BlazorWasm/Client/Shared/RedirectToLogin.razor
+++ b/AspNetCore/Blazor/AdHocReporting.BlazorWasm/Client/Shared/RedirectToLogin.razor
@@ -3,6 +3,6 @@
 @code {
     protected override void OnInitialized()
     {
-        Navigation.NavigateTo($"authentication/login?returnUrl={Uri.EscapeDataString(Navigation.Uri)}");
+        Navigation.NavigateTo($"Identity/Account/Login?ReturnUrl={Uri.EscapeDataString(Navigation.Uri)}", forceLoad: true);
     }
 }
diff --git a/AspNetCore/Blazor/AdHocReporting.BlazorWasm/Server/Controllers/OidcConfigurationController.cs b/AspNetCore/Blazor/AdHocReporting.BlazorWasm/Server/Controllers/OidcConfigurationController.cs
deleted file mode 100644
index 07da33dc..00000000
--- a/AspNetCore/Blazor/AdHocReporting.BlazorWasm/Server/Controllers/OidcConfigurationController.cs
+++ /dev/null
@@ -1,25 +0,0 @@
-using Microsoft.AspNetCore.ApiAuthorization.IdentityServer;
-using Microsoft.AspNetCore.Mvc;
-
-namespace EqDemo.Controllers
-{
-    public class OidcConfigurationController : Controller
-    {
-        private readonly ILogger<OidcConfigurationController> _logger;
-
-        public OidcConfigurationController(IClientRequestParametersProvider clientRequestParametersProvider, ILogger<OidcConfigurationController> logger)
-        {
-            ClientRequestParametersProvider = clientRequestParametersProvider;
-            _logger = logger;
-        }
-
-        public IClientRequestParametersProvider ClientRequestParametersProvider { get; }
-
-        [HttpGet("_configuration/{clientId}")]
-        public IActionResult GetClientRequestParameters([FromRoute] string clientId)
-        {
-            var parameters = ClientRequestParametersProvider.GetClientParameters(HttpContext, clientId);
-            return Ok(parameters);
-        }
-    }
-}
\ No newline at end of file
diff --git a/AspNetCore/Blazor/AdHocReporting.BlazorWasm/Server/Data/AppDbContext.cs b/AspNetCore/Blazor/AdHocReporting.BlazorWasm/Server/Data/AppDbContext.cs
index 6f103610..39df4c23 100644
--- a/AspNetCore/Blazor/AdHocReporting.BlazorWasm/Server/Data/AppDbContext.cs
+++ b/AspNetCore/Blazor/AdHocReporting.BlazorWasm/Server/Data/AppDbContext.cs
@@ -1,18 +1,13 @@
-using Microsoft.AspNetCore.ApiAuthorization.IdentityServer;
+using Microsoft.AspNetCore.Identity.EntityFrameworkCore;
 using Microsoft.EntityFrameworkCore;
-using Microsoft.Extensions.Options;
-
-using Duende.IdentityServer.EntityFramework.Options;
 
 using EqDemo.Models;
 
 namespace EqDemo.Data
 {
-    public class AppDbContext : ApiAuthorizationDbContext<ApplicationUser>
+    public class AppDbContext : IdentityDbContext<ApplicationUser>
     {
-        public AppDbContext(
-            DbContextOptions options,
-            IOptions<OperationalStoreOptions> operationalStoreOptions) : base(options, operationalStoreOptions)
+        public AppDbContext(DbContextOptions<AppDbContext> options) : base(options)
         {
         }
 
diff --git a/AspNetCore/Blazor/AdHocReporting.BlazorWasm/Server/EqDemo.BlazorWasm.AdhocReporting.Server.csproj b/AspNetCore/Blazor/AdHocReporting.BlazorWasm/Server/EqDemo.BlazorWasm.AdhocReporting.Server.csproj
index 79054182..0e904fcb 100644
--- a/AspNetCore/Blazor/AdHocReporting.BlazorWasm/Server/EqDemo.BlazorWasm.AdhocReporting.Server.csproj
+++ b/AspNetCore/Blazor/AdHocReporting.BlazorWasm/Server/EqDemo.BlazorWasm.AdhocReporting.Server.csproj
@@ -1,36 +1,31 @@
 <Project Sdk="Microsoft.NET.Sdk.Web">
   <PropertyGroup>
-    <TargetFramework>net6.0</TargetFramework>
+    <TargetFramework>net8.0</TargetFramework>
     <Nullable>disable</Nullable>
     <ImplicitUsings>enable</ImplicitUsings>
     <UserSecretsId>EqDemo.BlazorWasm.AdhocReporting.Server</UserSecretsId>
     <RootNamespace>EqDemo.Server</RootNamespace>
   </PropertyGroup>
   <ItemGroup>
-    <PackageReference Include="Microsoft.AspNetCore.Components.WebAssembly.Server" Version="6.0.1" />
-    <PackageReference Include="Microsoft.Data.SqlClient" Version="2.1.7" />
-    <PackageReference Include="Microsoft.IdentityModel.JsonWebTokens" Version="6.34.0" />
+    <PackageReference Include="Microsoft.AspNetCore.Components.WebAssembly.Server" Version="8.0.11" />
+    <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="8.0.11" />
+    <PackageReference Include="Microsoft.Data.SqlClient" Version="5.2.2" />
+    <PackageReference Include="Microsoft.IdentityModel.JsonWebTokens" Version="7.6.0" />
     <PackageReference Include="NuGet.Common" Version="5.11.5" />
     <PackageReference Include="NuGet.Protocol" Version="5.11.5" />
-    <PackageReference Include="System.Data.SqlClient" Version="4.8.6" />
-    <PackageReference Include="System.Drawing.Common" Version="4.7.2" />
-    <PackageReference Include="System.IdentityModel.Tokens.Jwt" Version="6.34.0" />
-    <PackageReference Include="System.Net.Http" Version="4.3.4" />
-    <PackageReference Include="System.Text.RegularExpressions" Version="4.3.1" />
+    <PackageReference Include="System.IdentityModel.Tokens.Jwt" Version="7.6.0" />
   </ItemGroup>
   <ItemGroup>
     <ProjectReference Include="..\Client\EqDemo.BlazorWasm.AdhocReporting.Client.csproj" />
     <ProjectReference Include="..\Shared\EqDemo.BlazorWasm.AdhocReporting.Shared.csproj" />
   </ItemGroup>
   <ItemGroup>
-    <PackageReference Include="Microsoft.VisualStudio.Web.CodeGeneration.Design" Version="6.0.1" />
-    <PackageReference Include="Microsoft.AspNetCore.Diagnostics.EntityFrameworkCore" Version="6.0.1" />
-    <PackageReference Include="Microsoft.AspNetCore.Identity.EntityFrameworkCore" Version="6.0.1" />
-    <PackageReference Include="Microsoft.AspNetCore.Identity.UI" Version="6.0.1" />
-    <PackageReference Include="Microsoft.AspNetCore.ApiAuthorization.IdentityServer" Version="6.0.1" />
-    <PackageReference Include="Microsoft.EntityFrameworkCore.Tools" Version="6.0.1" />
-    <PackageReference Include="Microsoft.EntityFrameworkCore.SqlServer" Version="6.0.1" />
-    <PackageReference Include="Microsoft.EntityFrameworkCore.Sqlite" Version="6.0.1" />
+    <PackageReference Include="Microsoft.AspNetCore.Diagnostics.EntityFrameworkCore" Version="8.0.11" />
+    <PackageReference Include="Microsoft.AspNetCore.Identity.EntityFrameworkCore" Version="8.0.11" />
+    <PackageReference Include="Microsoft.AspNetCore.Identity.UI" Version="8.0.11" />
+    <PackageReference Include="Microsoft.EntityFrameworkCore.Tools" Version="8.0.11" />
+    <PackageReference Include="Microsoft.EntityFrameworkCore.SqlServer" Version="8.0.11" />
+    <PackageReference Include="Microsoft.EntityFrameworkCore.Sqlite" Version="8.0.11" />
   </ItemGroup>
   <ItemGroup>
     <!-- DB initialization packages. They are not necessary for EasyQuery working and can be removed in production -->
@@ -48,4 +43,4 @@
     <PackageReference Include="Korzh.EasyQuery.EntityFrameworkCore.Relational" Version="7.4.0" />
     <PackageReference Include="Korzh.EasyQuery.EntityFrameworkCore.Identity" Version="7.4.0" />
   </ItemGroup>
-</Project>
\ No newline at end of file
+</Project>
diff --git a/AspNetCore/Blazor/AdHocReporting.BlazorWasm/Server/Program.cs b/AspNetCore/Blazor/AdHocReporting.BlazorWasm/Server/Program.cs
index 4a2636a4..340a1f2d 100644
--- a/AspNetCore/Blazor/AdHocReporting.BlazorWasm/Server/Program.cs
+++ b/AspNetCore/Blazor/AdHocReporting.BlazorWasm/Server/Program.cs
@@ -1,5 +1,3 @@
-using System.IdentityModel.Tokens.Jwt;
-using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Identity;
 using Microsoft.EntityFrameworkCore;
 
@@ -29,19 +27,6 @@
 .AddRoles<IdentityRole>()
 .AddEntityFrameworkStores<AppDbContext>();
 
-builder.Services.AddIdentityServer()
-    .AddApiAuthorization<ApplicationUser, AppDbContext>(options => {
-        //the following 2 lines are necessary to support roles on the WebAssembly side
-        options.IdentityResources["openid"].UserClaims.Add("role");
-        options.ApiResources.Single().UserClaims.Add("role");
-    });
-
-// We need to do this as it maps "role" to ClaimTypes.Role and causes issues
-JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Remove("role");
-
-builder.Services.AddAuthentication()
-    .AddIdentityServerJwt();
-
 //EasyQuery services
 builder.Services.AddEasyQuery()
         .UseSqlManager()
@@ -79,7 +64,6 @@
 
 app.UseRouting();
 
-app.UseIdentityServer();
 app.UseAuthentication();
 app.UseAuthorization();
 
diff --git a/AspNetCore/Blazor/AdHocReporting.BlazorWasm/Server/appsettings.json b/AspNetCore/Blazor/AdHocReporting.BlazorWasm/Server/appsettings.json
index 4826929d..a1986a8b 100644
--- a/AspNetCore/Blazor/AdHocReporting.BlazorWasm/Server/appsettings.json
+++ b/AspNetCore/Blazor/AdHocReporting.BlazorWasm/Server/appsettings.json
@@ -5,13 +5,6 @@
       "Microsoft.AspNetCore": "Warning"
     }
   },
-  "IdentityServer": {
-    "Clients": {
-      "EqDemo.BlazorWasm.AdhocReporting.Client": {
-        "Profile": "IdentityServerSPA"
-      }
-    }
-  },
   "AllowedHosts": "*",
   "ConnectionStrings": {
     "EqDemoSqLite": "Data Source=eqdemo-sqlite.db",
diff --git a/AspNetCore/Blazor/AdHocReporting.BlazorWasm/Shared/EqDemo.BlazorWasm.AdhocReporting.Shared.csproj b/AspNetCore/Blazor/AdHocReporting.BlazorWasm/Shared/EqDemo.BlazorWasm.AdhocReporting.Shared.csproj
index a5b78ac4..9a938be4 100644
--- a/AspNetCore/Blazor/AdHocReporting.BlazorWasm/Shared/EqDemo.BlazorWasm.AdhocReporting.Shared.csproj
+++ b/AspNetCore/Blazor/AdHocReporting.BlazorWasm/Shared/EqDemo.BlazorWasm.AdhocReporting.Shared.csproj
@@ -1,7 +1,7 @@
 <Project Sdk="Microsoft.NET.Sdk">
 
   <PropertyGroup>
-    <TargetFramework>net6.0</TargetFramework>
+    <TargetFramework>net8.0</TargetFramework>
     <Nullable>enable</Nullable>
     <ImplicitUsings>enable</ImplicitUsings>
   </PropertyGroup>

From f47ef14b3281dfcc87a1ab1dd7c13659f62ab5f9 Mon Sep 17 00:00:00 2001
From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Date: Tue, 5 May 2026 14:34:33 +0000
Subject: [PATCH 2/5] Address Devin Review: register custom
 AuthenticationStateProvider and decouple Reports.razor from
 IAccessTokenProviderAccessor

- Add EqDemo.Client.HostAuthenticationStateProvider that resolves auth
  state by calling a small /_auth/me endpoint on the server (which is
  authenticated via the ASP.NET Core Identity cookie). This restores the
  AuthenticationStateProvider DI registration that was previously provided
  by AddApiAuthorization() so <CascadingAuthenticationState> resolves at
  runtime.
- Register HostAuthenticationStateProvider in Client/Program.cs alongside
  AddAuthorizationCore().
- Add /_auth/me minimal API endpoint in Server/Program.cs that returns
  the current cookie-authenticated user's claims.
- Update Client/Pages/Reports.razor to drop the OIDC-only
  IAccessTokenProviderAccessor dependency. With cookie auth the auth
  cookie is sent automatically with same-origin requests, so no bearer
  token is needed for the EasyQuery JS bootstrap.

Co-Authored-By: Toby Drinkall <toby.drinkall@cognition.ai>
---
 .../Client/HostAuthenticationStateProvider.cs | 61 +++++++++++++++++++
 .../Client/Pages/Reports.razor                | 14 ++---
 .../Client/Program.cs                         |  5 +-
 .../Server/Program.cs                         | 13 ++++
 4 files changed, 82 insertions(+), 11 deletions(-)
 create mode 100644 AspNetCore/Blazor/AdHocReporting.BlazorWasm/Client/HostAuthenticationStateProvider.cs

diff --git a/AspNetCore/Blazor/AdHocReporting.BlazorWasm/Client/HostAuthenticationStateProvider.cs b/AspNetCore/Blazor/AdHocReporting.BlazorWasm/Client/HostAuthenticationStateProvider.cs
new file mode 100644
index 00000000..a79a412f
--- /dev/null
+++ b/AspNetCore/Blazor/AdHocReporting.BlazorWasm/Client/HostAuthenticationStateProvider.cs
@@ -0,0 +1,61 @@
+using System.Net;
+using System.Net.Http.Json;
+using System.Security.Claims;
+
+using Microsoft.AspNetCore.Components.Authorization;
+
+namespace EqDemo.Client;
+
+/// <summary>
+/// Resolves the current user's authentication state by calling a small endpoint
+/// on the server (which authenticates the request via the ASP.NET Core Identity
+/// auth cookie). Replaces the OIDC-based remote authentication state provider
+/// that came with Microsoft.AspNetCore.ApiAuthorization.IdentityServer.
+/// </summary>
+public sealed class HostAuthenticationStateProvider : AuthenticationStateProvider
+{
+    private const string AuthenticationType = "Cookies";
+
+    private static readonly AuthenticationState Anonymous =
+        new(new ClaimsPrincipal(new ClaimsIdentity()));
+
+    private readonly HttpClient _http;
+
+    public HostAuthenticationStateProvider(HttpClient http)
+    {
+        _http = http;
+    }
+
+    public override async Task<AuthenticationState> GetAuthenticationStateAsync()
+    {
+        try
+        {
+            var response = await _http.GetAsync("_auth/me");
+            if (response.StatusCode == HttpStatusCode.Unauthorized || response.StatusCode == HttpStatusCode.Forbidden)
+            {
+                return Anonymous;
+            }
+
+            response.EnsureSuccessStatusCode();
+
+            var info = await response.Content.ReadFromJsonAsync<AuthInfo>();
+            if (info is null || !info.IsAuthenticated)
+            {
+                return Anonymous;
+            }
+
+            var claims = (info.Claims ?? Array.Empty<AuthClaim>())
+                .Select(c => new Claim(c.Type, c.Value));
+            var identity = new ClaimsIdentity(claims, AuthenticationType, ClaimTypes.Name, ClaimTypes.Role);
+            return new AuthenticationState(new ClaimsPrincipal(identity));
+        }
+        catch (HttpRequestException)
+        {
+            return Anonymous;
+        }
+    }
+
+    private sealed record AuthInfo(bool IsAuthenticated, AuthClaim[]? Claims);
+
+    private sealed record AuthClaim(string Type, string Value);
+}
diff --git a/AspNetCore/Blazor/AdHocReporting.BlazorWasm/Client/Pages/Reports.razor b/AspNetCore/Blazor/AdHocReporting.BlazorWasm/Client/Pages/Reports.razor
index ac5ce0a1..b594c3d6 100644
--- a/AspNetCore/Blazor/AdHocReporting.BlazorWasm/Client/Pages/Reports.razor
+++ b/AspNetCore/Blazor/AdHocReporting.BlazorWasm/Client/Pages/Reports.razor
@@ -1,14 +1,11 @@
 @page "/reports"
 @using Microsoft.AspNetCore.Authorization
-@using Microsoft.AspNetCore.Components.WebAssembly.Authentication
-@using Microsoft.AspNetCore.Components.WebAssembly.Authentication.Internal
 @attribute [Authorize]
 @implements IAsyncDisposable
 
 @inject IJSRuntime JSRuntime
 @inject NavigationManager NavigationManager
 @inject AuthenticationStateProvider AuthenticationStateProvider
-@inject IAccessTokenProviderAccessor AccessTokenProviderAccessor
 
 <style>
     .eqv-chart-panel {
@@ -122,13 +119,10 @@
     protected override async Task OnAfterRenderAsync(bool firstRender)
     {
         if (firstRender) {
-            var result = await AccessTokenProviderAccessor.TokenProvider.RequestAccessToken();
-            if (result.Status == AccessTokenResultStatus.Success && result.TryGetToken(out var token)) {
-                await JSRuntime.InvokeVoidAsync("easyquery.blazor.startAdhocReporting", token.Value);
-            }
-            else {
-                await JSRuntime.InvokeVoidAsync("consloe.error", "Unable to get access token");
-            }
+            // With cookie auth the browser sends the auth cookie automatically with
+            // every same-origin request, so no bearer token has to be passed to the
+            // EasyQuery JS bootstrap.
+            await JSRuntime.InvokeVoidAsync("easyquery.blazor.startAdhocReporting", string.Empty);
         }
 
         await base.OnAfterRenderAsync(firstRender);
diff --git a/AspNetCore/Blazor/AdHocReporting.BlazorWasm/Client/Program.cs b/AspNetCore/Blazor/AdHocReporting.BlazorWasm/Client/Program.cs
index 14f7ec16..c5e6cc27 100644
--- a/AspNetCore/Blazor/AdHocReporting.BlazorWasm/Client/Program.cs
+++ b/AspNetCore/Blazor/AdHocReporting.BlazorWasm/Client/Program.cs
@@ -1,3 +1,4 @@
+using Microsoft.AspNetCore.Components.Authorization;
 using Microsoft.AspNetCore.Components.Web;
 using Microsoft.AspNetCore.Components.WebAssembly.Hosting;
 
@@ -10,9 +11,11 @@
 builder.Services.AddHttpClient("EqDemo.BlazorWasm.AdhocReporting.ServerAPI",
     client => client.BaseAddress = new Uri(builder.HostEnvironment.BaseAddress));
 
-// Supply HttpClient instances that include access tokens when making requests to the server project
+// Supply HttpClient instances that use the same origin as the server (so the
+// ASP.NET Core Identity auth cookie is sent automatically with every request).
 builder.Services.AddScoped(sp => sp.GetRequiredService<IHttpClientFactory>().CreateClient("EqDemo.BlazorWasm.AdhocReporting.ServerAPI"));
 
 builder.Services.AddAuthorizationCore();
+builder.Services.AddScoped<AuthenticationStateProvider, HostAuthenticationStateProvider>();
 
 await builder.Build().RunAsync();
diff --git a/AspNetCore/Blazor/AdHocReporting.BlazorWasm/Server/Program.cs b/AspNetCore/Blazor/AdHocReporting.BlazorWasm/Server/Program.cs
index 340a1f2d..1ef08e7c 100644
--- a/AspNetCore/Blazor/AdHocReporting.BlazorWasm/Server/Program.cs
+++ b/AspNetCore/Blazor/AdHocReporting.BlazorWasm/Server/Program.cs
@@ -102,6 +102,19 @@
 
 app.MapRazorPages();
 app.MapControllers();
+
+// Lightweight endpoint used by the Blazor WASM client's HostAuthenticationStateProvider
+// to project the cookie-authenticated user's claims back to the WebAssembly process.
+app.MapGet("/_auth/me", (HttpContext ctx) =>
+{
+    var user = ctx.User;
+    var isAuthenticated = user?.Identity?.IsAuthenticated == true;
+    var claims = isAuthenticated
+        ? user!.Claims.Select(c => new { Type = c.Type, Value = c.Value }).ToArray()
+        : Array.Empty<object>();
+    return Results.Ok(new { IsAuthenticated = isAuthenticated, Claims = claims });
+});
+
 app.MapFallbackToFile("index.html");
 
 //Init demo database (if necessary)

From 692e6d001889ef38be653fe3987ff46b78612bcd Mon Sep 17 00:00:00 2001
From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Date: Tue, 5 May 2026 14:39:56 +0000
Subject: [PATCH 3/5] Address Devin Review: replace logout POST form in
 LoginDisplay with link to avoid anti-forgery 400
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The Blazor WASM client cannot inject Razor Pages anti-forgery tokens, so a
direct POST to Identity/Account/Logout fails with 400 Bad Request. Use a
plain <a> link to the server-rendered logout page instead — the page's own
form has the anti-forgery token and signs the user out on click.

Co-Authored-By: Toby Drinkall <toby.drinkall@cognition.ai>
---
 .../Client/Shared/LoginDisplay.razor                        | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/AspNetCore/Blazor/AdHocReporting.BlazorWasm/Client/Shared/LoginDisplay.razor b/AspNetCore/Blazor/AdHocReporting.BlazorWasm/Client/Shared/LoginDisplay.razor
index 1143db73..bbe5737b 100644
--- a/AspNetCore/Blazor/AdHocReporting.BlazorWasm/Client/Shared/LoginDisplay.razor
+++ b/AspNetCore/Blazor/AdHocReporting.BlazorWasm/Client/Shared/LoginDisplay.razor
@@ -1,13 +1,9 @@
 @using Microsoft.AspNetCore.Components.Authorization
 
-@inject NavigationManager Navigation
-
 <AuthorizeView>
     <Authorized>
         <a href="Identity/Account/Manage">Hello, @context.User.Identity?.Name!</a>
-        <form action="Identity/Account/Logout" method="post" class="d-inline">
-            <button type="submit" class="nav-link btn btn-link">Log out</button>
-        </form>
+        <a href="Identity/Account/Logout" class="nav-link btn btn-link">Log out</a>
     </Authorized>
     <NotAuthorized>
         <a href="Identity/Account/Register">Register</a>

From 85ef9a439f18b3c6bb81bcedc4e4a26a5f8ce7b7 Mon Sep 17 00:00:00 2001
From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Date: Tue, 5 May 2026 14:47:46 +0000
Subject: [PATCH 4/5] Address Devin Review: route auth links through
 authentication/{action} and pass relative ReturnUrl

- LoginDisplay.razor: revert href values to authentication/{login|logout|
  register|profile}. Plain absolute Identity/Account/* hrefs are
  intercepted by Blazor's client-side Router and rendered as <NotFound>;
  routing through Authentication.razor (which forceLoad-redirects to the
  Identity Razor Pages) gives a real full-page navigation.
- RedirectToLogin.razor: pass PathAndQuery (relative) as ReturnUrl
  instead of the full absolute URI, otherwise Login.cshtml's
  LocalRedirect/IsLocalUrl rejects the value and throws after a
  successful login.

Co-Authored-By: Toby Drinkall <toby.drinkall@cognition.ai>
---
 .../Client/Shared/LoginDisplay.razor                      | 8 ++++----
 .../Client/Shared/RedirectToLogin.razor                   | 3 ++-
 2 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/AspNetCore/Blazor/AdHocReporting.BlazorWasm/Client/Shared/LoginDisplay.razor b/AspNetCore/Blazor/AdHocReporting.BlazorWasm/Client/Shared/LoginDisplay.razor
index bbe5737b..5dd5157e 100644
--- a/AspNetCore/Blazor/AdHocReporting.BlazorWasm/Client/Shared/LoginDisplay.razor
+++ b/AspNetCore/Blazor/AdHocReporting.BlazorWasm/Client/Shared/LoginDisplay.razor
@@ -2,11 +2,11 @@
 
 <AuthorizeView>
     <Authorized>
-        <a href="Identity/Account/Manage">Hello, @context.User.Identity?.Name!</a>
-        <a href="Identity/Account/Logout" class="nav-link btn btn-link">Log out</a>
+        <a href="authentication/profile">Hello, @context.User.Identity?.Name!</a>
+        <a href="authentication/logout" class="nav-link btn btn-link">Log out</a>
     </Authorized>
     <NotAuthorized>
-        <a href="Identity/Account/Register">Register</a>
-        <a href="Identity/Account/Login">Log in</a>
+        <a href="authentication/register">Register</a>
+        <a href="authentication/login">Log in</a>
     </NotAuthorized>
 </AuthorizeView>
diff --git a/AspNetCore/Blazor/AdHocReporting.BlazorWasm/Client/Shared/RedirectToLogin.razor b/AspNetCore/Blazor/AdHocReporting.BlazorWasm/Client/Shared/RedirectToLogin.razor
index f2aba03e..89cb38e8 100644
--- a/AspNetCore/Blazor/AdHocReporting.BlazorWasm/Client/Shared/RedirectToLogin.razor
+++ b/AspNetCore/Blazor/AdHocReporting.BlazorWasm/Client/Shared/RedirectToLogin.razor
@@ -3,6 +3,7 @@
 @code {
     protected override void OnInitialized()
     {
-        Navigation.NavigateTo($"Identity/Account/Login?ReturnUrl={Uri.EscapeDataString(Navigation.Uri)}", forceLoad: true);
+        var returnUrl = new Uri(Navigation.Uri).PathAndQuery;
+        Navigation.NavigateTo($"Identity/Account/Login?ReturnUrl={Uri.EscapeDataString(returnUrl)}", forceLoad: true);
     }
 }

From 9602509ba9bcd1c0c87e62014418a75971281735 Mon Sep 17 00:00:00 2001
From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Date: Tue, 5 May 2026 14:55:51 +0000
Subject: [PATCH 5/5] Address Devin Review: ensure role claims land in the auth
 cookie

AddDefaultIdentity<TUser>() registers UserClaimsPrincipalFactory<TUser>
via TryAddScoped, so the role-aware factory that AddRoles<IdentityRole>()
tries to register is silently dropped. Explicitly register
UserClaimsPrincipalFactory<ApplicationUser, IdentityRole> after
AddEntityFrameworkStores so User.IsInRole("eq-manager") is honoured both
in /_auth/me and in EasyQuery's auth provider.

Co-Authored-By: Toby Drinkall <toby.drinkall@cognition.ai>
---
 .../Blazor/AdHocReporting.BlazorWasm/Server/Program.cs     | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/AspNetCore/Blazor/AdHocReporting.BlazorWasm/Server/Program.cs b/AspNetCore/Blazor/AdHocReporting.BlazorWasm/Server/Program.cs
index 1ef08e7c..b46d7875 100644
--- a/AspNetCore/Blazor/AdHocReporting.BlazorWasm/Server/Program.cs
+++ b/AspNetCore/Blazor/AdHocReporting.BlazorWasm/Server/Program.cs
@@ -27,6 +27,13 @@
 .AddRoles<IdentityRole>()
 .AddEntityFrameworkStores<AppDbContext>();
 
+// Override the role-blind UserClaimsPrincipalFactory<TUser> that AddDefaultIdentity
+// pre-registers so the chained AddRoles<IdentityRole>() actually projects role
+// claims into the auth cookie's ClaimsPrincipal. Without this the IUserClaimsPrincipalFactory<>
+// registration from AddIdentityCore wins (TryAddScoped) and User.IsInRole(...) is always false.
+builder.Services.AddScoped<IUserClaimsPrincipalFactory<ApplicationUser>,
+    UserClaimsPrincipalFactory<ApplicationUser, IdentityRole>>();
+
 //EasyQuery services
 builder.Services.AddEasyQuery()
         .UseSqlManager()