ROPC for Blazor (#33524)

aspnetcore/blazor/blazor-ef-core.md

@@ -31,6 +31,17 @@ This guidance applies to the **`Server`** project of a hosted Blazor WebAssembly
 
 :::moniker-end
 
+## Secure authentication flow required for production apps
+
+This article uses a local database that doesn't require user authentication. Production apps should use the most secure authentication flow available. For more information on authentication for deployed test and production Blazor apps, see the articles in the [Blazor *Security and Identity* node](xref:blazor/security/index).
+
+For Microsoft Azure services, we recommend using *managed identities*. Managed identities securely authenticate to Azure services without storing credentials in app code. For more information, see the following resources:
+
+* [What are managed identities for Azure resources? (Microsoft Entra documentation)](/entra/identity/managed-identities-azure-resources/overview)
+* Azure services documentation
+  * [Managed identities in Microsoft Entra for Azure SQL](/azure/azure-sql/database/authentication-azure-ad-user-assigned-managed-identity)
+  * [How to use managed identities for App Service and Azure Functions](/azure/app-service/overview-managed-identity)
+
 ## Sample app
 
 The sample app was built as a reference for server-side Blazor apps that use EF Core. The sample app includes a grid with sorting and filtering, delete, add, and update operations. The sample demonstrates use of EF Core to handle optimistic concurrency.
@@ -347,3 +358,4 @@ We recommend only enabling <xref:Microsoft.EntityFrameworkCore.DbContextOptionsB
 
 * [EF Core documentation](/ef/)
 * [Blazor samples GitHub repository (`dotnet/blazor-samples`)](https://github.com/dotnet/blazor-samples)
+* [Blazor *Security and Identity* node articles](xref:blazor/security/index)

aspnetcore/blazor/security/index.md

@@ -43,6 +43,15 @@ ASP.NET Core abstractions, such as <xref:Microsoft.AspNetCore.Identity.SignInMan
 > [!NOTE]
 > The code examples in this article adopt [nullable reference types (NRTs) and .NET compiler null-state static analysis](xref:migration/50-to-60#nullable-reference-types-nrts-and-net-compiler-null-state-static-analysis), which are supported in ASP.NET Core in .NET 6 or later. When targeting ASP.NET Core 5.0 or earlier, remove the null type designation (`?`) from examples in this article.
 
+## Managed identities for Microsoft Azure services
+
+For Microsoft Azure services, we recommend using *managed identities*. Managed identities securely authenticate to Azure services without storing credentials in app code. For more information, see the following resources:
+
+* [What are managed identities for Azure resources? (Microsoft Entra documentation)](/entra/identity/managed-identities-azure-resources/overview)
+* Azure services documentation
+  * [Managed identities in Microsoft Entra for Azure SQL](/azure/azure-sql/database/authentication-azure-ad-user-assigned-managed-identity)
+  * [How to use managed identities for App Service and Azure Functions](/azure/app-service/overview-managed-identity)
+
 :::moniker range=">= aspnetcore-8.0"
 
 ## Antiforgery support

aspnetcore/blazor/tutorials/movie-database-app/index.md

@@ -31,6 +31,24 @@ Parts of this series include:
 
 At the end of the tutorial, you'll have a Blazor Web App that can display and manage movies in a movie database.
 
+## Secure authentication flow required for production apps
+
+<!-- UPDATE 9.0 If we get a BWA + MS Identity Web app+article,
+                add it to the list. -->
+
+This tutorial uses a local database that doesn't require user authentication. Production apps should use the most secure authentication flow available. For more information on authentication for deployed test and production Blazor Web Apps, see the following resources:
+
+* <xref:blazor/security/index>
+* <xref:blazor/security/server/index> and the following articles in the *Server* security node
+* <xref:blazor/security/blazor-web-app-oidc>
+
+For Microsoft Azure services, we recommend using *managed identities*. Managed identities securely authenticate to Azure services without storing credentials in app code. For more information, see the following resources:
+
+* [What are managed identities for Azure resources? (Microsoft Entra documentation)](/entra/identity/managed-identities-azure-resources/overview)
+* Azure services documentation
+  * [Managed identities in Microsoft Entra for Azure SQL](/azure/azure-sql/database/authentication-azure-ad-user-assigned-managed-identity)
+  * [How to use managed identities for App Service and Azure Functions](/azure/app-service/overview-managed-identity)
+
 ## Sample app
 
 If you don't intend to create the demonstration app while reading the article, you can refer to the completed sample app in the [Blazor samples GitHub repository (`dotnet/blazor-samples`)](https://github.com/dotnet/blazor-samples). Select the latest version folder in the repository. The sample folder for this tutorial's project is named `BlazorWebAppMovies`.

aspnetcore/blazor/tutorials/movie-database-app/part-4.md

@@ -21,6 +21,24 @@ This article is the fourth part of the Blazor movie database app tutorial that t
 
 This part of the tutorial series focuses on the database context and directly working with the database's schema and data. Seeding the database with data is also covered.
 
+## Secure authentication flow required for production apps
+
+<!-- UPDATE 9.0 If we get a BWA + MS Identity Web app+article,
+                add it to the list. -->
+
+This tutorial uses a local database that doesn't require user authentication. Production apps should use the most secure authentication flow available. For more information on authentication for deployed test and production Blazor Web Apps, see the following resources:
+
+* <xref:blazor/security/index>
+* <xref:blazor/security/server/index> and the following articles in the *Server* security node
+* <xref:blazor/security/blazor-web-app-oidc>
+
+For Microsoft Azure services, we recommend using *managed identities*. Managed identities securely authenticate to Azure services without storing credentials in app code. For more information, see the following resources:
+
+* [What are managed identities for Azure resources? (Microsoft Entra documentation)](/entra/identity/managed-identities-azure-resources/overview)
+* Azure services documentation
+  * [Managed identities in Microsoft Entra for Azure SQL](/azure/azure-sql/database/authentication-azure-ad-user-assigned-managed-identity)
+  * [How to use managed identities for App Service and Azure Functions](/azure/app-service/overview-managed-identity)
+
 ## Database context
 
 The database context, `BlazorWebAppMoviesContext`, connects to the database and maps model objects to database records. The database context was created in the second part of this series. The scaffolded database context code appears in the `Program` file:
@@ -335,6 +353,9 @@ If the app is running, shut the app down by closing the browser's window and pre
 
 ## Additional resources
 
+<!-- UPDATE 9.0 If we get a BWA + MS Identity Web app+article,
+                add it to the list. -->
+
 * Configuration articles:
   * <xref:fundamentals/configuration/index> (ASP.NET Core Configuration system)
   * <xref:blazor/fundamentals/configuration> (Blazor documentation)
@@ -345,6 +366,10 @@ If the app is running, shut the app down by closing the browser's window and pre
     * [SQLite EF Core Database Provider Limitations](/ef/core/providers/sqlite/limitations)
     * [Customize migration code](/ef/core/managing-schemas/migrations/#customize-migration-code)
   * [SQLite ALTER TABLE statement (SQLite documentation)](https://sqlite.org/lang_altertable.html)
+* Blazor Web App security
+  * <xref:blazor/security/index>
+  * <xref:blazor/security/server/index> and the following articles in the *Server* security node
+  * <xref:blazor/security/blazor-web-app-oidc>
 
 ## Legal