
[Feature Request] IDownstream API should do CAE on its own #2550

@bgavrilMS

Description


Enable CAE in IDownstream API, even if the underlying downstream API does not support it.

This means:

  • add "client capabilities" cp1 value by default. If other client capabilities are added by the user, merge cp1 into them.
  • if downstream api replies with 401 and with WWW-Authenticate header, parse it and extract headers (exact value of WWW-Authenticate TBD, but expect it to have claims)
  • acquire another token with claims from WWW-Authenticate
  • if another 401 comes in, bail.
  • update CAE docs to mention ID.Web improvements https://learn.microsoft.com/en-us/entra/identity-platform/claims-challenge?tabs=dotnet

This work should be done for both user scenarios and for S2S scenarios (client credentials and MSI). Priority order is:

  • client_credentials
  • client_credentials + certificateless - FIC scenario (Leg1, getting token from MSI, is covered by Azure.Identity, Leg2 should be covered by client credentials) (no work needed, but needs testing)
  • MSI (after Id Web is implemented to use MSAL)
  • web site (challenge the user)
  • web api (return 401 + WWW-Authenticate with claims to the client)

Docs: https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-continuous-access-evaluation
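The bullets above describe a small state machine: advertise the cp1 capability, call the downstream API, and on a 401 that carries a claims challenge acquire one more token with those claims, retry once, and give up on a second 401. The following is an added example, not code from Microsoft.Identity.Web or from the issue author; it models that flow in Python so the header parsing and the retry-once rule can be checked in isolation. The WWW-Authenticate parameter names (`error="insufficient_claims"`, `claims="<base64 JSON>"`) follow the claims-challenge document linked in the issue; `FakeDownstreamApi`, `fake_acquire_token` and the claims payload are constructed stand-ins for the real downstream call and for MSAL's acquire-token-with-claims, not ID.Web APIs.

```python
"""Model of the CAE claims-challenge retry requested for IDownstreamApi.
Added example; the fake API, fake token acquirer and sample claims are constructed."""
import base64
import json
import re

# Matches key="value" pairs in a Bearer challenge, e.g.
# WWW-Authenticate: Bearer realm="", error="insufficient_claims", claims="eyJ..."
_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')


def merge_client_capabilities(user_caps):
    """cp1 is always advertised; it is merged with capabilities the user configured."""
    caps = list(user_caps or [])
    if "cp1" not in caps:
        caps.insert(0, "cp1")
    return caps


def parse_claims_challenge(www_authenticate):
    """Return the decoded claims JSON string from a Bearer challenge, or None.

    None means: no header, not a Bearer challenge, or a 401 without claims
    (e.g. error="invalid_token"), which must not trigger a retry.
    """
    if not www_authenticate or not www_authenticate.startswith("Bearer"):
        return None
    params = dict(_PARAM_RE.findall(www_authenticate))
    claims_b64 = params.get("claims")
    if not claims_b64:
        return None
    # Accept base64 or base64url, with or without padding.
    padded = claims_b64.replace("-", "+").replace("_", "/")
    padded += "=" * (-len(padded) % 4)
    claims = base64.b64decode(padded).decode("utf-8")
    json.loads(claims)  # must be JSON; the token request takes the raw string
    return claims


def call_downstream_with_cae(downstream, acquire_token):
    """downstream(token) -> (status, headers, body); acquire_token(claims) -> token.

    Retries exactly once after a claims challenge and returns the second
    response as-is, so a second 401 is surfaced to the caller instead of looping.
    """
    token = acquire_token(None)
    status, headers, body = downstream(token)
    if status != 401:
        return status, body
    claims = parse_claims_challenge(headers.get("WWW-Authenticate"))
    if claims is None:
        return status, body  # plain 401: nothing to retry with
    token = acquire_token(claims)
    status, headers, body = downstream(token)
    return status, body  # second 401 (if any) is returned, not retried


# --- constructed test doubles -------------------------------------------------

CONSTRUCTED_CLAIMS = {"access_token": {"nbf": {"essential": True, "value": "1701000000"}}}
CONSTRUCTED_CLAIMS_JSON = json.dumps(CONSTRUCTED_CLAIMS)
CONSTRUCTED_CHALLENGE = (
    'Bearer realm="", authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", '
    'error="insufficient_claims", claims="'
    + base64.b64encode(CONSTRUCTED_CLAIMS_JSON.encode("utf-8")).decode("ascii")
    + '"'
)


class FakeDownstreamApi:
    """Constructed downstream: answers 401 + claims challenge until a token
    minted with claims arrives (or forever, if accept_after_claims is False)."""

    def __init__(self, accept_after_claims=True):
        self.calls = 0
        self.accept_after_claims = accept_after_claims

    def __call__(self, token):
        self.calls += 1
        if token.endswith("+claims") and self.accept_after_claims:
            return 200, {}, "ok"
        return 401, {"WWW-Authenticate": CONSTRUCTED_CHALLENGE}, ""


def fake_acquire_token(claims):
    """Constructed stand-in for an acquire-token-with-claims call."""
    return "eyJ.fake" + ("+claims" if claims else "")


if __name__ == "__main__":
    api = FakeDownstreamApi()
    print(merge_client_capabilities(["cp2"]))
    print(call_downstream_with_cae(api, fake_acquire_token), "calls:", api.calls)
```

The distinction `parse_claims_challenge` draws matters in practice: a 401 with `error="invalid_token"` and no `claims` parameter is an ordinary auth failure and must not cause a token re-acquisition, while a second 401 after the claims-bearing retry is returned unchanged rather than looped on, which is the "bail" step in the issue.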

Metadata



Status

Done
