.NET: AuthN & AuthZ sample with asp.net service and web client

[westey-m]

Motivation and Context

#1488

Users are regularly asking about how to access user information in tools and how to authorize tools. This sample shows an example of how authorization and user access could be done from tools in an agent.

Using Keycloak as the auth provider, so that the sample can be run without any external dependencies, but it can easily be swapped out for another auth provider.

Description

• Add a sample with three components that are run via docker compose: Web, Service, Auth Provider
• The service exposes a chat interface that is only available to users with the right scopes
• The service uses an agent that uses tools that need to store a TODO list under the active user's user id.

Contribution Checklist

• The code builds clean without any errors or warnings
• The PR follows the Contribution Guidelines
• All unit tests pass, and I have added new tests where possible
• Is this a breaking change? If yes, add "[BREAKING]" prefix to the title of the PR.

[Copilot]

Pull request overview

This PR adds a comprehensive authentication and authorization sample demonstrating how to secure an AI agent REST API using OAuth 2.0 / OpenID Connect standards. The sample addresses issue #1488 by showcasing dependency injection, user context access in tools, JWT Bearer authentication, and policy-based authorization.

Changes:

• Added a three-component sample (WebClient, AgentService, Keycloak) orchestrated with Docker Compose
• Demonstrates accessing user identity in agent tools via scoped IUserContext service
• Includes GitHub Codespaces support with auto-detection and configuration
• Shows JWT Bearer token validation and scope-based authorization policies

Reviewed changes

Copilot reviewed 24 out of 24 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
docker-compose.yml	Orchestrates Keycloak, AgentService, and WebClient with health checks and Codespaces support
keycloak/dev-realm.json	Pre-configured Keycloak realm with test users, scopes, and client definitions
keycloak/setup-redirect-uris.sh	Auto-configures Codespaces redirect URIs for OIDC flows
README.md	Comprehensive documentation for setup, usage, and key concepts
AuthClientServer.AgentService/*	Minimal API with JWT authentication, authorization policies, and DI-based agent
AuthClientServer.WebClient/*	Razor Pages app with OIDC login, token forwarding, and chat UI
UserContext.cs	Scoped service for accessing current user identity from JWT claims
TodoService.cs	Per-user TODO list demonstrating user-aware tool implementation
Dockerfiles	Multi-stage builds with proper CPM support via Directory.Packages.props
Directory.Packages.props	Added JWT Bearer and OpenIdConnect package versions
agent-framework-dotnet.slnx	Solution file updated to include new projects