Aspnetcore.docs: master issue: Authentication and authorization for SPAs

Created on 5 Jan 2020 · 6 Comments · Source: dotnet/AspNetCore.Docs

23K PV

This is the master issue for this doc. Reopen each issue you are working on so the owner is notified.

PU issue

  • [ ] Token expiration #12727
  • [ ] How to extend the user registration UI? #12552
  • [ ] Alternatives for non-SPA login/signup pages #16493
  • [ ] Improve Docs about identity server #17798
  • [ ] More detail to "ApplicationDbContext" #18077
  • [ ] I don't understand the value proposition of IdentityServer in an SPA scenario #18524
  • [ ] Details about reconfiguring existing API resources and clients #18465
  • [ ] Page is not current with latest changes #18478

Not PU:

  • [ ] Example: Deploy to Azure Websites Linux Support? #16392
  • [ ] The description of the IdentityServer json is in reversed order #16768
  • [ ] Documentation not up to date for .Net Core 3.1 Identity #18766




All 6 comments

About the deployment to Linux App Services: right now the following workaround seems to be working for me:

  • Add your _.pfx_ to your Web project in Visual Studio.
  • Change the configuration in your _appsettings.json_:
  "IdentityServer": {
    "Key": {
      "Type": "File",
      "FilePath": "example_certificate.pfx",
      "Password": "examplepassword"
    }
  }

Please note that this is just a workaround and not a recommended solution. Your certificate shouldn't be hanging out with your files like this, for security reasons; don't forget to exclude your certificate from source control.
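A startup-time check for the `File` key section described in the comment above, added here as an example; it is not code from the thread, the ASP.NET Core docs or the SPA templates. It assumes the placeholder names `SigningKeyCheck` and `ValidateSigningKey`, and that the password is supplied through the `IdentityServer__Key__Password` environment variable or App Service application setting rather than being committed in `appsettings.json`.

```csharp
// Added example: fail fast on a bad IdentityServer:Key "File" section.
// Not code from the issue thread or the ASP.NET Core templates; the class
// and method names are placeholders chosen for this illustration.
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Extensions.Configuration;

public static class SigningKeyCheck
{
    // Call from Startup.ConfigureServices before services.AddIdentityServer():
    //     SigningKeyCheck.ValidateSigningKey(Configuration);
    // The password is read from the merged configuration, so it can live in an
    // environment variable / App Service setting named
    // IdentityServer__Key__Password (the "__" separator maps to ":"), and the
    // "Password" entry can be left out of appsettings.json entirely.
    public static X509Certificate2 ValidateSigningKey(IConfiguration configuration)
    {
        IConfigurationSection key = configuration.GetSection("IdentityServer:Key");

        if (!string.Equals(key["Type"], "File", StringComparison.OrdinalIgnoreCase))
        {
            throw new InvalidOperationException(
                "This check only applies to IdentityServer:Key:Type = \"File\".");
        }

        string path = key["FilePath"]
            ?? throw new InvalidOperationException("IdentityServer:Key:FilePath is not set.");
        string password = key["Password"]
            ?? throw new InvalidOperationException(
                "IdentityServer:Key:Password is not set; supply it via IdentityServer__Key__Password.");

        // A relative FilePath is resolved against the application base
        // directory, which is where a .pfx copied into the publish output lands.
        string fullPath = Path.GetFullPath(path, AppContext.BaseDirectory);
        if (!File.Exists(fullPath))
        {
            throw new FileNotFoundException("Signing certificate not found.", fullPath);
        }

        // EphemeralKeySet keeps the private key in memory instead of persisting
        // it to the user or machine key store on disk.
        var cert = new X509Certificate2(fullPath, password, X509KeyStorageFlags.EphemeralKeySet);

        if (!cert.HasPrivateKey)
        {
            throw new InvalidOperationException(
                "The .pfx does not contain a private key; tokens cannot be signed with it.");
        }

        DateTime now = DateTime.UtcNow;
        if (now < cert.NotBefore.ToUniversalTime() || now > cert.NotAfter.ToUniversalTime())
        {
            throw new InvalidOperationException(
                $"Signing certificate is outside its validity period ({cert.NotBefore:u} to {cert.NotAfter:u}).");
        }

        return cert;
    }
}
```

The check is deliberately loud: a missing password, a missing file, a public-only certificate or an expired one each stops the host before IdentityServer starts issuing tokens, instead of surfacing as a 500 on the first login. Keeping the `.pfx` out of source control is still required; this only removes the password from the repository.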

For the point "Alternatives for non-SPA login/signup pages":

The IdentityServer documentation, talking about those templates, says (and I quote):
"You are expected to know how ASP.NET Identity works sufficiently well to add those features to your project"

So,

"you can create a new project based on the Visual Studio ASP.NET Identity template and add the IdentityServer features you have learned about in these quickstarts to that project"

http://docs.identityserver.io/en/latest/quickstarts/6_aspnet_identity.html#what-s-missing

I think this documentation should show the two ways: SPA with ASP.NET Identity, and SPA security without ASP.NET Identity.

@Rick-Anderson how can I use the code generated here in the react-redux project template?

I started with the ASP.NET Core 3.1 with Angular and Individual User Accounts template in VS 2019. [Authorize] currently works, but not [Authorize(Roles="Admin")], even though I gave my user that role. When I inspect User.Identity in a Web API controller method with just [Authorize], I do not see the email address, username or any roles; I can only see that they are authenticated. Please help! I just want to be able to specify roles and have them respected in the Authorize attribute of controllers and their methods.
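One way to get role claims into the tokens the 3.1 SPA template issues, added here as an example; it is not the thread's code, not the template's, and not an official answer to the question above. It assumes the template's `ApplicationUser` and `ApplicationDbContext` types and a project that registers roles with `AddRoles<IdentityRole>()`; `AdminController` is a placeholder added for illustration.

```csharp
// Added example (not from the thread or the template): surface the "role"
// claim so [Authorize(Roles = "Admin")] works against the SPA's API.
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public Startup(IConfiguration configuration) => Configuration = configuration;
    public IConfiguration Configuration { get; }

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddDbContext<ApplicationDbContext>(options =>
            options.UseSqlServer(Configuration.GetConnectionString("DefaultConnection")));

        // 1. Roles must be registered with Identity; without AddRoles there is
        //    no RoleManager and no role claims to put into any token.
        services.AddDefaultIdentity<ApplicationUser>(o => o.SignIn.RequireConfirmedAccount = true)
            .AddRoles<IdentityRole>()
            .AddEntityFrameworkStores<ApplicationDbContext>();

        // 2. Ask IdentityServer to include "role" in the id_token (openid
        //    identity resource) and in the access token (the template's single
        //    API resource). Without this the API only sees "sub" and friends.
        services.AddIdentityServer()
            .AddApiAuthorization<ApplicationUser, ApplicationDbContext>(options =>
            {
                options.IdentityResources["openid"].UserClaims.Add("role");
                options.ApiResources.Single().UserClaims.Add("role");
            });

        // 3. The bearer handler registered by AddIdentityServerJwt looks for the
        //    short claim type "role". The JWT handler's default inbound map
        //    renames "role" to the long ClaimTypes.Role URI while validating
        //    the token, so IsInRole finds nothing. Remove that mapping before
        //    the first token is validated.
        JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Remove("role");

        services.AddAuthentication()
            .AddIdentityServerJwt();

        services.AddControllersWithViews();
        services.AddRazorPages();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseAuthentication();
        app.UseIdentityServer();
        app.UseAuthorization();
        app.UseEndpoints(endpoints =>
        {
            endpoints.MapControllers();
            endpoints.MapRazorPages();
        });
    }
}

// Placeholder controller: only callers whose access token carries
// role = "Admin" get past the attribute. It echoes the claims it sees so the
// effect of steps 1 to 3 can be checked from the browser's dev tools.
[ApiController]
[Route("api/[controller]")]
public class AdminController : ControllerBase
{
    [HttpGet]
    [Authorize(Roles = "Admin")]
    public IActionResult Get() =>
        Ok(User.Claims.Select(c => new { c.Type, c.Value }));
}
```

Two things to check when this still returns 403: the role claim only appears in tokens issued after the user was put in the role, so sign out and back in after assigning it; and decode the access token (not the id_token) that the SPA sends in the `Authorization` header and confirm a `role` claim is present, since that is the token the API authorizes against.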

I have created an app with IdentityServer4 before, and although it is a bit more burdensome than AddApiAuthorization, it is much better documented, and I feel that AddApiAuthorization creates an abstraction that is very hard to figure out.

Configuring clients with appsettings.json uses a totally different syntax than the official IdentityServer docs, and the existing syntax isn't well documented. I understand that there are different profiles (why?), but I have no idea what client secret to use, I am not sure how to configure one, and I have to dig deep into the code to figure it out. I might as well just give up and configure IdentityServer the regular way, which isn't necessarily better or easier, just a lot more predictable since it is better documented.

I would suggest either documenting this entire library (Microsoft.AspNetCore.ApiAuthorization.IdentityServer) better or making its configuration more similar to the IdentityServer4 official configuration.

Need more specific documentation about the IdentityServer config:

  • Refresh tokens (set the AllowOfflineAccess property on the Client)
  • Changing the authentication flow. The current flow is implicit, but authorization code is now recommended for SPAs.
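What the two bullets above translate to in the ApiAuthorization options, added here as an example; it is not code from the thread, the docs or the template. It assumes a client named `MyApp` registered in `appsettings.json` with the `IdentityServerSPA` profile, the template's `ApplicationUser` and `ApplicationDbContext` types, and a placeholder extension method `AddSpaIdentityServer`; the token lifetimes are illustrative values.

```csharp
// Added example (not from the thread, the docs or the template): switch the
// SPA client from implicit to authorization code + PKCE and enable refresh
// tokens through AllowOfflineAccess.
using IdentityServer4.Models;
using Microsoft.Extensions.DependencyInjection;

public static class IdentityServerClientSetup
{
    // Assumed appsettings.json entry that AddApiAuthorization reads:
    //   "IdentityServer": { "Clients": { "MyApp": { "Profile": "IdentityServerSPA" } } }
    public const string ClientId = "MyApp";

    public static IServiceCollection AddSpaIdentityServer(this IServiceCollection services)
    {
        services.AddIdentityServer()
            .AddApiAuthorization<ApplicationUser, ApplicationDbContext>(options =>
            {
                // Clients built from appsettings.json are available here by id
                // and can be adjusted after the profile defaults are applied.
                Client spa = options.Clients[ClientId];

                // Authorization code with PKCE instead of implicit: only the
                // short-lived code travels through the browser redirect, and
                // the token endpoint binds it to the verifier the SPA generated.
                spa.AllowedGrantTypes = GrantTypes.Code;
                spa.RequirePkce = true;
                spa.AllowPlainTextPkce = false;
                spa.RequireClientSecret = false;          // a browser app cannot keep a secret
                spa.AllowAccessTokensViaBrowser = false;  // no access token in the URL fragment

                // Refresh tokens: AllowOfflineAccess lets the client request the
                // offline_access scope. Short access tokens plus rotating,
                // bounded refresh tokens limit what a stolen token is worth.
                spa.AllowOfflineAccess = true;
                spa.UpdateAccessTokenClaimsOnRefresh = true;      // pick up role/claim changes
                spa.RefreshTokenUsage = TokenUsage.OneTimeOnly;   // rotate on every use
                spa.RefreshTokenExpiration = TokenExpiration.Sliding;
                spa.AccessTokenLifetime = 15 * 60;                // seconds
                spa.SlidingRefreshTokenLifetime = 7 * 24 * 60 * 60;
                spa.AbsoluteRefreshTokenLifetime = 30 * 24 * 60 * 60;
            });

        return services;
    }
}
```

Call `services.AddSpaIdentityServer()` in place of the template's `AddIdentityServer().AddApiAuthorization(...)` call. Whether the template's client side picks the new flow up automatically depends on the template version, so verify it in the browser: the request to the authorize endpoint should carry `response_type=code` and a `code_challenge` rather than `response_type=id_token token`, and the token endpoint should return a `refresh_token` only when the SPA asks for the `offline_access` scope.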