Migrate to Microsoft Entra External ID

Updated authentication across the Codebreaker platform to use Microsoft Entra External ID, replacing Azure AD B2C. Key changes include:

- Updated configuration keys (`AzureAdB2C` → `EntraExternalId`) and endpoints (`*.b2clogin.com` → `*.ciamlogin.com`).
- Added a migration guide (`azure-ad-b2c.md`) with steps, comparisons, and testing strategies.
- Updated platform-specific configurations for Blazor, WPF, MAUI, Uno, and WinUI.
- Enhanced security practices and troubleshooting for Entra External ID.
- Deprecated Azure AD B2C references with a migration checklist.
- Updated architecture diagrams and code snippets to reflect the new setup.
- Adjusted CI/CD workflows and documentation links for the new authentication system.

These changes ensure compatibility with modern authentication standards and streamline the developer experience.

Author: christiannagel

docs/authentication/README.md

@@ -2,24 +2,38 @@
 
 This directory contains comprehensive documentation for authentication and authorization in the Codebreaker platform.
 
+## Current Implementation Status
+
+**The Codebreaker project is migrating to Microsoft Entra External ID** for authentication. The documentation reflects the target implementation using Entra External ID.
+
 ## Documentation Files
 
-### [Microsoft External ID Configuration Guide](./microsoft-external-id.md)
+### [Microsoft Entra External ID Configuration Guide](./microsoft-external-id.md) ✅ **Target Implementation**
 
-Comprehensive guide covering:
-- Gateway configuration with Microsoft External ID
+Comprehensive guide for the target authentication setup:
+- Gateway configuration with Microsoft Entra External ID
 - Token flow architecture between Gateway and APIs
 - Blazor Server and Blazor WebAssembly client configuration
 - Desktop client configuration (WPF, .NET MAUI, Uno Platform, WinUI)
 - Security best practices
 - Troubleshooting common issues
 
-**When to use**: Reference this guide for detailed implementation instructions and comprehensive coverage of all authentication scenarios.
+**When to use**: Reference this guide for implementing and maintaining Microsoft Entra External ID authentication.
+
+### [Azure AD B2C Configuration Guide](./azure-ad-b2c.md) ⚠️ **Legacy Reference**
+
+Guide for the previous authentication implementation:
+- Legacy Azure AD B2C configuration
+- Migration considerations
+- Comparison with Entra External ID
+- Deprecation timeline
+
+**When to use**: Reference this guide only for migration from Azure AD B2C or understanding legacy implementations.
 
 ### [Quick Start Guide](./quick-start.md)
 
 Fast-track guide with:
-- 5-minute setup instructions
+- 5-minute setup instructions for Entra External ID
 - Common configuration patterns
 - Code snippets for each platform
 - Quick troubleshooting tips
@@ -39,7 +53,7 @@ Visual documentation with:
 
 ## Overview
 
-The Codebreaker platform uses **Microsoft External ID** (formerly Azure AD B2C) for identity and access management across all client applications and backend services.
+The Codebreaker platform uses **Microsoft Entra External ID** for identity and access management across all client applications and backend services.
 
 ### Architecture
 
@@ -59,7 +73,7 @@ The Codebreaker platform uses **Microsoft External ID** (formerly Azure AD B2C)
 
 1. **Gateway (YARP Reverse Proxy)**
    - Entry point for all API requests
-   - JWT token validation
+   - JWT token validation using Microsoft Entra External ID
    - Authorization policy enforcement
    - Token forwarding to backend services
 
@@ -78,58 +92,58 @@ The Codebreaker platform uses **Microsoft External ID** (formerly Azure AD B2C)
 
 ### For New Developers
 
-1. Read the [Quick Start Guide](./quick-start.md) first
-2. Set up your development environment
+1. Read the [Microsoft Entra External ID Guide](./microsoft-external-id.md) for current implementation
+2. Use the [Quick Start Guide](./quick-start.md) for fast setup
 3. Configure authentication for your specific platform
 4. Test with the provided code snippets
 
-### For Detailed Implementation
+### For Migration from Azure AD B2C
 
-1. Review the [comprehensive guide](./microsoft-external-id.md)
-2. Understand the token flow architecture
-3. Follow platform-specific configuration sections
-4. Implement security best practices
+1. Review the [Azure AD B2C Migration Guide](./azure-ad-b2c.md)
+2. Understand the differences between B2C and External ID
+3. Update configuration endpoints and settings
+4. Test thoroughly before production deployment
 
 ## Platform Support Matrix
 
-| Platform | Authentication Library | Status | Documentation |
-|----------|----------------------|--------|---------------|
-| Gateway (YARP) | Microsoft.Identity.Web | ✅ Configured | [Section](./microsoft-external-id.md#gateway-configuration) |
-| Game APIs | Microsoft.Identity.Web | ⚠️ Optional | [Section](./microsoft-external-id.md#game-apis-service-configuration) |
-| Blazor Server | Microsoft.Identity.Web | ✅ Supported | [Section](./microsoft-external-id.md#blazor-server-configuration) |
-| Blazor WASM | MSAL.js | ✅ Supported | [Section](./microsoft-external-id.md#blazor-webassembly-wasm-configuration) |
-| WPF | MSAL.NET | ✅ Supported | [Section](./microsoft-external-id.md#wpf-configuration) |
-| .NET MAUI | MSAL.NET | ✅ Supported | [Section](./microsoft-external-id.md#net-maui-configuration) |
-| Uno Platform | MSAL.NET | ✅ Supported | [Section](./microsoft-external-id.md#uno-platform-configuration) |
-| WinUI 3 | MSAL.NET | ✅ Supported | [Section](./microsoft-external-id.md#winui-3-configuration) |
+| Platform | Authentication Library | Current Status | Documentation |
+|----------|----------------------|----------------|---------------|
+| Gateway (YARP) | Microsoft.Identity.Web | ✅ Entra External ID | [Entra External ID](./microsoft-external-id.md#gateway-configuration) |
+| Game APIs | Microsoft.Identity.Web | ⚠️ Optional | [Entra External ID](./microsoft-external-id.md#game-apis-service-configuration) |
+| Blazor Server | Microsoft.Identity.Web | ✅ Supported | [Entra External ID](./microsoft-external-id.md#blazor-server-configuration) |
+| Blazor WASM | MSAL.js | ✅ Supported | [Entra External ID](./microsoft-external-id.md#blazor-webassembly-wasm-configuration) |
+| WPF | MSAL.NET | ✅ Supported | [Entra External ID](./microsoft-external-id.md#wpf-configuration) |
+| .NET MAUI | MSAL.NET | ✅ Supported | [Entra External ID](./microsoft-external-id.md#net-maui-configuration) |
+| Uno Platform | MSAL.NET | ✅ Supported | [Entra External ID](./microsoft-external-id.md#uno-platform-configuration) |
+| WinUI 3 | MSAL.NET | ✅ Supported | [Entra External ID](./microsoft-external-id.md#winui-3-configuration) |
 
 ## Configuration Overview
 
-### Minimum Required Configuration
+### Target Implementation (Microsoft Entra External ID)
 
 All platforms require:
 
-1. **Azure AD B2C Tenant**: Microsoft Entra ID with External ID configured
+1. **Microsoft Entra External ID Tenant**: Configured with user flows
 2. **App Registration**: One per platform/client type
 3. **Redirect URIs**: Platform-specific callback URLs
 4. **Client ID**: Application (client) ID from app registration
-5. **Authority URL**: B2C tenant and policy endpoint
+5. **Authority URL**: External ID tenant endpoint (*.ciamlogin.com)
 
-### Environment Variables
+### Environment Variables (Target)
 
 Development:
 ```bash
-AzureAdB2C__Instance=https://your-tenant.b2clogin.com
-AzureAdB2C__Domain=your-tenant.onmicrosoft.com
-AzureAdB2C__ClientId=<client-id>
-AzureAdB2C__SignUpSignInPolicyId=B2C_1_SUSI
+EntraExternalId__Instance=https://your-tenant.ciamlogin.com
+EntraExternalId__Domain=your-tenant.onmicrosoft.com
+EntraExternalId__TenantId=<tenant-id>
+EntraExternalId__ClientId=<client-id>
 ```
 
 Production (use Azure Key Vault):
 ```bash
 az keyvault secret set --vault-name gateway-keyvault \
-  --name "AzureAdB2C--ClientSecret" \
-  --value "<client-secret>"
+  --name "EntraExternalId--ClientSecret" \
+  --value "<secure-password>"
 ```
 
 ## Common Scenarios
@@ -140,46 +154,35 @@ az keyvault secret set --vault-name gateway-keyvault \
 
 **Setup**:
 - Blazor Server or Blazor WASM
-- Microsoft External ID for authentication
+- Microsoft Entra External ID for authentication
 - Gateway forwards authenticated requests to APIs
 
-**Documentation**: [Blazor Client Configuration](./microsoft-external-id.md#blazor-client-configuration)
+**Documentation**: [Entra External ID Blazor Configuration](./microsoft-external-id.md#blazor-client-configuration)
 
 ### Scenario 2: Desktop Application (WPF/MAUI)
 
 **Use Case**: Native desktop/mobile application
 
 **Setup**:
 - MSAL.NET for authentication
-- Native platform authentication UI
+- Microsoft Entra External ID authority
 - Direct API calls through Gateway
 
-**Documentation**: [Desktop Client Configuration](./microsoft-external-id.md#desktop-client-configuration)
+**Documentation**: [Entra External ID Desktop Configuration](./microsoft-external-id.md#desktop-client-configuration)
 
 ### Scenario 3: Anonymous + Authenticated Users
 
 **Use Case**: Game supporting both guest and registered players
 
 **Setup**:
 - Anonymous user service for guest accounts
-- Optional authentication upgrade
+- Optional authentication upgrade to Entra External ID
 - Mixed authorization policies
 
 **Documentation**: 
-- [Identity Service README](../../src/services/identity/README.md)
+- [User Service README](../../src/services/user/README.md)
 - [Gateway Configuration](./microsoft-external-id.md#gateway-configuration)
 
-### Scenario 4: API-to-API Communication
-
-**Use Case**: Backend service calling another backend service
-
-**Setup**:
-- Client credentials flow
-- Service principal authentication
-- Managed identity
-
-**Documentation**: [Token Flow Architecture](./microsoft-external-id.md#token-flow-architecture)
-
 ## Security Considerations
 
 ### Critical Security Practices
@@ -191,51 +194,76 @@ az keyvault secret set --vault-name gateway-keyvault \
 5. **Rotate secrets regularly**: Set up automated secret rotation
 6. **Monitor authentication**: Log and alert on suspicious activity
 
-See [Security Best Practices](./microsoft-external-id.md#security-best-practices) for detailed guidance.
+See [Entra External ID Security Guide](./microsoft-external-id.md#security-best-practices) for detailed guidance.
 
 ## Troubleshooting
 
-### Quick Diagnostics
+### Quick Diagnostics (Target Implementation)
 
 ```bash
-# Check if token is valid
+# Check if Entra External ID token is valid
 curl -H "Authorization: Bearer <token>" https://your-gateway-url.com/games
 
 # Decode JWT token
 # Visit https://jwt.ms and paste your token
 
-# Test authentication endpoint
-curl https://your-tenant.b2clogin.com/your-tenant.onmicrosoft.com/B2C_1_SUSI/v2.0/.well-known/openid-configuration
+# Test Entra External ID authentication endpoint
+curl https://your-tenant.ciamlogin.com/<tenant-id>/v2.0/.well-known/openid-configuration
 ```
 
 ### Common Issues
 
-1. **CORS errors**: See [Troubleshooting](./microsoft-external-id.md#2-cors-errors-in-browser)
-2. **Token validation failures**: See [Troubleshooting](./microsoft-external-id.md#1-the-access-token-provided-is-not-valid-error)
-3. **Redirect URI mismatch**: See [Troubleshooting](./microsoft-external-id.md#6-redirect-uri-mismatch)
-4. **Authentication state not persisting**: See [Troubleshooting](./microsoft-external-id.md#8-blazor-wasm-authentication-state-not-persisting)
+1. **CORS errors**: See [Entra External ID Troubleshooting](./microsoft-external-id.md#2-cors-errors-in-browser)
+2. **Token validation failures**: Check Entra External ID configuration
+3. **Redirect URI mismatch**: Verify Entra External ID app registration
+4. **Authority not found**: Check tenant ID and ciamlogin.com endpoint
+
+Full troubleshooting guide: [Entra External ID Troubleshooting](./microsoft-external-id.md#troubleshooting)
+
+## Migration from Azure AD B2C
+
+### Migration Checklist
+
+If migrating from Azure AD B2C to Microsoft Entra External ID:
+
+1. **Setup External ID tenant**:
+   - Create new Entra External ID tenant
+   - Configure user flows
+   - Create app registrations
+
+2. **Update configuration**:
+   - Change endpoints from *.b2clogin.com to *.ciamlogin.com  
+   - Update configuration sections from AzureAdB2C to EntraExternalId
+   - Update authority URLs to include tenant ID
+
+3. **Test migration**:
+   - Test with non-production workloads first
+   - Validate token compatibility
+   - Verify all client platforms
 
-Full troubleshooting guide: [Troubleshooting Section](./microsoft-external-id.md#troubleshooting)
+4. **Resources**:
+   - [Microsoft Entra External ID Guide](./microsoft-external-id.md)
+   - [Migration Reference](./azure-ad-b2c.md)
 
 ## Additional Resources
 
 ### Official Microsoft Documentation
 
-- [Microsoft Identity Platform](https://learn.microsoft.com/en-us/azure/active-directory/develop/)
-- [Microsoft External ID](https://learn.microsoft.com/en-us/azure/active-directory-b2c/)
+- [Microsoft Entra External ID](https://learn.microsoft.com/en-us/entra/external-id/) ✅ **Current**
+- [Azure AD B2C Documentation](https://learn.microsoft.com/en-us/azure/active-directory-b2c/) ⚠️ **Legacy**
 - [MSAL.NET](https://learn.microsoft.com/en-us/azure/active-directory/develop/msal-overview)
 - [Microsoft.Identity.Web](https://learn.microsoft.com/en-us/azure/active-directory/develop/microsoft-identity-web)
 
 ### Codebreaker Resources
 
-- [Identity Service](../../src/services/identity/)
-- [Gateway Service](../../src/services/gateway/)
+- [Gateway Service](../../src/services/gateway/) ✅ **Uses Entra External ID**
+- [User Service](../../src/services/user/)
 - [Game APIs](../../src/services/gameapis/)
 - [Main README](../../README.md)
 
 ### Sample Code
 
-- [Microsoft Identity Samples](https://github.com/Azure-Samples?q=active-directory)
+- [Microsoft Entra External ID Samples](https://github.com/Azure-Samples?q=external-id) ✅ **Current**
 - [Codebreaker Backend Repository](https://github.com/CodebreakerApp/Codebreaker.Backend)
 
 ## Contributing
@@ -250,9 +278,9 @@ Found an issue or have a suggestion?
 
 For questions or issues:
 
-- **Documentation issues**: Open a GitHub issue
-- **Implementation questions**: Check [Troubleshooting](./microsoft-external-id.md#troubleshooting)
-- **Microsoft Identity issues**: See [Official Documentation](https://learn.microsoft.com/en-us/azure/active-directory/)
+- **Current implementation**: Use [Microsoft Entra External ID Guide](./microsoft-external-id.md)
+- **Migration questions**: See [Azure AD B2C Migration Guide](./azure-ad-b2c.md)
+- **Microsoft Identity issues**: See [Official Documentation](https://learn.microsoft.com/en-us/entra/external-id/)
 
 ## License