Swap admin auth to standard Blazor OIDC code + PKCE flow

Phase D-1 step 2c. Replaces the HTTP Basic admin auth scheme with
the standard Blazor OIDC workflow: cookie session, OpenIdConnect
challenge, interactive login page served by the same Duende
IdentityServer instance that authenticates worker machines.

Coordinator packages:
- Adds Microsoft.AspNetCore.Authentication.OpenIdConnect 10.0.4
  (version pinned up from 10.0.0 to satisfy Duende 7.4.7's
  transitive floor and avoid NU1605 downgrade).

IdentityServerResources:
- Adds IdentityResources (OpenId, Profile) for the interactive UI
  client's ID token claims.
- Adds BuildAdminUiClient builder that emits a Duende Client with
  authorization_code + PKCE, openid+profile scopes, and redirect
  URIs pointing at {baseUrl}/signin-oidc and /signout-callback-oidc.
- Exposes AdminUiClientId constant so Program.cs can reference it.

CoordinatorOptions:
- New BaseUrl setting (default https://localhost:5001). Doubles as
  the OpenID Connect authority URL so the coordinator's OIDC client
  discovers its own IS's /.well-known/openid-configuration. In
  production this should match the public ngrok reserved domain.

Program.cs (significant rewrite):
- Seeds Duende TestUserStore with a single admin user built from
  CoordinatorOptions.Admin.{Username,Password}. AddTestUsers wires
  the default resource-owner password validator so Duende's login
  endpoint can authenticate the operator.
- Configures IdentityServer UserInteraction.LoginUrl = /Account/Login
  so /connect/authorize redirects unauthenticated users into the
  Blazor login page instead of the built-in Duende quickstart UI.
- Stacks four authentication schemes:
    Cookies  — admin session cookie (default scheme)
    oidc     — OpenIdConnect challenge (default challenge scheme)
    Bearer   — JWT validation for worker endpoints
    idsrv    — Duende's own default cookie (for the IS login flow)
- AdminPolicy now requires the Cookies scheme + admin role claim.
  WorkerPolicy unchanged (Bearer + bitnet-worker scope).
- Adds /Account/Login/submit minimal API endpoint that validates
  posted credentials against TestUserStore, signs in on
  IdentityServerConstants.DefaultCookieAuthenticationScheme
  ("idsrv"), and redirects to the caller's returnUrl (the IS
  /connect/authorize continuation URL). DisableAntiforgery() for
  now; CSRF hardening lands when the login page gets a Blazor
  @editform.

Components/Pages/LoginPage.razor (new):
- Static-SSR Blazor page at /Account/Login with a plain HTML form
  POSTing to /Account/Login/submit.
- SupplyParameterFromQuery populates returnUrl (from Duende's
  /connect/authorize redirect) and error (from the submit
  endpoint's bounce-back on bad credentials).
- Uses MainLayout so the page picks up the shared dark-theme
  header / styles.

Components/Pages/ApiKeysPage.razor:
- Drops the AuthenticationSchemes = "AdminBasic" override on
  @Attribute [Authorize]; the page now defers to AdminPolicy which
  in turn uses the default cookie scheme that OIDC populates.

AdminBasicAuthenticationHandler.cs removed. Programmatic admin
access still possible via the JSON endpoints after obtaining an
admin cookie through the OIDC flow, or by adding a client-credentials
grant for scripted callers in a follow-up step.

Fast-lane regression: 223/223 tests pass in 1m24s on net10 slice.
No existing tests exercise the new OIDC handshake end-to-end —
that integration suite lands after /work and /heartbeat are
implemented so one run covers the full worker lifecycle.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: sharpninja

src/BitNetSharp.Distributed.Coordinator/Auth/AdminBasicAuthenticationHandler.cs

@@ -27,6 +27,7 @@
     <PackageReference Include="Microsoft.Data.Sqlite" Version="10.0.0" />
     <PackageReference Include="Microsoft.AspNetCore.OpenApi" Version="10.0.0" />
     <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="10.0.0" />
+    <PackageReference Include="Microsoft.AspNetCore.Authentication.OpenIdConnect" Version="10.0.4" />
     <PackageReference Include="Duende.IdentityServer" Version="7.4.7" />
   </ItemGroup>
 

src/BitNetSharp.Distributed.Coordinator/BitNetSharp.Distributed.Coordinator.csproj

@@ -1,5 +1,5 @@
 @page "/admin/api-keys"
-@attribute [Authorize(Policy = "AdminPolicy", AuthenticationSchemes = "AdminBasic")]
+@attribute [Authorize(Policy = "AdminPolicy")]
 @inject WorkerClientRegistry Registry
 @inject SqliteClientRevocationStore Revocations
 

src/BitNetSharp.Distributed.Coordinator/Components/Pages/ApiKeysPage.razor

@@ -0,0 +1,59 @@
+@page "/Account/Login"
+@layout MainLayout
+
+@* Static-SSR login page rendered inside Duende IdentityServer's
+   interactive login flow. Duende redirects unauthenticated users here
+   with a ?returnUrl=... query parameter pointing at the IS
+   /connect/authorize continuation URL. The form posts to the minimal
+   API endpoint /Account/Login/submit in Program.cs, which validates
+   the credentials against the TestUserStore and calls SignInAsync on
+   the "idsrv" cookie scheme before redirecting back. *@
+
+<h2>Sign in</h2>
+
+<p>
+    This coordinator is protected. Sign in with the admin credentials
+    configured at startup via
+    <code>Coordinator__Admin__Username</code> and
+    <code>Coordinator__Admin__Password</code>.
+</p>
+
+@if (!string.IsNullOrWhiteSpace(Error))
+{
+    <p class="warn">@Error</p>
+}
+
+<form method="post" action="/Account/Login/submit">
+    <input type="hidden" name="returnUrl" value="@ReturnUrl" />
+    <div style="max-width:340px; display:flex; flex-direction:column; gap:12px; margin-top:16px;">
+        <label>
+            <div style="font-size:12px; color:#bbb; margin-bottom:2px;">Username</div>
+            <input name="username" autocomplete="username" required
+                   style="width:100%; padding:8px; background:#1c1c1c; color:#eee; border:1px solid #333; border-radius:4px;" />
+        </label>
+        <label>
+            <div style="font-size:12px; color:#bbb; margin-bottom:2px;">Password</div>
+            <input type="password" name="password" autocomplete="current-password" required
+                   style="width:100%; padding:8px; background:#1c1c1c; color:#eee; border:1px solid #333; border-radius:4px;" />
+        </label>
+        <button type="submit" class="btn" style="align-self:flex-start; margin-top:8px;">Sign in</button>
+    </div>
+</form>
+
+@code {
+    /// <summary>
+    /// Populated from the <c>?returnUrl</c> query parameter when
+    /// Duende redirects here from <c>/connect/authorize</c>. After a
+    /// successful login the submit endpoint redirects the browser
+    /// back to this URL so the OIDC handshake can continue.
+    /// </summary>
+    [SupplyParameterFromQuery(Name = "returnUrl")]
+    public string? ReturnUrl { get; set; }
+
+    /// <summary>
+    /// One-shot error banner set by the submit endpoint via
+    /// <c>?error=...</c> on a failed sign-in attempt.
+    /// </summary>
+    [SupplyParameterFromQuery(Name = "error")]
+    public string? Error { get; set; }
+}

src/BitNetSharp.Distributed.Coordinator/Components/Pages/LoginPage.razor

@@ -67,6 +67,16 @@ public sealed class CoordinatorOptions
     /// </summary>
     public int AccessTokenLifetimeSeconds { get; set; } = 3600;
 
+    /// <summary>
+    /// Public base URL at which this coordinator is reachable. The
+    /// identity server and the admin OIDC client both use this value
+    /// as the OpenID Connect issuer / authority so self-referential
+    /// discovery works. In production this is the ngrok reserved
+    /// domain; in local development it is whatever HTTPS URL Kestrel
+    /// binds to.
+    /// </summary>
+    public string BaseUrl { get; set; } = "https://localhost:5001";
+
     /// <summary>
     /// List of OAuth 2.0 client-credentials clients that are allowed
     /// to authenticate as workers. Populated from environment at

src/BitNetSharp.Distributed.Coordinator/Configuration/CoordinatorOptions.cs

@@ -1,4 +1,5 @@
 using System.Collections.Generic;
+using Duende.IdentityServer;
 using Duende.IdentityServer.Models;
 
 namespace BitNetSharp.Distributed.Coordinator.Identity;
@@ -46,4 +47,51 @@ public static class IdentityServerResources
             Scopes = { WorkerScopeName }
         }
     };
+
+    /// <summary>
+    /// Interactive identity resources exposed to the admin Blazor UI
+    /// OIDC client. Only the minimum — openid + profile — so the
+    /// admin cookie just needs the sub and name claims.
+    /// </summary>
+    public static IEnumerable<IdentityResource> IdentityResources => new IdentityResource[]
+    {
+        new IdentityResources.OpenId(),
+        new IdentityResources.Profile()
+    };
+
+    /// <summary>
+    /// OAuth client id for the coordinator's own Blazor admin UI.
+    /// The admin panel authenticates against the local IS using this
+    /// client via OIDC authorization-code + PKCE.
+    /// </summary>
+    public const string AdminUiClientId = "bitnet-coordinator-admin-ui";
+
+    /// <summary>
+    /// Builds the Duende <see cref="Client"/> the OpenIdConnect
+    /// middleware on the admin Blazor UI authenticates against. The
+    /// redirect URI must match the SignInScheme's callback path the
+    /// OIDC middleware advertises (the standard <c>/signin-oidc</c>).
+    /// </summary>
+    public static Client BuildAdminUiClient(string coordinatorBaseUrl)
+    {
+        var baseUrl = coordinatorBaseUrl.TrimEnd('/');
+        return new Client
+        {
+            ClientId = AdminUiClientId,
+            ClientName = "BitNet Coordinator Admin UI",
+            AllowedGrantTypes = GrantTypes.Code,
+            RequireClientSecret = false,
+            RequirePkce = true,
+            AllowedScopes =
+            {
+                IdentityServerConstants.StandardScopes.OpenId,
+                IdentityServerConstants.StandardScopes.Profile
+            },
+            RedirectUris = { $"{baseUrl}/signin-oidc" },
+            PostLogoutRedirectUris = { $"{baseUrl}/signout-callback-oidc" },
+            FrontChannelLogoutUri = $"{baseUrl}/signout-oidc",
+            AllowOfflineAccess = false,
+            AllowAccessTokensViaBrowser = false
+        };
+    }
 }