Add scope-gated custom claims support for UserInfo endpoint

- Add CoreIdentUserInfoOptions for configuring custom claims scope and allowlist
- Update UserInfo endpoint to include custom claims only when configured scope is granted
- Add XML documentation comments for CoreIdentUserInfoOptions and CoreIdentClient methods
- Update client GetUserAsync to use validated ID token as base and enrich with UserInfo claims
- Add GetValidatedIdTokenUserAsync helper for debugging ID token claims separately
- Update client samples to show claim sources distinctly (ID token vs UserInfo vs access token)
- Add server and client sample projects with custom_claims scope configuration
- Fix duplicate DumpClaims function in client samples
- Add comprehensive documentation for custom claims testing

Author: stimpy77

CoreIdent.sln

@@ -43,6 +43,12 @@ Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "CoreIdent.Templates.Tests",
 EndProject
 Project("{F2A71F9B-5D33-465A-A702-920D77279786}") = "CoreIdent.FSharp.Sample", "samples\CoreIdent.FSharp.Sample\CoreIdent.FSharp.Sample.fsproj", "{A90B9D37-39B3-4AE4-8AE1-52E5A02CB200}"
 EndProject
+Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "samples", "samples", "{5D20AA90-6969-D8BD-9DCD-8634F4692FDA}"
+EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "CoreIdent.Client.Samples", "samples\CoreIdent.Client.Samples\CoreIdent.Client.Samples.csproj", "{08E5F2CA-FB60-4E61-B0B3-ADBD6743C19F}"
+EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "CoreIdent.Server.Samples", "samples\CoreIdent.Server.Samples\CoreIdent.Server.Samples.csproj", "{3358BBBC-5B99-415D-8113-FF763CC9DDA5}"
+EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 		Debug|Any CPU = Debug|Any CPU
@@ -269,28 +275,54 @@ Global
 		{A90B9D37-39B3-4AE4-8AE1-52E5A02CB200}.Release|x64.Build.0 = Release|Any CPU
 		{A90B9D37-39B3-4AE4-8AE1-52E5A02CB200}.Release|x86.ActiveCfg = Release|Any CPU
 		{A90B9D37-39B3-4AE4-8AE1-52E5A02CB200}.Release|x86.Build.0 = Release|Any CPU
+		{08E5F2CA-FB60-4E61-B0B3-ADBD6743C19F}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{08E5F2CA-FB60-4E61-B0B3-ADBD6743C19F}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{08E5F2CA-FB60-4E61-B0B3-ADBD6743C19F}.Debug|x64.ActiveCfg = Debug|Any CPU
+		{08E5F2CA-FB60-4E61-B0B3-ADBD6743C19F}.Debug|x64.Build.0 = Debug|Any CPU
+		{08E5F2CA-FB60-4E61-B0B3-ADBD6743C19F}.Debug|x86.ActiveCfg = Debug|Any CPU
+		{08E5F2CA-FB60-4E61-B0B3-ADBD6743C19F}.Debug|x86.Build.0 = Debug|Any CPU
+		{08E5F2CA-FB60-4E61-B0B3-ADBD6743C19F}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{08E5F2CA-FB60-4E61-B0B3-ADBD6743C19F}.Release|Any CPU.Build.0 = Release|Any CPU
+		{08E5F2CA-FB60-4E61-B0B3-ADBD6743C19F}.Release|x64.ActiveCfg = Release|Any CPU
+		{08E5F2CA-FB60-4E61-B0B3-ADBD6743C19F}.Release|x64.Build.0 = Release|Any CPU
+		{08E5F2CA-FB60-4E61-B0B3-ADBD6743C19F}.Release|x86.ActiveCfg = Release|Any CPU
+		{08E5F2CA-FB60-4E61-B0B3-ADBD6743C19F}.Release|x86.Build.0 = Release|Any CPU
+		{3358BBBC-5B99-415D-8113-FF763CC9DDA5}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{3358BBBC-5B99-415D-8113-FF763CC9DDA5}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{3358BBBC-5B99-415D-8113-FF763CC9DDA5}.Debug|x64.ActiveCfg = Debug|Any CPU
+		{3358BBBC-5B99-415D-8113-FF763CC9DDA5}.Debug|x64.Build.0 = Debug|Any CPU
+		{3358BBBC-5B99-415D-8113-FF763CC9DDA5}.Debug|x86.ActiveCfg = Debug|Any CPU
+		{3358BBBC-5B99-415D-8113-FF763CC9DDA5}.Debug|x86.Build.0 = Debug|Any CPU
+		{3358BBBC-5B99-415D-8113-FF763CC9DDA5}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{3358BBBC-5B99-415D-8113-FF763CC9DDA5}.Release|Any CPU.Build.0 = Release|Any CPU
+		{3358BBBC-5B99-415D-8113-FF763CC9DDA5}.Release|x64.ActiveCfg = Release|Any CPU
+		{3358BBBC-5B99-415D-8113-FF763CC9DDA5}.Release|x64.Build.0 = Release|Any CPU
+		{3358BBBC-5B99-415D-8113-FF763CC9DDA5}.Release|x86.ActiveCfg = Release|Any CPU
+		{3358BBBC-5B99-415D-8113-FF763CC9DDA5}.Release|x86.Build.0 = Release|Any CPU
 	EndGlobalSection
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE
 	EndGlobalSection
 	GlobalSection(NestedProjects) = preSolution
 		{13763257-46A9-43D3-B447-01E9B886AB99} = {827E0CD3-B72D-47B6-A68D-7590B98EB39B}
+		{7C1E8B5E-37B3-4E71-9A5F-8E2B8D9AD8B2} = {827E0CD3-B72D-47B6-A68D-7590B98EB39B}
 		{7DAD0A0D-9B1B-4C2B-A758-9E5D5C1C4B8A} = {827E0CD3-B72D-47B6-A68D-7590B98EB39B}
 		{A8E0F5F1-86B0-4E6E-9B8D-0C2C15FA1C9D} = {827E0CD3-B72D-47B6-A68D-7590B98EB39B}
 		{C1A4B06F-5F7C-4D18-9A0B-2E8A0DAB01D6} = {827E0CD3-B72D-47B6-A68D-7590B98EB39B}
 		{629C0C37-9B6B-4E43-B8F5-C38F6CC223A5} = {827E0CD3-B72D-47B6-A68D-7590B98EB39B}
 		{2C6E6D31-7DA0-4B50-8A71-55AB7E847E0D} = {827E0CD3-B72D-47B6-A68D-7590B98EB39B}
 		{EF48235B-6889-4C3C-8E58-C8A1FF2005ED} = {827E0CD3-B72D-47B6-A68D-7590B98EB39B}
 		{8FAD8D9A-6D73-4C41-9F12-321A6E2E8C6D} = {827E0CD3-B72D-47B6-A68D-7590B98EB39B}
+		{B9D9E1D1-0A77-4A4C-9E4E-2F22CE5B1D40} = {827E0CD3-B72D-47B6-A68D-7590B98EB39B}
+		{1E2D7B4F-45D8-4E18-9D1E-8DAE0A41E5F0} = {0AB3BF05-4346-4AA6-1389-037BE0695223}
 		{FDB14E50-0569-4EEA-B1DC-931025401D99} = {0AB3BF05-4346-4AA6-1389-037BE0695223}
 		{A2F2D5AE-0C83-4B62-8D25-6D4B1BC8E2E5} = {0AB3BF05-4346-4AA6-1389-037BE0695223}
 		{4D7B54B2-3E59-4BC4-9A87-8DDC6D68E6E0} = {0AB3BF05-4346-4AA6-1389-037BE0695223}
 		{B11D0B6B-6E2E-4A49-8F1A-5D05C82B4E67} = {0AB3BF05-4346-4AA6-1389-037BE0695223}
 		{CE3F11D3-060F-4F4C-8A40-5A67AFDAD1D0} = {0AB3BF05-4346-4AA6-1389-037BE0695223}
 		{D5A2C0E8-2B2F-4A54-9EA1-6E5D3C59D6E7} = {0AB3BF05-4346-4AA6-1389-037BE0695223}
 		{A90B9D37-39B3-4AE4-8AE1-52E5A02CB200} = {0AB3BF05-4346-4AA6-1389-037BE0695223}
-		{7C1E8B5E-37B3-4E71-9A5F-8E2B8D9AD8B2} = {827E0CD3-B72D-47B6-A68D-7590B98EB39B}
-		{B9D9E1D1-0A77-4A4C-9E4E-2F22CE5B1D40} = {827E0CD3-B72D-47B6-A68D-7590B98EB39B}
-		{1E2D7B4F-45D8-4E18-9D1E-8DAE0A41E5F0} = {0AB3BF05-4346-4AA6-1389-037BE0695223}
+		{08E5F2CA-FB60-4E61-B0B3-ADBD6743C19F} = {5D20AA90-6969-D8BD-9DCD-8634F4692FDA}
+		{3358BBBC-5B99-415D-8113-FF763CC9DDA5} = {5D20AA90-6969-D8BD-9DCD-8634F4692FDA}
 	EndGlobalSection
 EndGlobal

samples/CoreIdent.Client.Samples/BrowserLaunchers/TestHeaderBrowserLauncher.cs

@@ -0,0 +1,90 @@
+using System.Net;
+using CoreIdent.Client;
+
+namespace CoreIdent.Client.Samples.BrowserLaunchers;
+
+/// <summary>
+/// A test-only browser launcher that simulates an interactive login by calling the authorize URL
+/// with a test-header authenticated request and returning the redirect Location.
+/// </summary>
+public sealed class TestHeaderBrowserLauncher : IBrowserLauncher, IDisposable
+{
+    private readonly HttpClient _http;
+    private readonly bool _ownsHttp;
+    private readonly string _userId;
+    private readonly string? _email;
+
+    public TestHeaderBrowserLauncher(HttpClient http, string userId, string? email)
+    {
+        ArgumentNullException.ThrowIfNull(http);
+        ArgumentException.ThrowIfNullOrWhiteSpace(userId);
+
+        _ownsHttp = false;
+        _http = http;
+        _userId = userId;
+        _email = string.IsNullOrWhiteSpace(email) ? null : email;
+    }
+
+    public TestHeaderBrowserLauncher(HttpMessageHandler handler, Uri baseAddress, string userId, string? email)
+    {
+        ArgumentNullException.ThrowIfNull(handler);
+        ArgumentNullException.ThrowIfNull(baseAddress);
+        ArgumentException.ThrowIfNullOrWhiteSpace(userId);
+
+        _ownsHttp = true;
+        _http = new HttpClient(handler) { BaseAddress = baseAddress };
+        _userId = userId;
+        _email = string.IsNullOrWhiteSpace(email) ? null : email;
+    }
+
+    public async Task<BrowserResult> LaunchAsync(string url, string redirectUri, CancellationToken ct = default)
+    {
+        ArgumentException.ThrowIfNullOrWhiteSpace(url);
+        ArgumentException.ThrowIfNullOrWhiteSpace(redirectUri);
+
+        using var req = new HttpRequestMessage(HttpMethod.Get, url);
+
+        // CoreIdent sample host uses this auth scheme for /auth/authorize.
+        req.Headers.TryAddWithoutValidation("X-Test-User-Id", _userId);
+        if (_email is not null)
+        {
+            req.Headers.TryAddWithoutValidation("X-Test-User-Email", _email);
+        }
+
+        using var resp = await _http.SendAsync(req, HttpCompletionOption.ResponseHeadersRead, ct);
+
+        if (resp.StatusCode is HttpStatusCode.Found or HttpStatusCode.SeeOther)
+        {
+            var location = resp.Headers.Location?.ToString();
+            if (string.IsNullOrWhiteSpace(location))
+            {
+                return BrowserResult.Fail("invalid_response", "Authorize response did not include a Location header.");
+            }
+
+            // Return the URL (which should be the redirect_uri with code + state).
+            return BrowserResult.Success(location);
+        }
+
+        var body = string.Empty;
+        try
+        {
+            body = await resp.Content.ReadAsStringAsync(ct);
+        }
+        catch
+        {
+            // ignore
+        }
+
+        return BrowserResult.Fail(
+            "authorize_failed",
+            $"Authorize request failed. Status={(int)resp.StatusCode} {resp.ReasonPhrase}. Body={body}");
+    }
+
+    public void Dispose()
+    {
+        if (_ownsHttp)
+        {
+            _http.Dispose();
+        }
+    }
+}

samples/CoreIdent.Client.Samples/CoreIdent.Client.Samples.csproj

@@ -0,0 +1,18 @@
+<Project Sdk="Microsoft.NET.Sdk">
+
+  <PropertyGroup>
+    <TargetFramework>net10.0</TargetFramework>
+    <OutputType>Exe</OutputType>
+    <ImplicitUsings>enable</ImplicitUsings>
+    <Nullable>enable</Nullable>
+    <LangVersion>14</LangVersion>
+    <IsPackable>false</IsPackable>
+    <GenerateDocumentationFile>false</GenerateDocumentationFile>
+    <NoWarn>$(NoWarn);1591</NoWarn>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <ProjectReference Include="..\..\src\CoreIdent.Client\CoreIdent.Client.csproj" />
+  </ItemGroup>
+
+</Project>