Opaque (reference) access token guidance

[guardrex]

Fixes #36422

Stephen ... Can we get the dev going with some starting point code for the custom auth handler approach? I hacked some nasty 🦖 code 🙈😆 (on this PR) to give you an idea of what I have in mind, but it could be either a bad idea in the first place or incorrectly/poorly coded. I'll strike it if you say either is the case. I have a feeling that we'll strike it. If you have something I can link to for it, I'll add a link in its place. As far as our docs and samples go, I don't think we have any code that we can link around here for a general AuthenticationHandler demo. We just have the bit here on it, and that's very general info.

---

Internal previews

📄 File	🔗 Preview link
aspnetcore/blazor/security/blazor-web-app-with-oidc.md	aspnetcore/blazor/security/blazor-web-app-with-oidc

[Copilot]

Pull request overview

This PR adds comprehensive guidance for handling opaque (reference) access tokens in ASP.NET Core Blazor Web Apps with OIDC authentication, addressing issue #36422. The documentation explains when opaque tokens are supported by default and provides a starting-point implementation for scenarios requiring custom token validation.

Key Changes

• Explains that AddOpenIdConnect inherently supports opaque tokens for basic authentication scenarios without additional configuration
• Documents the limitation when opaque tokens need to be validated by services using AddJwtBearer
• Provides a custom AuthenticationHandler implementation as a starting point for developers who need to validate opaque tokens via introspection endpoints

[guardrex]

@halter73 ... Just checking in on your idea to flesh out the code bits here more completely. If that would take a while to do, can we get started by merging this now with a follow-up later? I'd like to clear some of my PRs that have been sitting for a while.