Document ClaimActions configuration for dashboard OpenID Connect authentication (#5192)

* Initial plan

* Document ClaimActions configuration for dashboard OIDC authentication

Co-authored-by: JamesNK <303201+JamesNK@users.noreply.github.com>

* Apply suggestion from @JamesNK

* Apply suggestion from @JamesNK

* Apply suggestion from @JamesNK

* Update configuration.md

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: JamesNK <303201+JamesNK@users.noreply.github.com>
Co-authored-by: James Newton-King <james@newtonking.com>

Author: Copilot

docs/fundamentals/dashboard/configuration.md

@@ -1,7 +1,7 @@
 ---
 title: Aspire dashboard configuration
 description: Aspire dashboard configuration options
-ms.date: 04/15/2025
+ms.date: 10/10/2025
 ms.topic: reference
 ---
 
@@ -91,6 +91,7 @@ Browser token authentication works by the frontend asking for a token. The token
 | `Dashboard:Frontend:OpenIdConnect:UsernameClaimType` | `preferred_username` | Specifies one or more claim types that should be used to display the authenticated user's username. Can be a single claim type or a comma-delimited list of claim types. |
 | `Dashboard:Frontend:OpenIdConnect:RequiredClaimType` | `null` | Specifies the claim that must be present for authorized users. Authorization fails without this claim. This value is optional. |
 | `Dashboard:Frontend:OpenIdConnect:RequiredClaimValue` | `null` | Specifies the value of the required claim. Only used if `Dashboard:Frontend:OpenIdConnect:RequireClaimType` is also specified. This value is optional. |
+| `Dashboard:Frontend:OpenIdConnect:ClaimActions` | `null` | A collection of claim actions to configure how claims are mapped from the OpenID Connect user info endpoint. Each claim action can map JSON properties to claims. This value is optional. |
 | `Authentication:Schemes:OpenIdConnect:Authority` | `null` | URL to the identity provider (IdP). |
 | `Authentication:Schemes:OpenIdConnect:ClientId` | `null` | Identity of the relying party (RP). |
 | `Authentication:Schemes:OpenIdConnect:ClientSecret` | `null` | A secret that only the real RP would know. |
@@ -101,6 +102,44 @@ Browser token authentication works by the frontend asking for a token. The token
 >
 > For more information, see [Configure ASP.NET Core to work with proxy servers and load balancers](/aspnet/core/host-and-deploy/proxy-load-balancer).
 
+### Claim actions
+
+Claim actions configure how claims are mapped from the JSON returned by the OpenID Connect user info endpoint to the user's claims identity. Each claim action in the `Dashboard:Frontend:OpenIdConnect:ClaimActions` collection supports the following properties:
+
+| Property | Description |
+|--|--|
+| `ClaimType` (required) | The claim type to create. |
+| `JsonKey` (required) | The JSON key to map from. |
+| `SubKey` (optional) | The sub-key within the JSON key to map from. Used when the value is nested within another JSON object. |
+| `IsUnique` (optional) | When `true`, ensures only one claim of this type exists. If a claim already exists, it won't be added again. Defaults to `false`. |
+| `ValueType` (optional) | The claim value type. Defaults to `string`. |
+
+The following example shows how to configure claim actions using JSON configuration:
+
+```json
+{
+  "Dashboard": {
+    "Frontend": {
+      "OpenIdConnect": {
+        "ClaimActions": [
+          {
+            "ClaimType": "role",
+            "JsonKey": "role"
+          }
+        ]
+      }
+    }
+  }
+}
+```
+
+Or using environment variables for configuration:
+
+```bash
+export Dashboard__Frontend__OpenIdConnect__ClaimActions__0__ClaimType="role"
+export Dashboard__Frontend__OpenIdConnect__ClaimActions__0__JsonKey="role"
+```
+
 ## OTLP authentication
 
 The OTLP endpoint authentication is configured with `Dashboard:Otlp:AuthMode`. The OTLP endpoint can be secured with an API key or [client certificate](/aspnet/core/security/authentication/certauth) authentication.