build [dependabot]: Bump Duende.BFF from 2.3.0 to 3.0.0

[dependabot]

Updated Duende.BFF from 2.3.0 to 3.0.0.

Release notes

Sourced from Duende.BFF's releases.

3.0

What's new?

Duende BFF Security Framework v3.0 is a significant release that includes:

• .NET 9 support
• Blazor support
• Several fixes and improvements

Blazor support

Microsoft's Blazor framework enables developers to build interactive web applications using C# and .NET, offering both server-side and client-side hosting models. However, implementing authentication in Blazor presents certain challenges. For example, in split-mode scenarios, where rendering is divided between server and client, managing authentication states consistently can be complex.

To address these issues, the new Backend for Frontend (BFF) framework provides comprehensive support for authentication in Blazor applications. The BFF pattern centralizes authentication logic on the server side, creating a secure environment for managing user identities and sessions. As with other browser based applications, the actual authentication logic is handled on the server by the Duende BFF Security Framework. On the client, the BFF makes sure that the authentication state is in sync with the session on the server.

Breaking changes

• Bff yarp proxy improvements #​1734 (With many thanks to @​ArturDorochowicz for bringing this issue to our attention and providing a solution direction)
• AddAddEntityFrameworkServerSideSessionsServices in Duende.Bff.EntityFramework/Configuration/BffBuilderExtensions.cs #​1695
• Async GetUserClaims, GetManagementClaims #​1702
• Consolidating ClaimRecord and ClaimLite #​1697

Other fixes and improvements

• Prevent log warning when expected duplicate key constraint is violated. #​1763
• Signout on refresh token expire #​1803
• Bumped version of Duende.AccessTokenManagement to 3.2.0 #​1804

Upgrading

If you rely on the default extension methods for wiring up the BFF, then V3 should be a drop-in replacement.

Upgrade guide

From v2.x => v3.x

If you rely on the default extension methods for wiring up the BFF, then V3 should be a drop-in replacement.

Migrating from custom implementations of IHttpMessageInvokerFactory

In Duende.BFF V2, there was an interface called IHttpMessageInvokerFactory. This class was responsible for creating
and wiring up yarp's HttpMessageInvoker. This interface has been removed in favor yarp's IForwarderHttpClientFactory.

One common scenario for creating a custom implementation of this class was for mocking the http client
during unit testing.

If you wish to inject a http handler for unit testing, you should now inject a custom IForwarderHttpClientFactory. For example:

   // A Forwarder factory that forwards the messages to a message handler (which can be easily retrieved from a testhost)
    public class BackChannelHttpMessageInvokerFactory(HttpMessageHandler backChannel) 
        : IForwarderHttpClientFactory
 ... (truncated)

## 3.0.0-rc1

This is the first Release Candidate for the next version of the Duende BFF Security Framework V3. 

# What's new?

Duende BFF Security Framework v3.0 is a significant release that includes:

* .NET 9 support
* Blazor support 
* Several fixes and improvements

## Blazor support
Microsoft's Blazor framework enables developers to build interactive web applications using C# and .NET, offering both server-side and client-side hosting models. However, implementing authentication in Blazor presents certain challenges. For example, in split-mode scenarios, where rendering is divided between server and client, managing authentication states consistently can be complex. 

To address these issues, the new Backend for Frontend (BFF) framework provides comprehensive support for authentication in Blazor applications. The BFF pattern centralizes authentication logic on the server side, creating a secure environment for managing user identities and sessions. As with other browser based applications, the actual authentication logic is handled on the server by the Duende BFF Security Framework. On the client, the BFF makes sure that the authentication state is in sync with the session on the server. 

## Breaking changes

* Bff yarp proxy improvements #​1734 (With many thanks to @​ArturDorochowicz for bringing this issue to our attention and providing a solution direction)
* AddAddEntityFrameworkServerSideSessionsServices in Duende.Bff.EntityFramework/Configuration/BffBuilderExtensions.cs #​1695
* Async GetUserClaims, GetManagementClaims #​1702
* Consolidating ClaimRecord and ClaimLite #​1697

## Other fixes and improvements

* Prevent log warning when expected duplicate key constraint is violated. #​1763
* Signout on refresh token expire #​1803
* Bumped version of Duende.AccessTokenManagement to 3.2.0 #​1804

# Upgrading

If you rely on the default extension methods for wiring up the BFF, then V3 should be a drop-in replacement. 

# Upgrade guide

## From v2.x => v3.x

If you rely on the default extension methods for wiring up the BFF, then V3 should be a drop-in replacement. 

### Migrating from custom implementations of IHttpMessageInvokerFactory 

In Duende.BFF V2, there was an interface called IHttpMessageInvokerFactory. This class was responsible for creating 
and wiring up yarp's HttpMessageInvoker. This interface has been removed in favor yarp's IForwarderHttpClientFactory.

One common scenario for creating a custom implementation of this class was for mocking the http client
during unit testing. 

If you wish to inject a http handler for unit testing, you should now inject a custom IForwarderHttpClientFactory. For example:

``` c#
   // A Forwarder factory that forwards the messages to a message handler (which can be easily retrieved from a testhost)
 ... (truncated)

Commits viewable in [compare view](https://github.com/DuendeSoftware/products/commits/bff-3.0.0).
</details>

[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=Duende.BFF&package-manager=nuget&previous-version=2.3.0&new-version=3.0.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)


</details>