Add docs for new v8.7 features

Author: mythz

MyApp/_includes/admin-ui-claims-validation.md

@@ -0,0 +1,48 @@
+Claims are attestations or attributes about a User which we can use to restrict access to APIs to only Users who
+have been assigned that claim. We could use this to implement a permission system that restricts usage with a 
+`todos:write` permission with something like:
+
+```csharp
+[ValidateHasClaim("perm", "todos:write")]
+class CreateTodo {}
+```
+
+Normally this would result in the generic missing claims error message:
+
+:::{.not-prose}
+<error-summary :status="{message:`perm Claim with 'todos:write' is Required`}"></error-summary>
+:::
+
+But as the `perm` claim has a customized error message:
+
+```csharp
+HasClaimValidator.ClaimErrorMessages["perm"]= "`${Value} Permission Required`";
+```
+
+It will generate that Error Response instead:
+
+:::{.not-prose}
+<error-summary :status="{message:`'todos:write' Permission Required`}"></error-summary>
+:::
+
+Which is a good example showing how `HasClaimValidator.ClaimErrorMessages` can be used to add custom error messages
+for your own custom claim validation. 
+
+### Inspecting Claims inside Services
+
+You can also inspect and validate a Users Claim by inspecting the Authenticated ClaimsPrincipal, e.g: 
+
+```csharp
+public class TodoServices : Service
+{
+    public object Any(CreateTodo request)
+    {
+        var user = Request.GetClaimsPrincipal();
+        if (!user.HasClaim("perm", "todos:write"))
+            throw HttpError.Forbidden("todos:write Permission Required");
+        
+        var allUserClaims = user.Claims.ToList();
+        //...
+    }
+}
+```

MyApp/_pages/admin-ui-identity-roles.md

@@ -0,0 +1,43 @@
+---
+title: Identity Roles & Claims UI
+---
+
+The Roles Admin UI is enabled when registering the [Admin Users UI](/admin-ui-identity-users#registration)
+which enables management APIs and Admin UIs for managing Identity Auth Roles and Claims for both Users and Roles. 
+
+Once registered it will be available from the **Roles** menu item in the Admin UI sidebar which can be used Add and Remove Application Roles:  
+
+![](/img/pages/admin-ui/identityauth-roles.webp)
+
+### Custom Application Roles
+
+If your App uses an extended `IdentityRole` data model, it can be configured with:
+
+```csharp
+services.AddPlugin(
+    new AuthFeature(IdentityAuth.For<ApplicationUser,ApplicationRole>(...)));
+```
+
+If it's also configured to use a different `PrimaryKey` type, it can be configured with: 
+
+```csharp
+services.AddPlugin(
+    new AuthFeature(IdentityAuth.For<AppUser,AppRole,int>(...)));
+```
+
+### IdentityAuth Role Claims
+
+The Edit Role Admin UI can also be configured to Add/Remove Claims to a Role, e.g:
+
+![](/img/pages/admin-ui/identityauth-role-claims.webp)
+
+Any Added or Removed Claims are only applied after clicking **Update Role**, likewise you can exit the UI without applying any changes by clicking **Cancel**.
+
+### Behavior of Role Claims
+
+Claims added to Roles have similar behavior to having Claims individually applied to all Users with that Role such that
+when a User is Authenticated they're populated with all claims assigned to their Roles and their individual User Claims. 
+
+## Validating Claims
+
+::include admin-ui-claims-validation.md::

MyApp/_pages/admin-ui-identity-users.md

@@ -162,3 +162,12 @@ feature.OnBeforeDeleteUser = (request, userId) => { ... };
 feature.OnAfterDeleteUser  = (request, userId) => { ... };
 ```
 
+### IdentityAuth User Claims
+
+The User Claim Management UI can be used to assign Claims to individual Users: 
+
+![](/img/pages/admin-ui/identityauth-user-claims.webp)
+
+## Validating Claims
+
+::include admin-ui-claims-validation.md::