Add benchmarks for auth infrastructure and hot paths

[Tratcher]

One area we haven't tried to benchmark yet is AuthN and AuthZ.

High priority as these happen on most requests:

• AuthenticationMiddleware, handler resolution, etc..
• Authorization policies
• Cookie Auth, decrypting, deserializing, and verifying
• Jwt bearer auth, deserializing, and verifying

Low priority, these only happen on a small percentage of requests:

• Cookie creation and refresh, seralizing, encrypting
• OAuth and OIDC challenges and logins

[muratg]

Putting this in 3.0.0 timeline. We'll try to see our perf characteristics here as the first step.

[davidfowl]

Putting this in a specific preview so it doesn't happen at the end when we can't react.

[Eilon]

Moving to a later preview. We should at least check Cookie Auth because it runs on every request. The other middlesware don't run as often so we're less concerned about their per-request perf.

[davidfowl]

We should still know the performance of the code we wrote. Some of it was just lazy and could easily be better even if its doesn’t happen as often.

What about JWT?

[Eilon]

We're trying to prioritize the work, so we're open to adjusting priorities based on feedback.

[davidfowl]

We should do both JWT and Cookie then. Both Microbenchmarks and Full end to end benchmarks.

[rynowak]

I hope you're ready to be sad about the perf of the JWT code 😆

[Pilchie]

@sebastienros and @HaoK haven't you been looking at this already?

[HaoK]

Yep dupe of #27220