Fix TokenCredential.CreateTokenOptions to only accept ReadOnlyMemory<string> and throw exception for invalid types (#52021)

Author: Copilot

sdk/core/Azure.Core/src/TokenCredential.cs

@@ -1,6 +1,7 @@
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License.
 
+using System;
 using System.ClientModel;
 using System.ClientModel.Primitives;
 using System.Collections.Generic;
@@ -54,6 +55,23 @@ public override AuthenticationToken GetToken(GetTokenOptions properties, Cancell
             GetToken(TokenRequestContext.FromGetTokenOptions(properties), cancellationToken).ToAuthenticationToken();
 
         /// <inheritdoc />
-        public override GetTokenOptions? CreateTokenOptions(IReadOnlyDictionary<string, object> properties) => null;
+        public override GetTokenOptions? CreateTokenOptions(IReadOnlyDictionary<string, object> properties)
+        {
+            // Check if scopes are present and in a valid format
+            if (properties.TryGetValue(GetTokenOptions.ScopesPropertyName, out var scopesValue))
+            {
+                if (scopesValue is ReadOnlyMemory<string> scopes)
+                {
+                    return new GetTokenOptions(properties);
+                }
+                else
+                {
+                    throw new ArgumentException($"If a \"{GetTokenOptions.ScopesPropertyName}\" property is included in the properties, it should be typed as ReadOnlyMemory<string>.", nameof(properties));
+                }
+            }
+
+            // No scopes provided - insufficient information to create TokenRequestContext
+            return null;
+        }
     }
 }

sdk/core/Azure.Core/tests/DelegatedTokenCredentialTests.cs

@@ -3,6 +3,7 @@
 
 using System;
 using System.Collections.Generic;
+using System.ClientModel.Primitives;
 using System.Threading;
 using System.Threading.Tasks;
 using NUnit.Framework;
@@ -56,5 +57,97 @@ public void CreateGetTokenCallsDelegate(TokenCredential credential)
             Assert.AreEqual(expectedToken, actualToken.Token);
             Assert.AreEqual(expires, actualToken.ExpiresOn);
         }
+
+        [Test]
+        public void CreateTokenOptionsWithValidScopes()
+        {
+            // Test with ReadOnlyMemory<string> scopes
+            var scopesMemory = new ReadOnlyMemory<string>(new string[] { "scope1", "scope2" });
+            var properties = new Dictionary<string, object>
+            {
+                [GetTokenOptions.ScopesPropertyName] = scopesMemory,
+                ["additionalProperty"] = "value"
+            };
+
+            var credential = DelegatedTokenCredential.Create(getToken);
+            var result = credential.CreateTokenOptions(properties);
+
+            Assert.IsNotNull(result);
+            Assert.AreEqual(scopesMemory, result.Properties[GetTokenOptions.ScopesPropertyName]);
+            Assert.AreEqual("value", result.Properties["additionalProperty"]);
+        }
+
+        [Test]
+        public void CreateTokenOptionsWithStringArrayScopesThrowsException()
+        {
+            // Test with string[] scopes - should now throw an exception
+            var scopesArray = new string[] { "scope1", "scope2" };
+            var properties = new Dictionary<string, object>
+            {
+                [GetTokenOptions.ScopesPropertyName] = scopesArray,
+                ["additionalProperty"] = "value"
+            };
+
+            var credential = DelegatedTokenCredential.Create(getToken);
+
+            var exception = Assert.Throws<ArgumentException>(() => credential.CreateTokenOptions(properties));
+            Assert.That(exception.Message, Does.Contain("scopes"));
+            Assert.That(exception.Message, Does.Contain("ReadOnlyMemory<string>"));
+        }
+
+        [Test]
+        public void CreateTokenOptionsWithoutScopes()
+        {
+            // Test without scopes property
+            var properties = new Dictionary<string, object>
+            {
+                ["additionalProperty"] = "value"
+            };
+
+            var credential = DelegatedTokenCredential.Create(getToken);
+            var result = credential.CreateTokenOptions(properties);
+
+            Assert.IsNull(result);
+        }
+
+        [Test]
+        public void CreateTokenOptionsWithInvalidScopesThrowsException()
+        {
+            // Test with invalid scopes type - should throw an exception
+            var properties = new Dictionary<string, object>
+            {
+                [GetTokenOptions.ScopesPropertyName] = "invalid_scopes_type",
+                ["additionalProperty"] = "value"
+            };
+
+            var credential = DelegatedTokenCredential.Create(getToken);
+
+            var exception = Assert.Throws<ArgumentException>(() => credential.CreateTokenOptions(properties));
+            Assert.That(exception.Message, Does.Contain("scopes"));
+            Assert.That(exception.Message, Does.Contain("ReadOnlyMemory<string>"));
+        }
+
+        [Test]
+        public void CreateTokenOptionsCanCreateValidTokenRequestContext()
+        {
+            // Test that the created GetTokenOptions can be used to create TokenRequestContext
+            var scopesMemory = new ReadOnlyMemory<string>(new string[] { "scope1", "scope2" });
+            var properties = new Dictionary<string, object>
+            {
+                [GetTokenOptions.ScopesPropertyName] = scopesMemory
+            };
+
+            var credential = DelegatedTokenCredential.Create(getToken);
+            var tokenOptions = credential.CreateTokenOptions(properties);
+
+            Assert.IsNotNull(tokenOptions);
+
+            // This should not throw since we have valid scopes
+            Assert.DoesNotThrow(() =>
+            {
+                var context = TokenRequestContext.FromGetTokenOptions(tokenOptions);
+                Assert.AreEqual(scopesMemory.ToArray(), context.Scopes);
+            });
+        }
     }
 }