[Core] Enable CAE in auth policy by default (#42941)

pvaneck · web-flow · commit e432a89b2fc9 · 2025-09-18T13:28:43.000-07:00
CAE claims challenges have long been supported in our auth policies.
This enables it by default.

Signed-off-by: Paul Van Eck &lt;paulvaneck@microsoft.com&gt;
diff --git a/sdk/core/azure-core/CHANGELOG.md b/sdk/core/azure-core/CHANGELOG.md
@@ -10,6 +10,8 @@
 
 ### Other Changes
 
+- Updated `BearerTokenCredentialPolicy` and `AsyncBearerTokenCredentialPolicy` to set the `enable_cae` parameter to `True` by default. This change enables Continuous Access Evaluation (CAE) for all token requests made through these policies.  #42941
+
 ## 1.35.1 (2025-09-11)
 
 ### Bugs Fixed
diff --git a/sdk/core/azure-core/azure/core/pipeline/policies/_authentication.py b/sdk/core/azure-core/azure/core/pipeline/policies/_authentication.py
@@ -45,15 +45,15 @@ class _BearerTokenCredentialPolicyBase:
     :type credential: ~azure.core.credentials.TokenProvider
     :param str scopes: Lets you specify the type of access needed.
     :keyword bool enable_cae: Indicates whether to enable Continuous Access Evaluation (CAE) on all requested
-        tokens. Defaults to False.
+        tokens. Defaults to True.
     """
 
     def __init__(self, credential: TokenProvider, *scopes: str, **kwargs: Any) -> None:
         super(_BearerTokenCredentialPolicyBase, self).__init__()
         self._scopes = scopes
         self._credential = credential
         self._token: Optional[Union["AccessToken", "AccessTokenInfo"]] = None
-        self._enable_cae: bool = kwargs.get("enable_cae", False)
+        self._enable_cae: bool = kwargs.get("enable_cae", True)
 
     @staticmethod
     def _enforce_https(request: PipelineRequest[HTTPRequestType]) -> None:
diff --git a/sdk/core/azure-core/azure/core/pipeline/policies/_authentication_async.py b/sdk/core/azure-core/azure/core/pipeline/policies/_authentication_async.py
@@ -40,7 +40,7 @@ class AsyncBearerTokenCredentialPolicy(AsyncHTTPPolicy[HTTPRequestType, AsyncHTT
     :type credential: ~azure.core.credentials_async.AsyncTokenProvider
     :param str scopes: Lets you specify the type of access needed.
     :keyword bool enable_cae: Indicates whether to enable Continuous Access Evaluation (CAE) on all requested
-        tokens. Defaults to False.
+        tokens. Defaults to True.
     """
 
     def __init__(self, credential: AsyncTokenProvider, *scopes: str, **kwargs: Any) -> None:
@@ -49,7 +49,7 @@ def __init__(self, credential: AsyncTokenProvider, *scopes: str, **kwargs: Any)
         self._scopes = scopes
         self._lock_instance = None
         self._token: Optional[Union["AccessToken", "AccessTokenInfo"]] = None
-        self._enable_cae: bool = kwargs.get("enable_cae", False)
+        self._enable_cae: bool = kwargs.get("enable_cae", True)
 
     @property
     def _lock(self):
diff --git a/sdk/core/azure-core/tests/async_tests/test_authentication_async.py b/sdk/core/azure-core/tests/async_tests/test_authentication_async.py
@@ -74,7 +74,7 @@ async def test_bearer_policy_authorize_request(http_request):
     assert http_req.headers["Authorization"] == f"Bearer {expected_token.token}"
     assert fake_credential.get_token.call_count == 1
     assert fake_credential.get_token.call_args[0] == ("scope",)
-    assert fake_credential.get_token.call_args[1] == {"claims": "foo"}
+    assert fake_credential.get_token.call_args[1] == {"claims": "foo", "enable_cae": True}
 
 
 @pytest.mark.asyncio
@@ -132,7 +132,7 @@ async def test_bearer_policy_authorize_request_access_token_info(http_request):
     assert policy._token is expected_token
     assert http_req.headers["Authorization"] == f"Bearer {expected_token.token}"
     assert fake_credential.get_token_info.call_args[0] == ("scope",)
-    assert fake_credential.get_token_info.call_args[1] == {"options": {"claims": "foo"}}
+    assert fake_credential.get_token_info.call_args[1] == {"options": {"claims": "foo", "enable_cae": True}}
 
 
 @pytest.mark.asyncio
diff --git a/sdk/core/azure-core/tests/test_authentication.py b/sdk/core/azure-core/tests/test_authentication.py
@@ -74,7 +74,7 @@ def test_bearer_policy_authorize_request(http_request):
     assert http_req.headers["Authorization"] == f"Bearer {expected_token.token}"
     assert fake_credential.get_token.call_count == 1
     assert fake_credential.get_token.call_args[0] == ("scope",)
-    assert fake_credential.get_token.call_args[1] == {"claims": "foo"}
+    assert fake_credential.get_token.call_args[1] == {"claims": "foo", "enable_cae": True}
 
 
 @pytest.mark.parametrize("http_request", HTTP_REQUESTS)
@@ -119,7 +119,7 @@ def test_bearer_policy_authorize_request_access_token_info(http_request):
     assert policy._token is expected_token
     assert http_req.headers["Authorization"] == f"Bearer {expected_token.token}"
     assert fake_credential.get_token_info.call_args[0] == ("scope",)
-    assert fake_credential.get_token_info.call_args[1] == {"options": {"claims": "foo"}}
+    assert fake_credential.get_token_info.call_args[1] == {"options": {"claims": "foo", "enable_cae": True}}
 
 
 @pytest.mark.parametrize("http_request", HTTP_REQUESTS)
@@ -263,7 +263,7 @@ def test_bearer_policy_default_context(http_request):
 
     pipeline.run(http_request("GET", "https://localhost"))
 
-    credential.get_token.assert_called_once_with(expected_scope)
+    credential.get_token.assert_called_once_with(expected_scope, enable_cae=True)
 
 
 @pytest.mark.parametrize("http_request", HTTP_REQUESTS)
@@ -333,7 +333,7 @@ def test_bearer_policy_cannot_complete_challenge(http_request):
 
     assert response.http_response is expected_response
     assert transport.send.call_count == 1
-    credential.get_token.assert_called_once_with(expected_scope)
+    credential.get_token.assert_called_once_with(expected_scope, enable_cae=True)
 
 
 @pytest.mark.parametrize("http_request", HTTP_REQUESTS)
