Remove Scopes property from GetTokenOptions (Azure#50380)

Author: christothes

sdk/core/Azure.Core/src/TokenRequestContext.cs

@@ -155,7 +155,9 @@ public TokenRequestContext(string[] scopes, string? parentRequestId = default, s
         /// </summary>
         internal static TokenRequestContext FromGetTokenOptions(GetTokenOptions getTokenOptions)
         {
-            var scopes = getTokenOptions.Scopes.Span.ToArray();
+            var scopes = getTokenOptions.Properties.TryGetValue(GetTokenOptions.ScopesPropertyName, out var scopesValue) && scopesValue is ReadOnlyMemory<string> memoryScopes
+                ? memoryScopes.ToArray()
+                : throw new InvalidOperationException($"The '{GetTokenOptions.ScopesPropertyName}' property must be set in the {nameof(GetTokenOptions)}.");
             string? parentRequestId = getTokenOptions.Properties.TryGetValue("parentRequestId", out var parentRequestIdValue) && parentRequestIdValue is string ? (string)parentRequestIdValue : default;
             string? claims = getTokenOptions.Properties.TryGetValue("claims", out var claimsValue) && claimsValue is string ? (string)claimsValue : default;
             string? tenantId = getTokenOptions.Properties.TryGetValue("tenantId", out var tenantIdValue) && tenantIdValue is string ? (string)tenantIdValue : default;

sdk/core/System.ClientModel/api/System.ClientModel.net8.0.cs

@@ -218,10 +218,8 @@ public partial class GetTokenOptions
         public const string RefreshUrlPropertyName = "refreshUrl";
         public const string ScopesPropertyName = "scopes";
         public const string TokenUrlPropertyName = "tokenUrl";
-        public GetTokenOptions(System.ReadOnlyMemory<string> scopes, System.Collections.Generic.IReadOnlyDictionary<string, object> properties) { }
+        public GetTokenOptions(System.Collections.Generic.IReadOnlyDictionary<string, object> properties) { }
         public System.Collections.Generic.IReadOnlyDictionary<string, object> Properties { get { throw null; } }
-        public System.ReadOnlyMemory<string> Scopes { get { throw null; } }
-        public System.ClientModel.Primitives.GetTokenOptions WithAdditionalScopes(System.ReadOnlyMemory<string> additionalScopes) { throw null; }
     }
     public partial class HttpClientPipelineTransport : System.ClientModel.Primitives.PipelineTransport, System.IDisposable
     {

sdk/core/System.ClientModel/api/System.ClientModel.netstandard2.0.cs

@@ -218,10 +218,8 @@ public partial class GetTokenOptions
         public const string RefreshUrlPropertyName = "refreshUrl";
         public const string ScopesPropertyName = "scopes";
         public const string TokenUrlPropertyName = "tokenUrl";
-        public GetTokenOptions(System.ReadOnlyMemory<string> scopes, System.Collections.Generic.IReadOnlyDictionary<string, object> properties) { }
+        public GetTokenOptions(System.Collections.Generic.IReadOnlyDictionary<string, object> properties) { }
         public System.Collections.Generic.IReadOnlyDictionary<string, object> Properties { get { throw null; } }
-        public System.ReadOnlyMemory<string> Scopes { get { throw null; } }
-        public System.ClientModel.Primitives.GetTokenOptions WithAdditionalScopes(System.ReadOnlyMemory<string> additionalScopes) { throw null; }
     }
     public partial class HttpClientPipelineTransport : System.ClientModel.Primitives.PipelineTransport, System.IDisposable
     {

sdk/core/System.ClientModel/src/Auth/GetTokenOptions.cs

@@ -1,9 +1,7 @@
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License.
 
-using System.Collections.Generic;
 using System.Collections.ObjectModel;
-using System.Linq;
 
 namespace System.ClientModel.Primitives;
 
@@ -32,11 +30,6 @@ public class GetTokenOptions
     /// </summary>
     public const string RefreshUrlPropertyName = "refreshUrl";
 
-    /// <summary>
-    /// Gets the scopes required to authenticate.
-    /// </summary>
-    public ReadOnlyMemory<string> Scopes { get; }
-
     /// <summary>
     /// Gets the properties to be used for token requests.
     /// </summary>
@@ -45,34 +38,14 @@ public class GetTokenOptions
     /// <summary>
     /// Creates a new instance of <see cref="GetTokenOptions"/> with the specified scopes.
     /// </summary>
-    /// <param name="scopes">The scopes to be used in a call to <see cref="AuthenticationTokenProvider.GetToken(GetTokenOptions, CancellationToken)"/> or <see cref="AuthenticationTokenProvider.GetTokenAsync(GetTokenOptions, CancellationToken)"/></param>
     /// <param name="properties">The additional properties to be used for token requests.</param>
-    public GetTokenOptions(ReadOnlyMemory<string> scopes, IReadOnlyDictionary<string, object> properties)
+    public GetTokenOptions(IReadOnlyDictionary<string, object> properties)
     {
-        Scopes = scopes;
         Properties = properties switch
         {
             Dictionary<string, object> dict => new ReadOnlyDictionary<string, object>(dict),
             ReadOnlyDictionary<string, object> readOnlyDict => readOnlyDict,
             _ => new ReadOnlyDictionary<string, object>(properties.ToDictionary(kvp => kvp.Key, kvp => kvp.Value))
         };
     }
-
-    /// <summary>
-    /// Creates a new instance of <see cref="GetTokenOptions"/> by combining the current scopes with additional scopes.
-    /// </summary>
-    /// <param name="additionalScopes">Additional authentication scopes to be combined with existing ones.</param>
-    /// <returns>A new <see cref="GetTokenOptions"/> instance containing both original and additional scopes.</returns>
-    /// <remarks>
-    /// This method creates a new options instance rather than modifying the existing one, maintaining immutability.
-    /// The order of scopes is preserved, with original scopes followed by additional scopes.
-    /// </remarks>
-    public GetTokenOptions WithAdditionalScopes(ReadOnlyMemory<string> additionalScopes)
-    {
-        var originalScopes = Scopes;
-        var combined = new string[originalScopes.Length + additionalScopes.Length];
-        originalScopes.Span.CopyTo(combined.AsSpan(0, originalScopes.Length));
-        additionalScopes.Span.CopyTo(combined.AsSpan(originalScopes.Length));
-        return new GetTokenOptions(combined, Properties);
-    }
 }

sdk/core/System.ClientModel/src/Pipeline/BearerTokenPolicy.cs

@@ -11,7 +11,7 @@ namespace System.ClientModel.Primitives;
 public class BearerTokenPolicy : AuthenticationPolicy
 {
     private readonly AuthenticationTokenProvider _tokenProvider;
-    private readonly GetTokenOptions _flowContext;
+    private readonly GetTokenOptions? _flowContext;
 
     /// <summary>
     /// Creates a new instance of <see cref="BearerTokenPolicy"/>.
@@ -32,7 +32,10 @@ public BearerTokenPolicy(AuthenticationTokenProvider tokenProvider, IEnumerable<
     public BearerTokenPolicy(AuthenticationTokenProvider tokenProvider, string scope)
     {
         _tokenProvider = tokenProvider;
-        _flowContext = new GetTokenOptions(new[] { scope }, new Dictionary<string, object>());
+        _flowContext = new GetTokenOptions(new Dictionary<string, object>()
+        {
+            [GetTokenOptions.ScopesPropertyName] = new ReadOnlyMemory<string>([scope])
+        });
     }
 
     /// <inheritdoc />
@@ -53,30 +56,47 @@ private async ValueTask ProcessAsync(PipelineMessage message, IReadOnlyList<Pipe
         {
             throw new InvalidOperationException("Bearer token authentication is not permitted for non TLS protected (https) endpoints.");
         }
-        AuthenticationToken token;
-        if (message.TryGetProperty(typeof(GetTokenOptions), out var rawContext) && rawContext is GetTokenOptions scopesContext)
+        AuthenticationToken? token = null;
+
+        // The following scenarios are supported:
+        // 1. If the message does not have a GetTokenOptions property.
+        //    - When _flowContext is null, this shall be treated as a NoAuth scenario. The message will be processed without authentication.
+        //    - When _flowContext is not null, the message will be processed with the service level flow context as-is.
+        // 2. If the message has a GetTokenOptions property, it shall contain a IEnumerable<IReadOnlyDictionary<string, object>>
+        //    - When _flowContext is null, the property value shall contain the flows supported by the operation.
+        //      If the operation defines additional scopes, they will be embedded in the 'scopes' property of any IEnumerable<IReadOnlyDictionary<string, object>>.
+        //    - When _flowContext is not null it shall be ignored and the property value shall define the flows supported by the operation.
+
+        if (message.TryGetProperty(typeof(GetTokenOptions), out var rawContext) && rawContext is IEnumerable<IReadOnlyDictionary<string, object>> flowsContexts)
         {
-            var context = _flowContext.WithAdditionalScopes(scopesContext.Scopes);
-            token = async ? await _tokenProvider.GetTokenAsync(context, message.CancellationToken).ConfigureAwait(false) :
-            _tokenProvider.GetToken(context, message.CancellationToken);
+            var context = GetOptionsFromContexts(flowsContexts, _tokenProvider);
+            if (context is not null)
+            {
+                token = async ? await _tokenProvider.GetTokenAsync(context, message.CancellationToken).ConfigureAwait(false) :
+                _tokenProvider.GetToken(context, message.CancellationToken);
+            }
         }
-        else
+        else if (_flowContext is not null && _flowContext.Properties.Count > 0)
         {
             token = _tokenProvider.GetToken(_flowContext, message.CancellationToken);
         }
-        message.Request.Headers.Set("Authorization", $"Bearer {token.TokenValue}");
 
-        if (async)
-        {
-            await ProcessNextAsync(message, pipeline, currentIndex).ConfigureAwait(false);
-        }
-        else
+        if (token is not null)
         {
-            ProcessNext(message, pipeline, currentIndex);
+            message.Request.Headers.Set("Authorization", $"Bearer {token.TokenValue}");
         }
+
+        if (async)
+            {
+                await ProcessNextAsync(message, pipeline, currentIndex).ConfigureAwait(false);
+            }
+            else
+            {
+                ProcessNext(message, pipeline, currentIndex);
+            }
     }
 
-    internal static GetTokenOptions GetOptionsFromContexts(IEnumerable<IReadOnlyDictionary<string, object>> contexts, AuthenticationTokenProvider tokenProvider)
+    internal static GetTokenOptions? GetOptionsFromContexts(IEnumerable<IReadOnlyDictionary<string, object>> contexts, AuthenticationTokenProvider tokenProvider)
     {
         foreach (var context in contexts)
         {
@@ -86,6 +106,6 @@ internal static GetTokenOptions GetOptionsFromContexts(IEnumerable<IReadOnlyDict
                 return options;
             }
         }
-        throw new InvalidOperationException($"The service does not support any of the auth flows implemented by the supplied token provider {tokenProvider.GetType().FullName}.");
+        return null;
     }
 }

sdk/core/System.ClientModel/tests/Auth/AuthenticationTokenProviderTests.cs

@@ -3,6 +3,7 @@
 
 using System.ClientModel.Primitives;
 using System.Collections.Generic;
+using System.Linq;
 using System.Net.Http;
 using System.Net.Http.Headers;
 using System.Text;
@@ -25,21 +26,39 @@ public void SampleUsage()
         client.Get();
     }
 
+    [Test]
+    public void SupportsNoServiceLevelAuth()
+    {
+        // usage for TokenProvider2 abstract type
+        AuthenticationTokenProvider provider = new ClientCredentialTokenProvider("myClientId", "myClientSecret");
+        var client = new NoAuthClient(new Uri("http://localhost"), provider);
+        client.Get();
+    }
+
     public class FooClient
     {
         // Generated from the TypeSpec spec.
-        private readonly Dictionary<string, object>[] flows = [
+
+        private static readonly string readScope = "read";
+        private readonly Dictionary<string, object>[] serviceFlows = [
             new Dictionary<string, object> {
                 { GetTokenOptions.ScopesPropertyName, new string[] { "baselineScope" } },
                 { GetTokenOptions.TokenUrlPropertyName , "https://myauthserver.com/token"},
                 { GetTokenOptions.RefreshUrlPropertyName, "https://myauthserver.com/refresh"}
             }
         ];
 
+        private readonly Dictionary<string, object>[] getOperationsFlows = [
+            new Dictionary<string, object> {
+                { GetTokenOptions.ScopesPropertyName, new string[] { "baselineScope", readScope } },
+                { GetTokenOptions.TokenUrlPropertyName , "https://myauthserver.com/token"},
+                { GetTokenOptions.RefreshUrlPropertyName, "https://myauthserver.com/refresh"}
+            }
+        ];
+
         private readonly IReadOnlyDictionary<string, object> _emptyProperties = new Dictionary<string, object>();
 
         private ClientPipeline _pipeline;
-        private static readonly string[] readScope = ["read"];
 
         public FooClient(Uri uri, ApiKeyCredential credential)
         {
@@ -62,7 +81,7 @@ public FooClient(Uri uri, AuthenticationTokenProvider credential)
             });
             ClientPipeline pipeline = ClientPipeline.Create(options,
             perCallPolicies: ReadOnlySpan<PipelinePolicy>.Empty,
-            perTryPolicies: [new BearerTokenPolicy(credential, flows)],
+            perTryPolicies: [new BearerTokenPolicy(credential, serviceFlows)],
             beforeTransportPolicies: ReadOnlySpan<PipelinePolicy>.Empty);
             _pipeline = pipeline;
         }
@@ -71,7 +90,7 @@ public ClientResult Get()
         {
             var message = _pipeline.CreateMessage();
             message.ResponseClassifier = PipelineMessageClassifier.Create([200]);
-            message.SetProperty(typeof(GetTokenOptions), new GetTokenOptions(readScope, _emptyProperties));
+            message.SetProperty(typeof(GetTokenOptions), getOperationsFlows);
 
             PipelineRequest request = message.Request;
             request.Method = "GET";
@@ -81,6 +100,53 @@ public ClientResult Get()
         }
     }
 
+    public class NoAuthClient
+    {
+        private readonly IReadOnlyDictionary<string, object> _emptyProperties = new Dictionary<string, object>();
+
+        private ClientPipeline _pipeline;
+
+        public NoAuthClient(Uri uri, ApiKeyCredential credential)
+        {
+            var options = new ClientPipelineOptions();
+            options.Transport = new MockPipelineTransport("foo", m => new MockPipelineResponse(200));
+            ClientPipeline pipeline = ClientPipeline.Create(options,
+            perCallPolicies: ReadOnlySpan<PipelinePolicy>.Empty,
+            perTryPolicies: [ApiKeyAuthenticationPolicy.CreateBasicAuthorizationPolicy(credential)],
+            beforeTransportPolicies: ReadOnlySpan<PipelinePolicy>.Empty);
+            _pipeline = pipeline;
+        }
+
+        public NoAuthClient(Uri uri, AuthenticationTokenProvider credential)
+        {
+            var options = new ClientPipelineOptions();
+            options.Transport = new MockPipelineTransport("foo",
+            m =>
+            {
+                // Assert that the request has no authentication headers
+                Assert.IsFalse(m.Request.Headers.TryGetValue("Authorization", out _), "Request should not have an Authorization header.");
+                return new MockPipelineResponse(200);
+            });
+            ClientPipeline pipeline = ClientPipeline.Create(options,
+            perCallPolicies: ReadOnlySpan<PipelinePolicy>.Empty,
+            perTryPolicies: [new BearerTokenPolicy(credential, [_emptyProperties])],
+            beforeTransportPolicies: ReadOnlySpan<PipelinePolicy>.Empty);
+            _pipeline = pipeline;
+        }
+
+        public ClientResult Get()
+        {
+            var message = _pipeline.CreateMessage();
+            message.ResponseClassifier = PipelineMessageClassifier.Create([200]);
+
+            PipelineRequest request = message.Request;
+            request.Method = "GET";
+            request.Uri = new Uri("https://localhost/noAuth");
+            _pipeline.Send(message);
+            return ClientResult.FromResponse(message.Response!);
+        }
+    }
+
     public class ClientCredentialTokenProvider : AuthenticationTokenProvider
     {
         private string _clientId;
@@ -148,8 +214,9 @@ public override async ValueTask<AuthenticationToken> GetTokenAsync(GetTokenOptio
                 properties.TryGetValue(GetTokenOptions.TokenUrlPropertyName, out var tokenUri) && tokenUri is string tokenUriValue &&
                 properties.TryGetValue(GetTokenOptions.RefreshUrlPropertyName, out var refreshUri) && refreshUri is string refreshUriValue)
             {
-                return new GetTokenOptions(scopeArray, new Dictionary<string, object>
+                return new GetTokenOptions(new Dictionary<string, object>
                 {
+                    { GetTokenOptions.ScopesPropertyName, new ReadOnlyMemory<string>(scopeArray) },
                     { GetTokenOptions.TokenUrlPropertyName, tokenUriValue },
                     { GetTokenOptions.RefreshUrlPropertyName, refreshUriValue }
                 });
@@ -169,12 +236,13 @@ internal async ValueTask<AuthenticationToken> GetAccessTokenInternal(bool async,
             var authBytes = System.Text.Encoding.ASCII.GetBytes($"{_clientId}:{_clientSecret}");
             var authHeader = Convert.ToBase64String(authBytes);
             request.Headers.Authorization = new AuthenticationHeaderValue("Basic", authHeader);
+            var scopes = ExtractScopes(properties.Properties);
 
             // Create form content
             var formContent = new FormUrlEncodedContent(
             [
                 new KeyValuePair<string, string>("grant_type", "client_credentials"),
-                new KeyValuePair<string, string>("scope", string.Join(" ", properties.Scopes.Span.ToArray()))
+                new KeyValuePair<string, string>("scope", string.Join(" ", scopes.ToArray()))
             ]);
 
             request.Content = formContent;
@@ -201,6 +269,24 @@ await _client.SendAsync(request) :
 
             return new AuthenticationToken(accessToken!, tokenType!, expiresOn, refreshOn);
         }
+
+        private static ReadOnlyMemory<string> ExtractScopes(IReadOnlyDictionary<string, object> properties)
+        {
+            if (!properties.TryGetValue(GetTokenOptions.ScopesPropertyName, out var scopesValue) || scopesValue is null)
+            {
+                return ReadOnlyMemory<string>.Empty;
+            }
+
+            return scopesValue switch
+            {
+                ReadOnlyMemory<string> memory => memory,
+                Memory<string> memory => memory,
+                string[] array => new ReadOnlyMemory<string>(array),
+                ICollection<string> collection => new ReadOnlyMemory<string>([.. collection]),
+                IEnumerable<string> enumerable => new ReadOnlyMemory<string>([.. enumerable]),
+                _ => ReadOnlyMemory<string>.Empty
+            };
+        }
     }
 
     public class ClientCredentialToken : AuthenticationToken