Update token exchange API routes to be called, prevent update of scop… (Azure#49099)

* Update token exchange API routes to be called, prevent update of scopes through options

Update route and api version in  token exchange API called by credential routes to be consistent by REST API review.
Make sure that update of scopes in EntraCommunicationTokenCredential won't affect already constructed EntraTokenCredential.

* Fixed typos

Author: paveldostalms

sdk/communication/Azure.Communication.Common/src/EntraTokenCredential.cs

@@ -2,6 +2,7 @@
 // Licensed under the MIT License.
 
 using System;
+using System.Collections.Generic;
 using System.Linq;
 using System.Text.Json;
 using System.Threading;
@@ -17,15 +18,15 @@ namespace Azure.Communication
     internal sealed class EntraTokenCredential : ICommunicationTokenCredential
     {
         private const string TeamsExtensionScopePrefix = "https://auth.msft.communication.azure.com/";
-        private const string ComunicationClientsScopePrefix = "https://communication.azure.com/clients/";
-        private const string TeamsExtensionEndpoint = "/access/teamsPhone/:exchangeAccessToken";
+        private const string CommunicationClientsScopePrefix = "https://communication.azure.com/clients/";
+        private const string TeamsExtensionEndpoint = "/access/teamsExtension/:exchangeAccessToken";
         private const string TeamsExtensionApiVersion = "2025-03-02-preview";
-        private const string ComunicationClientsEndpoint = "/access/entra/:exchangeAccessToken";
-        private const string ComunicationClientsApiVersion = "2024-04-01-preview";
+        private const string CommunicationClientsEndpoint = "/access/entra/:exchangeAccessToken";
+        private const string CommunicationClientsApiVersion = "2025-03-02-preview";
 
         private HttpPipeline _pipeline;
         private string _resourceEndpoint;
-        private string[] _scopes { get; set; }
+        private ICollection<string> _scopes { get; }
         private readonly ThreadSafeRefreshableAccessTokenCache _accessTokenCache;
 
         /// <summary>
@@ -36,7 +37,7 @@ internal sealed class EntraTokenCredential : ICommunicationTokenCredential
         public EntraTokenCredential(EntraCommunicationTokenCredentialOptions options, HttpPipelineTransport pipelineTransport = null)
         {
             this._resourceEndpoint = options.ResourceEndpoint;
-            this._scopes = options.Scopes;
+            this._scopes = (ICollection<string>)options.Scopes.Clone();
             _pipeline = CreatePipelineFromOptions(options, pipelineTransport);
             _accessTokenCache = new ThreadSafeRefreshableAccessTokenCache(
                     ExchangeEntraToken,
@@ -47,7 +48,7 @@ public EntraTokenCredential(EntraCommunicationTokenCredentialOptions options, Ht
 
         private HttpPipeline CreatePipelineFromOptions(EntraCommunicationTokenCredentialOptions options, HttpPipelineTransport pipelineTransport)
         {
-            var authenticationPolicy = new BearerTokenAuthenticationPolicy(options.TokenCredential, options.Scopes);
+            var authenticationPolicy = new BearerTokenAuthenticationPolicy(options.TokenCredential, _scopes);
             var entraTokenGuardPolicy = new EntraTokenGuardPolicy();
             var clientOptions = ClientOptions.Default;
             if (pipelineTransport != null)
@@ -135,19 +136,19 @@ private RequestUriBuilder CreateRequestUri()
         {
             if (_scopes == null || !_scopes.Any())
             {
-                throw new ArgumentException($"Scopes validation failed. Ensure all scopes start with either {TeamsExtensionScopePrefix} or {ComunicationClientsScopePrefix}.", nameof(_scopes));
+                throw new ArgumentException($"Scopes validation failed. Ensure all scopes start with either {TeamsExtensionScopePrefix} or {CommunicationClientsScopePrefix}.", nameof(_scopes));
             }
             else if (_scopes.All(item => item.StartsWith(TeamsExtensionScopePrefix)))
             {
                 return (TeamsExtensionEndpoint, TeamsExtensionApiVersion);
             }
-            else if (_scopes.All(item => item.StartsWith(ComunicationClientsScopePrefix)))
+            else if (_scopes.All(item => item.StartsWith(CommunicationClientsScopePrefix)))
             {
-                return (ComunicationClientsEndpoint, ComunicationClientsApiVersion);
+                return (CommunicationClientsEndpoint, CommunicationClientsApiVersion);
             }
             else
             {
-                throw new ArgumentException($"Scopes validation failed. Ensure all scopes start with either {TeamsExtensionScopePrefix} or {ComunicationClientsScopePrefix}.", nameof(_scopes));
+                throw new ArgumentException($"Scopes validation failed. Ensure all scopes start with either {TeamsExtensionScopePrefix} or {CommunicationClientsScopePrefix}.", nameof(_scopes));
             }
         }
 

sdk/communication/Azure.Communication.Common/tests/Identity/EntraTokenCredentialTest.cs

@@ -25,9 +25,10 @@ public class EntraTokenCredentialTest
         protected string TokenResponse = string.Format(TokenResponseTemplate, SampleToken, SampleTokenExpiry);
 
         private Mock<TokenCredential> _mockTokenCredential = null!;
-        private const string comunicationClientsEndpoint = "/access/entra/:exchangeAccessToken";
-        private const string communicationClientsScope = "https://communication.azure.com/clients/VoIP";
-        private const string teamsExtensionEndpoint = "/access/teamsPhone/:exchangeAccessToken";
+        private const string communicationClientsEndpoint = "/access/entra/:exchangeAccessToken";
+        private const string communicationClientsPrefix = "https://communication.azure.com/clients/";
+        private const string communicationClientsScope = communicationClientsPrefix + "VoIP";
+        private const string teamsExtensionEndpoint = "/access/teamsExtension/:exchangeAccessToken";
         private const string teamsExtensionScope = "https://auth.msft.communication.azure.com/TeamsExtension.ManageCalls";
         private string _resourceEndpoint = "https://myResource.communication.azure.com";
 
@@ -123,13 +124,13 @@ public async Task EntraTokenCredential_GetToken_ReturnsToken(string[] scopes)
             }
             else
             {
-                Assert.AreEqual(comunicationClientsEndpoint, mockTransport.SingleRequest.Uri.Path);
+                Assert.AreEqual(communicationClientsEndpoint, mockTransport.SingleRequest.Uri.Path);
             }
             _mockTokenCredential.Verify(tc => tc.GetTokenAsync(It.IsAny<TokenRequestContext>(), It.IsAny<CancellationToken>()), Times.Once);
         }
 
         [Test]
-        public async Task EntraTokenCredential_InitWithoutScopes_ReturnsComunicationClientsToken()
+        public async Task EntraTokenCredential_InitWithoutScopes_ReturnsCommunicationClientsToken()
         {
             // Arrange
             var expiryTime = DateTimeOffset.Parse(SampleTokenExpiry, null, System.Globalization.DateTimeStyles.RoundtripKind);
@@ -143,7 +144,7 @@ public async Task EntraTokenCredential_InitWithoutScopes_ReturnsComunicationClie
             // Assert
             Assert.AreEqual(SampleToken, token.Token);
             Assert.AreEqual(token.ExpiresOn, expiryTime);
-            Assert.AreEqual(comunicationClientsEndpoint, mockTransport.SingleRequest.Uri.Path);
+            Assert.AreEqual(communicationClientsEndpoint, mockTransport.SingleRequest.Uri.Path);
             _mockTokenCredential.Verify(tc => tc.GetTokenAsync(It.IsAny<TokenRequestContext>(), It.IsAny<CancellationToken>()), Times.Once);
         }
 
@@ -152,18 +153,20 @@ public async Task EntraTokenCredential_GetToken_InternalEntraTokenChangeInvalida
         {
             // Arrange
             var expiryTime = DateTimeOffset.Parse(SampleTokenExpiry, null, System.Globalization.DateTimeStyles.RoundtripKind);
-            var newToken = "newToken";
             var refreshOn = DateTimeOffset.Now;
+            _mockTokenCredential.Reset();
             _mockTokenCredential
                 .SetupSequence(tc => tc.GetTokenAsync(It.IsAny<TokenRequestContext>(), It.IsAny<CancellationToken>()))
                 .ReturnsAsync(new AccessToken("Entra token for call from constructor", refreshOn))
                 .ReturnsAsync(new AccessToken("Entra token for the first getToken call token", expiryTime));
 
-            var options = CreateEntraTokenCredentialOptions(scopes);
+            var newToken = "newToken";
             var latestTokenResponse = string.Format(TokenResponseTemplate, newToken, SampleTokenExpiry);
             var mockTransport = CreateMockTransport(new[] { CreateMockResponse(200, TokenResponse), CreateMockResponse(200, latestTokenResponse) });
-            var entraTokenCredential = new EntraTokenCredential(options, mockTransport);
+            var options = CreateEntraTokenCredentialOptions(scopes);
+
             // Act
+            var entraTokenCredential = new EntraTokenCredential(options, mockTransport);
             var token = await entraTokenCredential.GetTokenAsync(CancellationToken.None);
 
             // Assert for cached tokens are updated
@@ -272,6 +275,38 @@ public void EntraTokenCredential_GetToken_ThrowsForInvalidScopes(string[] scopes
             StringAssert.Contains("Scopes validation failed. Ensure all scopes start with either", ex?.Message);
         }
 
+        [Test]
+        public async Task EntraTokenCredential_GetToken_NoIssueIfScopesChanged()
+        {
+            var scopes = new string[] { communicationClientsScope, communicationClientsPrefix + "Chat" };
+
+            // Arrange
+            _mockTokenCredential.Reset();
+            var expiryTime = DateTimeOffset.Parse(SampleTokenExpiry, null, System.Globalization.DateTimeStyles.RoundtripKind);
+            var refreshOn = DateTimeOffset.Now;
+            _mockTokenCredential
+                .SetupSequence(tc => tc.GetTokenAsync(It.Is<TokenRequestContext>(c => c.Scopes.SequenceEqual(scopes)), It.IsAny<CancellationToken>()))
+                .ReturnsAsync(new AccessToken("Entra token for call from constructor", refreshOn))
+                .ReturnsAsync(new AccessToken("Entra token for the first getToken call token", expiryTime));
+
+            var newToken = "newToken";
+            var latestTokenResponse = string.Format(TokenResponseTemplate, newToken, SampleTokenExpiry);
+            var mockTransport = CreateMockTransport(new[] { CreateMockResponse(200, TokenResponse), CreateMockResponse(200, latestTokenResponse) });
+
+            var options = CreateEntraTokenCredentialOptions((string[])scopes.Clone());
+
+            // Act
+            var entraTokenCredential = new EntraTokenCredential(options, mockTransport);
+
+            // Change scopes
+            options.Scopes[1] = teamsExtensionScope;
+            var token = await entraTokenCredential.GetTokenAsync(CancellationToken.None);
+
+            // Assert for cached tokens are updated
+            Assert.AreEqual(newToken, token.Token);
+            _mockTokenCredential.Verify(tc => tc.GetTokenAsync(It.IsAny<TokenRequestContext>(), It.IsAny<CancellationToken>()), Times.Exactly(2));
+        }
+
         private EntraCommunicationTokenCredentialOptions CreateEntraTokenCredentialOptions(string[] scopes)
         {
             return new EntraCommunicationTokenCredentialOptions(_resourceEndpoint, _mockTokenCredential.Object)