Azure · timovv · Sep 19, 2022 · Sep 19, 2022
diff --git a/sdk/keyvault/keyvault-admin/CHANGELOG.md b/sdk/keyvault/keyvault-admin/CHANGELOG.md
@@ -6,6 +6,7 @@
 
 - Verify the challenge resource matches the vault domain.
   This should affect few customers who can set `disableChallengeResourceVerification` in the options bag to `true` to disable.
+  See https://aka.ms/azsdk/blog/vault-uri for more information.
 
 ## 4.2.2 (2022-08-09)
 

diff --git a/sdk/keyvault/keyvault-admin/test/internal/challengeAuthenticationCallbacks.spec.ts b/sdk/keyvault/keyvault-admin/test/internal/challengeAuthenticationCallbacks.spec.ts
@@ -161,7 +161,7 @@ describe("Challenge based authentication tests", function () {
           },
           scopes: [],
         }),
-        "Challenge resource host 'vault.azure.net' does not match request domain"
+        "The challenge resource 'vault.azure.net' does not match the requested domain. Set disableChallengeResourceVerification to true in your client options to disable. See https://aka.ms/azsdk/blog/vault-uri for more information."
       );
     });
 
@@ -179,7 +179,7 @@ describe("Challenge based authentication tests", function () {
           },
           scopes: [],
         }),
-        "Challenge resource host 'vault.azure.net' does not match request domain"
+        "The challenge resource 'vault.azure.net' does not match the requested domain. Set disableChallengeResourceVerification to true in your client options to disable. See https://aka.ms/azsdk/blog/vault-uri for more information."
       );
     });
 
@@ -199,9 +199,7 @@ describe("Challenge based authentication tests", function () {
     });
 
     it("does not throw if the resource URI host does not match the request but verifyChallengeResource is false", async () => {
-      challengeCallbacks = createChallengeCallbacks({
-        disableChallengeResourceVerification: true,
-      });
+      challengeCallbacks = createChallengeCallbacks({ disableChallengeResourceVerification: true });
       await challengeCallbacks.authorizeRequestOnChallenge!({
         getAccessToken: () => Promise.resolve(null),
         request: createPipelineRequest({ url: "https://foo.bar" }),

diff --git a/sdk/keyvault/keyvault-certificates/CHANGELOG.md b/sdk/keyvault/keyvault-certificates/CHANGELOG.md
@@ -6,6 +6,7 @@
 
 - Verify the challenge resource matches the vault domain.
   This should affect few customers who can set `disableChallengeResourceVerification` in the options bag to `true` to disable.
+  See https://aka.ms/azsdk/blog/vault-uri for more information.
 
 ## 4.5.0 (2022-08-09)
 

diff --git a/sdk/keyvault/keyvault-certificates/test/internal/challengeAuthenticationCallbacks.spec.ts b/sdk/keyvault/keyvault-certificates/test/internal/challengeAuthenticationCallbacks.spec.ts
@@ -161,7 +161,7 @@ describe("Challenge based authentication tests", function () {
           },
           scopes: [],
         }),
-        "Challenge resource host 'vault.azure.net' does not match request domain"
+        "The challenge resource 'vault.azure.net' does not match the requested domain. Set disableChallengeResourceVerification to true in your client options to disable. See https://aka.ms/azsdk/blog/vault-uri for more information."
       );
     });
 
@@ -179,7 +179,7 @@ describe("Challenge based authentication tests", function () {
           },
           scopes: [],
         }),
-        "Challenge resource host 'vault.azure.net' does not match request domain"
+        "The challenge resource 'vault.azure.net' does not match the requested domain. Set disableChallengeResourceVerification to true in your client options to disable. See https://aka.ms/azsdk/blog/vault-uri for more information."
       );
     });
 
@@ -199,9 +199,7 @@ describe("Challenge based authentication tests", function () {
     });
 
     it("does not throw if the resource URI host does not match the request but verifyChallengeResource is false", async () => {
-      challengeCallbacks = createChallengeCallbacks({
-        disableChallengeResourceVerification: true,
-      });
+      challengeCallbacks = createChallengeCallbacks({ disableChallengeResourceVerification: true });
       await challengeCallbacks.authorizeRequestOnChallenge!({
         getAccessToken: () => Promise.resolve(null),
         request: createPipelineRequest({ url: "https://foo.bar" }),

diff --git a/sdk/keyvault/keyvault-common/src/challengeBasedAuthenticationPolicy.ts b/sdk/keyvault/keyvault-common/src/challengeBasedAuthenticationPolicy.ts
@@ -58,7 +58,7 @@ function verifyChallengeResource(scope: string, request: PipelineRequest): void
 
   if (!requestUrl.hostname.endsWith(`.${scopeAsUrl.hostname}`)) {
     throw new Error(
-      `Challenge resource host '${scopeAsUrl.hostname}' does not match request domain`
+      `The challenge resource '${scopeAsUrl.hostname}' does not match the requested domain. Set disableChallengeResourceVerification to true in your client options to disable. See https://aka.ms/azsdk/blog/vault-uri for more information.`
     );
   }
 }

diff --git a/sdk/keyvault/keyvault-keys/CHANGELOG.md b/sdk/keyvault/keyvault-keys/CHANGELOG.md
@@ -6,6 +6,7 @@
 
 - Verify the challenge resource matches the vault domain.
   This should affect few customers who can set `disableChallengeResourceVerification` in the options bag to `true` to disable.
+  See https://aka.ms/azsdk/blog/vault-uri for more information.
 
 ## 4.5.0 (2022-08-09)
 

diff --git a/sdk/keyvault/keyvault-keys/test/internal/challengeAuthenticationCallbacks.spec.ts b/sdk/keyvault/keyvault-keys/test/internal/challengeAuthenticationCallbacks.spec.ts
@@ -161,7 +161,7 @@ describe("Challenge based authentication tests", function () {
           },
           scopes: [],
         }),
-        "Challenge resource host 'vault.azure.net' does not match request domain"
+        "The challenge resource 'vault.azure.net' does not match the requested domain. Set disableChallengeResourceVerification to true in your client options to disable. See https://aka.ms/azsdk/blog/vault-uri for more information."
       );
     });
 
@@ -179,7 +179,7 @@ describe("Challenge based authentication tests", function () {
           },
           scopes: [],
         }),
-        "Challenge resource host 'vault.azure.net' does not match request domain"
+        "The challenge resource 'vault.azure.net' does not match the requested domain. Set disableChallengeResourceVerification to true in your client options to disable. See https://aka.ms/azsdk/blog/vault-uri for more information."
       );
     });
 

diff --git a/sdk/keyvault/keyvault-secrets/CHANGELOG.md b/sdk/keyvault/keyvault-secrets/CHANGELOG.md
@@ -6,6 +6,7 @@
 
 - Verify the challenge resource matches the vault domain.
   This should affect few customers who can set `disableChallengeResourceVerification` in the options bag to `true` to disable.
+  See https://aka.ms/azsdk/blog/vault-uri for more information.
 
 ## 4.5.1 (2022-08-15)
 

diff --git a/sdk/keyvault/keyvault-secrets/test/internal/challengeAuthenticationCallbacks.spec.ts b/sdk/keyvault/keyvault-secrets/test/internal/challengeAuthenticationCallbacks.spec.ts
@@ -161,7 +161,7 @@ describe("Challenge based authentication tests", function () {
           },
           scopes: [],
         }),
-        "Challenge resource host 'vault.azure.net' does not match request domain"
+        "The challenge resource 'vault.azure.net' does not match the requested domain. Set disableChallengeResourceVerification to true in your client options to disable. See https://aka.ms/azsdk/blog/vault-uri for more information."
       );
     });
 
@@ -179,7 +179,7 @@ describe("Challenge based authentication tests", function () {
           },
           scopes: [],
         }),
-        "Challenge resource host 'vault.azure.net' does not match request domain"
+        "The challenge resource 'vault.azure.net' does not match the requested domain. Set disableChallengeResourceVerification to true in your client options to disable. See https://aka.ms/azsdk/blog/vault-uri for more information."
       );
     });