

@chlowell chlowell commented Nov 20, 2025

These enable SDK clients to implement custom request authorization and challenge handling (closes #1756).

New API:

  • OnRequest trait: defines a callback invoked on each request, responsible for authorizing it before sending
    • Key Vault clients will use this to skip authorization so they can discover auth parameters from a challenge
  • OnChallenge trait: defines a callback invoked upon receiving an auth challenge. Implementations are responsible for parsing challenges and authorizing requests and telling the policy whether to retry them
  • BearerTokenAuthorizationPolicy builder methods: with_on_request() and with_on_challenge() set callbacks for a policy instance
    • when these aren't set, the policy behaves as it does today: it authorizes each request with its credential and scopes, and returns 401 responses to the pipeline instead of trying to handle their challenges
  • Authorizer trait (sealed): allows callbacks to authorize requests and cache tokens without using the policy's credential directly
    • I moved the authNZ logic from send() into a private implementation of this
  • Request::body_mut(): lets the policy reset a body stream before retrying after a challenge

I put all this in a new module azure_core::http::policies::auth and moved BearerTokenAuthorizationPolicy there as well.
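An added example, not code from this PR or from azure_core: the kind of decision an on-challenge callback has to make, written as free functions because the trait signatures are not shown on this page. The function names, the sample hosts, and the rule that the challenge's resource host must match the request host are assumptions of this example.

```rust
use std::collections::HashMap;
/// Parse the parameters of a `Bearer` challenge; None for any other scheme.
/// Commas inside quoted values are kept; escaped quotes are not handled.
fn parse_bearer_challenge(header: &str) -> Option<HashMap<String, String>> {
    let header = header.trim();
    let (scheme, rest) = header.split_once(char::is_whitespace).unwrap_or((header, ""));
    if !scheme.eq_ignore_ascii_case("bearer") {
        return None;
    }
    let mut params = HashMap::new();
    let (mut key, mut val, mut in_val, mut quoted) = (String::new(), String::new(), false, false);
    // The chained ',' flushes the last parameter.
    for c in rest.chars().chain(std::iter::once(',')) {
        match c {
            '"' if in_val => quoted = !quoted,
            '=' if !in_val => in_val = true,
            ',' if !quoted => {
                if !key.trim().is_empty() {
                    params.insert(key.trim().to_ascii_lowercase(), val.trim().to_string());
                }
                key.clear();
                val.clear();
                in_val = false;
            }
            _ if in_val => val.push(c),
            _ => key.push(c),
        }
    }
    Some(params)
}

/// Some(scope): fetch a token for this scope and retry. None: return the 401 to the pipeline.
fn scope_for_retry(request_host: &str, header: &str) -> Option<String> {
    let params = parse_bearer_challenge(header)?;
    let resource = params.get("resource").or_else(|| params.get("scope"))?;
    let base = resource.trim_end_matches("/.default").trim_end_matches('/');
    let host = base.strip_prefix("https://")?.to_ascii_lowercase();
    let req = request_host.to_ascii_lowercase();
    // Assumed check: the resource host must be the request host or a parent domain of it.
    if req == host || req.ends_with(&format!(".{host}")) {
        Some(format!("{base}/.default"))
    } else {
        None
    }
}

fn main() {
    // Constructed challenge header and hosts.
    let h = r#"Bearer authorization="https://login.example/t", resource="https://vault.example""#;
    println!("{:?}", scope_for_retry("myvault.vault.example", h));
}
```

Refusing to retry when the challenge names an unrelated resource keeps a token from being requested on the say-so of whatever endpoint answered the first request.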

@chlowell chlowell self-assigned this Nov 20, 2025
@github-actions github-actions bot added the Azure.Core The azure_core crate label Nov 20, 2025

github-actions bot commented Nov 20, 2025

API Change Check

APIView identified API level changes in this PR and created the following API reviews

azure_core
typespec_client_core

@chlowell chlowell force-pushed the btap-extension branch 3 times, most recently from 1d5a6cd to 4785d13 Compare November 21, 2025 17:05
@chlowell chlowell marked this pull request as ready for review November 21, 2025 17:16
Copilot AI review requested due to automatic review settings November 21, 2025 17:16
Copilot finished reviewing on behalf of chlowell November 21, 2025 17:20

Copilot AI left a comment


Pull request overview

This PR adds extensible request authorization and authentication challenge handling to BearerTokenAuthorizationPolicy, enabling SDK clients to implement custom authorization and challenge handling logic.

  • Introduces three new public traits: OnRequest, OnChallenge, and Authorizer (sealed) to define callbacks for request authorization and challenge handling
  • Adds builder methods with_on_request() and with_on_challenge() to configure policy behavior
  • Adds Request::body_mut() method to support resetting body streams when retrying after challenges
  • Adds WWW_AUTHENTICATE header constant for accessing authentication challenge headers

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| sdk/core/typespec_client_core/src/http/request/mod.rs | Adds body_mut() method to enable mutable access to request body for stream reset operations |
| sdk/core/typespec_client_core/src/http/headers/common.rs | Adds WWW_AUTHENTICATE header constant following existing header constant patterns |
| sdk/core/typespec_client_core/CHANGELOG.md | Documents the Request::body_mut() API addition |
| sdk/core/azure_core/src/http/policies/mod.rs | Exports new public traits (Authorizer, OnChallenge, OnRequest) from bearer_token_policy module |
| sdk/core/azure_core/src/http/policies/bearer_token_policy.rs | Refactors authorization logic into BearerTokenAuthorizer implementing Authorizer trait; adds OnRequest and OnChallenge trait definitions; implements challenge handling with body stream reset; adds comprehensive test coverage for new functionality |
| sdk/core/azure_core/CHANGELOG.md | Documents new extensible authorization and challenge handling features |


@heaths heaths left a comment


Nice, clean design overall but I have a few questions and concerns.


@heaths heaths left a comment


Rebase approved.

...so it can pass request-specific data along to on_challenge

Successfully merging this pull request may close these issues.

Need to allow customization of when and how auth tokens are fetched
