[Feature Request] WWWAuthenticate Resource property obsolete with warning instead of error
See original GitHub issueIs your feature request related to a problem? Please describe.
In #3160 the Resource
property in WWWAuthenticateParameters
was marked as obsolete. There was a question on the PR as to whether the ObsoleteAttribute.IsError
property should be set to true
, and the decision was made to do it, with the rationale that callers should know the resource they are requesting.
The issue is that there are scenarios, such as this security advisory from Azure Key Vault, where clients are supposed to inspect the resource
parameter in the response to ensure it matches the set of well known domains.
Because the ObsoleteAttribute
now throws a compiler error, it doesn’t allow consumers to decide on how they want to address this issue - it can’t be suppressed as a warning could be.
Describe the solution you’d like
I’d like the IsError
property to be set to the default of false
.
Describe alternatives you’ve considered I’ve tried various ways of suppressing the error - other than conditional compilation I don’t know of a way, and that certainly seems like overkill.
Additional context
Issue Analytics
- State:
- Created 4 months ago
- Comments:7 (4 by maintainers)
Top GitHub Comments
Clients that perform resource validation (e.g. by comparing the host part of the resource against a list of known good hosts), can still use the indexer to retrieve the raw value of the resource / scope. If a resource is used, add “/.default” to it to transform it into a scope, e.g. “https://graph.microsoft.com/.default” is the OAuth2 scope for “https://graph.microsoft.com” resource.
I added a PR that updates the API docs.
@bgavrilMS would this
GetScopes()
method provide scopes for the intersection of the allowedResourceHosts and the resources in the WWW-Authenticate header?