Azure · heaths · Sep 16, 2022 · Sep 15, 2022
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/CHANGELOG.md b/sdk/keyvault/Azure.Security.KeyVault.Administration/CHANGELOG.md
@@ -5,7 +5,7 @@
 ### Breaking Changes
 
 - Verify the challenge resource matches the vault domain.
-  This should affect few customers who can set `KeyVaultAdministrationClientOptions.VerifyChallengeResource` to `false` to disable.
+  This should affect few customers who can set `KeyVaultAdministrationClientOptions.DisableChallengeResourceVerification` to `true` to disable.
 
 ## 4.1.0 (2022-03-24)
 

diff --git a/...rity.KeyVault.Administration/api/Azure.Security.KeyVault.Administration.netstandard2.0.cs b/...rity.KeyVault.Administration/api/Azure.Security.KeyVault.Administration.netstandard2.0.cs
@@ -39,7 +39,7 @@ public KeyVaultAccessControlClient(System.Uri vaultUri, Azure.Core.TokenCredenti
     public partial class KeyVaultAdministrationClientOptions : Azure.Core.ClientOptions
     {
         public KeyVaultAdministrationClientOptions(Azure.Security.KeyVault.Administration.KeyVaultAdministrationClientOptions.ServiceVersion version = Azure.Security.KeyVault.Administration.KeyVaultAdministrationClientOptions.ServiceVersion.V7_3) { }
-        public bool VerifyChallengeResource { get { throw null; } set { } }
+        public bool DisableChallengeResourceVerification { get { throw null; } set { } }
         public Azure.Security.KeyVault.Administration.KeyVaultAdministrationClientOptions.ServiceVersion Version { get { throw null; } }
         public enum ServiceVersion
         {

diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/KeyVaultAccessControlClient.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/KeyVaultAccessControlClient.cs
@@ -62,7 +62,7 @@ public KeyVaultAccessControlClient(Uri vaultUri, TokenCredential credential, Key
             string apiVersion = options.GetVersionString();
 
             HttpPipeline pipeline = HttpPipelineBuilder.Build(options,
-                    new ChallengeBasedAuthenticationPolicy(credential, options.VerifyChallengeResource));
+                    new ChallengeBasedAuthenticationPolicy(credential, options.DisableChallengeResourceVerification));
 
             _diagnostics = new ClientDiagnostics(options);
             _definitionsRestClient = new RoleDefinitionsRestClient(_diagnostics, pipeline, apiVersion);

diff --git a/...eyvault/Azure.Security.KeyVault.Administration/src/KeyVaultAdministrationClientOptions.cs b/...eyvault/Azure.Security.KeyVault.Administration/src/KeyVaultAdministrationClientOptions.cs
@@ -60,10 +60,9 @@ public KeyVaultAdministrationClientOptions(ServiceVersion version = LatestVersio
         }
 
         /// <summary>
-        /// Gets or sets whether to verify the authentication challenge resource matches the Key Vault or Managed HSM domain.
-        /// The default is true.
+        /// Gets or sets whether to disable verification that the authentication challenge resource matches the Key Vault or Managed HSM domain.
         /// </summary>
-        public bool VerifyChallengeResource { get; set; } = true;
+        public bool DisableChallengeResourceVerification { get; set; }
 
         internal string GetVersionString()
         {

diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/src/KeyVaultBackupClient.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/src/KeyVaultBackupClient.cs
@@ -58,7 +58,7 @@ public KeyVaultBackupClient(Uri vaultUri, TokenCredential credential, KeyVaultAd
             string apiVersion = options.GetVersionString();
 
             HttpPipeline pipeline = HttpPipelineBuilder.Build(options,
-                    new ChallengeBasedAuthenticationPolicy(credential, options.VerifyChallengeResource));
+                    new ChallengeBasedAuthenticationPolicy(credential, options.DisableChallengeResourceVerification));
 
             _diagnostics = new ClientDiagnostics(options);
             _restClient = new BackupRestoreRestClient(_diagnostics, pipeline, apiVersion);

diff --git a/...t/Azure.Security.KeyVault.Administration/tests/ChallengeBasedAuthenticationPolicyTests.cs b/...t/Azure.Security.KeyVault.Administration/tests/ChallengeBasedAuthenticationPolicyTests.cs
@@ -19,7 +19,7 @@ public class ChallengeBasedAuthenticationPolicyTests : SyncAsyncPolicyTestBase
         private const string KeyVaultChallenge = "Bearer authorization=\"https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47\", resource=\"https://vault.azure.net\"";
         public ChallengeBasedAuthenticationPolicyTests(bool isAsync) : base(isAsync)
         {
-            _policy = new ChallengeBasedAuthenticationPolicy(new MockCredentialThrowsWithNoScopes(), true);
+            _policy = new ChallengeBasedAuthenticationPolicy(new MockCredentialThrowsWithNoScopes(), false);
         }
 
         [SetUp]
@@ -41,7 +41,7 @@ public async Task ScopesAreInitializedFromCache()
             Assert.That(response.Status, Is.EqualTo(200));
 
             // Construct a new policy so that we can get the Scopes from cache.
-            _policy = new ChallengeBasedAuthenticationPolicy(new MockCredentialThrowsWithNoScopes(), true);
+            _policy = new ChallengeBasedAuthenticationPolicy(new MockCredentialThrowsWithNoScopes(), false);
 
             transport = CreateMockTransport(new MockResponse(200));
             response = await SendGetRequest(transport, _policy, uri: new Uri("https://myvault.vault.azure.net"));
@@ -50,15 +50,15 @@ public async Task ScopesAreInitializedFromCache()
         }
 
         [TestCaseSource(nameof(VerifyChallengeResourceData))]
-        public async Task VerifyChallengeResource(Uri uri, bool verify)
+        public async Task VerifyChallengeResource(Uri uri, bool disableVerification)
         {
             var keyvaultChallengeResponse = new MockResponse(401);
             keyvaultChallengeResponse.AddHeader(new HttpHeader("WWW-Authenticate", KeyVaultChallenge));
             MockTransport transport = CreateMockTransport(keyvaultChallengeResponse, new MockResponse(200));
 
-            ChallengeBasedAuthenticationPolicy policy = new(new MockCredentialThrowsWithNoScopes(), verify);
+            ChallengeBasedAuthenticationPolicy policy = new(new MockCredentialThrowsWithNoScopes(), disableVerification);
 
-            if (verify)
+            if (!disableVerification)
             {
                 InvalidOperationException ex = Assert.ThrowsAsync<InvalidOperationException>(async () => await SendGetRequest(transport, policy, uri: uri));
                 Assert.That(ex.Message, Is.EqualTo("The challenge resource 'vault.azure.net' does not match the requested domain."));
@@ -75,7 +75,7 @@ public async Task VerifyChallengeResource(Uri uri, bool verify)
             "https://example.com",
             "https://examplevault.azure.net",
             "https://example.vault.azure.com",
-        }.Zip(new[] { false, true }, (uri, verify) => new object[] { new Uri(uri), verify });
+        }.Zip(new[] { false, true }, (uri, disableVerification) => new object[] { new Uri(uri), disableVerification });
 
         [Test]
         public void VerifyChallengeResourceInvalidUri()
@@ -84,7 +84,7 @@ public void VerifyChallengeResourceInvalidUri()
             keyvaultChallengeResponse.AddHeader(new HttpHeader("WWW-Authenticate", "Bearer authorization=\"https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47\", resource=\"invalid-uri\""));
             MockTransport transport = CreateMockTransport(keyvaultChallengeResponse, new MockResponse(200));
 
-            ChallengeBasedAuthenticationPolicy policy = new(new MockCredentialThrowsWithNoScopes(), true);
+            ChallengeBasedAuthenticationPolicy policy = new(new MockCredentialThrowsWithNoScopes(), false);
             Uri uri = new("https://example.com");
 
             InvalidOperationException ex = Assert.ThrowsAsync<InvalidOperationException>(async () => await SendGetRequest(transport, policy, uri: uri));

diff --git a/sdk/keyvault/Azure.Security.KeyVault.Certificates/CHANGELOG.md b/sdk/keyvault/Azure.Security.KeyVault.Certificates/CHANGELOG.md
@@ -5,7 +5,7 @@
 ### Breaking Changes
 
 - Verify the challenge resource matches the vault domain.
-  This should affect few customers who can set `CertificateClientOptions.VerifyChallengeResource` to `false` to disable.
+  This should affect few customers who can set `CertificateClientOptions.DisableChallengeResourceVerification` to `true` to disable.
 
 ## 4.3.0 (2022-03-24)
 

diff --git a/...Security.KeyVault.Certificates/api/Azure.Security.KeyVault.Certificates.netstandard2.0.cs b/...Security.KeyVault.Certificates/api/Azure.Security.KeyVault.Certificates.netstandard2.0.cs
@@ -74,7 +74,7 @@ public CertificateClient(System.Uri vaultUri, Azure.Core.TokenCredential credent
     public partial class CertificateClientOptions : Azure.Core.ClientOptions
     {
         public CertificateClientOptions(Azure.Security.KeyVault.Certificates.CertificateClientOptions.ServiceVersion version = Azure.Security.KeyVault.Certificates.CertificateClientOptions.ServiceVersion.V7_3) { }
-        public bool VerifyChallengeResource { get { throw null; } set { } }
+        public bool DisableChallengeResourceVerification { get { throw null; } set { } }
         public Azure.Security.KeyVault.Certificates.CertificateClientOptions.ServiceVersion Version { get { throw null; } }
         public enum ServiceVersion
         {

diff --git a/sdk/keyvault/Azure.Security.KeyVault.Certificates/src/CertificateClient.cs b/sdk/keyvault/Azure.Security.KeyVault.Certificates/src/CertificateClient.cs
@@ -69,7 +69,7 @@ public CertificateClient(Uri vaultUri, TokenCredential credential, CertificateCl
 
             options ??= new CertificateClientOptions();
 
-            HttpPipeline pipeline = HttpPipelineBuilder.Build(options, new ChallengeBasedAuthenticationPolicy(credential, options.VerifyChallengeResource));
+            HttpPipeline pipeline = HttpPipelineBuilder.Build(options, new ChallengeBasedAuthenticationPolicy(credential, options.DisableChallengeResourceVerification));
 
             _pipeline = new KeyVaultPipeline(vaultUri, options.GetVersionString(), pipeline, new ClientDiagnostics(options));
         }

diff --git a/sdk/keyvault/Azure.Security.KeyVault.Certificates/src/CertificateClientOptions.cs b/sdk/keyvault/Azure.Security.KeyVault.Certificates/src/CertificateClientOptions.cs
@@ -70,10 +70,9 @@ public CertificateClientOptions(ServiceVersion version = LatestVersion)
         }
 
         /// <summary>
-        /// Gets or sets whether to verify the authentication challenge resource matches the Key Vault or Managed HSM domain.
-        /// The default is true.
+        /// Gets or sets whether to disable verification that the authentication challenge resource matches the Key Vault domain.
         /// </summary>
-        public bool VerifyChallengeResource { get; set; } = true;
+        public bool DisableChallengeResourceVerification { get; set; }
 
         internal string GetVersionString()
         {

diff --git a/sdk/keyvault/Azure.Security.KeyVault.Keys/CHANGELOG.md b/sdk/keyvault/Azure.Security.KeyVault.Keys/CHANGELOG.md
@@ -5,7 +5,7 @@
 ### Breaking Changes
 
 - Verify the challenge resource matches the vault domain.
-  This should affect few customers who can set `KeyClientOptions.VerifyChallengeResource` or `CryptographyClientOptions.VerifyChallengeResource` to `false` to disable.
+  This should affect few customers who can set `KeyClientOptions.DisableChallengeResourceVerification` or `CryptographyClientOptions.DisableChallengeResourceVerification` to `true` to disable.
 
 ## 4.3.0 (2022-03-24)
 

diff --git a/sdk/keyvault/Azure.Security.KeyVault.Keys/api/Azure.Security.KeyVault.Keys.netstandard2.0.cs b/sdk/keyvault/Azure.Security.KeyVault.Keys/api/Azure.Security.KeyVault.Keys.netstandard2.0.cs
@@ -160,7 +160,7 @@ public KeyClient(System.Uri vaultUri, Azure.Core.TokenCredential credential, Azu
     public partial class KeyClientOptions : Azure.Core.ClientOptions
     {
         public KeyClientOptions(Azure.Security.KeyVault.Keys.KeyClientOptions.ServiceVersion version = Azure.Security.KeyVault.Keys.KeyClientOptions.ServiceVersion.V7_3) { }
-        public bool VerifyChallengeResource { get { throw null; } set { } }
+        public bool DisableChallengeResourceVerification { get { throw null; } set { } }
         public Azure.Security.KeyVault.Keys.KeyClientOptions.ServiceVersion Version { get { throw null; } }
         public enum ServiceVersion
         {
@@ -425,7 +425,7 @@ public CryptographyClient(System.Uri keyId, Azure.Core.TokenCredential credentia
     public partial class CryptographyClientOptions : Azure.Core.ClientOptions
     {
         public CryptographyClientOptions(Azure.Security.KeyVault.Keys.Cryptography.CryptographyClientOptions.ServiceVersion version = Azure.Security.KeyVault.Keys.Cryptography.CryptographyClientOptions.ServiceVersion.V7_3) { }
-        public bool VerifyChallengeResource { get { throw null; } set { } }
+        public bool DisableChallengeResourceVerification { get { throw null; } set { } }
         public Azure.Security.KeyVault.Keys.Cryptography.CryptographyClientOptions.ServiceVersion Version { get { throw null; } }
         public enum ServiceVersion
         {

diff --git a/sdk/keyvault/Azure.Security.KeyVault.Keys/src/Cryptography/CryptographyClientOptions.cs b/sdk/keyvault/Azure.Security.KeyVault.Keys/src/Cryptography/CryptographyClientOptions.cs
@@ -70,10 +70,9 @@ public CryptographyClientOptions(ServiceVersion version = LatestVersion)
         }
 
         /// <summary>
-        /// Gets or sets whether to verify the authentication challenge resource matches the Key Vault or Managed HSM domain.
-        /// The default is true.
+        /// Gets or sets whether to disable verification that the authentication challenge resource matches the Key Vault or Managed HSM domain.
         /// </summary>
-        public bool VerifyChallengeResource { get; set; } = true;
+        public bool DisableChallengeResourceVerification { get; set; }
 
         internal string GetVersionString()
         {

diff --git a/sdk/keyvault/Azure.Security.KeyVault.Keys/src/Cryptography/KeyResolver.cs b/sdk/keyvault/Azure.Security.KeyVault.Keys/src/Cryptography/KeyResolver.cs
@@ -56,7 +56,7 @@ public KeyResolver(TokenCredential credential, CryptographyClientOptions options
             _apiVersion = options.GetVersionString();
 
             _pipeline = HttpPipelineBuilder.Build(options,
-                    new ChallengeBasedAuthenticationPolicy(credential, options.VerifyChallengeResource));
+                    new ChallengeBasedAuthenticationPolicy(credential, options.DisableChallengeResourceVerification));
 
             _clientDiagnostics = new ClientDiagnostics(options);
         }

diff --git a/sdk/keyvault/Azure.Security.KeyVault.Keys/src/Cryptography/RemoteCryptographyClient.cs b/sdk/keyvault/Azure.Security.KeyVault.Keys/src/Cryptography/RemoteCryptographyClient.cs
@@ -27,7 +27,7 @@ internal RemoteCryptographyClient(Uri keyId, TokenCredential credential, Cryptog
             string apiVersion = options.GetVersionString();
 
             HttpPipeline pipeline = HttpPipelineBuilder.Build(options,
-                    new ChallengeBasedAuthenticationPolicy(credential, options.VerifyChallengeResource));
+                    new ChallengeBasedAuthenticationPolicy(credential, options.DisableChallengeResourceVerification));
 
             Pipeline = new KeyVaultPipeline(keyId, apiVersion, pipeline, new ClientDiagnostics(options));
         }

diff --git a/sdk/keyvault/Azure.Security.KeyVault.Keys/src/KeyClient.cs b/sdk/keyvault/Azure.Security.KeyVault.Keys/src/KeyClient.cs
@@ -68,7 +68,7 @@ public KeyClient(Uri vaultUri, TokenCredential credential, KeyClientOptions opti
             string apiVersion = options.GetVersionString();
 
             HttpPipeline pipeline = HttpPipelineBuilder.Build(options,
-                    new ChallengeBasedAuthenticationPolicy(credential, options.VerifyChallengeResource));
+                    new ChallengeBasedAuthenticationPolicy(credential, options.DisableChallengeResourceVerification));
 
             _clientDiagnostics = new ClientDiagnostics(options);
             _pipeline = new KeyVaultPipeline(vaultUri, apiVersion, pipeline, _clientDiagnostics);

diff --git a/sdk/keyvault/Azure.Security.KeyVault.Keys/src/KeyClientOptions.cs b/sdk/keyvault/Azure.Security.KeyVault.Keys/src/KeyClientOptions.cs
@@ -70,10 +70,9 @@ public KeyClientOptions(ServiceVersion version = LatestVersion)
         }
 
         /// <summary>
-        /// Gets or sets whether to verify the authentication challenge resource matches the Key Vault or Managed HSM domain.
-        /// The default is true.
+        /// Gets or sets whether to disable verification that the authentication challenge resource matches the Key Vault or Managed HSM domain.
         /// </summary>
-        public bool VerifyChallengeResource { get; set; } = true;
+        public bool DisableChallengeResourceVerification { get; set; }
 
         internal string GetVersionString()
         {

diff --git a/sdk/keyvault/Azure.Security.KeyVault.Secrets/CHANGELOG.md b/sdk/keyvault/Azure.Security.KeyVault.Secrets/CHANGELOG.md
@@ -5,7 +5,7 @@
 ### Breaking Changes
 
 - Verify the challenge resource matches the vault domain.
-  This should affect few customers who can set `SecretClientOptions.VerifyChallengeResource` to `false` to disable.
+  This should affect few customers who can set `SecretClientOptions.DisableChallengeResourceVerification` to `true` to disable.
 
 ## 4.3.0 (2022-03-24)
 

diff --git a/...ult/Azure.Security.KeyVault.Secrets/api/Azure.Security.KeyVault.Secrets.netstandard2.0.cs b/...ult/Azure.Security.KeyVault.Secrets/api/Azure.Security.KeyVault.Secrets.netstandard2.0.cs
@@ -96,7 +96,7 @@ public SecretClient(System.Uri vaultUri, Azure.Core.TokenCredential credential,
     public partial class SecretClientOptions : Azure.Core.ClientOptions
     {
         public SecretClientOptions(Azure.Security.KeyVault.Secrets.SecretClientOptions.ServiceVersion version = Azure.Security.KeyVault.Secrets.SecretClientOptions.ServiceVersion.V7_3) { }
-        public bool VerifyChallengeResource { get { throw null; } set { } }
+        public bool DisableChallengeResourceVerification { get { throw null; } set { } }
         public Azure.Security.KeyVault.Secrets.SecretClientOptions.ServiceVersion Version { get { throw null; } }
         public enum ServiceVersion
         {

diff --git a/sdk/keyvault/Azure.Security.KeyVault.Secrets/src/SecretClient.cs b/sdk/keyvault/Azure.Security.KeyVault.Secrets/src/SecretClient.cs
@@ -63,7 +63,7 @@ public SecretClient(Uri vaultUri, TokenCredential credential, SecretClientOption
             string apiVersion = options.GetVersionString();
 
             HttpPipeline pipeline = HttpPipelineBuilder.Build(options,
-                    new ChallengeBasedAuthenticationPolicy(credential, options.VerifyChallengeResource));
+                    new ChallengeBasedAuthenticationPolicy(credential, options.DisableChallengeResourceVerification));
 
             _pipeline = new KeyVaultPipeline(vaultUri, apiVersion, pipeline, new ClientDiagnostics(options));
         }

diff --git a/sdk/keyvault/Azure.Security.KeyVault.Secrets/src/SecretClientOptions.cs b/sdk/keyvault/Azure.Security.KeyVault.Secrets/src/SecretClientOptions.cs
@@ -70,10 +70,9 @@ public SecretClientOptions(ServiceVersion version = LatestVersion)
         }
 
         /// <summary>
-        /// Gets or sets whether to verify the authentication challenge resource matches the Key Vault or Managed HSM domain.
-        /// The default is true.
+        /// Gets or sets whether to disable verification that the authentication challenge resource matches the Key Vault domain.
         /// </summary>
-        public bool VerifyChallengeResource { get; set; } = true;
+        public bool DisableChallengeResourceVerification { get; set; }
 
         internal string GetVersionString()
         {

diff --git a/sdk/keyvault/Azure.Security.KeyVault.Shared/src/ChallengeBasedAuthenticationPolicy.cs b/sdk/keyvault/Azure.Security.KeyVault.Shared/src/ChallengeBasedAuthenticationPolicy.cs
@@ -21,9 +21,9 @@ internal class ChallengeBasedAuthenticationPolicy : BearerTokenAuthenticationPol
         private static readonly ConcurrentDictionary<string, ChallengeParameters> s_challengeCache = new();
         private ChallengeParameters _challenge;
 
-        public ChallengeBasedAuthenticationPolicy(TokenCredential credential, bool verifyChallengeResource) : base(credential, Array.Empty<string>())
+        public ChallengeBasedAuthenticationPolicy(TokenCredential credential, bool disableChallengeResourceVerification) : base(credential, Array.Empty<string>())
         {
-            _verifyChallengeResource = verifyChallengeResource;
+            _verifyChallengeResource = !disableChallengeResourceVerification;
         }
 
         /// <inheritdoc cref="BearerTokenAuthenticationPolicy.AuthorizeRequestAsync(Azure.Core.HttpMessage)" />