Flow outgoing request to header providers via AcquireTokenOptions#3876
Merged
neha-bhargava merged 5 commits intoJun 19, 2026
Merged
Conversation
When the resolved IAuthorizationHeaderProvider implements IAuthorizationHeaderProvider2, pass the materialized HttpRequestMessage so SignedHttpRequest h/b claims can bind to the request body and headers. Falls back to the existing call when the provider is not request-aware, so behavior is unchanged for existing providers. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
neha-bhargava
force-pushed
the
nebharg/outbound-shr-qhb
branch
from
1794fbb to
379f886
Compare
bgavrilMS
approved these changes
Jun 18, 2026
Use the AcquireTokenOptions request helper to make the outgoing HttpRequestMessage available to request-binding protocols (e.g. PoP SHR q/h/b) instead of the IAuthorizationHeaderProvider2 interface. The helper clones ExtraParameters before writing so concurrent calls never share this per-request value. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
neha-bhargava
changed the title
gladjohn
approved these changes
Jun 19, 2026
This was referenced Jun 24, 2026
Merged
Closed
Open
Open
Merged
This was referenced Jun 24, 2026
Merged
Closed
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Sets the materialized
HttpRequestMessageonAcquireTokenOptions(via the AbstractionsSetHttpRequestMessageextension) beforeCreateAuthorizationHeaderAsync, so request-aware providers can read it back.Why
SignedHttpRequest (SHR / PoP)
q/h/bbinding claims must bind to the outgoing request. The call site already setshttpRequestMessage.Contentbefore the auth header is created, so the request is available exactly where it's needed. Replaces the earlierIAuthorizationHeaderProvider2interface check — behavior is unchanged for providers that don't read the value.Depends on