
Apply reserved-header handling on the request-clone path and cover all X-MS-TOKEN- headers #3915

Open

iNinja wants to merge 2 commits into master from iinglese/reserved-header-clone-consistency

Conversation

@iNinja

@iNinja iNinja commented Jul 2, 2026

Contributor

Makes reserved-header handling consistent across the DownstreamApi code paths.

  • MicrosoftIdentityMessageHandler clones the outgoing request for challenge retries and mTLS PoP. The clone now applies the same reserved-header filter already used for ExtraHeaderParameters, so reserved headers are handled the same way on every path.
  • Broadens the reserved X-MS-TOKEN- prefix to cover the whole X-MS-TOKEN-* family rather than only X-MS-TOKEN-AAD-*.

ReservedHeaderNames moves to Microsoft.Identity.Web.TokenAcquisition so both it and the DownstreamApi layer share a single definition. It stays internal; no public API change.

Tests: added coverage for IsReserved classification, the clone path (reserved and Authorization headers are not copied, ordinary headers are), and the additional ExtraHeaderParameters prefix cases. Affected suites pass on net8.0.

Filter reserved headers when cloning a request for challenge retries and mTLS PoP, consistently with ExtraHeaderParameters. Broaden the reserved X-MS-TOKEN- prefix to cover the whole X-MS-TOKEN-* family. Move the internal ReservedHeaderNames helper to the TokenAcquisition assembly so both the clone path and DownstreamApi share it.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@iNinja iNinja requested a review from a team as a code owner July 2, 2026 16:46
@iNinja iNinja requested a review from Copilot July 2, 2026 16:48
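The filter described in the PR text above, as an added example that is neither this PR's code nor the Microsoft.Identity.Web implementation: a stand-in `IsReserved` (assumed here to model only the two rules the PR names, `Authorization` and the whole `X-MS-TOKEN-*` prefix family) and a request clone that applies it, so a caller-supplied reserved header is not carried into a challenge-retry or mTLS PoP request while ordinary headers are. The class name, URI and header values are constructed for the demo.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;

// Hypothetical stand-in for the internal ReservedHeaderNames helper; not the
// library's code. Only the rules stated in the PR are modelled.
static class ReservedHeaderCheck
{
    const string TokenPrefix = "X-MS-TOKEN-";

    // Header names are case-insensitive, so compare ignoring case.
    public static bool IsReserved(string headerName) =>
        headerName.Equals("Authorization", StringComparison.OrdinalIgnoreCase)
        || headerName.StartsWith(TokenPrefix, StringComparison.OrdinalIgnoreCase);

    // Clone method, URI, version and content, copy ordinary headers, and drop
    // reserved ones so the retry path never re-sends a caller-supplied
    // Authorization or X-MS-TOKEN-* header. (Content buffering for a request
    // that has already been sent is omitted from this demo.)
    public static HttpRequestMessage CloneWithoutReservedHeaders(HttpRequestMessage source)
    {
        var clone = new HttpRequestMessage(source.Method, source.RequestUri)
        {
            Content = source.Content,
            Version = source.Version,
        };
        foreach (KeyValuePair<string, IEnumerable<string>> header in source.Headers)
        {
            if (IsReserved(header.Key)) continue;
            clone.Headers.TryAddWithoutValidation(header.Key, header.Value);
        }
        return clone;
    }

    static void Main()
    {
        // Constructed request: two reserved headers in different casings,
        // one Authorization header, and one ordinary header.
        var request = new HttpRequestMessage(HttpMethod.Get, "https://example.invalid/api");
        request.Headers.TryAddWithoutValidation("Authorization", "Bearer caller-token");
        request.Headers.TryAddWithoutValidation("X-MS-TOKEN-AAD-ACCESS-TOKEN", "aad-value");
        request.Headers.TryAddWithoutValidation("x-ms-token-other", "other-value");
        request.Headers.TryAddWithoutValidation("X-Correlation-Id", "constructed-id");

        HttpRequestMessage clone = CloneWithoutReservedHeaders(request);
        foreach (var h in clone.Headers)
            Console.WriteLine($"{h.Key}: {string.Join(",", h.Value)}");
    }
}
```

Running it prints only the headers that survive the clone, which is the property the PR's clone-path tests check.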

Copilot AI left a comment

Contributor


Pull request overview

This PR makes reserved-header handling consistent across DownstreamApi request construction and the MicrosoftIdentityMessageHandler request-clone path (used for challenge retries and mTLS PoP). It also broadens the reserved X-MS-TOKEN- prefix so that all X-MS-TOKEN-* headers are treated as reserved (not only X-MS-TOKEN-AAD-*), and adds test coverage for the new behavior.

Changes:

  • Broaden reserved-header prefix matching from X-MS-TOKEN-AAD- to X-MS-TOKEN- in ReservedHeaderNames.
  • Apply reserved-header filtering when cloning outgoing requests in MicrosoftIdentityMessageHandler.CloneHttpRequestMessageAsync.
  • Add/extend unit tests to validate reserved-header classification and clone behavior; document the change in the changelog.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated no comments.

Summary per file:

  • tests/Microsoft.Identity.Web.Test/ReservedHeaderCloneTests.cs: Adds unit tests for reserved-header classification and verifies reserved headers are dropped during request cloning.
  • tests/Microsoft.Identity.Web.Test/DownstreamWebApiSupport/DownstreamApiTests.cs: Extends ExtraHeaderParameters reserved-prefix tests to cover non-AAD X-MS-TOKEN-* headers.
  • src/Microsoft.Identity.Web.TokenAcquisition/ReservedHeaderNames.cs: Broadens reserved prefix matching to cover the full X-MS-TOKEN-* family.
  • src/Microsoft.Identity.Web.TokenAcquisition/MicrosoftIdentityMessageHandler.cs: Ensures cloned requests do not carry over reserved headers (consistent with ExtraHeaderParameters handling).
  • changelog.md: Adds a bug-fix entry describing the reserved-header and clone-path behavior change.

4.12.0 is releasing; place the entry under the next version.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
