Add Support for Multiple Auth Schemes and SigV4a

[AlexDaines]

Description

Implements multi-auth scheme support. This enables clients to configure and prioritize the available authentication schemes (SigV4, SigV4a, Bearer, NoAuth) through multiple configuration sources.

Key changes made:

• Added AuthScheme, AuthSchemePreference, and resolver infrastructure
• Implemented configuration hierarchy: client > env vars > config file > global
• Added SigV4a region set configuration support
• Preserved backwards compatibility via extension methods pattern (no breaking interface changes)
• Added comprehensive test coverage

Motivation and Context

Required for upcoming SigV4a adoption and services that need flexible auth scheme selection. Several teams have been waiting on this capability for cross-region signing and failover scenarios.

Testing

.NET Dryrun Build ID: 845e71d4-3ab2-4488-ad9d-9cf0365df798
PS Dryrun Build ID: d483576d-fb7d-436c-acb8-ef12dbfdbdce

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)

Checklist

• My code follows the code style of this project
• My change requires a change to the documentation
• I have updated the documentation accordingly
• I have read the README document
• I have added tests to cover my changes
• All new and existing tests passed

License

• I confirm that this pull request can be released under the Apache 2 license

[Copilot]

Pull Request Overview

This PR implements comprehensive multi-authentication scheme support for the AWS .NET SDK, enabling flexible authentication scheme configuration and prioritization with SigV4a region set support. The implementation introduces new configuration options while maintaining backwards compatibility with existing SignatureMethod patterns.

Key changes include:

• Added authentication scheme preference configuration with multiple sources (client, environment, config file, global)
• Implemented SigV4a region set configuration support
• Created comprehensive resolver infrastructure for authentication scheme prioritization

Reviewed Changes

Copilot reviewed 26 out of 26 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
sdk/test/UnitTests/Custom/Runtime/SigV4aRegionSetConfigurationTests.cs	Comprehensive test coverage for SigV4a region set configuration including validation, parsing, and source precedence
sdk/test/UnitTests/Custom/Runtime/AuthSchemeTests.cs	Unit tests for AuthScheme class covering predefined schemes, equality, and validation
sdk/test/UnitTests/Custom/Runtime/AuthSchemeResolverTests.cs	Tests for DefaultAuthSchemeResolver including preference application and configuration hierarchy
sdk/test/UnitTests/Custom/Runtime/AuthSchemePreferenceTests.cs	Test coverage for AuthSchemePreference parsing, validation, and case-sensitive matching
sdk/test/UnitTests/Custom/Runtime/AuthSchemeIntegrationTests.cs	Integration tests for auth scheme preference application in BaseAuthResolverHandler
sdk/test/UnitTests/Custom/Runtime/AuthSchemeIntegrationSimpleTests.cs	Basic integration tests for AuthSchemeOption constants and simple resolver functionality
sdk/test/UnitTests/Custom/Runtime/AuthSchemeConfigurationTests.cs	Tests for configuration resolution from environment variables and global settings
sdk/test/UnitTests/Custom/Runtime/AuthSchemeBackwardsCompatibilityTests.cs	Backwards compatibility tests ensuring legacy SignatureMethod behavior is preserved
sdk/test/NetStandard/UnitTests/ClientConfigTests.cs	Updated client config property list to include new authentication scheme properties
sdk/src/Core/Amazon.Util/Internal/RootConfig.cs	Added AuthSchemePreference and SigV4aRegionSetConfiguration to root configuration
sdk/src/Core/Amazon.Runtime/SigV4aRegionSetConfiguration.cs	Implementation of SigV4a region set configuration with multiple source support
sdk/src/Core/Amazon.Runtime/Pipeline/Handlers/BaseAuthResolverHandler.cs	Enhanced auth resolution with preference application and scheme conversion logic
sdk/src/Core/Amazon.Runtime/Internal/Util/SafeConfigurationResolver.cs	Utility for safe configuration resolution with consistent error handling
sdk/src/Core/Amazon.Runtime/Internal/Util/HashCodeHelper.cs	Helper utility for consistent hash code generation across SDK types
sdk/src/Core/Amazon.Runtime/Internal/Settings/SettingsConstants.cs	Added constants for new authentication scheme configuration keys
sdk/src/Core/Amazon.Runtime/IClientConfig.cs	Interface updates to accommodate new authentication scheme properties
sdk/src/Core/Amazon.Runtime/IAuthSchemeResolver.cs	Interface definition for authentication scheme resolution
sdk/src/Core/Amazon.Runtime/EnvironmentConfigurationProvider.cs	Provider for reading authentication scheme configuration from environment variables
sdk/src/Core/Amazon.Runtime/DefaultAuthSchemeResolver.cs	Default implementation of auth scheme resolution with preference-based prioritization
sdk/src/Core/Amazon.Runtime/ClientConfigExtensions.cs	Extension methods for backwards-compatible access to new authentication properties
sdk/src/Core/Amazon.Runtime/ClientConfig.cs	Updated ClientConfig with new authentication scheme properties and legacy compatibility tracking
sdk/src/Core/Amazon.Runtime/AuthSchemePreference.cs	Implementation of authentication scheme preference list with parsing and validation
sdk/src/Core/Amazon.Runtime/AuthSchemeConfigurationResolver.cs	Central resolver for authentication scheme configuration with precedence hierarchy
sdk/src/Core/Amazon.Runtime/AuthScheme.cs	Core AuthScheme class with predefined schemes and equality implementation
sdk/src/Core/AWSConfigs.cs	Global configuration properties for authentication scheme preferences and SigV4a region sets
generator/.DevConfigs/3aa6313d-9526-40ba-b09c-e046e0d4ef2f.json	Development configuration for minor version release with detailed changelog

[Copilot]

Pull Request Overview

Copilot reviewed 15 out of 15 changed files in this pull request and generated 2 comments.

Comments suppressed due to low confidence (1)

generator/.DevConfigs/3aa6313d-9526-40ba-b09c-e046e0d4ef2f.json:10

• The dev config correctly specifies a minor version bump for this new feature addition, which aligns with the non-breaking nature of the changes.

    "type": "minor",

[Copilot]

Pull Request Overview

Copilot reviewed 12 out of 12 changed files in this pull request and generated 1 comment.

[Copilot]

Pull Request Overview

Copilot reviewed 12 out of 12 changed files in this pull request and generated 3 comments.

[Copilot]

The call to FallbackInternalConfigurationFactory.Reset() is duplicated across multiple test methods. Consider extracting this to a helper method or including it in TestInitialize to reduce code duplication and improve maintainability.

[Copilot]

The exception handling blocks have identical behavior and nearly identical error messages. Consider consolidating into a single catch block for Exception with a generic error message, or use a helper method to reduce code duplication.

Suggested change

	catch (ArgumentException ex)
	{
	Logger.Error(ex, "Failed to apply auth scheme preferences due to invalid argument, falling back to service-defined order");
	return authOptions;
	}
	catch (InvalidOperationException ex)
	{
	Logger.Error(ex, "Failed to apply auth scheme preferences due to invalid operation, falling back to service-defined order");
	return authOptions;
	}
	catch (Exception ex)
	{
	Logger.Error(ex, "Failed to apply auth scheme preferences, falling back to service-defined order");
	return authOptions;
	}

[Copilot]

The Split('#') operation allocates a new array on each call. For better performance, consider using string.IndexOf('#') and string.Substring() to extract the portion after '#' without array allocation, especially since this method may be called frequently during auth scheme resolution.

Suggested change

	var parts = schemeId.Split('#');
	return parts.Length > 1 ? parts[1] : schemeId;
	int hashIndex = schemeId.IndexOf('#');
	return hashIndex >= 0 && hashIndex < schemeId.Length - 1
	? schemeId.Substring(hashIndex + 1)
	: schemeId;

[dscpinheiro]

This seems like a good suggestion to accept.

[dscpinheiro]

Does the SEP say anything about trimming the value? There's already a GetEnvironmentVariable<T> method that could be re-used (T for the new variable would be string).

[dscpinheiro]

For the final changelog, we will want to refactor these (SEP doesn't mean anything to customers - and even internal terms like auth resolver are not relevant).

We should focus on the actual impact - e.g. ability to set SigV4A explicitly.

[dscpinheiro]

This seems like a good suggestion to accept.

[dscpinheiro]

I don't follow why this is needed... The naming is confusing but signature method is not going to be SigV4 / SigV4A, it's this enum instead:

aws-sdk-net/sdk/src/Core/Amazon.Runtime/Enumerations.cs

Lines 24 to 28 in 0980c7c

	public enum SigningAlgorithm
	{
	HmacSHA1,
	HmacSHA256
	};

[dscpinheiro]

Out-of-place comment?

[dscpinheiro]

(I left the other comment first...) I see the SEP mentions S3 (and Control) but I don't think this logic is needed here (the SEP was referring how the service model - which the auth resolvers are generated from - would keep older properties with the same values for backwards compatibility).

[dscpinheiro]

Unless I'm missing something obvious... Where is this used? I don't see it referenced in the auth resolver handler (and also for legacy reasons, we have SigV4A logic in the endpoint resolver too...)

[Copilot]

Pull Request Overview

Copilot reviewed 11 out of 11 changed files in this pull request and generated 1 comment.

[Copilot]

Pull Request Overview

Copilot reviewed 16 out of 16 changed files in this pull request and generated 5 comments.

[Copilot]

Pull Request Overview

Copilot reviewed 18 out of 18 changed files in this pull request and generated 6 comments.

[Copilot]

DeterminedSigningRegion is documented elsewhere as a single region, but here it may be set to a multi-region list (e.g., "us-west-2,us-east-1") or "" for SigV4a. This overloads its semantics and could break downstream logic expecting a single region string. Consider (1) keeping DeterminedSigningRegion set to a primary region (first entry when list, or null for "") and/or (2) introducing a dedicated property (already adding SigV4aSigningRegionSet) and leaving DeterminedSigningRegion for single-region semantics only, plus updating any necessary docs if multi-value is intended.

Suggested change

	request.DeterminedSigningRegion = regionSet;
	// Set DeterminedSigningRegion to a single region (first entry if list, null if "*")
	if (regionSet == "*")
	{
	request.DeterminedSigningRegion = null;
	request.SigV4aSigningRegionSet = regionSet;
	}
	else if (regionSet.Contains(","))
	{
	var regions = regionSet.Split(',');
	request.DeterminedSigningRegion = regions[0].Trim();
	request.SigV4aSigningRegionSet = regionSet;
	}
	else
	{
	request.DeterminedSigningRegion = regionSet;
	request.SigV4aSigningRegionSet = null;
	}

[muhammad-othman]

This is an interesting take, I don't think we have to add another property, but we should test some requests with multiple regions and update the documentation of DeterminedSigningRegion to mention that it can be multiple regions.

[Copilot]

[nitpick] Clearing AuthenticationRegion removes potentially useful endpoint metadata that other pipeline components may still rely on for diagnostics or fallback behavior. Prefer retaining the original value and relying on the newly introduced SigV4aSigningRegionSet for multi-region contexts, or only clear it after verifying no other consumers read it. If disambiguation is required, consider updating documentation instead of nulling.

Suggested change

	// Clear AuthenticationRegion to avoid confusion with SigV4 single-region
	requestContext.Request.AuthenticationRegion = null;
	// Retain AuthenticationRegion for diagnostics/fallback; SigV4aSigningRegionSet is used for multi-region contexts.

[Copilot]

There is no integration test exercising the environment-variable or profile fallback path for SigV4aSigningRegionSet feeding into actual signed requests (x-amz-region-set header and signature variation). Current tests set the request property directly; add a test that sets AWS_SIGV4A_SIGNING_REGION_SET (and one via profile) and asserts the signer produces expected header/signature.

[Copilot]

[nitpick] Consider explicitly documenting the corresponding environment variables (AWS_AUTH_SCHEME_PREFERENCE, AWS_SIGV4A_SIGNING_REGION_SET) and profile keys (auth_scheme_preference, sigv4a_signing_region_set) in these summaries to improve discoverability for users configuring these options outside code.

[Copilot]

[nitpick] Preference matching is case-sensitive—user input like "SigV4A" or "SIGV4" will be silently ignored. To reduce configuration friction, consider normalizing to lower-invariant before comparisons (and documenting case sensitivity if intentionally strict).

[muhammad-othman]

nit: multiple ternary operator is is bit hard to read for me, I think simple if conditions is more readable.

[AlexDaines]

I actually just swapped it to be ternary because the branching looked quite messy 😅

[muhammad-othman]

Multiple comments are updated in this file, is this intentional?

[muhammad-othman]

This is an interesting take, I don't think we have to add another property, but we should test some requests with multiple regions and update the documentation of DeterminedSigningRegion to mention that it can be multiple regions.

[muhammad-othman]

Is there a reason to create this method instead of using BuildHeaderRequestToSign?

[AlexDaines]

We need the real DefaultRequest because CRT modifies the headers directly during signing. The mock version returns an immutable dictionary so the CRT can't add headers to it. The tests check that those headers actually got added to the request

[muhammad-othman]

The dictionary looks like a regular dictionary that the CRT can add to it.

[dscpinheiro]

I'm still not sure we actually need to change any tests in the extensions folder.

[muhammad-othman]

I think we should use InlineData for the three test cases that are tested here, similar to SignRequestViaHeadersWithSigv4a

[Copilot]

Pull Request Overview

Copilot reviewed 20 out of 20 changed files in this pull request and generated 6 comments.

[Copilot]

Public interface members were added (IClientConfig, IRequest, IRequestContext) which is a breaking change for any external implementers. Classifying this as a minor version while explicitly ignoring the incompatibilities does not align with the project's API compatibility guideline; either (a) avoid modifying existing public interfaces (e.g., use extension methods, wrapper abstractions, or default interface members with backward-compatible defaults if allowed), or (b) bump the version appropriately (major) instead of suppressing. Recommend reworking to preserve binary/source compatibility or reclassifying the dev config.

[Copilot]

Adding new members to a public interface is a breaking change for consumers implementing IClientConfig. To maintain backward compatibility per project guidelines, consider: (1) implementing these as extension methods over an internal accessor, (2) introducing a new derived interface while keeping the original stable, or (3) using default interface implementations (only if all supported target frameworks allow it) with safe defaults. Current approach requires a recompilation and will break third-party custom clients.

[Copilot]

Adding SigV4aSigningRegionSet to IRequest is a breaking interface change. Recommend introducing this via a wrapper (e.g., an associated metadata container), an opt-in capability interface, or an extension method pattern instead of modifying an existing widely-implemented interface to preserve compatibility.

[Copilot]

Adding SigV4aSigningRegionSet to IRequestContext modifies a public interface and is a breaking change. Consider an alternative (e.g., a context extension dictionary key, an auxiliary interface, or extension methods) to maintain backward compatibility.

[Copilot]

[nitpick] Auth scheme preference parsing and reordering executes on every request; repeated string Split/Trim and list reconstruction could be avoided by caching a parsed preference list per client instance (e.g., compute once on first access or when AuthSchemePreference changes). Additionally, this private static is tested via reflection (AuthSchemePreferenceTests), which is brittle—consider making it internal and using InternalsVisibleTo for the test assembly or integrating logic into a protected virtual method so tests exercise behavior indirectly.

Suggested change

	private static List<IAuthSchemeOption> ApplyAuthSchemePreference(List<IAuthSchemeOption> authOptions, IClientConfig clientConfig)
	{
	var preferenceList = clientConfig.AuthSchemePreference;
	if (string.IsNullOrEmpty(preferenceList))
	{
	return authOptions;
	}
	// Parse the preference list (comma-separated, trimming spaces and tabs between names)
	var preferences = preferenceList
	.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries)
	.Select(s => s.Trim(' ', '\t')) // Trim spaces and tabs between auth scheme names
	.Where(s => !string.IsNullOrEmpty(s))
	.ToList();
	// Cache for parsed preference list per client config instance
	private static readonly object _preferenceCacheLock = new object();
	// Use a dictionary to cache parsed preferences per client config instance
	private static readonly Dictionary<IClientConfig, Tuple<string, List<string>>> _preferenceCache = new Dictionary<IClientConfig, Tuple<string, List<string>>>();
	/// <summary>
	/// Applies the configured auth scheme preference to reorder the auth options.
	/// </summary>
	internal static List<IAuthSchemeOption> ApplyAuthSchemePreference(List<IAuthSchemeOption> authOptions, IClientConfig clientConfig)
	{
	var preferenceList = clientConfig.AuthSchemePreference;
	List<string> preferences;
	lock (_preferenceCacheLock)
	{
	if (_preferenceCache.TryGetValue(clientConfig, out var cached) && cached.Item1 == preferenceList)
	{
	preferences = cached.Item2;
	}
	else
	{
	if (string.IsNullOrEmpty(preferenceList))
	{
	preferences = new List<string>();
	}
	else
	{
	preferences = preferenceList
	.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries)
	.Select(s => s.Trim(' ', '\t'))
	.Where(s => !string.IsNullOrEmpty(s))
	.ToList();
	}
	_preferenceCache[clientConfig] = Tuple.Create(preferenceList, preferences);
	}
	}

[Copilot]

[nitpick] Auth scheme preference parsing and reordering executes on every request; repeated string Split/Trim and list reconstruction could be avoided by caching a parsed preference list per client instance (e.g., compute once on first access or when AuthSchemePreference changes). Additionally, this private static is tested via reflection (AuthSchemePreferenceTests), which is brittle—consider making it internal and using InternalsVisibleTo for the test assembly or integrating logic into a protected virtual method so tests exercise behavior indirectly.

[dscpinheiro]

I'm still not sure we actually need to change any tests in the extensions folder.

[dscpinheiro]

I don't think this is needed. We should be able to leverage the existing logic for SigV4A without adding new properties here.

[dscpinheiro]

Why this change? Logger won't be null.

[dscpinheiro]

I thought we discussed this, but if we didn't: This is not necessary.

[dscpinheiro]

We should not be assuming anything here. I think the logic could be a lot simpler by comparing the scheme name from preferences with the supported value from the model.

[dscpinheiro]

Similar to my other comment: This should use the existing signing region set logic.

[dscpinheiro]

Can probably be removed too.

[dscpinheiro]

These comments are redundant. I don't expect the variable name to ever change but these comments don't add any value.

[dscpinheiro]

I should've noticed this before: When this test fails, it mentions other places that should change too (e.g. AWSSDK.Extensions.NETCore.Setup - see the comment on line 97)

[dscpinheiro]

I'm being annoying again, but EP2.0 does not matter here. All of these tests seem more redundant than anything.