BearerTokenAuthenticationPolicy should support CAE token revocation challenges by default

[christothes]

This feature entails adding CAE support for all clients lacking a custom challenge handler i.e., everyone except Key Vault and Storage.

Adding support involves adding logic to your BearerTokenAuthenticationPolicy such that it does the following:

• Detects when a CAE challenge is issued (401 response with a WWW-Authenticate header)
• Parses the WWW-Authenticate header (format here)
  • validate that the error value is "insufficient_claims"
  • capture the claims value and decode it from base64 encoding to a string
• Pass the string value of the un-encoded claims to the TokenCredential via the TokenRequestContext or equivalent for your language via the Claims property
• Ensure that any local token caching is bypassed in the policy when the claims are populated from a CAE challenge
• Authorize the original request with the new token and send it through the pipeline again
• Return any response to the caller (don't try to handle a second challenge)

Example PRs: https://github.com/Azure/azure-sdk-for-go/pull/23414 https://github.com/Azure/azure-sdk-for-net/pull/46277

[joshfree]

stretch: october release cycle, pending access to test resources this week

[weidongxu-microsoft]

there is a version of impl in azure-core-management (be cautious that this may not be the exact version you want in azure-core) https://github.com/Azure/azure-sdk-for-java/blob/main/sdk/core/azure-core-management/src/main/java/com/azure/core/management/http/policy/ArmChallengeAuthenticationPolicy.java