KiotaClientFactory doesn't build a httpclient that will work because it is missing auth middleware

[darrelmiller]

https://github.com/microsoft/kiota-http-dotnet/blob/eb76ee893324bd373462e98dfdafeba95762feff/src/KiotaClientFactory.cs#L36

This issue is related to this ADR https://github.com/microsoft/kiota/issues/3941

We need to think about building an AuthHandler middleware that can use our Kiota Auth Providers so that we can have native HttpClient experiences. Otherwise, we can't satisfy this ADR https://github.com/microsoft/kiota/issues/3200

[baywet]

Capture notes from our discussion, we could add:

• A middleware that would accept an authentication provider as a parameter, copy the URL (and www-authenticate) into the request information, call the authenticate method, copy the relevant fields in the request message. And this only if the request message doesn't already have the relevant fields or has a www-authenticate header.
• another method in the client factory that'd accept an authentication provider, and set default middleware handler + this new one.
• refactor the code so CAE handling is not duplicated between request adapter and this new middleware.

We could consider moving all the authentication considerations out of the request adapter, but that creates two potential issues we designed around by adding it in the request adapter:

• http clients are not portable anymore between different APIs
• it's easier to forget to configure the authentication on the http client, and then have calls fail.

@darrelmiller, would you mind putting together a spec for this middleware handler in the SDK design repository please?

[baywet]

Related https://github.com/microsoft/kiota-http-go/issues/130

[andrueastman]

Transferring issue as part of https://github.com/microsoft/kiota-abstractions-dotnet/issues/238

[baywet]

authored https://github.com/microsoftgraph/msgraph-sdk-design/pull/111 to help move this along

[lvde0]

I stumbled upon this issue since I have a custom "Token Refresh" middleware that tries to re-authenticate the request with the refreshed token. I was wondering if it's possible to access the IAuthenticationProvider somehow to do that? I mean I can still manually tweak the authorization header, but I think it would be cleaner to go via IAuthenticationProvider.

[baywet]

currently it's not, but with the new factory we'd be adding with this work, you could at least access it while initializing the middleware, and pass it to your custom middleware implementation. We started the work in java https://github.com/microsoft/kiota-java/pull/1562