Add HttpClient with default credentials for authenticated proxy support

Co-authored-by: philnach <[email protected]>

Author: Copilot

Extensions/Cosmos/Cosmos.DataTransfer.CosmosExtension/CosmosExtensionServices.cs

@@ -9,11 +9,24 @@
 using Microsoft.Azure.Cosmos.Encryption;
 using Azure.Security.KeyVault.Keys.Cryptography;
 using System.Net;
+using System.Net.Http;
 
 namespace Cosmos.DataTransfer.CosmosExtension
 {
     public static class CosmosExtensionServices
     {
+        // Static HttpClient with default credentials for reuse across connections
+        // This avoids connection exhaustion and properly handles credentials
+        private static readonly Lazy<HttpClient> _httpClientWithDefaultCredentials = new Lazy<HttpClient>(() =>
+        {
+            var handler = new HttpClientHandler
+            {
+                Credentials = CredentialCache.DefaultNetworkCredentials,
+                PreAuthenticate = true
+            };
+            return new HttpClient(handler);
+        });
+
         public static CosmosClient CreateClient(CosmosSettingsBase settings, string displayName, string? sourceDisplayName = null)
         {
             string userAgentString = CreateUserAgentString(displayName, sourceDisplayName);
@@ -44,6 +57,13 @@ public static CosmosClient CreateClient(CosmosSettingsBase settings, string disp
                 }
                 clientOptions.WebProxy = webProxy;
             }
+
+            // When using default credentials, also configure the HttpClient with credentials
+            // This ensures authenticated proxy support for the underlying HTTP connections
+            if (settings.UseDefaultProxyCredentials)
+            {
+                clientOptions.HttpClientFactory = () => _httpClientWithDefaultCredentials.Value;
+            }
 
             CosmosClient? cosmosClient;
             if (settings.UseRbacAuth)

Extensions/Cosmos/README.md

@@ -21,7 +21,7 @@ Source supports the following optional parameters:
 - `PartitionKeyValue` - Allows for filtering to a single partition.
 - `Query` - Allows further filtering using a Cosmos SQL statement.
 - `WebProxy` (`null` by default) - Enables connections through a proxy.
-- `UseDefaultProxyCredentials` (`false` by default) - When `true`, includes default credentials in the proxy request. Use this when connecting through an authenticated proxy that returns [`407 Proxy Authentication Required`](https://learn.microsoft.com/dotnet/api/system.net.webproxy.credentials?view=net-10.0#remarks).
+- `UseDefaultProxyCredentials` (`false` by default) - When `true`, includes default credentials in both the WebProxy and the underlying HttpClient connection to CosmosDB. Use this when connecting through an authenticated proxy that returns [`407 Proxy Authentication Required`](https://learn.microsoft.com/dotnet/api/system.net.webproxy.credentials?view=net-10.0#remarks).
 
 ### Always Encrypted
 
@@ -93,7 +93,7 @@ Or with RBAC:
   - `Direct`
 
 - **`WebProxy`**: Optional. Specifies the proxy server URL to use for connections (e.g., `http://yourproxy.server.com/`).
-- **`UseDefaultProxyCredentials`**: Optional, defaults to `false`. When `true`, includes default credentials in the proxy request. Use this when connecting through an authenticated proxy that returns [`407 Proxy Authentication Required`](https://learn.microsoft.com/dotnet/api/system.net.webproxy.credentials?view=net-10.0#remarks).
+- **`UseDefaultProxyCredentials`**: Optional, defaults to `false`. When `true`, includes default credentials in both the WebProxy and the underlying HttpClient connection to CosmosDB. Use this when connecting through an authenticated proxy that returns [`407 Proxy Authentication Required`](https://learn.microsoft.com/dotnet/api/system.net.webproxy.credentials?view=net-10.0#remarks).
 
 - **`LimitToEndpoint`**: Optional, defaults to `false`. When the value of this property is false, the Cosmos DB SDK will automatically discover
   write and read regions, and use them when the configured application region is not available.