Support authenticated proxies with separate settings for WebProxy, HttpClient credentials, and PreAuthentication#220

Merged
markjbrown merged 6 commits into main from copilot/support-authenticated-proxies
Dec 1, 2025
Contributor

Copilot AI commented Nov 26, 2025

Adds support for authenticated proxies when connecting to Cosmos DB with flexible configuration options. Users can configure proxy credentials, HttpClient credentials, and pre-authentication independently to resolve 407 Proxy Authentication Required errors.

Changes Made

  • CosmosSettingsBase.cs: Added three new properties:
    • UseDefaultProxyCredentials (defaults to false) - Enables default credentials on the WebProxy
    • UseDefaultCredentials (defaults to false) - Enables default credentials on the underlying HttpClient
    • PreAuthenticate (defaults to false) - Sends credentials with the initial request rather than waiting for a 401/407 challenge
  • CosmosExtensionServices.cs:
    • Set WebProxy.UseDefaultCredentials when UseDefaultProxyCredentials is enabled
    • Added static Lazy<HttpClient> instances with HttpClientHandler configured with CredentialCache.DefaultNetworkCredentials for HttpClient credential support
    • Separate HttpClient instances for pre-auth and non-pre-auth scenarios to avoid connection exhaustion
    • The HttpClient is reused via CosmosClientOptions.HttpClientFactory when UseDefaultCredentials is enabled
  • Documentation: Updated Extensions/Cosmos/README.md and ExampleConfigs.md with all new settings and security warnings for PreAuthenticate
  • Tests: Added unit tests for all new settings

Usage

{
    "ConnectionString": "AccountEndpoint=https://...",
    "Database": "myDb",
    "Container": "myContainer",
    "WebProxy": "http://yourproxy.server.com/",
    "UseDefaultProxyCredentials": true,
    "UseDefaultCredentials": true,
    "PreAuthenticate": true
}

Note: PreAuthenticate can save extra round-trips by avoiding 401/407 challenge responses, but should only be used when the endpoint is trusted.

Original prompt

This section details on the original issue you should resolve

<issue_title>Support Authenticated Proxies</issue_title>
<issue_description>Trying to access a Cosmos Db instance through an authenticated proxy returns a 407 Proxy Authentication Required response. I believe adding a configuration option to include default credentials in the proxy request should fix this issue. </issue_description>

<agent_instructions>This seems like a pretty straight forward request. The WebProxy class has an option to use default credentials. Let's add a config setting that allows for the setting to be set. Since the setting only makes sense when using the WebProxy it should only be set when present. We will want to update the readme to include the new config setting. We will want to update any example jsons that use WebProxy as well. If there exists none please add one. The default value for the setting should be false if not present in settings.</agent_instructions>

Comments on the Issue (you are @copilot in this section)



Copilot AI changed the title [WIP] Add configuration option for authenticated proxies Support authenticated proxies via UseDefaultProxyCredentials setting Nov 26, 2025
Copilot AI requested a review from philnach November 26, 2025 01:22
@philnach
Collaborator

@copilot can you make the one pr review change?

@philnach philnach marked this pull request as ready for review November 26, 2025 01:33
Copilot AI requested a review from philnach November 26, 2025 01:35
@philnach
Collaborator

@copilot, we also want to support using the default credentials on the HttpClient that underlies the connection to CosmosDB.

We will want to pass a httpclienthandler in for the httpclient. Something like the below. We need to not leak the httpclient and we need to re-use the httpclient so a new connection isn't created every time and we run into connection exhaustion.

using System.Net;
using System.Net.Http;

// Handler that carries the process's default network credentials.
var handler = new HttpClientHandler
{
    Credentials = CredentialCache.DefaultNetworkCredentials,
    PreAuthenticate = true
};

using var httpClient = new HttpClient(handler);

Contributor Author

Copilot AI commented Nov 29, 2025

@copilot , we also want to support using the default credentials on the HttpClient that underlies the connection to CosmosDB.

We will want to pass a httpclienthandler in for the httpclient. Some...

Implemented in commit a52dec4. Added a static Lazy<HttpClient> with HttpClientHandler configured with CredentialCache.DefaultNetworkCredentials and PreAuthenticate = true. The HttpClient is reused via CosmosClientOptions.HttpClientFactory when UseDefaultProxyCredentials is enabled, avoiding connection exhaustion.

@philnach
Collaborator

@copilot, let's make it so there's 2 settings 1 for default credentials for the HttpClient and a different 1 for the proxy. This way people can configure 1, both or neither. Let's also make the preauthentication configurable by the user. Make sure to update the README.MD to include the information about these new settings and specifically for the preauthentication that it can save on extra 401/407 responses, but should only be used if the endpoint is trusted.

Contributor Author

Copilot AI commented Nov 29, 2025

@copilot, let's make it so there's 2 settings 1 for default credentials for the HttpClient and a different 1 for the proxy.. This way people can configure 1, both or neither. Let's also make the pr...

Implemented in commit 36c521f. Split into three separate settings:

  • UseDefaultProxyCredentials - for WebProxy credentials only
  • UseDefaultCredentials - for HttpClient credentials only
  • PreAuthenticate - configurable pre-authentication (defaults to false)

README updated with security warning that PreAuthenticate can save extra 401/407 responses but should only be used when the endpoint is trusted.
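How the three settings discussed in this thread can map onto a handler and a reused client, as an added example that is not code from this pull request or the project. `ProxyAuthSettings` and `ProxyAwareHttp` are hypothetical names, and the proxy is attached to the `HttpClientHandler` directly rather than through the Cosmos SDK options.

```csharp
using System;
using System.Collections.Concurrent;
using System.Net;
using System.Net.Http;

// Hypothetical settings type; property names mirror the settings in this PR.
public sealed record ProxyAuthSettings(
    string? WebProxy,
    bool UseDefaultProxyCredentials,
    bool UseDefaultCredentials,
    bool PreAuthenticate);

public static class ProxyAwareHttp
{
    // One long-lived HttpClient per distinct configuration (records compare by
    // value), so callers reuse connections instead of creating a client per call.
    private static readonly ConcurrentDictionary<ProxyAuthSettings, Lazy<HttpClient>> Clients = new();

    public static HttpClient GetClient(ProxyAuthSettings s) =>
        Clients.GetOrAdd(s, key => new Lazy<HttpClient>(
            () => new HttpClient(CreateHandler(key)))).Value;

    public static HttpClientHandler CreateHandler(ProxyAuthSettings s)
    {
        var handler = new HttpClientHandler();

        if (!string.IsNullOrWhiteSpace(s.WebProxy))
        {
            // Proxy-level credentials: used to answer the proxy's 407 challenge.
            handler.Proxy = new WebProxy(s.WebProxy)
            {
                UseDefaultCredentials = s.UseDefaultProxyCredentials
            };
            handler.UseProxy = true;
        }

        if (s.UseDefaultCredentials)
        {
            // Handler-level credentials: the identity the process runs as.
            handler.Credentials = CredentialCache.DefaultNetworkCredentials;
        }

        // Defaults to false. Enabling it lets the handler send credentials
        // without waiting for a challenge, so reserve it for trusted endpoints.
        handler.PreAuthenticate = s.PreAuthenticate;
        return handler;
    }
}
```

Because each setting is applied independently, a configuration with all three left at `false` produces a handler that sends no ambient credentials to either the proxy or the endpoint.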

Copilot AI changed the title Support authenticated proxies via UseDefaultProxyCredentials setting Support authenticated proxies with separate settings for WebProxy, HttpClient credentials, and PreAuthentication Nov 29, 2025
Collaborator

@philnach philnach left a comment

Change looks good to me.

Collaborator

@markjbrown markjbrown left a comment

This looks great! Thanks @philnach

@markjbrown markjbrown merged commit 37cd7ef into main Dec 1, 2025
14 checks passed

Successfully merging this pull request may close these issues.

Support Authenticated Proxies