feat: implement multi-auth scheme preferences per SEP

Author: AlexDaines

generator/.DevConfigs/3aa6313d-9526-40ba-b09c-e046e0d4ef2f.json

@@ -0,0 +1,13 @@
+{
+  "core": {
+    "changeLogMessages": [
+      "Implement multi-auth SEP with authentication scheme preference and SigV4a region set configuration",
+      "Add AuthScheme, AuthSchemePreference, and related configuration classes",
+      "Add DefaultAuthSchemeResolver and configuration resolution logic",
+      "Update ClientConfig to support new authentication scheme properties",
+      "Add environment and configuration file support for auth scheme settings"
+    ],
+    "type": "minor",
+    "updateMinimum": true
+  }
+}

sdk/src/Core/AWSConfigs.cs

@@ -402,6 +402,64 @@ public static bool DisableLegacyPersistenceStore
 
         #endregion
 
+        #region Authentication Scheme Preference
+
+        /// <summary>
+        /// Key for the AuthSchemePreference property.
+        /// <seealso cref="Amazon.AWSConfigs.AuthSchemePreference"/>
+        /// </summary>
+        public const string AuthSchemePreferenceKey = "AWSAuthSchemePreference";
+
+        /// <summary>
+        /// Gets or sets the global authentication scheme preference for all AWS service clients.
+        /// <para>
+        /// This property allows you to specify a preference list of authentication schemes
+        /// that will be used to reprioritize the supported authentication schemes globally.
+        /// Individual client configurations can override this global setting.
+        /// </para>
+        /// <para>
+        /// This setting can be configured through environment variables or configuration files:
+        /// - Environment variable: AWS_AUTH_SCHEME_PREFERENCE
+        /// - Configuration file: auth_scheme_preference
+        /// </para>
+        /// </summary>
+        public static string AuthSchemePreference
+        {
+            get { return _rootConfig.AuthSchemePreference; }
+            set { _rootConfig.AuthSchemePreference = value; }
+        }
+
+        #endregion
+
+        #region SigV4a Region Set Configuration
+
+        /// <summary>
+        /// Key for the SigV4aSigningRegionSet property.
+        /// <seealso cref="Amazon.AWSConfigs.SigV4aSigningRegionSet"/>
+        /// </summary>
+        public const string SigV4aSigningRegionSetKey = "AWSSigV4aRegionSet";
+
+        /// <summary>
+        /// Gets or sets the global SigV4a signing region set configuration for all AWS service clients.
+        /// <para>
+        /// This property allows you to specify the region set that will be used for SigV4a signing globally.
+        /// The region set determines which regions the signed request is valid for.
+        /// Individual client configurations can override this global setting.
+        /// </para>
+        /// <para>
+        /// This setting can be configured through environment variables or configuration files:
+        /// - Environment variable: AWS_SIGV4A_SIGNING_REGION_SET
+        /// - Configuration file: sigv4a_signing_region_set
+        /// </para>
+        /// </summary>
+        public static string SigV4aSigningRegionSet
+        {
+            get { return _rootConfig.SigV4aSigningRegionSet; }
+            set { _rootConfig.SigV4aSigningRegionSet = value; }
+        }
+
+        #endregion
+
         #region AWS Config Sections
 
         /// <summary>

sdk/src/Core/Amazon.Runtime/ClientConfig.cs

@@ -1,17 +1,17 @@
- /*
- * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
- * 
- * Licensed under the Apache License, Version 2.0 (the "License").
- * You may not use this file except in compliance with the License.
- * A copy of the License is located at
- * 
- *  http://aws.amazon.com/apache2.0
- * 
- * or in the "license" file accompanying this file. This file is distributed
- * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
- * express or implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
+/*
+* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+* 
+* Licensed under the Apache License, Version 2.0 (the "License").
+* You may not use this file except in compliance with the License.
+* A copy of the License is located at
+* 
+*  http://aws.amazon.com/apache2.0
+* 
+* or in the "license" file accompanying this file. This file is distributed
+* on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+* express or implied. See the License for the specific language governing
+* permissions and limitations under the License.
+*/
 using System;
 using System.Collections.Generic;
 using System.Net;
@@ -68,6 +68,7 @@ public abstract partial class ClientConfig : IClientConfig
         private string authServiceName = null;
         private string clientAppId = null;
         private SigningAlgorithm signatureMethod = SigningAlgorithm.HmacSHA256;
+        private bool isSignatureMethodExplicitlySet = false;
         private bool logResponse = false;
         private int bufferSize = AWSSDKUtils.DefaultBufferSize;
         private long progressUpdateInterval = AWSSDKUtils.DefaultProgressUpdateInterval;
@@ -221,7 +222,20 @@ public abstract string ServiceVersion
         public SigningAlgorithm SignatureMethod
         {
             get { return this.signatureMethod; }
-            set { this.signatureMethod = value; }
+            set { 
+                this.signatureMethod = value;
+                this.isSignatureMethodExplicitlySet = true;
+            }
+        }
+
+        /// <summary>
+        /// Gets a value indicating whether the SignatureMethod property was explicitly set by the user.
+        /// This is used for backwards compatibility to determine when legacy SignatureMethod configuration
+        /// should take precedence over auth scheme preferences.
+        /// </summary>
+        public bool IsSignatureMethodExplicitlySet
+        {
+            get { return this.isSignatureMethodExplicitlySet; }
         }
 
         /// <summary>
@@ -317,18 +331,18 @@ public abstract string RegionEndpointServiceName
         /// </summary>
         public string ServiceURL
         {
-            get 
+            get
             {
                 if (!didProcessServiceURL && this.serviceURL == null && IgnoreConfiguredEndpointUrls == false && ServiceId != null)
                 {
-                    
+
                     string serviceSpecificTransformedEnvironmentVariable = TransformServiceId.TransformServiceIdToEnvVariable(ServiceId);
                     string transformedConfigServiceId = TransformServiceId.TransformServiceIdToConfigVariable(ServiceId);
 
                     if (Environment.GetEnvironmentVariable(serviceSpecificTransformedEnvironmentVariable) != null)
                     {
                         Logger.GetLogger(GetType()).InfoFormat($"ServiceURL configured from service specific environment variable: {serviceSpecificTransformedEnvironmentVariable}.");
-                        this.ServiceURL = Environment.GetEnvironmentVariable(serviceSpecificTransformedEnvironmentVariable);                    
+                        this.ServiceURL = Environment.GetEnvironmentVariable(serviceSpecificTransformedEnvironmentVariable);
                     }
                     else if (Environment.GetEnvironmentVariable(EnvironmentVariables.GLOBAL_ENDPOINT_ENVIRONMENT_VARIABLE) != null)
                     {
@@ -381,7 +395,7 @@ public string ServiceURL
                         $"ServiceUrl was set last, ServiceUrl: {value} will be used to make the request and RegionEndpoint: {this.regionEndpoint} has been set to null.");
                 this.regionEndpoint = null;
                 this.probeForRegionEndpoint = false;
-                
+
                 if(!string.IsNullOrEmpty(value))
                 {
                     // If the URL passed in only has a host name make sure there is an ending "/" to avoid signature mismatch issues.
@@ -444,7 +458,7 @@ public string AuthenticationServiceName
             get { return this.authServiceName; }
             set { this.authServiceName = value; }
         }
-        
+
         /// <summary>
         /// The serviceId for the service, which is specified in the metadata in the ServiceModel.
         /// The transformed value of the service ID (replace any spaces in the service ID 
@@ -540,7 +554,7 @@ public long ProgressUpdateInterval
             get { return progressUpdateInterval; }
             set { progressUpdateInterval = value; }
         }
-        
+
 
         /// <summary>
         /// Flag on whether to resign requests on retry or not.
@@ -638,7 +652,7 @@ protected IDefaultConfiguration DefaultConfiguration
         /// </summary>
         public ICredentials ProxyCredentials
         {
-            get 
+            get
             {
                 if(this.proxyCredentials == null &&
                     (!string.IsNullOrEmpty(AWSConfigs.ProxyConfig.Username) ||
@@ -794,7 +808,7 @@ internal CancellationToken BuildDefaultCancellationToken()
         /// </remarks>
         public bool UseDualstackEndpoint
         {
-            get 
+            get
             {
                 if (!this.useDualstackEndpoint.HasValue)
                 {
@@ -873,10 +887,10 @@ public long RequestMinCompressionSizeBytes
 
                 return this.requestMinCompressionSizeBytes.Value;
             }
-            set 
+            set
             {
                 ValidateMinCompression(value);
-                requestMinCompressionSizeBytes = value; 
+                requestMinCompressionSizeBytes = value;
             }
         }
 
@@ -902,7 +916,7 @@ public string ClientAppId
 
                 return this.clientAppId;
             }
-            set 
+            set
             {
                 ValidateClientAppId(value);
                 this.clientAppId = value;
@@ -1034,7 +1048,7 @@ public RequestRetryMode RetryMode
             }
             set { this.retryMode = value; }
         }
-        
+
         /// <summary>
         /// Under Adaptive retry mode, this flag determines if the client should wait for
         /// a send token to become available or don't block and fail the request immediately
@@ -1185,6 +1199,28 @@ public TelemetryProvider TelemetryProvider
             set { this.telemetryProvider = value; }
         }
 
+        /// <summary>
+        /// Gets or sets the authentication scheme preference for this client configuration.
+        /// <para>
+        /// This property allows you to specify a comma-separated preference list of authentication schemes
+        /// (e.g., "sigv4a,sigv4") that will be used to reprioritize the supported authentication schemes for this client.
+        /// If not set, the client will use environment variables, configuration files,
+        /// or fall back to the default model-based authentication scheme resolution.
+        /// </para>
+        /// </summary>
+        public string AuthSchemePreference { get; set; }
+
+        /// <summary>
+        /// Gets or sets the SigV4a signing region set for this client.
+        /// <para>
+        /// This property allows you to specify a comma-separated list of regions (e.g., "us-east-1,us-west-2")
+        /// that will be used for SigV4a signing. The region set determines which regions the signed request is valid for.
+        /// If not set, the client will use environment variables, configuration files,
+        /// endpoints metadata, or fall back to the client's configured region.
+        /// </para>
+        /// </summary>
+        public string SigV4aSigningRegionSet { get; set; }
+
         /// <summary>
         /// Determines the behavior for calculating checksums for request payloads.
         /// By default it is set to <see cref="RequestChecksumCalculation.WHEN_SUPPORTED"/>.

sdk/src/Core/Amazon.Runtime/Credentials/Internal/AuthSchemeOption.cs

@@ -23,11 +23,31 @@ public class AuthSchemeOption : IAuthSchemeOption
         /// <inheritdoc/>
         public string SchemeId { get; set; }
 
+        /// <summary>
+        /// Gets the short name of the authentication scheme (e.g., "sigv4" from "aws.auth#sigv4").
+        /// This is used for configuration purposes.
+        /// </summary>
+        public string Name => GetNameFromSchemeId(SchemeId);
+
         internal const string SigV4 = "aws.auth#sigv4";
         internal const string SigV4A = "aws.auth#sigv4a";
         internal const string Bearer = "smithy.api#httpBearerAuth";
         internal const string NoAuth = "smithy.api#noAuth";
 
+        /// <summary>
+        /// Extracts the short name from a fully qualified scheme ID.
+        /// </summary>
+        /// <param name="schemeId">The fully qualified scheme ID (e.g., "aws.auth#sigv4").</param>
+        /// <returns>The short name (e.g., "sigv4") or the original schemeId if no '#' is present.</returns>
+        public static string GetNameFromSchemeId(string schemeId)
+        {
+            if (string.IsNullOrEmpty(schemeId))
+                return schemeId;
+
+            var parts = schemeId.Split('#');
+            return parts.Length > 1 ? parts[1] : schemeId;
+        }
+
         /// <summary>
         /// Default auth scheme options for services / operations that only support SigV4.
         /// </summary>

sdk/src/Core/Amazon.Runtime/IClientConfig.cs

@@ -148,6 +148,14 @@ public partial interface IClientConfig
         /// </summary>
         SigningAlgorithm SignatureMethod { get; }
 
+        /// <summary>
+        /// Gets a value indicating whether the SignatureMethod property was explicitly set by the user.
+        /// This is used for backwards compatibility to determine when legacy SignatureMethod configuration
+        /// should take precedence over auth scheme preferences.
+        /// </summary>
+        bool IsSignatureMethodExplicitlySet { get; }
+
+
         /// <summary>
         /// Gets the AuthenticationRegion property.
         /// Used in AWS4 request signing, this is an optional property; 
@@ -397,6 +405,30 @@ public partial interface IClientConfig
         /// </summary>
         ResponseChecksumValidation ResponseChecksumValidation { get; }
 
+        /// <summary>
+        /// Gets or sets the authentication scheme preference for this client configuration.
+        /// <para>
+        /// This property allows you to specify a comma-separated preference list of authentication schemes
+        /// (e.g., "sigv4a,sigv4") that will be used to reprioritize the supported authentication schemes for this client.
+        /// If not set, the client will use environment variables, configuration files,
+        /// or fall back to the default model-based authentication scheme resolution.
+        /// </para>
+        /// </summary>
+        string AuthSchemePreference { get; }
+
+        /// <summary>
+        /// Gets or sets the SigV4a signing region set for this client.
+        /// <para>
+        /// This property allows you to specify a comma-separated list of regions (e.g., "us-east-1,us-west-2")
+        /// that will be used for SigV4a signing. The region set determines which regions the signed request is valid for.
+        /// If not set, the client will use environment variables, configuration files,
+        /// endpoints metadata, or fall back to the client's configured region.
+        /// </para>
+        /// </summary>
+        string SigV4aSigningRegionSet { get; }
+
+
+
         /// <summary>
         /// Controls whether the resolved endpoint will include the account id. This allows for direct routing of traffic
         /// to the cell responsible for a given account, which avoids the additional latency of extra backend hops and reduces