From f6a43aafb29dc67b5c989d9fc15b8dd7b494e50c Mon Sep 17 00:00:00 2001
From: Charles Lowell <10964656+chlowell@users.noreply.github.com>
Date: Mon, 14 Aug 2023 10:02:32 -0700
Subject: [PATCH] Add TokenRequestOptions.EnableCAE (#21362)
---
 sdk/azcore/CHANGELOG.md | 1 +
 sdk/azcore/internal/exported/exported.go | 7 +++++++
 2 files changed, 8 insertions(+)
diff --git a/sdk/azcore/CHANGELOG.md b/sdk/azcore/CHANGELOG.md
index 2fc41a00887e..9ce7a8554ca2 100644
--- a/sdk/azcore/CHANGELOG.md
+++ b/sdk/azcore/CHANGELOG.md
@@ -5,6 +5,7 @@
 ### Features Added
 * Added function `SanitizePagerPollerPath` to the `server` package to centralize sanitization and formalize the contract.
+* Added `TokenRequestOptions.EnableCAE` to indicate whether to request a CAE token
 ### Breaking Changes
diff --git a/sdk/azcore/internal/exported/exported.go b/sdk/azcore/internal/exported/exported.go
index 2afb21f64b5f..132f2a474fb9 100644
--- a/sdk/azcore/internal/exported/exported.go
+++ b/sdk/azcore/internal/exported/exported.go
@@ -57,6 +57,13 @@ type TokenRequestOptions struct {
 // service may return in a claims challenge following an authorization failure. If a service returned the
 // claims value base64 encoded, it must be decoded before setting this field.
 Claims string
+
+ // EnableCAE indicates whether to enable Continuous Access Evaluation (CAE) for the requested token. When true,
+ // azidentity credentials request CAE tokens for resource APIs supporting CAE. Clients are responsible for
+ // handling CAE challenges. If a client that doesn't handle CAE challenges receives a CAE token, it may end up
+ // in a loop retrying an API call with a token that has been revoked due to CAE.
+ EnableCAE bool
+
 // Scopes contains the list of permission scopes required for the token.
 Scopes []string
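Review bot: The doc comment on `EnableCAE` warns about the retry loop but does not say what the zero value does or how a caller should answer a CAE challenge, and a reader needs both to set this field safely. I would add a sentence such as `// The default, false, requests a token without CAE support.` if that is the intended default. If it matches the intended flow, also add a pointer that the claims from a challenge go in `Claims` on the retried request. Because the field changes which kind of token comes back, any code that caches or compares tokens by `TokenRequestOptions` presumably has to take it into account, but that code is not visible in this patch. The `TokenRequestOptions` struct starts and ends outside the hunk.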