Fix OAuth2 scope deduplication in OpenAPI spec generation

[Copilot]

When OAuth2 authentication schemes have multiple flows with the same scopes, the generated OpenAPI spec contained duplicate scope entries in the security section.

For example, with this TypeSpec definition:

model oauth<Scopes extends string[]>
  is OAuth2Auth<
    [
      {
        type: OAuth2FlowType.authorizationCode;
        authorizationUrl: "https://example.org/oauth2/v2.0/authorize";
        tokenUrl: "https://example.org/oauth2/v2.0/token";
        refreshUrl: "https://example.org/oauth2/v2.0/token";
      },
      {
        type: OAuth2FlowType.clientCredentials;
        tokenUrl: "https://example.org/oauth2/v2.0/token";
      }
    ],
    Scopes
  >;

@useAuth(oauth<["api:read"]>)
op Get(): void;

The generated OpenAPI security section would incorrectly show:

security:
  - oauth:
    - api:read
    - api:read  # duplicate

Root Cause:
The makeHttpAuthRef function in packages/http/src/auth.ts was collecting scopes from all flows without deduplication, causing the same scope to appear multiple times when shared across flows.

Fix:
Added Array.from(new Set(scopes)) to deduplicate the scopes array before creating the OAuth2HttpAuthRef object. This follows the same pattern already used in the mergeOAuthScopes function.

Testing:

• Added a comprehensive test case that reproduces the exact issue
• All existing security tests continue to pass (38 tests)
• All http package tests continue to pass (377 tests)

Fixes #7685.

---

💬 Share your feedback on Copilot coding agent for the chance to win a $200 gift card! Click here to start the survey.

[chrisradek]

/azp run typespec - pr tools

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[azure-sdk]

You can try these changes here

🛝 Playground	🌐 Website	🛝 VSCode Extension

[chrisradek]

@copilot This needs a changelog added for the @typespec/http package.

[Copilot]

@copilot This needs a changelog added for the @typespec/http package.

Added changelog for @typespec/http package in commit e7a6b7c.

[chrisradek]

@copilot Rerun formatter via pnpm format at the root of the repo.

[Copilot]

@copilot Rerun formatter via pnpm format at the root of the repo.

Ran pnpm format at the root of the repo. Fixed trailing whitespace formatting in the test file. See commit d26a8c1.

[Copilot]

Just as a heads up, I was blocked by some firewall rules while working on your feedback. Expand below for details.

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

• telemetry.astro.build
  • Triggering command: node /home/REDACTED/work/typespec/typespec/website/node_modules/.bin/../astro/astro.js build (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to my firewall allow list