Fix @armProviderNamespace default auth scope

[Copilot]

@armProviderNamespace injects a bare user_impersonation OAuth2 scope, which SDK emitters cannot resolve to an ARM audience at runtime (tokens end up issued for Microsoft Graph). Per the issue discussion (option 2 / 2a), TypeSpec should carry the real scope and typespec-autorest should project it back to the legacy value so existing ARM Swagger in azure-rest-api-specs is unchanged.

Changes

• typespec-azure-resource-manager/src/namespace.ts: @armProviderNamespace now injects https://management.azure.com/.default with the description "Default scope for management APIs" as the sole default scope. Consumers like TCGC / downstream SDK emitters now see the canonical ARM scope.
• typespec-autorest/src/openapi.ts: Added rewriteArmScopeForOpenAPI2, applied in both getOpenAPI2Scheme (securityDefinitions) and getOpenAPISecurity (per-op security refs). When the service namespace isArmProviderNamespace and the scope value is exactly https://management.azure.com/.default, it is rewritten back to user_impersonation. When this rewrite happens, the description is also projected back to the legacy "impersonate your user account" so existing ARM swagger baselines stay byte-identical. Any other scope / non-ARM namespace is passed through unchanged, so existing security.test.ts coverage (e.g. custom read/write scopes) still holds, and all ARM sample openapi.json baselines remain byte-identical.
• Tests
  • typespec-azure-resource-manager/test/authentication.test.ts: asserts getAuthentication on an @armProviderNamespace namespace yields exactly one OAuth2 implicit flow with scope https://management.azure.com/.default and description "Default scope for management APIs".
  • typespec-autorest/test/arm/authentication.test.ts: asserts the emitted OpenAPI v2 still contains azure_auth / user_impersonation (with the original "impersonate your user account" description) in both securityDefinitions.azure_auth.scopes and security.
• Chronus: fix changelog entry covering both packages.

Shape of the rewrite

function rewriteArmScopeForOpenAPI2(scope: string, serviceNamespace: Namespace): string {
  if (
    scope === "https://management.azure.com/.default" &&
    isArmProviderNamespace(program, serviceNamespace)
  ) {
    return "user_impersonation";
  }
  return scope;
}

Notes / follow-ups

• Scoped narrowly to the exact canonical ARM scope string so user-specified scopes and non-ARM services are never touched.
• Sovereign-cloud correctness (option 3 in the investigation — normalize to a "derive from endpoint" sentinel) is intentionally out of scope; this PR addresses the decoupling between TypeSpec truth and Swagger emission only.
• No swagger baselines needed regeneration; the samples suite passes unchanged.

[markcowl]

Please pull the latest from main, make the changes suggested, verify all tests pass and all files are correctly formatted, and that only the changes related to this PR are in the pr diff.

[Copilot]

Please pull the latest from main, make the changes suggested, verify all tests pass and all files are correctly formatted, and that only the changes related to this PR are in the pr diff.

Done in 8e8f4a0. Merged latest main, applied the suggested description change, ran pnpm format, and verified all tests pass for typespec-azure-resource-manager (286), typespec-autorest (467), and typespec-samples (68 — sample baselines unchanged). Only the changes for this PR are in the diff.

[markcowl]

/azp run typespec-azure - PR Tools

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[azure-sdk]

All changed packages have been documented.

• ✅ @azure-tools/typespec-autorest
• ✅ @azure-tools/typespec-azure-resource-manager

Show changes

@azure-tools/typespec-azure-resource-manager - fix ✏️

Fix @armProviderNamespace to inject the canonical absolute ARM scope https://management.azure.com/.default as the default OAuth2 scope instead of the bare relative user_impersonation value. For backwards compatibility with existing ARM Swagger, the @azure-tools/typespec-autorest emitter now rewrites this scope back to user_impersonation when emitting OpenAPI v2 for namespaces decorated with @armProviderNamespace.

@azure-tools/typespec-autorest - fix ✏️

Fix @armProviderNamespace to inject the canonical absolute ARM scope https://management.azure.com/.default as the default OAuth2 scope instead of the bare relative user_impersonation value. For backwards compatibility with existing ARM Swagger, the @azure-tools/typespec-autorest emitter now rewrites this scope back to user_impersonation when emitting OpenAPI v2 for namespaces decorated with @armProviderNamespace.

[pkg-pr-new]

Open in StackBlitz

npm i https://pkg.pr.new/@azure-tools/typespec-autorest@4322

npm i https://pkg.pr.new/@azure-tools/typespec-azure-resource-manager@4322

commit: b435ddf

[azure-sdk]

You can try these changes here

🛝 Playground	🌐 Website

[azure-sdk]

You can try these changes here

🛝 Playground	🌐 Website