Should OAuth handlers dispose of HttpRequestMessage/HttpResponseMessage?

[martincostello]

While reviewing aspnet-contrib/AspNet.Security.OAuth.Providers#268, I looked at the GoogleHandler class to see if the built-in OAuth handlers do the same as a hint as to whether the disposal is really required or not, which it does not.

This raises the question, should the built-in OAuth handlers be disposing of the HttpRequestMessage/HttpResponseMessage instances they create, or are they a special case for IDisposable like HttpClient and Task/Task<T> where warnings from static analyzers are false positives?

[blowdart]

@Tratcher

I find it not concerning, because they're going to get GCed anyway, and there's no unmanaged resources behind them that need clearing up sooner rather than later, but Chris may have other opinions.

[Tratcher]

There's a long thread on this here: https://github.com/dotnet/corefx/issues/34983

Summary: No. Disposing the HttpRequest/ResponseMessage only calls Dispose on the HttpContent. The HttpContent only needs to be disposed in the streaming scenario. In the buffered / string scenario (default), the underling resources are already cleaned up before HttpClient.SendAsync even returns.

[Tratcher]

That said, I wouldn't object to the use of C#8's new using dispose keyword, it's lighter weight than a using block:
using var response = await Backchannel.SendAsync(request, Context.RequestAborted);

[martincostello]

@blowdart @Tratcher Thanks both - I'll feed that back to the original PR.