Make TokenExtensions.UpdateTokenValue() tokenValue parameter nullable

[shethaadit]

Summary

This PR updates the TokenExtensions.UpdateTokenValue() method signature to make the tokenValue parameter nullable (string? instead of string), addressing the oversight mentioned in #62257.

Description

The tokenValue parameter in TokenExtensions.UpdateTokenValue() is expected to be nullable as it:

• Is not null-guarded in the implementation
• Updates a dictionary entry where values are deliberately nullable
• Is commonly used with the result of GetTokenValue() which returns string?

This change eliminates CS8604 compiler warnings when passing nullable values to the method.

Changes

• Updated UpdateTokenValue() method signature to accept string? for tokenValue parameter
• Added test cases to verify nullable behavior:
  • StoreTokens_StoresTokensWithNullValues - Verifies storing tokens with null values
  • UpdateTokenValue_WorksWithNullGetTokenValueResult - Tests updating with null from GetTokenValue()
  • GetTokens_ExcludesTokensWithNullValues - Confirms null-valued tokens are excluded from GetTokens()

Customer Impact

This is a compile-time only change that:

• Eliminates nullable reference type warnings (CS8604) in common usage patterns
• Provides better API clarity about expected parameter nullability
• Has no runtime impact or breaking changes (binary compatible)

Example of fixed scenario:

// No longer produces CS8604 warning
properties.UpdateTokenValue("refresh_token", result.Properties.GetTokenValue("refresh_token"));

Fixes #62257

[halter73]

I was tempted to say we should make a breaking change and start throwing for null token values rather than continue putting null values in the properties dictionary, but I don't think it's worth it. The behavior isn't that much different than updating a token value with the empty string.

Can you update https://github.com/dotnet/aspnetcore/blob/main/src/Http/Authentication.Abstractions/src/PublicAPI.Unshipped.txt to include the following? That should fix the RS0016 errors.

#nullable enable
*REMOVED*static Microsoft.AspNetCore.Authentication.AuthenticationTokenExtensions.UpdateTokenValue(this Microsoft.AspNetCore.Authentication.AuthenticationProperties! properties, string! tokenName, string! tokenValue) -> bool
static Microsoft.AspNetCore.Authentication.AuthenticationTokenExtensions.UpdateTokenValue(this Microsoft.AspNetCore.Authentication.AuthenticationProperties! properties, string! tokenName, string? tokenValue) -> bool

Thanks!

[kevinchalet]

I was tempted to say we should make a breaking change and start throwing for null token values rather than continue putting null values in the properties dictionary, but I don't think it's worth it.

If you're not against making a potentially-observable change, a better approach would be to remove the token entry when the value is null, which is what the AuthenticationProperties Set*() methods do for null values. E.g:

aspnetcore/src/Http/Authentication.Abstractions/src/AuthenticationProperties.cs

Lines 178 to 193 in 5098e3e

	/// <summary>
	/// Set or remove a <see cref="bool"/> value in the <see cref="Items"/> collection.
	/// </summary>
	/// <param name="key">Property key.</param>
	/// <param name="value">Value to set or <see langword="null" /> to remove the property.</param>
	protected void SetBool(string key, bool? value)
	{
	if (value.HasValue)
	{
	Items[key] = value.GetValueOrDefault().ToString();
	}
	else
	{
	Items.Remove(key);
	}
	}

aspnetcore/src/Http/Authentication.Abstractions/src/AuthenticationProperties.cs

Lines 129 to 144 in 5098e3e

	/// <summary>
	/// Set or remove a string value from the <see cref="Items"/> collection.
	/// </summary>
	/// <param name="key">Property key.</param>
	/// <param name="value">Value to set or <see langword="null" /> to remove the property.</param>
	public void SetString(string key, string? value)
	{
	if (value != null)
	{
	Items[key] = value;
	}
	else
	{
	Items.Remove(key);
	}
	}