[csharp][generichost] Multiple oauth tokens

[devhl-labs]

PR checklist

• Read the contribution guidelines.
• Pull Request title clearly describes the work in the pull request and Pull Request description provides details about how to validate the work. Missing information here may result in delayed response from the community.
• Run the following to build the project and update samples:

  ./mvnw clean package || exit
  ./bin/generate-samples.sh ./bin/configs/*.yaml || exit
  ./bin/utils/export_docs_generators.sh || exit
  

  (For Windows users, please run the script in WSL)
  Commit all changed files.
  This is important, as CI jobs will verify all generator outputs of your HEAD commit as it would merge with master.
  These must match the expectations made by your contribution.
  You may regenerate an individual generator by passing the relevant config(s) as an argument to the script, for example ./bin/generate-samples.sh bin/configs/java*.
  IMPORTANT: Do NOT purge/delete any folders/files (e.g. tests) when regenerating the samples as manually written tests may be removed.
• File the PR against the correct branch: master (upcoming 7.x.0 minor release - breaking changes with fallbacks), 8.0.x (breaking changes without fallbacks)
• If your PR solves a reported issue, reference it using GitHub's linking syntax (e.g., having "fixes #123" present in the PR description)
• If your PR is targeting a particular programming language, @mention the technical committee members, so they are more likely to review the pull request.

---

Summary by cubic

Adds support for multiple OAuth tokens in C# generichost clients and updates samples to include a second OAuth2 scheme (petstore_auth2). Generated APIs now apply all required OAuth tokens per operation, and tests verify DI registration of multiple tokens.

• New Features
  • Handle multiple OAuth2 security schemes per operation in C# generichost; register multiple OAuthTokens via repeated options.AddTokens(...).
  • Update petstore specs/docs to add petstore_auth2; generated PetApi applies both OAuth tokens and http_signature_test when required.
  • Improve DI tests by generating unique OAuth token variable names and add coverage for multiple token registration.
  • For httpclient samples, include auth for petstore_auth2 and add the Authorization header when configured.

^{Written for commit 8594e5f. Summary will update on new commits.}

[cubic-dev-ai]

35 issues found across 119 files

Note: This PR contains a large number of files. cubic only reviews up to 75 files per PR, so some files may not have been reviewed.

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="samples/client/petstore/csharp/restsharp/standard2.0/ConditionalSerialization/docs/PetApi.md">

<violation number="1" location="samples/client/petstore/csharp/restsharp/standard2.0/ConditionalSerialization/docs/PetApi.md:43">
P2: The newly added OAuth2 example line is misleading: it sets the same global `AccessToken` property for a second scheme, which overwrites the prior value instead of configuring a distinct token per scheme.</violation>
</file>

<file name="samples/client/petstore/csharp/httpclient/standard2.0/Petstore/docs/PetApi.md">

<violation number="1" location="samples/client/petstore/csharp/httpclient/standard2.0/Petstore/docs/PetApi.md:44">
P2: The example is misleading: it configures two OAuth schemes by assigning the same `AccessToken` property twice, so the second token overwrites the first and distinct per-scheme tokens cannot be represented.</violation>
</file>

<file name="samples/client/petstore/csharp/unityWebRequest/net9/Petstore/docs/PetApi.md">

<violation number="1" location="samples/client/petstore/csharp/unityWebRequest/net9/Petstore/docs/PetApi.md:43">
P2: The added multi-OAuth example is incorrect: it assigns `config.AccessToken` twice, so the second token overwrites the first and does not configure distinct tokens per scheme.</violation>
</file>

<file name="samples/client/petstore/csharp/httpclient/net10/Petstore/src/Org.OpenAPITools/Api/PetApi.cs">

<violation number="1" location="samples/client/petstore/csharp/httpclient/net10/Petstore/src/Org.OpenAPITools/Api/PetApi.cs:757">
P2: The new petstore_auth2 auth block is effectively a no-op. It uses the same global AccessToken and is guarded by `!HeaderParameters.ContainsKey("Authorization")`, so once the petstore_auth block sets the header, this block never runs. This still prevents using a distinct OAuth token per scheme.</violation>
</file>

<file name="samples/client/petstore/csharp/unityWebRequest/standard2.0/Petstore/src/Org.OpenAPITools/Api/PetApi.cs">

<violation number="1" location="samples/client/petstore/csharp/unityWebRequest/standard2.0/Petstore/src/Org.OpenAPITools/Api/PetApi.cs:687">
P2: The added petstore_auth2 authentication block is a no-op: it uses the same Configuration.AccessToken and the same Authorization guard as petstore_auth, so it never runs after the first block and cannot send a distinct token for the second OAuth scheme.</violation>
</file>

<file name="samples/client/petstore/csharp/generichost/net10/NullReferenceTypes/src/Org.OpenAPITools/Api/PetApi.cs">

<violation number="1" location="samples/client/petstore/csharp/generichost/net10/NullReferenceTypes/src/Org.OpenAPITools/Api/PetApi.cs:856">
P2: Second OAuth token overwrites the first because both calls use Authorization without a scheme identifier, so multiple OAuth credentials aren’t actually sent.</violation>
</file>

<file name="samples/client/petstore/csharp/httpclient/net9/Petstore/docs/PetApi.md">

<violation number="1" location="samples/client/petstore/csharp/httpclient/net9/Petstore/docs/PetApi.md:44">
P2: The new AddPet doc example claims to configure two OAuth schemes but writes both to the same `AccessToken` property, so the second assignment overwrites the first and does not configure distinct tokens.</violation>
</file>

<file name="samples/client/petstore/csharp/httpclient/net10/Petstore/docs/PetApi.md">

<violation number="1" location="samples/client/petstore/csharp/httpclient/net10/Petstore/docs/PetApi.md:44">
P2: The AddPet docs incorrectly show configuring two OAuth schemes by assigning `config.AccessToken` twice, which overwrites the first token and misleads users about multi-token support.</violation>
</file>

<file name="samples/client/petstore/csharp/generichost/net10/FormModels/src/Org.OpenAPITools.Test/Api/ApiTestsBase.cs">

<violation number="1" location="samples/client/petstore/csharp/generichost/net10/FormModels/src/Org.OpenAPITools.Test/Api/ApiTestsBase.cs:79">
P2: Second OAuth token registration overwrites the first because AddTokens registers a singleton TokenContainer per token type, so only one OAuthToken is retained and both are loaded from the same config key.</violation>
</file>

<file name="samples/client/petstore/csharp/generichost/net10/Petstore/src/Org.OpenAPITools/Api/PetApi.cs">

<violation number="1" location="samples/client/petstore/csharp/generichost/net10/Petstore/src/Org.OpenAPITools/Api/PetApi.cs:850">
P2: Second OAuth token overwrites the first because UseInHeader always sets the Authorization header; two OAuth requirements cannot both be sent.</violation>
</file>

<file name="samples/client/petstore/csharp/restsharp/net8/Petstore/src/Org.OpenAPITools/Api/PetApi.cs">

<violation number="1" location="samples/client/petstore/csharp/restsharp/net8/Petstore/src/Org.OpenAPITools/Api/PetApi.cs:726">
P2: The added petstore_auth2 block still uses the single global OAuth configuration and a shared Authorization header/RequestOptions.OAuth flag. There is no per-scheme token or identifier, so an operation requiring two OAuth schemes cannot send or acquire distinct tokens; the second block is effectively a no-op once Authorization is set.</violation>
</file>

<file name="samples/client/petstore/csharp/httpclient/net9/Petstore/src/Org.OpenAPITools/Api/PetApi.cs">

<violation number="1" location="samples/client/petstore/csharp/httpclient/net9/Petstore/src/Org.OpenAPITools/Api/PetApi.cs:757">
P2: Added `petstore_auth2` OAuth block is ineffective: it reuses the same token and `Authorization` guard, so it never applies independently.</violation>
</file>

<file name="samples/client/petstore/csharp/generichost/net10/FormModels/src/Org.OpenAPITools/Api/PetApi.cs">

<violation number="1" location="samples/client/petstore/csharp/generichost/net10/FormModels/src/Org.OpenAPITools/Api/PetApi.cs:850">
P2: AddPetAsync requests two OAuth tokens from the same provider with no discriminator and applies both to the Authorization header, so the second UseInHeader call overwrites the first. The client still cannot send two distinct OAuth credentials for two schemes.</violation>
</file>

<file name="samples/client/petstore/csharp/generichost/net8/FormModels/src/Org.OpenAPITools/Api/PetApi.cs">

<violation number="1" location="samples/client/petstore/csharp/generichost/net8/FormModels/src/Org.OpenAPITools/Api/PetApi.cs:854">
P2: Second OAuth token is fetched from the same provider and applied to the same Authorization header, so it overwrites the first token and cannot represent two distinct OAuth schemes.</violation>
</file>

<file name="samples/client/petstore/csharp/generichost/net10/Petstore/docs/apis/PetApi.md">

<violation number="1" location="samples/client/petstore/csharp/generichost/net10/Petstore/docs/apis/PetApi.md:37">
P3: New petstore_auth2 link points to a README anchor that does not exist, creating a dead documentation link.</violation>
</file>

<file name="samples/client/petstore/csharp/unityWebRequest/standard2.0/Petstore/docs/PetApi.md">

<violation number="1" location="samples/client/petstore/csharp/unityWebRequest/standard2.0/Petstore/docs/PetApi.md:43">
P2: The added multi-OAuth example is misleading: assigning `AccessToken` twice overwrites the first token, so it does not configure separate tokens per auth scheme.</violation>
</file>

<file name="samples/client/petstore/csharp/restsharp/net8/Petstore/docs/PetApi.md">

<violation number="1" location="samples/client/petstore/csharp/restsharp/net8/Petstore/docs/PetApi.md:42">
P2: The added AddPet doc example is misleading: assigning `config.AccessToken` for `petstore_auth2` overwrites the previous OAuth token assignment, so it does not configure two separate OAuth tokens.</violation>
</file>

<file name="samples/client/petstore/csharp/generichost/net8/NullReferenceTypes/src/Org.OpenAPITools/Api/PetApi.cs">

<violation number="1" location="samples/client/petstore/csharp/generichost/net8/NullReferenceTypes/src/Org.OpenAPITools/Api/PetApi.cs:856">
P2: The new second OAuth token application overwrites the Authorization header. OAuthToken.UseInHeader always sets request.Headers.Authorization, so calling it twice means only the last token survives and the client still cannot represent two distinct OAuth credentials.</violation>
</file>

<file name="samples/client/petstore/csharp/generichost/standard2.0/Petstore/src/Org.OpenAPITools/Api/PetApi.cs">

<violation number="1" location="samples/client/petstore/csharp/generichost/standard2.0/Petstore/src/Org.OpenAPITools/Api/PetApi.cs:853">
P2: Second OAuth token overwrites the first Authorization header, so multiple OAuth schemes cannot be sent distinctly.</violation>
</file>

<file name="samples/client/petstore/csharp/generichost/net4.7/Petstore/src/Org.OpenAPITools/Api/PetApi.cs">

<violation number="1" location="samples/client/petstore/csharp/generichost/net4.7/Petstore/src/Org.OpenAPITools/Api/PetApi.cs:854">
P2: Second OAuth token overwrites the Authorization header set by the first token, so only the last token is actually sent.</violation>
</file>

<file name="samples/client/petstore/csharp/generichost/net10/SourceGeneration/src/Org.OpenAPITools/Api/PetApi.cs">

<violation number="1" location="samples/client/petstore/csharp/generichost/net10/SourceGeneration/src/Org.OpenAPITools/Api/PetApi.cs:856">
P2: Two OAuth tokens are fetched from the same provider and both applied via UseInHeader, which always overwrites Authorization; the second token replaces the first, so distinct OAuth schemes cannot be represented.</violation>
</file>

<file name="samples/client/petstore/csharp/generichost/net8/SourceGeneration/src/Org.OpenAPITools/Api/PetApi.cs">

<violation number="1" location="samples/client/petstore/csharp/generichost/net8/SourceGeneration/src/Org.OpenAPITools/Api/PetApi.cs:852">
P2: Second OAuth token application overwrites the first because OAuthToken.UseInHeader always sets the Authorization header; calling the same provider twice without a scheme identifier cannot represent two distinct OAuth credentials.</violation>
</file>

<file name="samples/client/petstore/csharp/generichost/net4.7/FormModels/src/Org.OpenAPITools.Test/Api/ApiTestsBase.cs">

<violation number="1" location="samples/client/petstore/csharp/generichost/net4.7/FormModels/src/Org.OpenAPITools.Test/Api/ApiTestsBase.cs:79">
P2: Second OAuth token uses the same configuration key as the first, preventing distinct credentials for multiple OAuth schemes.</violation>
</file>

<file name="samples/client/petstore/csharp/generichost/net4.8/FormModels/src/Org.OpenAPITools/Api/PetApi.cs">

<violation number="1" location="samples/client/petstore/csharp/generichost/net4.8/FormModels/src/Org.OpenAPITools/Api/PetApi.cs:854">
P2: Second OAuth token application overwrites the Authorization header and cannot represent a distinct OAuth scheme, so the added multi-token support is ineffective.</violation>
</file>

<file name="samples/client/petstore/csharp/generichost/net9/FormModels/src/Org.OpenAPITools/Api/PetApi.cs">

<violation number="1" location="samples/client/petstore/csharp/generichost/net9/FormModels/src/Org.OpenAPITools/Api/PetApi.cs:854">
P2: AddPetAsync fetches two OAuth tokens from the same provider and applies both with UseInHeader, which always sets the Authorization header. The second call overwrites the first, so the client cannot send two distinct OAuth credentials despite the new multi-oauth flow.</violation>
</file>

<file name="samples/client/petstore/csharp/generichost/net9/SourceGeneration/src/Org.OpenAPITools/Api/PetApi.cs">

<violation number="1" location="samples/client/petstore/csharp/generichost/net9/SourceGeneration/src/Org.OpenAPITools/Api/PetApi.cs:856">
P2: Second OAuth token overwrites the first because UseInHeader assigns the Authorization header; only the last token is sent.</violation>
</file>

<file name="samples/client/petstore/csharp/generichost/net9/Petstore/src/Org.OpenAPITools/Api/PetApi.cs">

<violation number="1" location="samples/client/petstore/csharp/generichost/net9/Petstore/src/Org.OpenAPITools/Api/PetApi.cs:854">
P2: AddPetAsync retrieves two OAuth tokens from the same provider and applies both with UseInHeader, but OAuthToken.UseInHeader always sets the single Authorization header, so the second token overwrites the first and multiple OAuth schemes cannot be represented on one request.</violation>
</file>

<file name="samples/client/petstore/csharp/generichost/net4.8/FormModels/src/Org.OpenAPITools.Test/Api/ApiTestsBase.cs">

<violation number="1" location="samples/client/petstore/csharp/generichost/net4.8/FormModels/src/Org.OpenAPITools.Test/Api/ApiTestsBase.cs:79">
P2: Both OAuthToken registrations use the same config key and the same token type, so they cannot be configured independently; the second AddTokens registration can shadow the first TokenContainer<OAuthToken> in DI, defeating “multiple oauth tokens” behavior.</violation>
</file>

<file name="samples/client/petstore/csharp/generichost/net4.8/Petstore/src/Org.OpenAPITools/Api/PetApi.cs">

<violation number="1" location="samples/client/petstore/csharp/generichost/net4.8/Petstore/src/Org.OpenAPITools/Api/PetApi.cs:850">
P2: Second OAuth token overwrites the first because UseInHeader assigns the Authorization header, so the multi-token flow does not preserve both OAuth credentials.</violation>
</file>

<file name="samples/client/petstore/csharp/httpclient/standard2.0/Petstore/src/Org.OpenAPITools/Api/PetApi.cs">

<violation number="1" location="samples/client/petstore/csharp/httpclient/standard2.0/Petstore/src/Org.OpenAPITools/Api/PetApi.cs:757">
P2: The new petstore_auth2 OAuth block is ineffective: it reuses the single global AccessToken and is gated by the same Authorization header check as petstore_auth, so the second scheme is always skipped after the first header is added. This means multiple OAuth schemes are not actually supported despite the added block.</violation>
</file>

<file name="samples/client/petstore/csharp/generichost/net4.7/Petstore/docs/apis/PetApi.md">

<violation number="1" location="samples/client/petstore/csharp/generichost/net4.7/Petstore/docs/apis/PetApi.md:37">
P3: The new petstore_auth2 authorization link points to ../README.md#petstore_auth2, but that README has no such anchor/section, so the documentation link is broken.</violation>
</file>

<file name="samples/client/petstore/csharp/generichost/net10/NullReferenceTypes/src/Org.OpenAPITools.Test/Api/ApiTestsBase.cs">

<violation number="1" location="samples/client/petstore/csharp/generichost/net10/NullReferenceTypes/src/Org.OpenAPITools.Test/Api/ApiTestsBase.cs:79">
P2: Both OAuth tokens are built from the same configuration key and OAuthToken has no scheme identifier, so multiple OAuth schemes cannot be distinguished and share one token value.</violation>
</file>

<file name="samples/client/petstore/csharp/generichost/net4.7/FormModels/src/Org.OpenAPITools/Api/PetApi.cs">

<violation number="1" location="samples/client/petstore/csharp/generichost/net4.7/FormModels/src/Org.OpenAPITools/Api/PetApi.cs:854">
P2: Second OAuth token overwrites the first by writing to Authorization twice without a scheme identifier, so operations requiring multiple OAuth schemes will only send one effective credential.</violation>
</file>

<file name="samples/client/petstore/csharp/unityWebRequest/net10/Petstore/docs/PetApi.md">

<violation number="1" location="samples/client/petstore/csharp/unityWebRequest/net10/Petstore/docs/PetApi.md:42">
P2: The sample assigns `config.AccessToken` twice for two OAuth schemes, but the client only supports a single AccessToken string. The second assignment overwrites the first, so the example can’t actually configure separate tokens for `petstore_auth` and `petstore_auth2` and is misleading.</violation>
</file>

<file name="samples/client/petstore/csharp/generichost/net9/NullReferenceTypes/src/Org.OpenAPITools/Api/PetApi.cs">

<violation number="1" location="samples/client/petstore/csharp/generichost/net9/NullReferenceTypes/src/Org.OpenAPITools/Api/PetApi.cs:856">
P2: Second OAuth token overwrites the first because UseInHeader assigns Authorization directly; the request will only carry the last token, so the new multi-token behavior is ineffective.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[cubic-dev-ai]

P2: The added petstore_auth2 authentication block is a no-op: it uses the same Configuration.AccessToken and the same Authorization guard as petstore_auth, so it never runs after the first block and cannot send a distinct token for the second OAuth scheme.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At samples/client/petstore/csharp/unityWebRequest/standard2.0/Petstore/src/Org.OpenAPITools/Api/PetApi.cs, line 687:

<comment>The added petstore_auth2 authentication block is a no-op: it uses the same Configuration.AccessToken and the same Authorization guard as petstore_auth, so it never runs after the first block and cannot send a distinct token for the second OAuth scheme.</comment>

<file context>
@@ -682,6 +682,12 @@ public Org.OpenAPITools.Client.ApiResponse<Object> AddPetWithHttpInfo(Pet pet)
             }
+            // authentication (petstore_auth2) required
+            // oauth required
+            if (!string.IsNullOrEmpty(this.Configuration.AccessToken) && !localVarRequestOptions.HeaderParameters.ContainsKey("Authorization"))
+            {
+                localVarRequestOptions.HeaderParameters.Add("Authorization", "Bearer " + this.Configuration.AccessToken);
</file context>

[cubic-dev-ai]

P2: The sample assigns config.AccessToken twice for two OAuth schemes, but the client only supports a single AccessToken string. The second assignment overwrites the first, so the example can’t actually configure separate tokens for petstore_auth and petstore_auth2 and is misleading.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At samples/client/petstore/csharp/unityWebRequest/net10/Petstore/docs/PetApi.md, line 42:

<comment>The sample assigns `config.AccessToken` twice for two OAuth schemes, but the client only supports a single AccessToken string. The second assignment overwrites the first, so the example can’t actually configure separate tokens for `petstore_auth` and `petstore_auth2` and is misleading.</comment>

<file context>
@@ -39,6 +39,8 @@ namespace Example
             config.BasePath = "http://petstore.swagger.io:80/v2";
             // Configure OAuth2 access token for authorization: petstore_auth
             config.AccessToken = "YOUR_ACCESS_TOKEN";
+            // Configure OAuth2 access token for authorization: petstore_auth2
+            config.AccessToken = "YOUR_ACCESS_TOKEN";
 
</file context>