Add bearer auth tunnel option

cs/src/Contracts/TunnelOptions.cs

@@ -95,6 +95,31 @@ public class TunnelOptions
         [JsonIgnore(Condition = JsonIgnoreCondition.WhenWritingDefault)]
         public bool? IsPartitionedSiteAuthenticationEnabled { get; set; }
 
+        /// <summary>
+        /// Gets or sets a value indicating whether web requests to the tunnel or port can be directly
+        /// authenticated with bearer token authentication by supplying an `Authorization` header with
+        /// an Entra ID or GitHub token of a user with access to the tunnel. The default is false,
+        /// which means only the tunnel web authentication cookie or `X-Tunnel-Authorization` header
+        /// can be used for authenticating web requests to the tunnel.
+        /// </summary>
+        /// <remarks>
+        /// When this option is enabled, AND neither a tunnel web authentication cookie nor an
+        /// `X-Tunnel-Authorization` header is present in a web request, the tunnel relay will attempt
+        /// to authenticate the request using the `Authorization` header with Entra ID or GitHub
+        /// credentials. In that case the `Authorization` header will be stripped from the request
+        /// before it is forwarded to the host application.
+        ///
+        /// Enabling this option may be desirable for API tunnels, where clients are likely to have
+        /// better support for bearer token authentication using the `Authorization` header. However,
+        /// interception of that header could block host applications which themselves implement
+        /// bearer token authentication, which is why this option is disabled by default.
+        ///
+        /// This option does not apply to the tunnel management API, which always supports bearer
+        /// token authentication using the `Authorization` header.
+        /// </remarks>
+        [JsonIgnore(Condition = JsonIgnoreCondition.WhenWritingDefault)]
+        public bool? IsBearerTokenAuthenticationEnabled { get; set; }
+
         /// <summary>
         /// Gets or sets the timeout for HTTP requests to the tunnel or port.
         /// </summary>

go/tunnels/tunnel_options.go

@@ -59,6 +59,26 @@ type TunnelOptions struct {
 	// do not support partitioning.
 	IsPartitionedSiteAuthenticationEnabled bool `json:"isPartitionedSiteAuthenticationEnabled,omitempty"`
 
+	// Gets or sets a value indicating whether web requests to the tunnel or port can be
+	// directly authenticated with bearer token authentication by supplying an
+	// `Authorization` header with an Entra ID or GitHub token of a user with access to the
+	// tunnel. The default is false, which means only the tunnel web authentication cookie or
+	// `X-Tunnel-Authorization` header can be used for authenticating web requests to the
+	// tunnel.
+	//
+	// When this option is enabled, AND neither a tunnel web authentication cookie nor an
+	// `X-Tunnel-Authorization` header is present in a web request, the tunnel relay will
+	// attempt to authenticate the request using the `Authorization` header with Entra ID or
+	// GitHub credentials. In that case the `Authorization` header will be stripped from the
+	// request before it is forwarded to the host application.  Enabling this option may be
+	// desirable for API tunnels, where clients are likely to have better support for bearer
+	// token authentication using the `Authorization` header. However, interception of that
+	// header could block host applications which themselves implement bearer token
+	// authentication, which is why this option is disabled by default.  This option does not
+	// apply to the tunnel management API, which always supports bearer token authentication
+	// using the `Authorization` header.
+	IsBearerTokenAuthenticationEnabled     bool `json:"isBearerTokenAuthenticationEnabled,omitempty"`
+
 	// Gets or sets the timeout for HTTP requests to the tunnel or port.
 	//
 	// The default timeout is 100 seconds. Set this to 0 to disable the timeout. The timeout

go/tunnels/tunnels.go

@@ -10,7 +10,7 @@ import (
 	"github.com/rodaine/table"
 )
 
-const PackageVersion = "0.1.19"
+const PackageVersion = "0.1.20"
 
 func (tunnel *Tunnel) requestObject() (*Tunnel, error) {
 	convertedTunnel := &Tunnel{

java/src/main/java/com/microsoft/tunnels/contracts/TunnelOptions.java

@@ -88,6 +88,29 @@ public class TunnelOptions {
     @Expose
     public boolean isPartitionedSiteAuthenticationEnabled;
 
+    /**
+     * Gets or sets a value indicating whether web requests to the tunnel or port can be
+     * directly authenticated with bearer token authentication by supplying an
+     * `Authorization` header with an Entra ID or GitHub token of a user with access to
+     * the tunnel. The default is false, which means only the tunnel web authentication
+     * cookie or `X-Tunnel-Authorization` header can be used for authenticating web
+     * requests to the tunnel.
+     *
+     * When this option is enabled, AND neither a tunnel web authentication cookie nor an
+     * `X-Tunnel-Authorization` header is present in a web request, the tunnel relay will
+     * attempt to authenticate the request using the `Authorization` header with Entra ID
+     * or GitHub credentials. In that case the `Authorization` header will be stripped
+     * from the request before it is forwarded to the host application.  Enabling this
+     * option may be desirable for API tunnels, where clients are likely to have better
+     * support for bearer token authentication using the `Authorization` header. However,
+     * interception of that header could block host applications which themselves
+     * implement bearer token authentication, which is why this option is disabled by
+     * default.  This option does not apply to the tunnel management API, which always
+     * supports bearer token authentication using the `Authorization` header.
+     */
+    @Expose
+    public boolean isBearerTokenAuthenticationEnabled;
+
     /**
      * Gets or sets the timeout for HTTP requests to the tunnel or port.
      *

rs/src/contracts/tunnel_options.rs

@@ -70,6 +70,27 @@ pub struct TunnelOptions {
     #[serde(default)]
     pub is_partitioned_site_authentication_enabled: Option<bool>,
 
+    // Gets or sets a value indicating whether web requests to the tunnel or port can be
+    // directly authenticated with bearer token authentication by supplying an
+    // `Authorization` header with an Entra ID or GitHub token of a user with access to
+    // the tunnel. The default is false, which means only the tunnel web authentication
+    // cookie or `X-Tunnel-Authorization` header can be used for authenticating web
+    // requests to the tunnel.
+    //
+    // When this option is enabled, AND neither a tunnel web authentication cookie nor an
+    // `X-Tunnel-Authorization` header is present in a web request, the tunnel relay will
+    // attempt to authenticate the request using the `Authorization` header with Entra ID
+    // or GitHub credentials. In that case the `Authorization` header will be stripped
+    // from the request before it is forwarded to the host application.  Enabling this
+    // option may be desirable for API tunnels, where clients are likely to have better
+    // support for bearer token authentication using the `Authorization` header. However,
+    // interception of that header could block host applications which themselves
+    // implement bearer token authentication, which is why this option is disabled by
+    // default.  This option does not apply to the tunnel management API, which always
+    // supports bearer token authentication using the `Authorization` header.
+    #[serde(default)]
+    pub is_bearer_token_authentication_enabled: Option<bool>,
+
     // Gets or sets the timeout for HTTP requests to the tunnel or port.
     //
     // The default timeout is 100 seconds. Set this to 0 to disable the timeout. The

ts/src/connections/package.json

@@ -18,8 +18,8 @@
 		"buffer": "^5.2.1",
 		"debug": "^4.1.1",
 		"vscode-jsonrpc": "^4.0.0",
-		"@microsoft/dev-tunnels-contracts": "^1.3.7",
-		"@microsoft/dev-tunnels-management": "^1.3.7",
+		"@microsoft/dev-tunnels-contracts": "^1.3.8",
+		"@microsoft/dev-tunnels-management": "^1.3.8",
 		"@microsoft/dev-tunnels-ssh": "^3.12.12",
 		"@microsoft/dev-tunnels-ssh-tcp": "^3.12.12",
 		"uuid": "^3.3.3",

ts/src/contracts/tunnelOptions.ts

@@ -77,6 +77,28 @@ export interface TunnelOptions {
      */
     isPartitionedSiteAuthenticationEnabled?: boolean;
 
+    /**
+     * Gets or sets a value indicating whether web requests to the tunnel or port can be
+     * directly authenticated with bearer token authentication by supplying an
+     * `Authorization` header with an Entra ID or GitHub token of a user with access to
+     * the tunnel. The default is false, which means only the tunnel web authentication
+     * cookie or `X-Tunnel-Authorization` header can be used for authenticating web
+     * requests to the tunnel.
+     *
+     * When this option is enabled, AND neither a tunnel web authentication cookie nor an
+     * `X-Tunnel-Authorization` header is present in a web request, the tunnel relay will
+     * attempt to authenticate the request using the `Authorization` header with Entra ID
+     * or GitHub credentials. In that case the `Authorization` header will be stripped
+     * from the request before it is forwarded to the host application.  Enabling this
+     * option may be desirable for API tunnels, where clients are likely to have better
+     * support for bearer token authentication using the `Authorization` header. However,
+     * interception of that header could block host applications which themselves
+     * implement bearer token authentication, which is why this option is disabled by
+     * default.  This option does not apply to the tunnel management API, which always
+     * supports bearer token authentication using the `Authorization` header.
+     */
+    isBearerTokenAuthenticationEnabled?: boolean;
+
     /**
      * Gets or sets the timeout for HTTP requests to the tunnel or port.
      *

ts/src/management/package.json

@@ -18,7 +18,7 @@
 		"buffer": "^5.2.1",
 		"debug": "^4.1.1",
 		"vscode-jsonrpc": "^4.0.0",
-		"@microsoft/dev-tunnels-contracts": "^1.3.7",
+		"@microsoft/dev-tunnels-contracts": "^1.3.8",
 		"axios": "^1.8.4"
 	}
 }