[Plugin generation] Kiota should throw error when api contains OAuth with implicit flow #5403

Open
SLdragon opened this issue Sep 12, 2024 · 5 comments
Labels
type:bug A broken experience vscode-extension Work related to the vscode-extension

Comments

@SLdragon

SLdragon commented Sep 12, 2024

What are you generating using Kiota, clients or plugins?

Kiota plugin

In what context or format are you using Kiota?

Windows executable

Client library/SDK language

None

Describe the bug

Copilot does not support OAuth with the implicit flow; currently it only supports OAuth with the authcode flow. Kiota should throw an error if the API the user selected contains OAuth with the implicit flow.

```yaml
components:
  securitySchemes:
    oAuth2AuthImplicit:
      type: oauth2
      description: This API uses OAuth 2 with the implicit grant flow. [More info](https://api.example.com/docs/auth)
      flows:
        implicit:   # <---- OAuth flow(authorizationCode, implicit, password or clientCredentials)
          authorizationUrl: https://api.example.com/oauth2/authorize
          scopes:
            read_pets: read your pets
            write_pets: modify pets in your account
```

Sample schema:
https://raw.githubusercontent.com/SLdragon/example-openapi-spec/main/oauth-implicit.yaml

Related bug:
#5288
#5070
#5162

Expected behavior

Kiota should throw an error

How to reproduce

Open sample schema: https://raw.githubusercontent.com/SLdragon/example-openapi-spec/main/oauth-implicit.yaml -> click generate plugin

Open API description file

No response

Kiota Version

v1.18.100000002

Latest Kiota version known to work for scenario above?(Not required)

No response

Known Workarounds

No response

Configuration

No response

Debug output

Other information

No response
@SLdragon SLdragon added status:waiting-for-triage An issue that is yet to be reviewed or assigned type:bug A broken experience labels Sep 12, 2024
@thewahome thewahome self-assigned this Sep 12, 2024
@thewahome thewahome added the vscode-extension Work related to the vscode-extension label Sep 12, 2024
@petrhollayms petrhollayms added this to the Kiota v1.18.1 milestone Sep 12, 2024
@petrhollayms
Contributor

The original issue for checking the authentication type, #5070, was underspecified; TTK really only supports oauth2 with the authcode flow when looking into https://github.com/OfficeDev/teams-toolkit/blob/7422a1dffb7d54ca5e926e025fcdc72ae0380e17/packages/spec-parser/src/manifestUpdater.ts#L115

@sebastienlevert , @darrelmiller Please confirm Sydney does not support OAuth with implicit flow for GA.

@petrhollayms petrhollayms added pm-input-needed and removed status:waiting-for-triage An issue that is yet to be reviewed or assigned labels Sep 12, 2024
@darrelmiller
Member

darrelmiller commented Sep 12, 2024

Implicit OAuth2 flow is not supported by Copilot. However, just because an OpenAPI does not say the API supports OAuth2 AuthCode does not mean the API doesn't support it. We should not fail to generate a Plugin because of this.

There are many OpenAPI descriptions that do not describe the security capabilities of an API. In fact only 25% of OpenAPI descriptions contain security information. Security information is often conveyed out-of-band.

@petrhollayms
Contributor

Thanks @darrelmiller , so closing as WON'T DO for GA now. We can come back later and revisit if needed.

@petrhollayms petrhollayms closed this as not planned Won't fix, can't repro, duplicate, stale Sep 12, 2024
@petrhollayms petrhollayms removed this from the Kiota v1.18.1 milestone Sep 12, 2024
@SLdragon
Author

> There are many OpenAPI descriptions that do not describe the security capabilities of an API. In fact only 25% of OpenAPI descriptions contain security information. Security information is often conveyed out-of-band.

@darrelmiller , I think you're right. If a user doesn't specify security in their API spec, it doesn't imply the API has no authentication. However, if the API spec includes authentication, we should assume it only supports the specified auth schemes. We could either throw an error or warn the user if an unsupported auth scheme is used, to prevent errors when their plugin runs in Copilot.

Currently, Kiota generates an auth code flow auth property in the ai-plugin.json file when encountering an implicit OAuth flow in the OpenAPI spec, without throwing an error or warning, potentially causing unexpected behavior when running in Copilot.

If we want to avoid blocking the user from generating the plugin file, it's advisable to display a warning message and generate the ai-plugin file without authentication. This allows the user to add the authentication details themselves later.
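One way to implement the behavior proposed in this thread (generate normally when no security is declared, warn and generate without auth when a declared oauth2 flow is unsupported), as an added example and not Kiota's own code; the supported-flow set, the inline sample spec and the `oauth2:<flow>` manifest value are assumptions:

```python
from typing import Dict, List, Tuple

# Flows the plugin runtime accepts. The thread states only the authorization
# code flow is supported today; the set is an assumption kept here for easy updating.
SUPPORTED_OAUTH2_FLOWS = {"authorizationCode"}

# Constructed spec mirroring the securitySchemes snippet from the issue.
# In practice this dict would come from yaml.safe_load() on the OpenAPI file.
IMPLICIT_SPEC = {
    "openapi": "3.0.0",
    "components": {"securitySchemes": {
        "oAuth2AuthImplicit": {
            "type": "oauth2",
            "flows": {"implicit": {
                "authorizationUrl": "https://api.example.com/oauth2/authorize",
                "scopes": {"read_pets": "read your pets"}}}}}},
}

def oauth2_flows(spec: Dict) -> List[Tuple[str, str]]:
    """List (scheme name, flow name) for every oauth2 flow declared in the spec."""
    schemes = spec.get("components", {}).get("securitySchemes") or {}
    return [(name, flow)
            for name, scheme in schemes.items()
            if scheme.get("type") == "oauth2"
            for flow in (scheme.get("flows") or {})]

def unsupported_flows(spec: Dict) -> List[Tuple[str, str]]:
    """Only the oauth2 flows the plugin runtime cannot use (implicit, password, ...)."""
    return [(n, f) for n, f in oauth2_flows(spec) if f not in SUPPORTED_OAUTH2_FLOWS]

def plan_plugin_auth(spec: Dict) -> Dict:
    """Decide the generated manifest's auth, following the thread's three cases."""
    schemes = spec.get("components", {}).get("securitySchemes") or {}
    if not schemes:
        # No security info at all: do not fail; auth may be conveyed out-of-band.
        return {"auth": None, "warnings": []}
    bad = unsupported_flows(spec)
    if bad:
        # Security declared but unsupported: warn and generate without auth
        # so the user can add the right details later instead of silently
        # shipping an authcode property the API never advertised.
        warnings = [f"securityScheme '{n}' uses oauth2 flow '{f}', which the plugin "
                    f"runtime does not support; auth omitted from the manifest"
                    for n, f in bad]
        return {"auth": None, "warnings": warnings}
    good = [f for _, f in oauth2_flows(spec)]
    # Hypothetical manifest value; non-oauth2 schemes (apiKey, http) are not decided here.
    return {"auth": f"oauth2:{good[0]}" if good else None, "warnings": []}
```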

@maisarissi maisarissi reopened this Oct 2, 2024
@maisarissi
Contributor

maisarissi commented Oct 2, 2024

I agree with @SLdragon . We shouldn't fail on OpenAPI descriptions that don't specify security, but if the security is specified, we should check and only create plugins when the authentication flow is supported.
@petrhollayms could you please prioritize this work?
