Refactor MCP token provider selection and fallback logic

[MattB-msft]

Rename DevMcpTokenProvider to EnvMcpTokenProvider and update all usages. Introduce TokenProviderCollection to allow chaining multiple token providers, enabling fallback from environment-based to OBO-based authentication. Update token acquisition logic to handle failures more robustly by removing servers that fail token acquisition and logging warnings. Update tests and remove obsolete aliases. These changes improve flexibility, reliability, and diagnostics for MCP token handling.

This pull request introduces a new TokenProviderCollection to support chaining multiple token providers, improves error handling during token acquisition, and standardizes the naming of the environment-based token provider. The changes enhance flexibility and robustness in how tokens are acquired for MCP servers, especially across different environments (development and production).

Token Provider Refactoring and Chaining:

• Introduced the TokenProviderCollection class, which allows chaining multiple IMcpTokenProvider implementations and tries each in order until a valid token is obtained. This enables seamless fallback between environment-based and agentic token providers. (TokenProviderCollection.cs src/Tooling/Core/Services/TokenProviderCollection.csR1-R44)
• Updated all usages of the old DevMcpTokenProvider to use the new EnvMcpTokenProvider, and replaced direct instantiations with the new TokenProviderCollection to allow for provider chaining in all registration services. [1] [2] [3] [4] [5] [6]

Error Handling Improvements:

• Enhanced error handling in McpToolServerConfigurationService.AttachPerAudienceTokensAsync by logging token acquisition failures per server, aggregating failed servers, and removing them from the list to prevent downstream authentication errors. [1] [2]

Code Cleanup and Renaming:

• Renamed DevMcpTokenProvider to EnvMcpTokenProvider throughout the codebase for clarity and consistency, and updated related references and comments. [1] [2]
• Removed obsolete using statements for the old provider aliases in all affected files. [1] [2] [3]

These changes collectively make the token acquisition process more robust, maintainable, and adaptable to different deployment scenarios.

OTEL telemetry indicating continue after tool lookup failure :

[github-actions]

⚠️ Deprecation Warning: The deny-licenses option is deprecated for possible removal in the next major release. For more information, see issue 997.

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

[Copilot]

Pull request overview

This PR refactors MCP token acquisition to support chaining/fallback across multiple IMcpTokenProvider implementations (environment-based first, then OBO/agentic), and improves robustness by removing servers that fail per-audience token attachment.

Changes:

• Introduces TokenProviderCollection to try multiple token providers in order until a token is obtained.
• Renames DevMcpTokenProvider to EnvMcpTokenProvider and updates extension registration services to use the chained provider approach.
• Updates per-audience token attachment to log acquisition failures and remove servers that cannot be authenticated.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 10 comments.

Show a summary per file

File	Description
src/Tooling/Extensions/SemanticKernel/Services/McpToolRegistrationService.cs	Switches to chained token providers for MCP tool enumeration.
src/Tooling/Extensions/AzureAIFoundry/Services/McpToolRegistrationService.cs	Uses chained token providers; adds dev/prod selection logic (with a nullability concern noted).
src/Tooling/Extensions/AgentFramework/Services/McpToolRegistrationService.cs	Switches to chained token providers for MCP tool enumeration.
src/Tooling/Core/Services/TokenProviderCollection.cs	Adds new chaining token provider implementation (several issues noted).
src/Tooling/Core/Services/McpToolServerConfigurationService.cs	Adds failure handling during token attachment by removing failing servers (cancellation and perf concerns noted).
src/Tooling/Core/Services/EnvMcpTokenProvider.cs	Renames the dev env-var provider class to EnvMcpTokenProvider.
src/Tests/Microsoft.Agents.A365.Tooling.Core.Tests/DevMcpTokenProviderTests.cs	Updates tests to target EnvMcpTokenProvider (naming consistency noted).

[Copilot]

Pull request overview

Copilot reviewed 7 out of 7 changed files in this pull request and generated 11 comments.

Comments suppressed due to low confidence (2)

src/Tooling/Extensions/AgentFramework/Services/McpToolRegistrationService.cs:141

• Same issue as above: this TokenProviderCollection ordering will typically trigger an exception path on every token acquisition in production when env vars aren't set. Consider choosing provider order based on IsDevScenario, or avoiding exception-driven fallback.

            IMcpTokenProvider tokenProvider = new TokenProviderCollection(
                    new EnvMcpTokenProvider(_configuration, _logger),
                    new AgenticMcpTokenProvider(userAuthorization, authHandlerName, turnContext, _configuration, _logger));

src/Tooling/Core/Services/McpToolServerConfigurationService.cs:587

• servers.RemoveAll(s => failedToAquireServers.Contains(s)) is O(n^2) due to List.Contains inside RemoveAll. Consider using a HashSet (or removing by index) to avoid quadratic behavior if the server list grows.

                _logger.LogWarning("Failed to acquire tokens for {Count} MCP servers: {ServerNames}",
                    failedToAquireServers.Count, string.Join(", ", failedToAquireServers.Select(s => s.mcpServerName)));
                // remove servers we failed to acquire tokens for, since they'll likely fail authentication anyway
                servers.RemoveAll(s => failedToAquireServers.Contains(s));
                failedToAquireServers.Clear();