Add support for custom scopes in agentic instance tokens#818
Open
MattB-msft wants to merge 5 commits into
Open
Add support for custom scopes in agentic instance tokens#818MattB-msft wants to merge 5 commits into
MattB-msft wants to merge 5 commits into
Conversation
The GetAgenticInstanceTokenAsync method now accepts an optional scopes parameter, allowing callers to specify custom scopes when acquiring an agentic instance token. If no scopes are provided, the default "api://AzureAdTokenExchange/.default" is used. All interface definitions and call sites have been updated for compatibility.
MattB-msft
requested review from
a team,
ceciliaavila and
sw-joelmut
as code owners
Contributor
There was a problem hiding this comment.
Pull request overview
This PR updates the agentic authentication surface to allow callers to request agentic instance tokens with custom OAuth scopes, while preserving a default scope (api://AzureAdTokenExchange/.default) when none are provided.
Changes:
- Extended the agentic instance-token acquisition API to accept a scopes list and updated internal call sites accordingly.
- Updated
MsalAuthto resolve scopes (caller-provided vs default) before calling MSALAcquireTokenForClient. - Propagated the new parameter through builder-layer helpers that wrap/consume
IAgenticTokenProvider.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
| src/libraries/Core/Microsoft.Agents.Authentication/IAgenticTokenProvider.cs | Updates the public token-provider interface to accept scopes for instance-token acquisition. |
| src/libraries/Builder/Microsoft.Agents.Builder/UserAuth/AgenticAuth/AgenticUserAuthorization.cs | Updates the agentic auth flow to pass the new scopes argument (currently null) when requesting instance tokens. |
| src/libraries/Builder/Microsoft.Agents.Builder/RestChannelServiceClientFactory.cs | Updates agentic connector-client token acquisition call to include the new scopes argument (currently null). |
| src/libraries/Builder/Microsoft.Agents.Builder/App/AgenticAuthorization.cs | Adds an optional scopes parameter to the builder-facing helper and forwards it to the token provider. |
| src/libraries/Authentication/Authentication.Msal/MsalAuth.cs | Implements scope resolution for instance tokens (custom scopes or default) before acquiring the token via MSAL. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| @@ -11,7 +11,7 @@ public interface IAgenticTokenProvider | |||
| { | |||
| Task<string> GetAgenticApplicationTokenAsync(string tenantId, string agentAppInstanceId, CancellationToken cancellationToken = default); | |||
|
|
|||
Member
There was a problem hiding this comment.
Probably should add another GetAgenticInstanceTokenAsync with the scopes argument for now.
| @@ -55,7 +55,7 @@ public AgenticAuthorization(IConnections connections) | |||
| _connections = connections; | |||
| } | |||
|
|
|||
Comment on lines
+213
to
217
| IList<string> resolvedScopes = scopes != null && scopes.Count > 0 ? scopes : new List<string>() { "api://AzureAdTokenExchange/.default" }; | ||
|
|
||
| var agentInstanceToken = await instanceApp | ||
| .AcquireTokenForClient(["api://AzureAdTokenExchange/.default"]) | ||
| .AcquireTokenForClient(resolvedScopes) | ||
| .ExecuteAsync(cancellationToken).ConfigureAwait(false); |
Member
Author
There was a problem hiding this comment.
@copilot apply changes based on this feedback
make sure you account for a null scopes list case in testing
Contributor
There was a problem hiding this comment.
Implemented in commit 6c21012. I added focused MsalAuthTests coverage for GetAgenticInstanceTokenAsync to verify custom scopes are used and that both null and empty scope lists correctly fall back to api://AzureAdTokenExchange/.default.
Agent-Logs-Url: https://github.com/microsoft/Agents-for-net/sessions/3f53bdf6-edc7-4b96-8ace-06b820c2d94e Co-authored-by: MattB-msft <10568244+MattB-msft@users.noreply.github.com>
Agent-Logs-Url: https://github.com/microsoft/Agents-for-net/sessions/3f53bdf6-edc7-4b96-8ace-06b820c2d94e Co-authored-by: MattB-msft <10568244+MattB-msft@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The GetAgenticInstanceTokenAsync method now accepts an optional scopes parameter, allowing callers to specify custom scopes when acquiring an agentic instance token. If no scopes are provided, the default "api://AzureAdTokenExchange/.default" is used. All interface definitions and call sites have been updated for compatibility.
This pull request updates the agentic authentication flow to allow specifying custom scopes when acquiring instance tokens. The changes add an optional
scopesparameter to the relevant methods and ensure backward compatibility by defaulting to the original scope if none is provided.Authentication API changes:
IList<string> scopesparameter toGetAgenticInstanceTokenAsyncin theIAgenticTokenProviderinterface and its implementations, allowing callers to specify custom scopes for token acquisition. [1] [2] [3]MsalAuth.csto use the provided scopes or fall back to the default"api://AzureAdTokenExchange/.default"scope if none are specified.Call site updates:
GetAgenticInstanceTokenAsyncto pass the newscopesparameter, usingnullwhere custom scopes are not needed, ensuring backward compatibility. [1] [2] [3] [4]