[#1044] Align Workload identity configuration support to current Connection Configuration Specification

[ceciliaavila]

Fixes #1044
Fixes #1075

Description

This pull request enhances the authentication configuration system for agent connections by introducing a new authtype property and supporting federated token files for Workload Identity. It standardizes and expands the supported authentication types, updates the logic for acquiring tokens, and improves test coverage for the new configuration options.
Additionally, it fixes an issue with SystemManagedIdentity that was failing when acquiring the access token.

Detailed Change

Authentication configuration and type support:

• Added an AuthType enum to define supported authentication types (e.g., Certificate, ClientSecret, WorkloadIdentity, etc.), and extended the AuthConfiguration interface with new properties: authtype and federatedtokenfile. The WIDAssertionFile property is now marked as deprecated in favor of these new options. [1] [2]

Configuration loading and environment variable support:

• Updated the logic in loadPrevAuthConfigFromEnv and buildLegacyAuthConfig to read the new authtype and federatedtokenfile from environment variables, ensuring backward compatibility and easier configuration. [1] [2]

Token acquisition logic:

• Refactored MsalTokenProvider to use the new authtype property, supporting all defined authentication types through a switch statement. The logic now prioritizes authtype and falls back to legacy properties if not set. Federated token file support is integrated into Workload Identity flows. [1] [2] [3] [4]

Connection management:

• Updated MsalConnectionManager to use the new authtype property for determining the authentication method, improving clarity in connection logging and management.

Testing:

• Added a new test case to verify that tokens can be acquired using the authtype set to WorkloadIdentity and the new federatedtokenfile property, ensuring correct behavior for the updated configuration. [1] [2]

Testing

These images show a sample running and authenticating via WID successfully.

These images show the SystemManagedIdentity token retrieval working.

[Copilot]

Pull request overview

This PR updates agents-hosting authentication configuration to align with the current Connection Configuration Specification by introducing an explicit authtype and federatedtokenfile for Workload Identity, while also adding a dedicated System Managed Identity token acquisition path.

Changes:

• Added AuthType enum and expanded AuthConfiguration with authtype + federatedtokenfile (with WIDAssertionFile marked deprecated).
• Refactored MsalTokenProvider (and connection logging) to prefer authtype and support Workload Identity + SystemManagedIdentity explicitly, with new structured errors.
• Added/updated tests to cover Workload Identity acquisition via the new authtype + federatedtokenfile settings.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 6 comments.

Show a summary per file

File	Description
packages/agents-hosting/src/auth/authConfiguration.ts	Introduces AuthType, adds authtype and federatedtokenfile, and loads them from env/config.
packages/agents-hosting/src/auth/msalTokenProvider.ts	Switches token acquisition to be driven by authtype, adds System Managed Identity path, and integrates new validation errors.
packages/agents-hosting/src/auth/msalConnectionManager.ts	Updates connection logging to prefer authtype and new AuthType values.
packages/agents-hosting/src/errorHelper.ts	Adds new error definitions for unsupported auth types and missing required config for specific auth modes.
packages/agents-hosting/test/hosting/msalTokenProvider.test.ts	Adds WID test coverage for authtype=WorkloadIdentity + federatedtokenfile and adjusts WID test stubbing.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.