Add support for Agentic identity tokens #641
Merged
tracyboehrer merged 69 commits into main from Oct 16, 2025
…a patched msal-node
…TeamsChannelAccount
…gents-for-js into users/benbro/agentic-identity
…r-attachments Adjusted CloudAdapter uploadAttachment/getAttachmentInfo/getAttachment
…microsoft/Agents-for-js into users/benbro/merge-with-cecilia
Co-authored-by: Tracy Boehrer <trboehre@microsoft.com>
…s was not handled properly (#665) Co-authored-by: tracyboehrer <tracyboehrer@users.noreply.github.com>
Co-authored-by: Tracy Boehrer <trboehre@microsoft.com>
Co-authored-by: Tracy Boehrer <trboehre@microsoft.com>
Co-authored-by: tracyboehrer <tracyboehrer@users.noreply.github.com>
* Fix cloudAdapter linter problems
* update syntax for adapter members
* Do not start cache purge unless values exist
* throw an error if payload of jwt is empty
* remove console.log
---------
Co-authored-by: tracyboehrer <tracyboehrer@users.noreply.github.com>
Co-authored-by: Tracy Boehrer <trboehre@microsoft.com>
* Add OBO connection and scopes
* Fix jsdoc
* Add default sign-in text
* Fix doc
* For agentic access token, use agenticUserId field instead of ID field.
* Change `username` to `user_id` in agenticUserToken request
---------
Co-authored-by: tracyboehrer <tracyboehrer@users.noreply.github.com>
tracyboehrer
previously approved these changes
Oct 16, 2025
Pull Request Overview
This PR adds support for Agentic identity tokens, enabling agent applications to respond appropriately to multiple agentic identities by creating access tokens for specific app and/or user contexts rather than using the default agent identity.
Key changes include:
- Introduction of new authorization system with multiple handler types (Azure Bot and Agentic)
- Addition of agentic token acquisition methods (instance, user, and application tokens)
- Breaking changes to `continueConversation` and attachment methods requiring additional parameters
- Removal of deprecated OAuth flow components and SSO handlers
Reviewed Changes
Copilot reviewed 71 out of 72 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| test-agents/web-chat/src/webChatSso.ts | Removed entire WebChatSso handler implementation |
| test-agents/web-chat/src/index.ts | Updated continueConversation call and removed webChatSso case |
| test-agents/root-agent/src/agent.ts | Updated postActivity call with placeholder config |
| test-agents/application-style/src/webChatSso.ts | Removed entire application-style WebChatSso handler |
| samples/teams/teamsInfoExample.ts | Updated to extract tenantId from channel data instead of adapter config |
| samples/basic/routes.ts | Added agentic route handler example |
| samples/basic/proactive.ts | Updated continueConversation calls with clientId parameter |
| packages/agents-hosting/src/cloudAdapter.ts | Major refactor with new connection management and agentic token support |
Comments suppressed due to low confidence (2)
packages/agents-hosting/src/cloudAdapter.ts:1
- The magic number `325` should be extracted to a named constant to improve code readability and maintainability. Consider adding a comment explaining why this specific limit exists.
packages/agents-hosting/src/cloudAdapter.ts:1
- Duplicate code: The conversation ID trimming logic appears multiple times. Consider extracting this into a private method to avoid repetition and ensure consistent behavior.
benbrown
commented
Oct 16, 2025
benbrown
left a comment
Approved pending a few small tweaks as mentioned
Co-authored-by: tracyboehrer <tracyboehrer@users.noreply.github.com>
ceciliaavila
approved these changes
Oct 16, 2025
Part of #604, this change introduces new methods to obtain new types of agentic token.
These are used when an incoming request contains Agentic identity elements in the recipient object. Rather than create an outbound connection with the default agent identity, this will load the appropriate agentic identity and create access tokens for that app and/or user.
This will allow a single agent application to respond appropriately to multiple agentic identities.
Resolves #627 update the model
Resolves #629 add the APX scope constants
Fixes #626 Connections and Connection Map
Fixes #630
Fixes #605
Fixes #648
Fixes #377
Fixes #466
Fixes #516
Fixes #517
Fixes #628
Breaking changes
- `CloudAdapter.continueConversation` adds the `botAppIdOrIdentity: string | JwtPayload` argument
- `AgentApplication.sendProactiveActivity` adds the `botAppIdOrIdentity: string | JwtPayload` argument
- `TurnContext` argument
- `CloudAdapter.ConnectorClient` and `CloudAdapter.UserTokenClient` have been removed. Get current of each via `TurnContext.turnState`
- `AgentApplication.authorization.beginOrContinueFlow` removed, `AgentApplication.authorization.authHandlers` removed.
- `oAuthFlow` class removed index.ts.
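
The identity selection described above, as an added sketch that is not code from this PR or from the Agents SDK: it picks the outbound identity from the recipient object, fails closed on an empty JWT payload, and keys cached tokens per identity. `agenticAppId`, the use of the `aud` claim, the rejection policy and all function and type names are assumptions made for the example; only `agenticUserId` and the `string | JwtPayload` shape come from the page.

```typescript
// Added illustration, not code from microsoft/Agents-for-js.
interface Recipient {
  id: string
  agenticAppId?: string // assumed field name for the agentic app identity
  agenticUserId?: string // field named in the PR's commit notes
}
type JwtPayloadLike = Record<string, unknown>
type IdentityChoice =
  | { kind: 'default', appId: string }
  | { kind: 'agenticApp', appId: string }
  | { kind: 'agenticUser', appId: string, userId: string }

// Accepts the string | JwtPayload shape and fails closed on an empty payload.
// Reading the app id from the `aud` claim is an assumption of this sketch.
function resolveAppId (botAppIdOrIdentity: string | JwtPayloadLike): string {
  if (typeof botAppIdOrIdentity === 'string') {
    if (botAppIdOrIdentity.trim() === '') throw new Error('empty app id')
    return botAppIdOrIdentity
  }
  if (Object.keys(botAppIdOrIdentity).length === 0) throw new Error('empty JWT payload')
  const aud = botAppIdOrIdentity.aud
  if (typeof aud !== 'string' || aud === '') throw new Error('no usable aud claim')
  return aud
}

// Pick the identity for the outbound connection from the recipient object.
function chooseIdentity (recipient: Recipient, botAppIdOrIdentity: string | JwtPayloadLike): IdentityChoice {
  const defaultAppId = resolveAppId(botAppIdOrIdentity)
  const { agenticAppId, agenticUserId } = recipient
  if (agenticUserId && !agenticAppId) {
    // Assumed policy: a user identity without its app identity is rejected,
    // never silently downgraded to the default agent identity.
    throw new Error('agenticUserId present without agenticAppId')
  }
  if (agenticAppId && agenticUserId) {
    // The user token is keyed on agenticUserId, not on recipient.id.
    return { kind: 'agenticUser', appId: agenticAppId, userId: agenticUserId }
  }
  if (agenticAppId) return { kind: 'agenticApp', appId: agenticAppId }
  return { kind: 'default', appId: defaultAppId }
}

// Cache key that keeps tokens for different identities apart.
function tokenCacheKey (c: IdentityChoice): string {
  return JSON.stringify(c.kind === 'agenticUser' ? [c.kind, c.appId, c.userId] : [c.kind, c.appId])
}
```

Keying the cache on the full identity tuple means a token acquired for one agentic user is never returned for another user or for the default agent identity.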