Refactor Authorization flow #650
Pull Request Overview
This PR refactors the internal authorization structure in the AgentApplication, removing deprecated classes while preserving public API functionality for samples. The changes streamline the authentication flow by replacing the complex beginOrContinueFlow mechanism with a simpler authorization manager approach.
- Complete removal of deprecated OAuthFlow class and related internal authorization classes
- Replacement with new AuthorizationManager system that handles route-level authorization checking
- Preservation of essential public methods (getToken, exchangeToken, signOut) for backward compatibility
Reviewed Changes
Copilot reviewed 32 out of 32 changed files in this pull request and generated 2 comments.
File | Description |
---|---|
test-agents/web-chat/src/webChatSso.ts | Removed deprecated WebChatSsoHandler using old OAuthFlow approach |
test-agents/web-chat/src/index.ts | Removed webChatSso agent registration from test agents |
test-agents/application-style/src/webChatSso.ts | Removed deprecated application-style SSO implementation |
test-agents/application-style/src/index.ts | Removed webChatSso module loading |
samples/compat/oauthFlowHandler.ts | Removed compatibility sample using deprecated OAuthFlowHandler |
samples/auth/oneProvider.ts | Removed deprecated beginOrContinueFlow call |
samples/auth/oAuthAgent.ts | Removed deprecated OAuth agent sample implementation |
samples/auth/createAppDemo.ts | Removed deprecated create app demo |
samples/auth/autoAuth.ts | Updated to use new authorization flow patterns and improved error handling |
packages/agents-hosting/test/hosting/oauthflow.test.ts | Removed tests for deprecated OAuthFlow class |
packages/agents-hosting/test/hosting/app/authorization.test.ts | Updated tests for new authorization structure |
packages/agents-hosting/test/cases/ | Added comprehensive authentication test documentation |
packages/agents-hosting/src/oauth/userTokenClient.types.ts | Added optional connectionName to TokenExchangeRequest |
packages/agents-hosting/src/oauth/oAuthFlow.ts | Removed deprecated OAuthFlow class |
packages/agents-hosting/src/oauth/index.ts | Removed OAuthFlow export |
packages/agents-hosting/src/app/auth/ | Added new authorization system with handlers and manager |
packages/agents-hosting/src/app/agentApplication.ts | Updated to use new authorization manager for route processing |
compat/baseline/agents-hosting.api.md | Updated API documentation reflecting breaking changes |
* Licensed under the MIT License. | ||
*/ | ||
|
||
import { debug } from '@microsoft/agents-activity' |
Copilot AI, Oct 13, 2025
Incorrect import path. The debug function should be imported from '@microsoft/agents-activity/logger', not '@microsoft/agents-activity'.
import { debug } from '@microsoft/agents-activity' | |
import { debug } from '@microsoft/agents-activity/logger' |
this.onConversationUpdate('membersAdded', this._status) | ||
this.authorization.onSignInSuccess(this._singinSuccess) | ||
// this.authorization.onSignInFailure(this._singinFailure) | ||
this.authorization.onSignInFailure(this._singinFailure) |
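Review bot: the commented-out `// this.authorization.onSignInFailure(this._singinFailure)` directly above the live call is dead code and should be deleted rather than left beside its duplicate. The handler fields `_singinSuccess` and `_singinFailure` are also misspelled; rename them `_signInSuccess` and `_signInFailure` so they match `onSignInSuccess`/`onSignInFailure`.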
Copilot AI, Oct 13, 2025
Corrected spelling of 'singin' to 'signin' in method name.
…a' into southworks/update/refactor-auth
2f53b31 into users/benbro/merge-with-cecilia
* add baseline support for agentic identity tokens. currently requires a patched msal-node
* no more dependency on modified msal
* Implement connections and connectionsMap
* clean up console.logs, add memory cache
* apply linter formatting rules
* Use default connection to populate settings
* Define constants for new roles -- see #627
* fix samples
* add helper functions for agentic identity
* Add descriptions of new fields in channelAccount
* Add getTokenProviderFromActivity method
* Simplify loadConnections function with object-path package
* Simplify loadAuthConfigFromEnv by reusing code
* move tenantId to the root of ChannelAccount instead of being only in TeamsChannelAccount
* Resolves #629 add APX Scope constants
* update function names to match JS style
* fix case
* Clarify purpose of custom http auth call
* lint fix
* Fix default connection logic
* merged code
* move to use dynamic token provider
* Adjusted CloudAdapter uploadAttachment/getAttachmentInfo/getAttachment
* fixes for agentic with connections manager
* Update UserTokenClient to be created per request
* update to use symbol key
* Remove comments
* Remove unused authConfig param
* Update verifyToken to use connection settings
* Fix lint
* ContinueConversation
* Cleanup and merge fixes
* Lint fixes
* [#605] Add Agentic flag to AgentApplication routes (#647)
  * Add isAgenticRoute flag
  * Add agentic routes unit tests
  * Update routes sample
  * Fix failing test in jwt-middleware.test
  * Lint fixes
  * Sample fixes
  * Lint fix
  ---------
  Co-authored-by: tracyboehrer <[email protected]>
  Co-authored-by: Tracy Boehrer <[email protected]>
* Creating UserTokenClient for process and continueConversation
* Removed unused UserTokenClient properties and arguments
* Corrected some argument types
* start:anon (#653)
  Co-authored-by: Tracy Boehrer <[email protected]>
* Fixed UserTokenClient scope (#656)
  Co-authored-by: Tracy Boehrer <[email protected]>
* Corrected UserTokenClient endpoint (#660)
  * Corrected UserTokenClient endpoint
  * Lint corrections
  ---------
  Co-authored-by: Tracy Boehrer <[email protected]>
* Refactor Authorization flow (#650)
  * Refactor authorization functionality
  * Fix some small issues
  * Fix some issues
  * fix test
  * Fix types and add comments
  * Fix user token client
  * Fix connections and shared data across handlers
* [#603] Rethink how authority and issuers can be customized when not using load** (#661)
  * Add function to get custom AuthConfig with defaults
  * Improve function
  * Fix scope in createUserTokenClient
  ---------
  Co-authored-by: tracyboehrer <[email protected]>
* Remove unused
* Add missing param in continueConversation (#663)
* Corrected AgentApplication tests (#662)
  Co-authored-by: Tracy Boehrer <[email protected]>
* fix cloud adapter tests, fix issue in cloudAdapter where expectReplies was not handled properly (#665)
  Co-authored-by: tracyboehrer <[email protected]>
* Lint fixes (#666)
  Co-authored-by: Tracy Boehrer <[email protected]>
* More lint fixes (#667)
  Co-authored-by: Tracy Boehrer <[email protected]>
* Fix AgentApplication unit tests (#673)
* Truncate conversationIds longer than 325 (#668)
  Co-authored-by: tracyboehrer <[email protected]>
* Fix turncontext tests (#671)
  * Fix cloudAdapter linter problems
  * update syntax for adapter members
  * Do not start cache purge unless values exist
  * throw an error if payload of jwt is empty
  * remove console.log
  ---------
  Co-authored-by: tracyboehrer <[email protected]>
* MemoryCache lint errors (#674)
  Co-authored-by: Tracy Boehrer <[email protected]>
* Add OBO connection and scopes (#677)
  * Add OBO connection and scopes
  * Fix jsdoc
  * Add default sign-in text
  * Fix doc
* Use agenticUserId field (#669)
  * For agentic access token, use agenticUserId field instead of ID field.
  * Change `username` to `user_id` in agenticUserToken request
  ---------
  Co-authored-by: tracyboehrer <[email protected]>
* Fix some samples (#678)
  Co-authored-by: tracyboehrer <[email protected]>
---------
Co-authored-by: CeciliaAvila <[email protected]>
Co-authored-by: Tracy Boehrer <[email protected]>
Co-authored-by: tracyboehrer <[email protected]>
Co-authored-by: Cecilia Avila <[email protected]>
Co-authored-by: Joel Mut <[email protected]>
Fixes #377
Fixes #466
Fixes #516
Fixes #517
Fixes #628
Doesn't fix these issues yet
#590
Important
The new internal authorization structure removed all related classes like authorization.ts, oAuthFlow.ts, and samples.
More information about the breaking changes can be found in compat/baseline/agents-hosting.api.md
Description
This PR refactors the internals of the AgentApplication authorization flow, leaving just the functionality a sample needs to use (getToken, exchangeToken, signOut, etc.).
We removed the use of beginOrContinueFlow as this is intended to be used internally.
The new auth flow consists of detecting whether a route handler is authorized to be executed. When an authorization handler is configured, the new auth flow detects it and initiates the authentication flow, retrieving the sign-in OAuth card; the user then copies and pastes the magic code, and the auth flow detects that there is an active auth flow and sends the magic code to the service, retrieving the token.
Related classes for the structure:
Sequence diagram
Testing
The following image shows a few of the tested flows.
