Support Entra inbound Agent ID tokens #629
This change is part of the following stack: Change managed by git-spice.
Addressed all review comments:

- "kind of a weird thing to test for JwtValidator construction times" — Agreed, removed. Now testing behavior (correct args to
- "No need for this" / "But wait why is it called twice?" — It was called twice because once in the constructor (BotFramework validator) and once for the Entra validator. Removed those assertions — they were testing implementation details. Cache test now checks
- "Do we really need to mock JwtValidator? Can't we just call it?" — We need the mock because the real
Pull request overview
Adds support for validating inbound Microsoft Entra ID JWTs (Agent 365) in addition to existing Bot Framework service tokens, by routing validation based on the token issuer and using tenant-specific Entra validation configuration.
Changes:

- Route tokens by the unverified `iss` claim (Entra vs Bot Framework) and validate Entra tokens with per-tenant `JwtValidator` instances cached by `tid`.
- Add a `decodeJwtPayload` export to enable pre-validation inspection of JWT payload claims.
- Extend unit tests to cover issuer routing, Entra `tid` requirements, and validator caching behavior.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| packages/apps/src/middleware/auth/service-token-validator.ts | Adds issuer-based routing and per-tenant Entra validator cache. |
| packages/apps/src/middleware/auth/service-token-validator.spec.ts | Updates mocks and adds tests for Entra/Bot Framework routing and cache bounding. |
| packages/apps/src/middleware/auth/jwt-validator.ts | Exposes a helper to decode JWT payloads without verification for routing/inspection. |
corinagum left a comment:
Qq: for Agent 365, is the bot's appId the same registration as the "blueprint app id" these Entra tokens are minted for?
Yup. Bot's app id == blueprint id
Adds support for validating inbound Entra ID tokens (used by Agent 365) alongside existing BotFramework tokens:

- `ServiceTokenValidator` now routes tokens based on issuer — Entra vs BotFramework
- Entra tokens are validated by their `iss` and `tid` claims
- Per-tenant `JwtValidator` instances with bounded LRU cache (max 100)
- Export `decodeJwtPayload` from `jwt-validator` for pre-validation inspection

Note: Does not currently do service url validation (not present in Token)
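The routing scheme described in the Copilot overview and in the PR description above, written out as an added example (this is not the SDK's code and none of the class or function names below are the project's, apart from `decodeJwtPayload`, which is reimplemented here). It assumes the Bot Framework issuer is `https://api.botframework.com` and that Entra v2 tokens carry `iss` of the form `https://login.microsoftonline.com/{tid}/v2.0`; an HS256 validator with a constructed per-tenant key stands in for RS256/JWKS so the whole thing runs offline. The two security-relevant points it makes concrete: the unverified `iss`/`tid` are used only to pick a validator and the verified claims are re-checked against that routing decision afterwards, and the per-`tid` cache is bounded because `tid` is attacker-chosen until the signature has been verified.

```typescript
// Added example, not the SDK's code. Names (Validator, HmacValidator, LruCache, ServiceTokenValidator)
// and the issuer strings are assumptions; HS256 with a constructed per-tenant key replaces RS256/JWKS.
import { createHmac, timingSafeEqual } from "node:crypto";

export type Claims = { iss?: string; tid?: string; aud?: string; exp?: number; [k: string]: unknown };
export interface Validator { validate(token: string): Claims }

export const BOT_FRAMEWORK_ISSUER = "https://api.botframework.com"; // assumed
const ENTRA_ISSUER = (tid: string) => `https://login.microsoftonline.com/${tid}/v2.0`; // assumed v2 form
const ENTRA_ISSUER_RE =
  /^https:\/\/login\.microsoftonline\.com\/([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})\/v2\.0$/;
const b64url = (b: Buffer) => b.toString("base64url");

// Decodes the payload WITHOUT checking the signature: fine for choosing a validator, never for authorization.
export function decodeJwtPayload(token: string): Claims {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed JWT");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8")) as Claims;
}

export type Route = { kind: "botframework" } | { kind: "entra"; tid: string } | { kind: "unknown" };

// Routing uses only unverified claims; the tenant in `iss` must agree with `tid` before a validator is picked.
export function routeToken(token: string): Route {
  const { iss, tid } = decodeJwtPayload(token);
  if (iss === BOT_FRAMEWORK_ISSUER) return { kind: "botframework" };
  const m = typeof iss === "string" ? ENTRA_ISSUER_RE.exec(iss) : null;
  return m && m[1] === tid ? { kind: "entra", tid: m[1] } : { kind: "unknown" };
}

// Toy validator: HS256 signature, then pinned issuer/audience and expiry. Stands in for the SDK's JwtValidator.
export class HmacValidator implements Validator {
  constructor(private key: Buffer, private iss: string, private aud: string) {}
  validate(token: string): Claims {
    const [h, p, s] = token.split(".");
    const mac = createHmac("sha256", this.key).update(`${h}.${p}`).digest();
    const sig = Buffer.from(s ?? "", "base64url");
    if (sig.length !== mac.length || !timingSafeEqual(sig, mac)) throw new Error("bad signature");
    const c = decodeJwtPayload(token);
    if (c.iss !== this.iss || c.aud !== this.aud) throw new Error("issuer/audience mismatch");
    if (typeof c.exp !== "number" || c.exp * 1000 < Date.now()) throw new Error("expired");
    return c;
  }
}

// Bounded LRU keyed by tid: unbounded growth would let anyone who mints tokens with fresh `tid` values
// (unverified at routing time) allocate one validator, and one JWKS fetch, per request.
export class LruCache<V> {
  private map = new Map<string, V>();
  constructor(private max: number) {}
  get(k: string): V | undefined {
    const v = this.map.get(k);
    if (v !== undefined) { this.map.delete(k); this.map.set(k, v); } // mark as most recently used
    return v;
  }
  set(k: string, v: V): void {
    this.map.delete(k);
    this.map.set(k, v);
    if (this.map.size > this.max) this.map.delete(this.map.keys().next().value as string); // evict oldest
  }
  get size(): number { return this.map.size; }
}

export class ServiceTokenValidator {
  private entra = new LruCache<Validator>(100);
  constructor(private bot: Validator, private entraFactory: (tid: string) => Validator) {}
  validate(token: string): Claims {
    const route = routeToken(token);
    if (route.kind === "botframework") return this.bot.validate(token);
    if (route.kind !== "entra") throw new Error("unsupported issuer");
    let v = this.entra.get(route.tid);
    if (!v) { v = this.entraFactory(route.tid); this.entra.set(route.tid, v); }
    const claims = v.validate(token);
    // Re-check against the VERIFIED claims; the routing decision came from unverified ones.
    if (claims.tid !== route.tid || claims.iss !== ENTRA_ISSUER(route.tid)) throw new Error("tid mismatch");
    return claims;
  }
  get cachedTenants(): number { return this.entra.size; }
}

// Constructed fixtures so the example runs offline (the app id doubles as blueprint id, as the thread states).
export const APP_ID = "0f6c1b5a-1111-4a2b-9c3d-000000000001";
export const BOT_KEY = Buffer.from("constructed-bot-framework-key");
export const tenantKey = (tid: string) => createHmac("sha256", "constructed-master-secret").update(tid).digest();

export function signHs256(claims: Claims, key: Buffer): string {
  const head = b64url(Buffer.from(JSON.stringify({ alg: "HS256", typ: "JWT" })));
  const body = b64url(Buffer.from(JSON.stringify(claims)));
  return `${head}.${body}.${b64url(createHmac("sha256", key).update(`${head}.${body}`).digest())}`;
}
export const exp = () => Math.floor(Date.now() / 1000) + 300;
export const botToken = () => signHs256({ iss: BOT_FRAMEWORK_ISSUER, aud: APP_ID, exp: exp() }, BOT_KEY);
export const entraToken = (tid: string, key: Buffer = tenantKey(tid), claimTid: string = tid) =>
  signHs256({ iss: ENTRA_ISSUER(tid), tid: claimTid, aud: APP_ID, exp: exp() }, key);
export const fakeTid = (i: number) => `${i.toString(16).padStart(8, "0")}-0000-4000-8000-000000000000`;

export function makeValidator(): ServiceTokenValidator {
  return new ServiceTokenValidator(
    new HmacValidator(BOT_KEY, BOT_FRAMEWORK_ISSUER, APP_ID),
    (tid) => new HmacValidator(tenantKey(tid), ENTRA_ISSUER(tid), APP_ID),
  );
}
export function validateOrNull(v: ServiceTokenValidator, token: string): Claims | null {
  try { return v.validate(token); } catch { return null; }
}
```

A Bot Framework token signed with a tenant key is rejected even though its `iss` routes correctly, a token whose `iss` tenant differs from its `tid` claim never reaches a validator at all, and pushing 105 distinct tenants through leaves exactly 100 validators cached. In the real SDK the factory would build a tenant-specific validator from the tenant's OpenID metadata instead of an HMAC key, which is exactly why the bound matters.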