Add agentic auth provider infrastructure #630

Open
heyitsaamir wants to merge 2 commits into agent365-inbound-entra-tokens from agentic-auth-provider-infra

@heyitsaamir heyitsaamir commented Jun 26, 2026

Collaborator

Adds the auth provider abstraction layer that sits between the app and the API client:

  • AuthProvider type — { token(options: { scope?, agenticIdentity? }) }
  • AuthProviderInterceptor — HTTP interceptor that resolves tokens via AuthProvider, reads per-request agentic identity from extensions
  • AppAuthProvider — default implementation backed by TokenManager, handles bot/agentic token routing
  • Client (ApiClient) constructor extended to accept cloud, authProvider, agenticIdentity
  • HttpClient interceptor interface updated to receive log in request context
  • App.api wired to use provider-based auth
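
A sketch of the interceptor pattern this description outlines, added here as an illustration and not the SDK's code. The `AgenticIdentity` shape, the `request` method name, the `cloud` scope values, the stub provider and the rule that a caller-set Authorization header is left alone are all assumptions; it shows the per-request extension identity taking precedence over the interceptor-level default.

```typescript
// Illustrative sketch, not the SDK's implementation. Shapes marked "assumed" are hypothetical.
type AgenticIdentity = { readonly id: string }; // assumed shape
type TokenOptions = { readonly scope?: string; readonly agenticIdentity?: AgenticIdentity };
type AuthProvider = { readonly token: (options: TokenOptions) => Promise<string> };
type SketchRequest = {
  readonly headers: Record<string, string>;
  readonly extensions?: { readonly agenticIdentity?: AgenticIdentity };
};

class SketchAuthInterceptor {
  constructor(
    private readonly authProvider: AuthProvider,
    private readonly defaultAgenticIdentity?: AgenticIdentity
  ) {}

  async request(config: SketchRequest): Promise<SketchRequest> {
    // Assumed override rule: never replace a header the caller set (any casing).
    const names = Object.keys(config.headers).map((k) => k.toLowerCase());
    if (names.indexOf('authorization') !== -1) return config;
    // Per-request identity wins; the interceptor default is only a fallback.
    const identity = config.extensions?.agenticIdentity ?? this.defaultAgenticIdentity;
    const options: TokenOptions = identity ? { agenticIdentity: identity } : {};
    const token = await this.authProvider.token(options);
    if (!token) throw new Error('auth provider returned no token'); // fail closed
    return { ...config, headers: { ...config.headers, Authorization: `Bearer ${token}` } };
  }
}

// Constructed stub: routes to a bot or agentic token and applies a default scope.
const cloud = { botScope: 'bot.example/.default', agenticBotScope: 'agentic.example/.default' };
const stubProvider: AuthProvider = {
  token: async ({ scope, agenticIdentity }) =>
    agenticIdentity
      ? `agentic:${agenticIdentity.id}|${scope ?? cloud.agenticBotScope}`
      : `bot|${scope ?? cloud.botScope}`,
};

async function demo() {
  const withDefault = new SketchAuthInterceptor(stubProvider, { id: 'default-agent' });
  const noDefault = new SketchAuthInterceptor(stubProvider);
  const perRequest = { agenticIdentity: { id: 'per-request' } };
  const a = await withDefault.request({ headers: {} });
  const b = await withDefault.request({ headers: {}, extensions: perRequest });
  const c = await noDefault.request({ headers: {} });
  const d = await noDefault.request({ headers: { authorization: 'Bearer caller-set' } });
  const auth = (r: SketchRequest) => r.headers['Authorization'];
  const callerHeader = d.headers['authorization'];
  return { fallback: auth(a), perRequest: auth(b), bot: auth(c), untouched: auth(d), callerHeader };
}
```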

Comment thread packages/api/src/clients/index.ts Outdated
Comment thread packages/api/src/clients/index.ts Outdated
Comment thread packages/apps/src/app.ts Outdated
@heyitsaamir heyitsaamir marked this pull request as ready for review June 26, 2026 20:05
@heyitsaamir heyitsaamir force-pushed the agentic-auth-provider-infra branch from 72a4732 to 19b5bc3 Compare June 26, 2026 20:06
@heyitsaamir heyitsaamir force-pushed the agent365-inbound-entra-tokens branch from 4ca9f2f to 16d77d7 Compare June 26, 2026 20:19
@heyitsaamir heyitsaamir force-pushed the agentic-auth-provider-infra branch from 19b5bc3 to 53c5fef Compare June 26, 2026 20:19
@heyitsaamir heyitsaamir requested a review from Copilot June 26, 2026 20:30

Copilot AI left a comment

Contributor

Pull request overview

This PR introduces an auth-provider abstraction layer between the apps package and the API client, enabling token resolution via a pluggable AuthProvider and supporting per-request “agentic identity” metadata passed through HTTP request extensions.

Changes:

  • Added AuthProvider contract and an AuthProviderInterceptor that injects Authorization headers based on provider-resolved tokens.
  • Implemented AppAuthProvider backed by TokenManager and wired App.api to use provider-based auth instead of per-client token callbacks.
  • Extended the common HTTP client infrastructure to support SDK-local request extensions and to expose registered interceptors.

Reviewed changes

Copilot reviewed 18 out of 18 changed files in this pull request and generated 3 comments.

| File | Description |
| --- | --- |
| packages/common/src/http/interceptor.ts | Extends request context config typing to include optional extensions. |
| packages/common/src/http/client.ts | Adds extensions to RequestConfig, renames internal interceptor registry, and exposes a read-only interceptors list. |
| packages/common/src/http/client.spec.ts | Updates interceptor registry assertions and adds coverage for preserving extensions. |
| packages/apps/src/index.ts | Exposes the new auth-provider module via the apps public API. |
| packages/apps/src/auth-provider.ts | Adds AppAuthProvider implementation backed by TokenManager. |
| packages/apps/src/auth-provider.spec.ts | Adds unit tests for app vs agentic token routing and default scopes. |
| packages/apps/src/app.ts | Wires App.api to use authProvider/cloud-managed settings and constructs AppAuthProvider. |
| packages/api/src/models/account.ts | Adds agentic identity-related fields to Account and a helper to extract AgenticIdentity. |
| packages/api/src/clients/user/token.ts | Threads cloud into settings merge for token client construction. |
| packages/api/src/clients/user/index.ts | Threads cloud into settings merge and token subclient construction. |
| packages/api/src/clients/index.ts | Adds auth-provider plumbing to API client construction and shared HttpClient reuse. |
| packages/api/src/clients/index.spec.ts | Tests that the auth provider interceptor is applied once and re-applied on HTTP client replacement. |
| packages/api/src/clients/bot/sign-in.ts | Threads cloud into settings merge for sign-in client construction. |
| packages/api/src/clients/bot/index.ts | Threads cloud into settings merge and sign-in subclient construction. |
| packages/api/src/clients/auth.ts | Introduces the AuthProvider type contract for resolving tokens. |
| packages/api/src/clients/auth-provider-interceptor.ts | Adds the interceptor that sets Authorization based on provider tokens and per-request agentic identity. |
| packages/api/src/clients/auth-provider-interceptor.spec.ts | Adds unit tests for interceptor behavior (auth header injection, override rules, agentic identity forwarding). |
| packages/api/src/clients/api-client-settings.ts | Extends ApiClientSettings with cloud, authProvider, and agenticIdentity. |

Comment thread packages/api/src/clients/auth-provider-interceptor.ts
Comment thread packages/api/src/clients/api-client-settings.ts
Comment thread packages/api/src/clients/auth-provider-interceptor.spec.ts Outdated
@heyitsaamir heyitsaamir force-pushed the agent365-inbound-entra-tokens branch from 16d77d7 to 293e949 Compare June 26, 2026 21:58
@heyitsaamir heyitsaamir force-pushed the agentic-auth-provider-infra branch 2 times, most recently from 0420261 to 79309bc Compare June 26, 2026 22:03
@heyitsaamir heyitsaamir requested a review from Copilot June 26, 2026 22:14

Copilot AI left a comment

Contributor

Pull request overview

Copilot reviewed 18 out of 18 changed files in this pull request and generated 2 comments.

Comment thread packages/api/src/clients/auth-provider-interceptor.ts
Comment thread packages/api/src/clients/index.ts
@heyitsaamir heyitsaamir force-pushed the agent365-inbound-entra-tokens branch from 293e949 to afaa70d Compare June 29, 2026 21:26
@heyitsaamir heyitsaamir force-pushed the agentic-auth-provider-infra branch from 79309bc to bdf4270 Compare June 29, 2026 21:26
@heyitsaamir heyitsaamir force-pushed the agent365-inbound-entra-tokens branch from afaa70d to 6dfaf59 Compare June 29, 2026 21:33
@heyitsaamir heyitsaamir force-pushed the agentic-auth-provider-infra branch from bdf4270 to ae21553 Compare June 29, 2026 21:33
export class AuthProviderInterceptor implements Interceptor {
constructor(
readonly authProvider: AuthProvider,
readonly defaultAgenticIdentity?: AgenticIdentity
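
Review bot: `readonly authProvider` and `readonly defaultAgenticIdentity` in this constructor are public parameter properties, and the file summary for packages/common/src/http/client.ts says the HTTP client now exposes a read-only interceptors list, so any code holding the client can reach the provider and call `token` on it directly. Consider `private readonly` for both unless outside access is required, and add a doc comment stating that `defaultAgenticIdentity` is used only when a request carries no agentic identity in its extensions.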

Collaborator

This interceptor-level defaultAgenticIdentity is a TS-only concept, meaning the default identity applies to all requests on the client. Can you confirm this is intentional vs PY's client-level threading?

export type AuthProvider = {
readonly token: (options: {
readonly scope?: string;
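
Review bot: `readonly scope?: string` in the `token` options leaves the audience of the returned token up to each provider whenever the caller omits it, and the type carries no comment saying what the default must be. Add a doc comment on `scope` that states the expected default (the commit message says the provider defaults to cloud scopes) so a custom provider does not hand back a token for a broader or different audience than the request needs.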

Collaborator

api nit: PY's token requires scope, whereas here it is optional. Should be consistent.

@corinagum corinagum left a comment

Collaborator

  1. Default agentic identity lives in a different layer than PY. Here the interceptor holds defaultAgenticIdentity and falls back to it when no per-request extension is set. In PY the interceptor has no default: agentic_identity is threaded into the sub-clients, and the interceptor only reads the per-request extension. Is the interceptor-level default the intended TS design, or should it match PY's client-level threading?
  2. The summary says the constructor was "extended", but it's actually a positional removal. Client / ApiClient's 4th cloud? param was removed; that's a breaking change for new ApiClient(url, http, settings, cloud) (loud compile error for typed consumers, which is good). Should word as a breaking change and a quick check that no sample/doc constructs ApiClient with cloud positionally.

@heyitsaamir heyitsaamir force-pushed the agent365-inbound-entra-tokens branch from 6dfaf59 to 2b1d766 Compare July 1, 2026 00:03
@heyitsaamir heyitsaamir force-pushed the agentic-auth-provider-infra branch from ae21553 to 4bd79dd Compare July 1, 2026 00:03
@heyitsaamir heyitsaamir force-pushed the agent365-inbound-entra-tokens branch from 2b1d766 to fbf7183 Compare July 1, 2026 05:31
@heyitsaamir heyitsaamir force-pushed the agentic-auth-provider-infra branch from 4bd79dd to e61cd55 Compare July 1, 2026 05:31
@heyitsaamir heyitsaamir force-pushed the agent365-inbound-entra-tokens branch from fbf7183 to 59528ac Compare July 1, 2026 21:39
@heyitsaamir heyitsaamir force-pushed the agentic-auth-provider-infra branch from e61cd55 to b4b82f7 Compare July 1, 2026 21:39
@heyitsaamir

Collaborator Author

> 1. Default agentic identity lives in a different layer than PY. Here the interceptor holds defaultAgenticIdentity and falls back to it when no per-request extension is set. In PY the interceptor has no default: agentic_identity is threaded into the sub-clients, and the interceptor only reads the per-request extension. Is the interceptor-level default the intended TS design, or should it match PY's client-level threading?
> 2. The summary says the constructor was "extended", but it's actually a positional removal. Client / ApiClient's 4th cloud? param was removed; that's a breaking change for new ApiClient(url, http, settings, cloud) (loud compile error for typed consumers, which is good). Should word as a breaking change and a quick check that no sample/doc constructs ApiClient with cloud positionally.

  1. In Py, the interceptor also holds a default agentic identity (that's passed in from ApiClient). Lmk if you disagree with this design :).
  2. Yeah, agree that cloud was removed. I moved it to apiclientsettings instead of keeping it as the 4th object. Agree it's breaking, but APIClient should be mostly an internal class, so there's a low chance of this being created independently. I'm proposing we move it to settings instead of keeping it an option (this way it can be included in the apisettings plumbing that already exists). Lmk if you're uncomfortable with this and I can move it back.

@heyitsaamir heyitsaamir force-pushed the agent365-inbound-entra-tokens branch from 59528ac to 4627565 Compare July 1, 2026 23:08
@heyitsaamir heyitsaamir force-pushed the agentic-auth-provider-infra branch from b4b82f7 to a92c9ad Compare July 1, 2026 23:08
@heyitsaamir heyitsaamir force-pushed the agent365-inbound-entra-tokens branch from 4627565 to 571e1a9 Compare July 1, 2026 23:12
@heyitsaamir heyitsaamir force-pushed the agentic-auth-provider-infra branch from a92c9ad to b965beb Compare July 1, 2026 23:12
heyitsaamir and others added 2 commits July 1, 2026 16:16
- AuthProvider.token scope is now optional; provider defaults to cloud scopes
- AuthProviderInterceptor accepts defaultAgenticIdentity as fallback
- Client (ApiClient) accepts agenticIdentity and passes to interceptor
- AppAuthProvider defaults to cloud.botScope / cloud.agenticBotScope

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@heyitsaamir heyitsaamir force-pushed the agent365-inbound-entra-tokens branch from 571e1a9 to 8f1f858 Compare July 1, 2026 23:16
@heyitsaamir heyitsaamir force-pushed the agentic-auth-provider-infra branch from b965beb to c62f6ec Compare July 1, 2026 23:16