Support Entra inbound Agent ID tokens #462
Merged
heyitsaamir merged 6 commits on Jun 22, 2026
Collaborator (Author):
Closing duplicate manual PR. GitSpice-created replacement is #463.

Collaborator (Author):
This change is part of the following stack: Change managed by git-spice.
Closed
737d931 to 1d1f555
This was referenced Jun 11, 2026
323b80b to b41b95c
This was referenced Jun 13, 2026
da0981d to e222f20
b41b95c to a4e89ca
This was referenced Jun 18, 2026
a4e89ca to 9fab384
lilyydu approved these changes, Jun 18, 2026
Base automatically changed from add_agent365_token_support to feature_agent365_support, June 18, 2026 23:36
9fab384 to c825d9c
Contributor (Copilot review)
Pull request overview
Adds support for validating inbound Agent ID activities authenticated with Entra access tokens, while preserving the existing Bot Framework connector token validation path. This updates the HTTP server to use a new inbound validator that branches validation based on the token issuer.
Changes:
- Introduces `InboundActivityTokenValidator` to route inbound validation between Bot Framework service tokens and Entra tokens (per-tenant JWKS).
- Updates `HttpServer` to use the new inbound validator for activity authentication.
- Adds unit tests covering issuer-based routing and tenant validator caching.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| `packages/apps/src/microsoft_teams/apps/auth/token_validator.py` | Adds inbound activity token branching logic and Entra per-tenant validator caching. |
| `packages/apps/src/microsoft_teams/apps/http/http_server.py` | Switches inbound auth from `TokenValidator.for_service(...)` to `InboundActivityTokenValidator`. |
| `packages/apps/src/microsoft_teams/apps/auth/__init__.py` | Re-exports `InboundActivityTokenValidator` from the auth package. |
| `packages/apps/tests/test_token_validator.py` | Adds tests for inbound token branching and tenant validator caching behavior. |
corinagum approved these changes, Jun 19, 2026
heyitsaamir added a commit that referenced this pull request, Jun 24, 2026
Adds inbound validation for Agent ID activities using Entra tokens.

Why: Agent 365 inbound activities can arrive with *Entra access tokens* whose audience is the agent identity blueprint app ID. Classic Bot Framework validation looks at the wrong JWKS for those tokens, so the request is rejected before handlers run.

Interesting bits:
- TokenValidator now owns the inbound activity token branching.
- We do one untrusted JWT parse up front to choose the validation path. This is only routing info (`iss` / `tid`), not authentication. The token is accepted only after the chosen validator does full signature, issuer, audience, and scope validation.
- Entra issuers validate with tenant Entra JWKS and blueprint audience.
- Classic Bot Framework tokens keep the existing service token validation path.
- The per-tenant Entra validator cache is bounded so random tenant IDs can't grow it forever.

Testing:
- uv run pytest packages/apps/tests/test_token_validator.py::TestInboundActivityTokenValidator::test_validate_token_uses_service_validator_for_bot_framework_tokens packages/apps/tests/test_token_validator.py::TestInboundActivityTokenValidator::test_get_entra_validator_caches_by_tenant packages/apps/tests/test_token_validator.py::TestInboundActivityTokenValidator::test_get_entra_validator_cache_is_bounded
- uv run ruff check packages/apps/src/microsoft_teams/apps/auth/token_validator.py packages/apps/tests/test_token_validator.py
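The routing-then-validate shape that the Copilot overview and the commit message describe, written out as an added example (this is not the project's `InboundActivityTokenValidator` or any code from the PR): one signature-less parse of the payload picks the validator from `iss` / `tid`, the chosen validator then does the full signature, issuer, audience, expiry and scope checks, and the per-tenant validator cache is an LRU with a hard bound. HS256 with a per-tenant shared secret stands in for the per-tenant Entra JWKS (RS256) so it runs offline; every class name, issuer and audience constant, the `Agent.Invoke` scope name and all keys and tenant IDs are assumptions or constructed values, not taken from the project.

```python
import base64
import hashlib
import hmac
import json
import time
from collections import OrderedDict

# Assumed/constructed values: real issuer, audience and scope strings come from app config.
BOT_FRAMEWORK_ISSUER = "https://api.botframework.com"
ENTRA_ISSUER_PREFIX = "https://login.microsoftonline.com/"  # v2.0 issuers are <prefix><tid>/v2.0
BOT_APP_ID = "aaaaaaaa-0000-0000-0000-000000000001"         # constructed
BLUEPRINT_APP_ID = "bbbbbbbb-0000-0000-0000-000000000002"   # constructed
REQUIRED_SCOPE = "Agent.Invoke"                             # hypothetical scope name
MAX_TENANT_VALIDATORS = 2                                   # tiny bound so eviction is visible

# Constructed shared secrets standing in for the Bot Framework JWKS and each tenant's Entra JWKS.
SERVICE_KEY = b"constructed-bot-framework-key"
TENANT_KEYS = {"tenant-a": b"key-a", "tenant-b": b"key-b", "tenant-c": b"key-c"}


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint(key, claims):
    """Test helper: build an HS256 JWT the way the identity provider would."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def peek_claims(token):
    """Decode the payload WITHOUT checking the signature: routing input only, never trusted."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    return json.loads(_unb64url(parts[1]))


class HmacValidator:
    """Full validation of one token class: signature, issuer, audience, expiry, scope."""

    def __init__(self, key, issuer, audience, required_scope=None):
        self.key, self.issuer, self.audience, self.required_scope = key, issuer, audience, required_scope

    def validate(self, token):
        header, payload, sig = token.split(".")
        expected = hmac.new(self.key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(sig)):
            raise ValueError("bad signature")
        claims = json.loads(_unb64url(payload))  # only now are the claims trustworthy
        if claims.get("iss") != self.issuer:
            raise ValueError("bad issuer")
        if claims.get("aud") != self.audience:
            raise ValueError("bad audience")
        if claims.get("exp", 0) <= time.time():
            raise ValueError("expired")
        if self.required_scope and self.required_scope not in claims.get("scp", "").split():
            raise ValueError("missing scope")
        return claims


def lookup_tenant_key(tenant_id):
    """Stand-in for fetching a tenant's JWKS; unknown tenants fail before anything is cached."""
    if tenant_id not in TENANT_KEYS:
        raise ValueError("unknown tenant")
    return TENANT_KEYS[tenant_id]


class InboundValidatorExample:
    """Routes on the untrusted `iss`, then delegates to a fully validating per-class validator."""

    def __init__(self, service_validator, max_tenants=MAX_TENANT_VALIDATORS):
        self._service = service_validator
        self._max_tenants = max_tenants
        self._entra_cache = OrderedDict()  # tenant id -> HmacValidator, LRU order

    def get_entra_validator(self, tenant_id):
        validator = self._entra_cache.get(tenant_id)
        if validator is not None:
            self._entra_cache.move_to_end(tenant_id)  # LRU touch
            return validator
        # Expected issuer is derived from the routed tid, so a token whose iss names a different
        # tenant than its tid fails the issuer check even if its signature verifies.
        issuer = f"{ENTRA_ISSUER_PREFIX}{tenant_id}/v2.0"
        validator = HmacValidator(lookup_tenant_key(tenant_id), issuer, BLUEPRINT_APP_ID, REQUIRED_SCOPE)
        self._entra_cache[tenant_id] = validator
        while len(self._entra_cache) > self._max_tenants:
            self._entra_cache.popitem(last=False)  # evict least recently used
        return validator

    def cached_tenants(self):
        return list(self._entra_cache)

    def validate(self, token):
        routing = peek_claims(token)  # untrusted: decides WHICH validator, nothing more
        if str(routing.get("iss", "")).startswith(ENTRA_ISSUER_PREFIX):
            tid = routing.get("tid")
            if not tid:
                raise ValueError("Entra token without tid")
            return self.get_entra_validator(str(tid)).validate(token)
        return self._service.validate(token)


def _outcome(fn):
    try:
        fn()
        return "accepted"
    except ValueError as exc:
        return f"rejected: {exc}"


def demo():
    """Constructed scenarios; returns outcomes so they can be asserted on."""
    now = int(time.time())
    inbound = InboundValidatorExample(HmacValidator(SERVICE_KEY, BOT_FRAMEWORK_ISSUER, BOT_APP_ID))

    def entra_claims(tid, **override):
        base = {"iss": f"{ENTRA_ISSUER_PREFIX}{tid}/v2.0", "tid": tid, "aud": BLUEPRINT_APP_ID,
                "scp": REQUIRED_SCOPE, "exp": now + 300}
        return {**base, **override}

    results = {
        "bot_framework": _outcome(lambda: inbound.validate(
            mint(SERVICE_KEY, {"iss": BOT_FRAMEWORK_ISSUER, "aud": BOT_APP_ID, "exp": now + 300}))),
        "entra_a": _outcome(lambda: inbound.validate(mint(TENANT_KEYS["tenant-a"], entra_claims("tenant-a")))),
        # Routing claims say tenant-a but the signer holds tenant-b's key: routed to tenant-a, signature fails.
        "wrong_key": _outcome(lambda: inbound.validate(mint(TENANT_KEYS["tenant-b"], entra_claims("tenant-a")))),
        # tid routes to tenant-a (signature valid) but iss names tenant-b: issuer check fails.
        "tid_iss_mismatch": _outcome(lambda: inbound.validate(mint(
            TENANT_KEYS["tenant-a"], entra_claims("tenant-a", iss=f"{ENTRA_ISSUER_PREFIX}tenant-b/v2.0")))),
        "wrong_audience": _outcome(lambda: inbound.validate(mint(
            TENANT_KEYS["tenant-a"], entra_claims("tenant-a", aud=BOT_APP_ID)))),
        "unknown_tenant": _outcome(lambda: inbound.validate(mint(b"x", entra_claims("tenant-zzz")))),
    }
    inbound.validate(mint(TENANT_KEYS["tenant-b"], entra_claims("tenant-b")))
    inbound.validate(mint(TENANT_KEYS["tenant-c"], entra_claims("tenant-c")))
    results["cached_tenants"] = inbound.cached_tenants()  # tenant-a evicted: the bound is 2
    return results
```

The `wrong_key` and `tid_iss_mismatch` scenarios are the ones worth studying: both tokens carry routing claims that point at tenant-a, and both are rejected by the tenant-a validator rather than by the routing step, which is exactly the property the commit message claims (the untrusted parse never grants acceptance on its own). The unknown-tenant case shows one way to keep failed lookups out of the cache entirely; the LRU bound then only has to deal with tenants that actually resolved.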