Add AgenticIdentity API surface#478
Conversation
|
This change is part of the following stack: Change managed by git-spice. |
b41b95c to
a4e89ca
Compare
c6becbe to
9e101e1
Compare
a4e89ca to
9fab384
Compare
4a16fc5 to
414e668
Compare
9fab384 to
c825d9c
Compare
38bbf08 to
8652367
Compare
There was a problem hiding this comment.
Pull request overview
This PR introduces an AgenticIdentity model and threads it through the Teams API client layer to enable per-call “agentic” authentication, plus adds an apps-layer AppAuthProvider/TokenManager support to mint the appropriate tokens when an agentic identity is used.
Changes:
- Added
AgenticIdentitymodel and surfaced it through API clients (default + per-call override) via a newAuthProviderhook. - Updated
TokenManager/credentials typing to support token providers that can optionally acceptagentic_identity. - Added/updated unit tests and the
examples/agent365sample to demonstrate API-level agentic calls.
Reviewed changes
Copilot reviewed 22 out of 22 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
| packages/apps/tests/test_token_manager.py | Adds coverage for passing agentic_identity through token providers and for AppAuthProvider behavior. |
| packages/apps/src/microsoft_teams/apps/token_manager.py | Adds app-level token APIs and extends token-provider invocation to support agentic tokens. |
| packages/apps/src/microsoft_teams/apps/options.py | Broadens token option typing to allow agentic-aware token providers. |
| packages/apps/src/microsoft_teams/apps/auth_provider.py | Introduces AppAuthProvider to mint app vs agentic tokens using TokenManager. |
| packages/apps/src/microsoft_teams/apps/app.py | Wires AppAuthProvider into ApiClient and adds get_agentic_identity() helper. |
| packages/api/tests/unit/test_reaction_client.py | Updates reaction client tests for agentic token plumbing. |
| packages/api/tests/unit/test_conversation_client.py | Adds tests for service URL override and agentic identity usage in activity operations. |
| packages/api/tests/unit/test_api_client.py | Verifies ApiClient propagates auth defaults into lazily created sub-clients. |
| packages/api/src/microsoft_teams/api/models/agentic_identity.py | Adds the AgenticIdentity model. |
| packages/api/src/microsoft_teams/api/models/account.py | Adds Agent ID fields and a convenience agentic_identity property. |
| packages/api/src/microsoft_teams/api/models/init.py | Exports AgenticIdentity from the models package. |
| packages/api/src/microsoft_teams/api/clients/reaction/client.py | Adds agentic auth support (default + per-call) to reaction operations. |
| packages/api/src/microsoft_teams/api/clients/conversation/client.py | Adds agentic identity + service URL overrides to activity operation surfaces and plumbs auth defaults. |
| packages/api/src/microsoft_teams/api/clients/conversation/activity.py | Implements service URL override and agentic token injection for activity calls. |
| packages/api/src/microsoft_teams/api/clients/bot/token_client.py | Updates deprecated token client to tolerate token providers that accept agentic_identity. |
| packages/api/src/microsoft_teams/api/clients/base_client.py | Adds AuthProvider protocol and centralized agentic token factory logic. |
| packages/api/src/microsoft_teams/api/clients/api_client.py | Adds auth defaults to ApiClient and propagates them to sub-clients. |
| packages/api/src/microsoft_teams/api/clients/init.py | Exposes AuthProvider in the clients package exports. |
| packages/api/src/microsoft_teams/api/auth/credentials.py | Updates TokenCredentials.token typing to support agentic-aware token providers. |
| packages/api/src/microsoft_teams/api/auth/cloud_environment.py | Adds agentic_bot_scope to the cloud environment configuration. |
| examples/agent365/src/main.py | Updates the sample to send via API client using agentic_identity. |
| examples/agent365/README.md | Updates documentation to match the new sample flow and env var expectations. |
b335f67 to
22c23a6
Compare
corinagum
left a comment
There was a problem hiding this comment.
Can agentic identity not create conversations or list members? Looks like only sending/modifying activities is performable?
30f6a0c to
4e1274e
Compare
dd2f47d to
36ad717
Compare
3d65157 to
5090e99
Compare
36ad717 to
307c694
Compare
5090e99 to
70506df
Compare
307c694 to
ea94db0
Compare
| self.service_url = service_url.rstrip("/") | ||
|
|
||
| async def create(self, conversation_id: str, activity: ActivityParams) -> SentActivity: | ||
| def _get_service_url(self, service_url: str | None = None) -> str: |
There was a problem hiding this comment.
move this to the bottom.
45dbacd to
e37e732
Compare
70506df to
e2b8163
Compare
e37e732 to
7b4376b
Compare
e2b8163 to
cfdbefa
Compare
16b61b4 to
14c6a68
Compare
lilyydu
left a comment
There was a problem hiding this comment.
Looks pretty clean to me!
cfdbefa to
e102800
Compare
14c6a68 to
5a364f3
Compare
e102800 to
5f44f4a
Compare
5a364f3 to
9f395c9
Compare
f39b58f to
6198553
Compare
9f395c9 to
84bccbd
Compare
This PR adds
AgenticIdentityas a new auth context across the Teams API surface.Why:
Agent ID calls need a user-shaped Agent ID token instead of the normal bot token. The API methods now accept
agentic_identitywhere needed, and the shared auth interceptor uses local request metadata to pick the right auth path.Interesting bits:
agentic_identityto conversation create, activity operations, conversation members, reactions, teams, and meetings.service_urloverrides across the service-url based APIs touched here.httpxrequest extensions, not headers. So it stays inside the client pipeline and does not leak to Teams endpoints.Reviewer tips:
Start with the API method signatures, then the changed call sites in
ConversationActivityClient,ConversationMemberClient,ReactionClient,TeamClient, andMeetingClient. The auth plumbing itself lives one PR down in #485.Testing:
Live smoke tested with Agent ID token:
Known limitation: