Support Entra inbound Agent ID tokens#629
Addressed all review comments:

- "kind of a weird thing to test for JwtValidator construction times" — Agreed, removed. Now testing behavior (correct args to
- "No need for this" / "But wait why is it called twice?" — It was called twice because once in the constructor (BotFramework validator) and once for the Entra validator. Removed those assertions — they were testing implementation details. Cache test now checks
- "Do we really need to mock JwtValidator? Can't we just call it?" — We need the mock because the real
Pull request overview
Adds support for validating inbound Microsoft Entra ID JWTs (Agent 365) in addition to existing Bot Framework service tokens, by routing validation based on the token issuer and using tenant-specific Entra validation configuration.
Changes:
- Route tokens by the unverified `iss` claim (Entra vs Bot Framework) and validate Entra tokens with per-tenant `JwtValidator` instances cached by `tid`.
- Add a `decodeJwtPayload` export to enable pre-validation inspection of JWT payload claims.
- Extend unit tests to cover issuer routing, Entra `tid` requirements, and validator caching behavior.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| packages/apps/src/middleware/auth/service-token-validator.ts | Adds issuer-based routing and per-tenant Entra validator cache. |
| packages/apps/src/middleware/auth/service-token-validator.spec.ts | Updates mocks and adds tests for Entra/Bot Framework routing and cache bounding. |
| packages/apps/src/middleware/auth/jwt-validator.ts | Exposes a helper to decode JWT payloads without verification for routing/inspection. |
| private decodePayload(rawToken: string): Record<string, any> | null { | ||
| return decodeJwtPayload(rawToken); | ||
| } |
| ); | ||
| } | ||
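Review bot: `decodePayload` hands back claims that have not been signature-checked, and neither its name nor a doc comment says so; at `private decodePayload(rawToken: string): Record<string, any> | null` consider a name such as `decodeUnverifiedPayload` (or a doc comment stating that the result is only for routing), so a later caller cannot mistake it for verified claims, and prefer `Record<string, unknown>` over `any` so every claim read from it has to be type-narrowed before use.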
| private async validateEntraToken(rawToken: string, unverifiedPayload: Record<string, any> | null) { |
| tenantId, | ||
| loginEndpoint: this.cloud.loginEndpoint, | ||
| validateIssuer: { allowedTenantIds: [tenantId] }, | ||
| jwksUriOptions: { type: 'tenantId' }, | ||
| }); |
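Review bot: `tenantId` here comes from the unverified `tid` of `unverifiedPayload` and then becomes both the only allowed issuer tenant (`validateIssuer: { allowedTenantIds: [tenantId] }`) and the JWKS selector (`jwksUriOptions: { type: 'tenantId' }`), so the validator accepts whichever tenant the token claims: any Entra tenant's correctly signed token will pass issuer validation. If only specific tenants should reach this bot, check `tenantId` against a configured allowlist before building the validator (or state in a comment that multi-tenant acceptance is intended). Separately, validate that `tid` is a well-formed GUID before using it as a cache key: the cache is bounded at 100 entries, so a stream of tokens with arbitrary `tid` values would otherwise evict the validators of real tenants and force repeated JWKS fetches.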
Adds support for validating inbound Entra ID tokens (used by Agent 365) alongside existing BotFramework tokens:

- `ServiceTokenValidator` now routes tokens based on issuer — Entra vs BotFramework
- `iss` and `tid` claims
- `JwtValidator` instances with bounded LRU cache (max 100)
- `decodeJwtPayload` from `jwt-validator` for pre-validation inspection

Note: Does not currently do service url validation (not present in Token)
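The routing and caching scheme the PR describes, as an added example that is not the PR's code nor the project's: the payload is base64url-decoded without any signature check and used only to pick a validator; the Entra branch requires `tid` to be a well-formed GUID that matches the tenant in `iss` before a validator configuration is created or cached; and the per-tenant cache is a bounded LRU so untrusted `tid` values cannot grow it without limit. The issuer shapes, the JWKS URL, the `EntraValidatorConfig` shape and `constructedToken` are assumptions made for this example (the real `JwtValidator` would also verify signature, audience and expiry; none of that is shown here).

```typescript
// Added example, not code from the PR or the project: issuer routing over an
// unverified JWT payload, plus a bounded per-tenant validator cache keyed by a
// syntactically checked `tid`. Issuer/JWKS URL shapes are assumptions for the
// example; real validation must additionally verify signature, audience and expiry.

type Claims = Record<string, unknown>;

// Decode the JWT payload segment WITHOUT verifying the signature. The result is
// untrusted and may only be used to pick a validator, never to authorize.
export function decodeJwtPayload(rawToken: string): Claims | null {
  const parts = rawToken.split('.');
  if (parts.length !== 3) return null;
  try {
    const b64 = (parts[1] ?? '').replace(/-/g, '+').replace(/_/g, '/');
    const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
    const obj: unknown = JSON.parse(Buffer.from(padded, 'base64').toString('utf8'));
    return obj !== null && typeof obj === 'object' && !Array.isArray(obj) ? (obj as Claims) : null;
  } catch {
    return null; // malformed base64url or JSON: treat as "no payload"
  }
}

export type TokenKind = 'entra' | 'botframework' | 'unknown';

// Assumed issuer shapes: Entra v2.0 tokens carry the tenant id in `iss`;
// Bot Framework service tokens use a fixed issuer.
const ENTRA_ISSUER = /^https:\/\/login\.microsoftonline\.com\/([0-9a-f-]{36})\/v2\.0$/i;
const BOTFRAMEWORK_ISSUER = 'https://api.botframework.com';
const GUID = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

export function routeByIssuer(claims: Claims | null): TokenKind {
  const iss = claims?.iss;
  if (typeof iss !== 'string') return 'unknown';
  if (iss === BOTFRAMEWORK_ISSUER) return 'botframework';
  return ENTRA_ISSUER.test(iss) ? 'entra' : 'unknown';
}

// Return a normalised tenant id only when `tid` is a well-formed GUID and matches
// the tenant embedded in `iss`; anything else gets neither a validator nor a cache slot.
export function entraTenantId(claims: Claims): string | null {
  const tid = claims.tid;
  if (typeof tid !== 'string' || !GUID.test(tid)) return null;
  const issTenant = ENTRA_ISSUER.exec(String(claims.iss))?.[1];
  if (!issTenant || issTenant.toLowerCase() !== tid.toLowerCase()) return null;
  return tid.toLowerCase();
}

// Minimal LRU: Map keeps insertion order, so re-inserting on access makes the most
// recently used entry last, and the first key is always the eviction candidate.
export class BoundedLruCache<V> {
  private readonly map = new Map<string, V>();
  private readonly max: number;
  constructor(max: number) { this.max = max; }
  get(key: string): V | undefined {
    const v = this.map.get(key);
    if (v !== undefined) { this.map.delete(key); this.map.set(key, v); }
    return v;
  }
  set(key: string, v: V): void {
    this.map.delete(key);
    this.map.set(key, v);
    if (this.map.size > this.max) {
      const oldest = this.map.keys().next().value;
      if (oldest !== undefined) this.map.delete(oldest);
    }
  }
  has(key: string): boolean { return this.map.has(key); }
  get size(): number { return this.map.size; }
}

// Stand-in for the per-tenant validator configuration (hypothetical shape).
export interface EntraValidatorConfig {
  tenantId: string;
  loginEndpoint: string;
  allowedTenantIds: string[];
  jwksUri: string;
}

export class EntraValidatorCache {
  private readonly cache = new BoundedLruCache<EntraValidatorConfig>(100);
  private readonly loginEndpoint: string;
  constructor(loginEndpoint = 'https://login.microsoftonline.com') { this.loginEndpoint = loginEndpoint; }

  // Resolve (or build and cache) the validator config for an inbound Entra token.
  forToken(rawToken: string): EntraValidatorConfig | null {
    const claims = decodeJwtPayload(rawToken);
    if (!claims || routeByIssuer(claims) !== 'entra') return null;
    const tid = entraTenantId(claims);
    if (!tid) return null;
    let cfg = this.cache.get(tid);
    if (!cfg) {
      cfg = { tenantId: tid, loginEndpoint: this.loginEndpoint, allowedTenantIds: [tid],
              jwksUri: `${this.loginEndpoint}/${tid}/discovery/v2.0/keys` };
      this.cache.set(tid, cfg);
    }
    return cfg;
  }
  get size(): number { return this.cache.size; }
}

// Constructed, UNSIGNED token for exercising the routing only (signature part is a dummy).
function b64url(s: string): string {
  return Buffer.from(s, 'utf8').toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
export function constructedToken(claims: Claims): string {
  return `${b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT' }))}.${b64url(JSON.stringify(claims))}.sig`;
}
```

The design point is that the unverified payload decides only which validator runs; the tenant it names is checked syntactically and against `iss` before it is allowed to occupy a cache entry, and the cache bound means the worst an attacker can do with invented `tid` values is cause cache churn, not unbounded memory growth.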