
Integrate agentic identity support into the SDK#137

Merged
rodrigobr-msft merged 37 commits into main from users/robrandao/agentic-msal
Oct 2, 2025
Conversation

@rodrigobr-msft
Contributor

@rodrigobr-msft rodrigobr-msft commented Sep 23, 2025

This pull request introduces significant enhancements and new features for agentic identity and user token management, as well as improvements to connection configuration and selection logic. The changes add support for agentic roles and tokens, extend MSAL authentication flows, and improve robustness in connection management and activity processing.

Agentic identity and token support

  • Added new agentic role types (agentic_identity, agentic_user) to RoleTypes, and extended ChannelAccount with agentic_user_id, agentic_app_id, and tenant_id fields for agentic identity tracking. [1] [2]
  • Implemented agentic request detection and retrieval methods in Activity (is_agentic_request, get_agentic_instance_id, get_agentic_user) to facilitate agentic context handling.

MSAL authentication and agentic token flows

  • Added methods in MsalAuth for acquiring agentic application, instance, and user tokens, including JWT decoding for blueprint ID extraction and error handling for token acquisition failures.
  • Improved error handling in get_access_token to log and raise exceptions when token acquisition fails, and fixed method naming (acquire_token_on_behalf_of).

Authorization Handling Overhaul

  • Added support for separate processes of authorization handling for each auth handler in the config
  • Integrated configured scopes to automatically exchange tokens received from the old user OAuth flows.
  • Created a new authorization handler, AgenticUserAuthorization, that acts as an intermediary to the agentic token flows mentioned above.

Connection configuration and selection logic

  • Updated MsalConnectionManager to handle connection maps as lists, improved initialization, and implemented logic to select the appropriate connection based on audience and service URL, including regex matching and error reporting. [1] [2]
  • Improved configuration loading to convert CONNECTIONSMAP to a list of connections for easier processing.
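The connection-selection rule described in the two items above (connection map flattened to a list, then a connection chosen by audience and by a regex over the service URL, with an error when nothing fits) is shown here as an added example. This is illustration code, not the SDK's own implementation: the `Connection` dataclass, the `ConnectionSelector` class, the config keys in the constructed map and the default-connection name are all assumptions made for this example.

```python
"""Added example (not the SDK's code): pick an MSAL connection by audience and
service URL from a CONNECTIONSMAP-style configuration.

All names below (Connection, ConnectionSelector, the config keys) are
assumptions made for this illustration.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Connection:
    name: str
    client_id: str
    audience: Optional[str] = None             # app id the token must be issued for
    service_url_pattern: Optional[str] = None  # regex matched against the whole service URL


class ConnectionSelectionError(Exception):
    """Raised when no configured connection fits and no default connection exists."""


def connections_from_map(connections_map: dict) -> list[Connection]:
    """Flatten a {name: {...}} map into a list of Connection objects.

    Each regex is compiled eagerly so a malformed pattern fails at startup
    instead of on the first incoming request.
    """
    result = []
    for name, cfg in connections_map.items():
        pattern = cfg.get("service_url_pattern")
        if pattern is not None:
            re.compile(pattern)  # raises re.error on a bad pattern
        result.append(Connection(name, cfg["client_id"], cfg.get("audience"), pattern))
    return result


class ConnectionSelector:
    def __init__(self, connections: list[Connection], default_name: str = "default"):
        names = [c.name for c in connections]
        if len(names) != len(set(names)):
            raise ValueError(f"duplicate connection names: {names}")
        self._connections = list(connections)
        self._default = next((c for c in connections if c.name == default_name), None)

    @staticmethod
    def _url_matches(conn: Connection, service_url: Optional[str]) -> bool:
        if conn.service_url_pattern is None or service_url is None:
            return False
        # fullmatch, not search: a pattern for https://smba.trafficmanager.net/...
        # must not accept https://smba.trafficmanager.net.attacker.example/
        return re.fullmatch(conn.service_url_pattern, service_url) is not None

    def select(self, audience: Optional[str] = None,
               service_url: Optional[str] = None) -> Connection:
        """Most specific match wins: audience + URL, then audience, then URL.

        A connection that carries a service URL pattern is only eligible for
        URLs that pattern covers. With no match the default connection is
        returned; with no default either, an error names the inputs and the
        configured candidates so the misconfiguration is easy to report.
        """
        best, best_score = None, 0
        for conn in self._connections:
            if conn.service_url_pattern is not None and not self._url_matches(conn, service_url):
                continue  # constrained to service URLs it does not cover
            score = 0
            if audience is not None and conn.audience == audience:
                score += 2
            if self._url_matches(conn, service_url):
                score += 1
            if score > best_score:  # strict: first configured wins ties
                best, best_score = conn, score
        if best is not None:
            return best
        if self._default is not None:
            return self._default
        raise ConnectionSelectionError(
            f"no connection for audience={audience!r}, service_url={service_url!r}; "
            f"configured: {[c.name for c in self._connections]}"
        )


# Constructed sample configuration (not real client ids or URLs from the project).
SAMPLE_CONNECTIONS_MAP = {
    "default": {"client_id": "client-default"},
    "teams": {
        "client_id": "client-teams",
        "audience": "api://client-teams",
        "service_url_pattern": r"https://smba\.trafficmanager\.net/.*",
    },
    "agentic": {"client_id": "client-agentic", "audience": "api://client-agentic"},
}


def demo() -> dict:
    selector = ConnectionSelector(connections_from_map(SAMPLE_CONNECTIONS_MAP))
    return {
        "both": selector.select("api://client-teams", "https://smba.trafficmanager.net/emea/").name,
        "audience_only": selector.select("api://client-agentic", "https://example.invalid/").name,
        "url_only": selector.select(None, "https://smba.trafficmanager.net/amer/").name,
        "spoofed_host": selector.select("api://client-teams",
                                        "https://smba.trafficmanager.net.attacker.example/").name,
    }


if __name__ == "__main__":
    print(demo())
```

The `spoofed_host` case is the one worth noting: a service URL whose host merely starts with the expected name falls through to the default connection because the pattern is applied with `re.fullmatch`; a `re.search` against an unanchored pattern would have handed the spoofed URL the Teams connection.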

Robustness and cleanup

  • Improved handling of claims identity in activity processing to default to an anonymous identity when missing.
  • Cleaned up unused imports and removed deprecated OAuth flow exports from __init__.py. [1] [2]

Breaking changes

  • Authorization.sign_out(context) calls where no auth handler Id is specified no longer sign out the user from all handlers but instead only from the default handler.

@rodrigobr-msft rodrigobr-msft changed the title Implement asynchronous token retrieval methods in AgenticMsalAuth class Implement agentic token retrieval methods in AgenticMsalAuth class Sep 23, 2025
@rodrigobr-msft rodrigobr-msft changed the title Implement agentic token retrieval methods in AgenticMsalAuth class Integrate agentic identity support into the SDK Sep 26, 2025
@rodrigobr-msft rodrigobr-msft linked an issue Oct 1, 2025 that may be closed by this pull request
Collaborator

@cleemullins cleemullins left a comment

Quick initial pass for key stuff to get merged today.

Collaborator

@cleemullins cleemullins left a comment

Review done in person, and comments addressed.

@rodrigobr-msft rodrigobr-msft marked this pull request as ready for review October 2, 2025 18:30
@rodrigobr-msft rodrigobr-msft enabled auto-merge (squash) October 2, 2025 18:31
@rodrigobr-msft rodrigobr-msft merged commit 4ea2c57 into main Oct 2, 2025
8 checks passed
@cleemullins cleemullins deleted the users/robrandao/agentic-msal branch October 2, 2025 21:06

Development

Successfully merging this pull request may close these issues.

  • Support Multiple Connector Clients
  • Add support for getting agentic identity support to UserAuthorization
  • Agentic identity Support