@microsoft/agents-hosting 0.5.4-ga4d0401645 → 0.5.16-g6bdf69cc43

package/src/auth/msalTokenProvider.ts

@@ -25,7 +25,7 @@ export class MsalTokenProvider implements AuthProvider {
    * @param scope The scope for the token.
    * @returns A promise that resolves to the access token.
    */
-  async getAccessToken (authConfig: AuthConfiguration, scope: string): Promise<string> {
+  public async getAccessToken (authConfig: AuthConfiguration, scope: string): Promise<string> {
     if (!authConfig.clientId && process.env.NODE_ENV !== 'production') {
       return ''
     }
@@ -51,6 +51,22 @@ export class MsalTokenProvider implements AuthProvider {
     return token
   }
 
+  public async acquireTokenOnBehalfOf (authConfig: AuthConfiguration, scopes: string[], oboAssertion: string): Promise<string> {
+    const cca = new ConfidentialClientApplication({
+      auth: {
+        clientId: authConfig.clientId as string,
+        authority: `https://login.microsoftonline.com/${authConfig.tenantId || 'botframework.com'}`,
+        clientSecret: authConfig.clientSecret
+      },
+      system: this.sysOptions
+    })
+    const token = await cca.acquireTokenOnBehalfOf({
+      oboAssertion,
+      scopes
+    })
+    return token?.accessToken as string
+  }
+
   private readonly sysOptions: NodeSystemOptions = {
     loggerOptions: {
       logLevel: LogLevel.Trace,

package/src/cards/cardFactory.ts

@@ -13,8 +13,7 @@ import { O365ConnectorCard } from './o365ConnectorCard'
 import { ThumbnailCard } from './thumbnailCard'
 import { VideoCard } from './videoCard'
 import { CardImage } from './cardImage'
-import { OAuthCard } from '../oauth/oAuthCard'
-import { SigningResource } from '../oauth/signingResource'
+import { OAuthCard, SignInResource } from '../oauth/userTokenClient.types'
 import { SigninCard } from './signinCard'
 
 /**
@@ -218,7 +217,7 @@ export class CardFactory {
    * @param signingResource The signing resource.
    * @returns The OAuth card attachment.
    */
-  static oauthCard (connectionName: string, title: string, text: string, signingResource: SigningResource) : Attachment {
+  static oauthCard (connectionName: string, title: string, text: string, signingResource: SignInResource) : Attachment {
     const card: Partial<OAuthCard> = {
       buttons: [{
         type: ActionTypes.Signin,

package/src/oauth/index.ts

@@ -1,6 +1,3 @@
-export * from './oAuthCard'
-export * from './signingResource'
 export * from './userTokenClient'
-export * from './tokenExchangeRequest'
 export * from './oAuthFlow'
-export * from './tokenResponse'
+export * from './userTokenClient.types'

package/src/oauth/oAuthFlow.ts

@@ -1,28 +1,44 @@
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License.
 import { debug } from './../logger'
-import { ActivityTypes, Attachment } from '@microsoft/agents-activity'
+import { Activity, ActivityTypes, Attachment } from '@microsoft/agents-activity'
 import {
   CardFactory,
-  AgentStatePropertyAccessor,
-  UserState,
   TurnContext,
-  MessageFactory,
-  TokenExchangeRequest,
-  UserTokenClient
+  Storage,
+  MessageFactory
 } from '../'
-import { TokenRequestStatus, TokenResponse } from './tokenResponse'
+import { UserTokenClient } from './userTokenClient'
+import { TokenExchangeRequest, TokenResponse } from './userTokenClient.types'
 
 const logger = debug('agents:oauth-flow')
 
-export class FlowState {
-  public flowStarted: boolean = false
-  public flowExpires: number = 0
+/**
+ * Represents the state of the OAuth flow.
+ * @interface FlowState
+ */
+export interface FlowState {
+  /** Indicates whether the OAuth flow has been started */
+  flowStarted: boolean | undefined,
+  /** Timestamp when the OAuth flow expires (in milliseconds since epoch) */
+  flowExpires: number | undefined,
+  /** The absolute OAuth connection name used for the flow, null if not set */
+  absOauthConnectionName: string
+  /** Optional activity to continue the flow with, used for multi-turn scenarios */
+  continuationActivity?: Activity | null
+
+  eTag?: string // Optional ETag for optimistic concurrency control
 }
 
 interface TokenVerifyState {
   state: string
 }
+
+interface CachedToken {
+  token: TokenResponse
+  expiresAt: number
+}
+
 /**
  * Manages the OAuth flow
  */
@@ -35,17 +51,17 @@ export class OAuthFlow {
   /**
    * The current state of the OAuth flow.
    */
-  state: FlowState | null
+  state: FlowState
 
   /**
-   * The accessor for managing the flow state in user state.
+   * The ID of the token exchange request, used to deduplicate requests.
    */
-  flowStateAccessor: AgentStatePropertyAccessor<FlowState | null>
+  tokenExchangeId: string | null = null
 
   /**
-   * The ID of the token exchange request, used to deduplicate requests.
+   * In-memory cache for tokens with expiration.
    */
-  tokenExchangeId: string | null = null
+  private tokenCache: Map<string, CachedToken> = new Map()
 
   /**
    * The name of the OAuth connection.
@@ -64,11 +80,14 @@ export class OAuthFlow {
 
   /**
    * Creates a new instance of OAuthFlow.
-   * @param userState The user state.
+   * @param storage The storage provider for persisting flow state.
+   * @param absOauthConnectionName The absolute OAuth connection name.
+   * @param tokenClient Optional user token client. If not provided, will be initialized automatically.
+   * @param cardTitle Optional title for the OAuth card. Defaults to 'Sign in'.
+   * @param cardText Optional text for the OAuth card. Defaults to 'login'.
    */
-  constructor (userState: UserState, absOauthConnectionName: string, tokenClient?: UserTokenClient, cardTitle?: string, cardText?: string) {
-    this.state = new FlowState()
-    this.flowStateAccessor = userState.createProperty('flowState')
+  constructor (private storage: Storage, absOauthConnectionName: string, tokenClient?: UserTokenClient, cardTitle?: string, cardText?: string) {
+    this.state = { flowStarted: undefined, flowExpires: undefined, absOauthConnectionName }
     this.absOauthConnectionName = absOauthConnectionName
     this.userTokenClient = tokenClient ?? null!
     this.cardTitle = cardTitle ?? this.cardTitle
@@ -76,77 +95,138 @@ export class OAuthFlow {
   }
 
   /**
-   * Retrieves the user token from the user token service.
+   * Retrieves the user token from the user token service with in-memory caching for 10 minutes.
    * @param context The turn context containing the activity information.
    * @returns A promise that resolves to the user token response.
    * @throws Will throw an error if the channelId or from properties are not set in the activity.
    */
   public async getUserToken (context: TurnContext): Promise<TokenResponse> {
     await this.initializeTokenClient(context)
-    logger.info('Get token from user token service')
     const activity = context.activity
-    if (activity.channelId && activity.from && activity.from.id) {
-      return await this.userTokenClient.getUserToken(this.absOauthConnectionName, activity.channelId, activity.from.id)
-    } else {
+
+    if (!activity.channelId || !activity.from || !activity.from.id) {
       throw new Error('UserTokenService requires channelId and from to be set')
     }
+
+    const cacheKey = this.getCacheKey(context)
+
+    const cachedEntry = this.tokenCache.get(cacheKey)
+    if (cachedEntry && Date.now() < cachedEntry.expiresAt) {
+      logger.info(`Returning cached token for user with cache key: ${cacheKey}`)
+      return cachedEntry.token
+    }
+
+    logger.info('Get token from user token service')
+    const tokenResponse = await this.userTokenClient.getUserToken(this.absOauthConnectionName, activity.channelId, activity.from.id)
+
+    // Cache the token if it's valid (has a token value)
+    if (tokenResponse && tokenResponse.token) {
+      const cacheExpiry = Date.now() + (10 * 60 * 1000) // 10 minutes from now
+      this.tokenCache.set(cacheKey, {
+        token: tokenResponse,
+        expiresAt: cacheExpiry
+      })
+      logger.info('Token cached for 10 minutes')
+    }
+
+    return tokenResponse
   }
 
   /**
    * Begins the OAuth flow.
    * @param context The turn context.
-   * @returns A promise that resolves to the user token.
+   * @returns A promise that resolves to the user token if available, or undefined if OAuth flow needs to be started.
    */
-  public async beginFlow (context: TurnContext): Promise<TokenResponse> {
-    this.state = await this.getUserState(context)
+  public async beginFlow (context: TurnContext): Promise<TokenResponse | undefined> {
+    this.state = await this.getFlowState(context)
     if (this.absOauthConnectionName === '') {
       throw new Error('connectionName is not set')
     }
     logger.info('Starting OAuth flow for connectionName:', this.absOauthConnectionName)
     await this.initializeTokenClient(context)
 
-    const tokenResponse = await this.userTokenClient.getUserToken(this.absOauthConnectionName, context.activity.channelId!, context.activity.from?.id!)
-    if (tokenResponse?.status === TokenRequestStatus.Success) {
-      this.state.flowStarted = false
-      this.state.flowExpires = 0
-      await this.flowStateAccessor.set(context, this.state)
-      logger.info('User token retrieved successfully from service')
-      return tokenResponse
+    const act = context.activity
+
+    // Check cache first before starting OAuth flow
+    if (act.channelId && act.from && act.from.id) {
+      const cacheKey = this.getCacheKey(context)
+      const cachedEntry = this.tokenCache.get(cacheKey)
+      if (cachedEntry && Date.now() < cachedEntry.expiresAt) {
+        logger.info(`Returning cached token for user in beginFlow with cache key: ${cacheKey}`)
+        return cachedEntry.token
+      }
     }
 
-    const authConfig = context.adapter.authConfig
-    const signingResource = await this.userTokenClient.getSignInResource(authConfig.clientId!, this.absOauthConnectionName, context.activity.getConversationReference(), context.activity.relatesTo)
-    const oCard: Attachment = CardFactory.oauthCard(this.absOauthConnectionName, this.cardTitle, this.cardText, signingResource)
-    await context.sendActivity(MessageFactory.attachment(oCard))
-    this.state.flowStarted = true
-    this.state.flowExpires = Date.now() + 30000
-    await this.flowStateAccessor.set(context, this.state)
-    logger.info('OAuth begin flow completed, waiting for user to sign in')
-    return {
-      token: undefined,
-      status: TokenRequestStatus.InProgress
+    const output = await this.userTokenClient.getTokenOrSignInResource(act.from?.id!, this.absOauthConnectionName, act.channelId!, act.getConversationReference(), act.relatesTo!, undefined!)
+    if (output && output.tokenResponse) {
+      // Cache the token if it's valid
+      if (act.channelId && act.from && act.from.id) {
+        const cacheKey = this.getCacheKey(context)
+        const cacheExpiry = Date.now() + (10 * 60 * 1000) // 10 minutes from now
+        this.tokenCache.set(cacheKey, {
+          token: output.tokenResponse,
+          expiresAt: cacheExpiry
+        })
+        logger.info('Token cached for 10 minutes in beginFlow')
+        this.state = { flowStarted: false, flowExpires: 0, absOauthConnectionName: this.absOauthConnectionName }
+      }
+      logger.info('Token retrieved successfully')
+      return output.tokenResponse
     }
+    const oCard: Attachment = CardFactory.oauthCard(this.absOauthConnectionName, this.cardTitle, this.cardText, output.signInResource)
+    await context.sendActivity(MessageFactory.attachment(oCard))
+    this.state = { flowStarted: true, flowExpires: Date.now() + 60 * 5 * 1000, absOauthConnectionName: this.absOauthConnectionName }
+    await this.storage.write({ [this.getFlowStateKey(context)]: this.state })
+    logger.info('OAuth card sent, flow started')
+    return undefined
   }
 
   /**
    * Continues the OAuth flow.
    * @param context The turn context.
-   * @returns A promise that resolves to the user token.
+   * @returns A promise that resolves to the user token response.
    */
   public async continueFlow (context: TurnContext): Promise<TokenResponse> {
-    this.state = await this.getUserState(context)
+    this.state = await this.getFlowState(context)
     await this.initializeTokenClient(context)
-    if (this.state?.flowExpires !== 0 && Date.now() > this.state!.flowExpires) {
+    if (this.state?.flowExpires !== 0 && Date.now() > this.state?.flowExpires!) {
       logger.warn('Flow expired')
-      this.state!.flowStarted = false
       await context.sendActivity(MessageFactory.text('Sign-in session expired. Please try again.'))
-      return { status: TokenRequestStatus.Expired, token: undefined }
+      this.state!.flowStarted = false
+      return { token: undefined }
     }
     const contFlowActivity = context.activity
     if (contFlowActivity.type === ActivityTypes.Message) {
       const magicCode = contFlowActivity.text as string
-      const result = await this.userTokenClient?.getUserToken(this.absOauthConnectionName, contFlowActivity.channelId!, contFlowActivity.from?.id!, magicCode)!
-      return result
+      if (magicCode.match(/^\d{6}$/)) {
+        const result = await this.userTokenClient?.getUserToken(this.absOauthConnectionName, contFlowActivity.channelId!, contFlowActivity.from?.id!, magicCode)!
+        if (result && result.token) {
+          // Cache the token if it's valid
+          if (contFlowActivity.channelId && contFlowActivity.from && contFlowActivity.from.id) {
+            const cacheKey = this.getCacheKey(context)
+            const cacheExpiry = Date.now() + (10 * 60 * 1000) // 10 minutes from now
+            this.tokenCache.set(cacheKey, {
+              token: result,
+              expiresAt: cacheExpiry
+            })
+            logger.info('Token cached for 10 minutes in continueFlow (magic code)')
+          }
+
+          await this.storage.delete([this.getFlowStateKey(context)])
+          logger.info('Token retrieved successfully')
+          return result
+        } else {
+          // await context.sendActivity(MessageFactory.text('Invalid code. Please try again.'))
+          logger.warn('Invalid magic code provided')
+          this.state = { flowStarted: true, flowExpires: Date.now() + 30000, absOauthConnectionName: this.absOauthConnectionName }
+          await this.storage.write({ [this.getFlowStateKey(context)]: this.state })
+          return { token: undefined }
+        }
+      } else {
+        logger.warn('Invalid magic code format')
+        await context.sendActivity(MessageFactory.text('Invalid code format. Please enter a 6-digit code.'))
+        return { token: undefined }
+      }
     }
 
     if (contFlowActivity.type === ActivityTypes.Invoke && contFlowActivity.name === 'signin/verifyState') {
@@ -154,6 +234,16 @@ export class OAuthFlow {
       const tokenVerifyState = contFlowActivity.value as TokenVerifyState
       const magicCode = tokenVerifyState.state
       const result = await this.userTokenClient?.getUserToken(this.absOauthConnectionName, contFlowActivity.channelId!, contFlowActivity.from?.id!, magicCode)!
+      // Cache the token if it's valid
+      if (result && result.token && contFlowActivity.channelId && contFlowActivity.from && contFlowActivity.from.id) {
+        const cacheKey = this.getCacheKey(context)
+        const cacheExpiry = Date.now() + (10 * 60 * 1000) // 10 minutes from now
+        this.tokenCache.set(cacheKey, {
+          token: result,
+          expiresAt: cacheExpiry
+        })
+        logger.info('Token cached for 10 minutes in continueFlow (verifyState)')
+      }
       return result
     }
 
@@ -161,22 +251,34 @@ export class OAuthFlow {
       logger.info('Continuing OAuth flow with tokenExchange')
       const tokenExchangeRequest = contFlowActivity.value as TokenExchangeRequest
       if (this.tokenExchangeId === tokenExchangeRequest.id) { // dedupe
-        return { status: TokenRequestStatus.InProgress, token: undefined }
+        logger.debug('Token exchange request already processed, skipping')
+        return { token: undefined }
       }
       this.tokenExchangeId = tokenExchangeRequest.id!
       const userTokenResp = await this.userTokenClient?.exchangeTokenAsync(contFlowActivity.from?.id!, this.absOauthConnectionName, contFlowActivity.channelId!, tokenExchangeRequest)
-      if (userTokenResp?.status === TokenRequestStatus.Success) {
+      if (userTokenResp && userTokenResp.token) {
+        // Cache the token if it's valid
+        if (contFlowActivity.channelId && contFlowActivity.from && contFlowActivity.from.id) {
+          const cacheKey = this.getCacheKey(context)
+          const cacheExpiry = Date.now() + (10 * 60 * 1000) // 10 minutes from now
+          this.tokenCache.set(cacheKey, {
+            token: userTokenResp,
+            expiresAt: cacheExpiry
+          })
+          logger.info('Token cached for 10 minutes in continueFlow (tokenExchange)')
+        }
+
         logger.info('Token exchanged')
         this.state!.flowStarted = false
-        await this.flowStateAccessor.set(context, this.state)
+        await this.storage.write({ [this.getFlowStateKey(context)]: this.state })
         return userTokenResp
       } else {
         logger.warn('Token exchange failed')
         this.state!.flowStarted = true
-        return { status: TokenRequestStatus.Failed, token: undefined }
+        return { token: undefined }
       }
     }
-    return { status: TokenRequestStatus.Failed, token: undefined }
+    return { token: undefined }
   }
 
   /**
@@ -185,32 +287,86 @@ export class OAuthFlow {
    * @returns A promise that resolves when the sign-out operation is complete.
    */
   public async signOut (context: TurnContext): Promise<void> {
-    this.state = await this.getUserState(context)
     await this.initializeTokenClient(context)
+
+    // Clear cached token for this user
+    const activity = context.activity
+    if (activity.channelId && activity.from && activity.from.id) {
+      const cacheKey = this.getCacheKey(context)
+      this.tokenCache.delete(cacheKey)
+      logger.info('Cached token cleared for user')
+    }
+
     await this.userTokenClient?.signOut(context.activity.from?.id as string, this.absOauthConnectionName, context.activity.channelId as string)
-    this.state!.flowExpires = 0
-    await this.flowStateAccessor.set(context, this.state)
-    logger.info('User signed out successfully')
+    this.state = { flowStarted: false, flowExpires: 0, absOauthConnectionName: this.absOauthConnectionName }
+    await this.storage.delete([this.getFlowStateKey(context)])
+    logger.info('User signed out successfully from connection:', this.absOauthConnectionName)
   }
 
   /**
-   * Gets the user state.
+   * Gets the user state for the OAuth flow.
    * @param context The turn context.
-   * @returns A promise that resolves to the user state.
+   * @returns A promise that resolves to the flow state.
    */
-  private async getUserState (context: TurnContext) {
-    let userProfile: FlowState | null = await this.flowStateAccessor.get(context, null)
-    if (userProfile === null) {
-      userProfile = new FlowState()
-    }
-    return userProfile
+  public async getFlowState (context: TurnContext) : Promise<FlowState> {
+    const key = this.getFlowStateKey(context)
+    const data = await this.storage.read([key])
+    const flowState: FlowState = data[key] // ?? { flowStarted: false, flowExpires: 0 }
+    return flowState
+  }
+
+  /**
+   * Sets the flow state for the OAuth flow.
+   * @param context The turn context.
+   * @param flowState The flow state to set.
+   * @returns A promise that resolves when the flow state is set.
+   */
+  public async setFlowState (context: TurnContext, flowState: FlowState) : Promise<void> {
+    const key = this.getFlowStateKey(context)
+    await this.storage.write({ [key]: flowState })
+    this.state = flowState
+    logger.info('Flow state set:', flowState)
   }
 
+  /**
+   * Initializes the user token client if not already initialized.
+   * @param context The turn context used to get authentication credentials.
+   */
   private async initializeTokenClient (context: TurnContext) {
     if (this.userTokenClient === undefined || this.userTokenClient === null) {
       const scope = 'https://api.botframework.com'
       const accessToken = await context.adapter.authProvider.getAccessToken(context.adapter.authConfig, scope)
-      this.userTokenClient = new UserTokenClient(accessToken)
+      this.userTokenClient = new UserTokenClient(accessToken, context.adapter.authConfig.clientId!)
+    }
+  }
+
+  /**
+   * Generates a cache key for storing user tokens.
+   * @param context The turn context containing activity information.
+   * @returns The cache key string in format: channelId_userId_connectionName.
+   * @throws Will throw an error if required activity properties are missing.
+   */
+  private getCacheKey (context: TurnContext): string {
+    const activity = context.activity
+    if (!activity.channelId || !activity.from || !activity.from.id) {
+      throw new Error('ChannelId and from.id must be set in the activity for cache key generation')
+    }
+    return `${activity.channelId}_${activity.from.id}_${this.absOauthConnectionName}`
+  }
+
+  /**
+   * Generates a storage key for persisting OAuth flow state.
+   * @param context The turn context containing activity information.
+   * @returns The storage key string in format: oauth/channelId/conversationId/userId/flowState.
+   * @throws Will throw an error if required activity properties are missing.
+   */
+  private getFlowStateKey (context: TurnContext): string {
+    const channelId = context.activity.channelId
+    const conversationId = context.activity.conversation?.id
+    const userId = context.activity.from?.id
+    if (!channelId || !conversationId || !userId) {
+      throw new Error('ChannelId, conversationId, and userId must be set in the activity')
     }
+    return `oauth/${channelId}/${userId}/${this.absOauthConnectionName}/flowState`
   }
 }

package/src/oauth/userTokenClient.ts

@@ -2,12 +2,10 @@
 // Licensed under the MIT License.
 
 import axios, { AxiosInstance } from 'axios'
-import { SigningResource } from './signingResource'
 import { ConversationReference } from '@microsoft/agents-activity'
 import { debug } from '../logger'
-import { TokenExchangeRequest } from './tokenExchangeRequest'
 import { normalizeTokenExchangeState } from '../activityWireCompat'
-import { TokenRequestStatus, TokenResponse } from './tokenResponse'
+import { AadResourceUrls, SignInResource, TokenExchangeRequest, TokenOrSinginResourceResponse, TokenResponse, TokenStatus } from './userTokenClient.types'
 import { getProductInfo } from '../getProductInfo'
 
 const logger = debug('agents:user-token-client')
@@ -17,12 +15,14 @@ const logger = debug('agents:user-token-client')
  */
 export class UserTokenClient {
   client: AxiosInstance
-
+  msAppId: string
   /**
    * Creates a new instance of UserTokenClient.
    * @param token The token to use for authentication.
+   * @param msAppId The Microsoft application ID.
    */
-  constructor (token: string) {
+  constructor (token: string, appId: string) {
+    this.msAppId = appId
     const baseURL = 'https://api.botframework.com'
     const axiosInstance = axios.create({
       baseURL,
@@ -47,15 +47,12 @@ export class UserTokenClient {
     try {
       const params = { connectionName, channelId, userId, code }
       const response = await this.client.get('/api/usertoken/GetToken', { params })
-      return { ...response.data, status: TokenRequestStatus.Success }
+      return response.data as TokenResponse
     } catch (error: any) {
       if (error.response?.status !== 404) {
         logger.error(error)
       }
-      return {
-        status: TokenRequestStatus.Failed,
-        token: undefined
-      }
+      return { token: undefined }
     }
   }
 
@@ -81,24 +78,24 @@ export class UserTokenClient {
 
   /**
    * Gets the sign-in resource.
-   * @param appId The application ID.
-   * @param cnxName The connection name.
+   * @param msAppId The application ID.
+   * @param connectionName The connection name.
    * @param activity The activity.
    * @returns A promise that resolves to the signing resource.
    */
-  async getSignInResource (appId: string, cnxName: string, conversationReference: ConversationReference, relatesTo?: ConversationReference) : Promise<SigningResource> {
+  async getSignInResource (msAppId: string, connectionName: string, conversation: ConversationReference, relatesTo?: ConversationReference) : Promise<SignInResource> {
     try {
       const tokenExchangeState = {
-        connectionName: cnxName,
-        conversation: conversationReference,
+        connectionName,
+        conversation,
         relatesTo,
-        msAppId: appId
+        msAppId
       }
       const tokenExchangeStateNormalized = normalizeTokenExchangeState(tokenExchangeState)
       const state = Buffer.from(JSON.stringify(tokenExchangeStateNormalized)).toString('base64')
       const params = { state }
       const response = await this.client.get('/api/botsignin/GetSignInResource', { params })
-      return response.data as SigningResource
+      return response.data as SignInResource
     } catch (error: any) {
       logger.error(error)
       throw error
@@ -117,10 +114,56 @@ export class UserTokenClient {
     try {
       const params = { userId, connectionName, channelId }
       const response = await this.client.post('/api/usertoken/exchange', tokenExchangeRequest, { params })
-      return { ...response.data, status: TokenRequestStatus.Success }
+      return response.data as TokenResponse
     } catch (error: any) {
       logger.error(error)
-      return { status: TokenRequestStatus.Failed, token: undefined }
+      return { token: undefined }
     }
   }
+
+  /**
+   * Gets the token or sign-in resource.
+   * @param userId The user ID.
+   * @param connectionName The connection name.
+   * @param channelId The channel ID.
+   * @param conversation The conversation reference.
+   * @param relatesTo The related conversation reference.
+   * @param code The code.
+   * @param finalRedirect The final redirect URL.
+   * @param fwdUrl The forward URL.
+   * @returns A promise that resolves to the token or sign-in resource response.
+   */
+  async getTokenOrSignInResource (userId: string, connectionName: string, channelId: string, conversation: ConversationReference, relatesTo: ConversationReference, code: string, finalRedirect: string = '', fwdUrl: string = '') : Promise<TokenOrSinginResourceResponse> {
+    const state = Buffer.from(JSON.stringify({ conversation, relatesTo, connectionName, msAppId: this.msAppId })).toString('base64')
+    const params = { userId, connectionName, channelId, state, code, finalRedirect, fwdUrl }
+    const response = await this.client.get('/api/usertoken/GetTokenOrSignInResource', { params })
+    return response.data as TokenOrSinginResourceResponse
+  }
+
+  /**
+   * Gets the token status.
+   * @param userId The user ID.
+   * @param channelId The channel ID.
+   * @param include The optional include parameter.
+   * @returns A promise that resolves to the token status.
+   */
+  async getTokenStatus (userId: string, channelId: string, include: string = null!): Promise<TokenStatus[]> {
+    const params = { userId, channelId, include }
+    const response = await this.client.get('/api/usertoken/GetTokenStatus', { params })
+    return response.data as TokenStatus[]
+  }
+
+  /**
+   * Gets the AAD tokens.
+   * @param userId The user ID.
+   * @param connectionName The connection name.
+   * @param channelId The channel ID.
+   * @param resourceUrls The resource URLs.
+   * @returns A promise that resolves to the AAD tokens.
+   */
+  async getAadTokens (userId: string, connectionName: string, channelId: string, resourceUrls: AadResourceUrls) : Promise<Record<string, TokenResponse>> {
+    const params = { userId, connectionName, channelId }
+    const response = await this.client.post('/api/usertoken/GetAadTokens', resourceUrls, { params })
+    return response.data as Record<string, TokenResponse>
+  }
 }