@microsoft/agents-hosting 1.5.0-beta.6.ga236d9a19c → 1.5.1

package/src/auth/msalConnectionManager.ts

@@ -4,11 +4,14 @@
  */
 
 import { Activity, RoleTypes } from '@microsoft/agents-activity'
+import { debug } from '@microsoft/agents-telemetry'
 import { AuthConfiguration, resolveAuthority } from './authConfiguration'
 import { Connections } from './connections'
 import { MsalTokenProvider } from './msalTokenProvider'
 import { JwtPayload } from 'jsonwebtoken'
 
+const logger = debug('agents:authorization:connections')
+
 export interface ConnectionMapItem {
   audience?: string
   serviceUrl: string
@@ -38,6 +41,22 @@ export class MsalConnectionManager implements Connections {
         this._serviceConnectionConfiguration = config
       }
     }
+
+    for (const [name, provider] of this._connections.entries()) {
+      const cfg = provider.connectionSettings
+      const authType = cfg?.certPemFile
+        ? 'certificate'
+        : cfg?.clientSecret
+          ? 'clientSecret'
+          : cfg?.WIDAssertionFile || cfg?.FICClientId
+            ? 'workloadIdentity'
+            : 'none'
+      logger.debug('connection "%s" clientId=%s tenantId=%s authType=%s', name, cfg?.clientId ?? '<none>', cfg?.tenantId ?? '<none>', authType)
+    }
+
+    for (const item of this._connectionsMap) {
+      logger.debug('connectionsMap: %s -> %s audience=%s', item.serviceUrl, item.connection, item.audience ?? '')
+    }
   }
 
   /**
@@ -107,6 +126,7 @@ export class MsalConnectionManager implements Connections {
     if (!audience || !serviceUrl) throw new Error('Audience and Service URL are required to get the token provider.')
 
     if (this._connectionsMap.length === 0) {
+      logger.debug('no connectionsMap, using default connection for serviceUrl=%s', serviceUrl)
       return this.getDefaultConnection()
     }
 
@@ -120,11 +140,13 @@ export class MsalConnectionManager implements Connections {
 
       if (audienceMatch) {
         if (item.serviceUrl === '*' || !item.serviceUrl) {
+          logger.debug('connection "%s" matched (wildcard/no serviceUrl) for audience=%s', item.connection, audience)
           return this.getConnection(item.connection)
         }
 
         const regex = new RegExp(item.serviceUrl, 'i')
         if (regex.test(serviceUrl)) {
+          logger.debug('connection "%s" matched serviceUrl=%s for audience=%s', item.connection, serviceUrl, audience)
           return this.getConnection(item.connection)
         }
       }

package/src/auth/msalTokenCredential.ts

@@ -1,5 +1,8 @@
 import { GetTokenOptions, TokenCredential } from '@azure/core-auth'
 import { AuthConfiguration, MsalTokenProvider } from './'
+import { debug } from '@microsoft/agents-telemetry'
+
+const logger = debug('agents:msal')
 
 /**
  * Token credential implementation that uses MSAL (Microsoft Authentication Library) to acquire access tokens.
@@ -19,6 +22,7 @@ export class MsalTokenCredential implements TokenCredential {
    * @returns Promise that resolves to an access token with expiration timestamp.
    */
   public async getToken (scopes: string[], options?: GetTokenOptions) {
+    logger.debug('getToken scopes=%o', scopes)
     const scope = scopes[0].substring(0, scopes[0].lastIndexOf('/'))
     const token = await new MsalTokenProvider().getAccessToken(this.authConfig, scope)
     return {

package/src/auth/msalTokenProvider.ts

@@ -7,13 +7,14 @@ import { ConfidentialClientApplication, LogLevel, ManagedIdentityApplication, No
 import axios from 'axios'
 import { AuthConfiguration, resolveAuthority as resolveAuthorityUtil } from './authConfiguration'
 import { AuthProvider } from './authProvider'
-import { debug } from '@microsoft/agents-activity/logger'
+import { debug, trace } from '@microsoft/agents-telemetry'
 import { v4 } from 'uuid'
 import { MemoryCache } from './MemoryCache'
 import jwt from 'jsonwebtoken'
 
 import fs from 'fs'
 import crypto from 'crypto'
+import { AuthenticationTraceDefinitions } from '../observability'
 
 const audience = 'api://AzureADTokenExchange'
 const logger = debug('agents:msal')
@@ -43,121 +44,146 @@ export class MsalTokenProvider implements AuthProvider {
    * @returns A promise that resolves to the access token.
    */
   public async getAccessToken (authConfig: AuthConfiguration, scope: string): Promise<string>
-
   public async getAccessToken (authConfigOrScope: AuthConfiguration | string, scope?: string): Promise<string> {
-    let authConfig: AuthConfiguration
-    let actualScope: string
+    return trace(AuthenticationTraceDefinitions.getAccessToken, async ({ record }) => {
+      let authConfig: AuthConfiguration
+      let actualScope: string
+
+      if (typeof authConfigOrScope === 'string') {
+      // Called as getAccessToken(scope)
+        if (!this.connectionSettings) {
+          throw new Error('Connection settings must be provided to constructor when calling getAccessToken(scope)')
+        }
+        authConfig = this.connectionSettings
+        actualScope = authConfigOrScope
+      } else {
+      // Called as getAccessToken(authConfig, scope)
+        authConfig = authConfigOrScope
+        actualScope = scope as string
+      }
 
-    if (typeof authConfigOrScope === 'string') {
-    // Called as getAccessToken(scope)
-      if (!this.connectionSettings) {
-        throw new Error('Connection settings must be provided to constructor when calling getAccessToken(scope)')
+      record({ scope: actualScope })
+
+      if (!authConfig.clientId && process.env.NODE_ENV !== 'production') {
+        record({ method: 'unknown' })
+        return ''
       }
-      authConfig = this.connectionSettings
-      actualScope = authConfigOrScope
-    } else {
-    // Called as getAccessToken(authConfig, scope)
-      authConfig = authConfigOrScope
-      actualScope = scope as string
-    }
 
-    if (!authConfig.clientId && process.env.NODE_ENV !== 'production') {
-      return ''
-    }
-    let token
-    if (authConfig.WIDAssertionFile !== undefined) {
-      token = await this.acquireAccessTokenViaWID(authConfig, actualScope)
-    } else if (authConfig.FICClientId !== undefined) {
-      token = await this.acquireAccessTokenViaFIC(authConfig, actualScope)
-    } else if (authConfig.clientSecret !== undefined) {
-      token = await this.acquireAccessTokenViaSecret(authConfig, actualScope)
-    } else if (authConfig.certPemFile !== undefined &&
-      authConfig.certKeyFile !== undefined) {
-      token = await this.acquireTokenWithCertificate(authConfig, actualScope)
-    } else if (authConfig.clientSecret === undefined &&
-      authConfig.certPemFile === undefined &&
-      authConfig.certKeyFile === undefined) {
-      token = await this.acquireTokenWithUserAssignedIdentity(authConfig, actualScope)
-    } else {
-      throw new Error('Invalid authConfig. ')
-    }
-    if (token === undefined) {
-      throw new Error('Failed to acquire token')
-    }
+      let token
+      if (authConfig.WIDAssertionFile !== undefined) {
+        record({ method: 'wid' })
+        logger.debug('getAccessToken via WID clientId=%s scope=%s', authConfig.clientId, actualScope)
+        token = await this.acquireAccessTokenViaWID(authConfig, actualScope)
+      } else if (authConfig.FICClientId !== undefined) {
+        record({ method: 'fic' })
+        logger.debug('getAccessToken via FIC clientId=%s scope=%s', authConfig.clientId, actualScope)
+        token = await this.acquireAccessTokenViaFIC(authConfig, actualScope)
+      } else if (authConfig.clientSecret !== undefined) {
+        record({ method: 'secret' })
+        logger.debug('getAccessToken via secret clientId=%s scope=%s', authConfig.clientId, actualScope)
+        token = await this.acquireAccessTokenViaSecret(authConfig, actualScope)
+      } else if (authConfig.certPemFile !== undefined &&
+          authConfig.certKeyFile !== undefined) {
+        record({ method: 'certificate' })
+        logger.debug('getAccessToken via certificate clientId=%s scope=%s', authConfig.clientId, actualScope)
+        token = await this.acquireTokenWithCertificate(authConfig, actualScope)
+      } else if (authConfig.clientSecret === undefined &&
+          authConfig.certPemFile === undefined &&
+          authConfig.certKeyFile === undefined) {
+        record({ method: 'managed_identity' })
+        logger.debug('getAccessToken via managed identity clientId=%s scope=%s', authConfig.clientId, actualScope)
+        token = await this.acquireTokenWithUserAssignedIdentity(authConfig, actualScope)
+      } else {
+        throw new Error('Invalid authConfig. ')
+      }
+      if (token === undefined) {
+        throw new Error('Failed to acquire token')
+      }
 
-    return token
+      return token
+    })
   }
 
   public async acquireTokenOnBehalfOf (scopes: string[], oboAssertion: string): Promise<string>
   public async acquireTokenOnBehalfOf (authConfig: AuthConfiguration, scopes: string[], oboAssertion: string): Promise<string>
-
   public async acquireTokenOnBehalfOf (
     authConfigOrScopes: AuthConfiguration | string[],
     scopesOrOboAssertion?: string[] | string,
     oboAssertion?: string
   ): Promise<string> {
-    let authConfig: AuthConfiguration
-    let actualScopes: string[]
-    let actualOboAssertion: string
+    return trace(AuthenticationTraceDefinitions.acquireTokenOnBehalfOf, async ({ record }) => {
+      let authConfig: AuthConfiguration
+      let actualScopes: string[]
+      let actualOboAssertion: string
+
+      if (Array.isArray(authConfigOrScopes)) {
+      // Called as acquireTokenOnBehalfOf(scopes, oboAssertion)
+        if (!this.connectionSettings) {
+          throw new Error('Connection settings must be provided to constructor when calling acquireTokenOnBehalfOf(scopes, oboAssertion)')
+        }
+        authConfig = this.connectionSettings
+        actualScopes = authConfigOrScopes
+        actualOboAssertion = scopesOrOboAssertion as string
+      } else {
+      // Called as acquireTokenOnBehalfOf(authConfig, scopes, oboAssertion)
+        authConfig = authConfigOrScopes
+        actualScopes = scopesOrOboAssertion as string[]
+        actualOboAssertion = oboAssertion!
+      }
 
-    if (Array.isArray(authConfigOrScopes)) {
-    // Called as acquireTokenOnBehalfOf(scopes, oboAssertion)
-      if (!this.connectionSettings) {
-        throw new Error('Connection settings must be provided to constructor when calling acquireTokenOnBehalfOf(scopes, oboAssertion)')
+      record({ scopes: actualScopes })
+      logger.debug('acquireTokenOnBehalfOf clientId=%s scopes=%o', authConfig.clientId, actualScopes)
+
+      const cca = new ConfidentialClientApplication({
+        auth: {
+          clientId: authConfig.clientId as string,
+          authority: `${authConfig.authority}/${authConfig.tenantId || 'botframework.com'}`,
+          clientSecret: authConfig.clientSecret
+        },
+        system: this.sysOptions
+      })
+      const token = await cca.acquireTokenOnBehalfOf({
+        oboAssertion: actualOboAssertion,
+        scopes: actualScopes
+      })
+      if (!token?.accessToken) {
+        throw new Error('Failed to acquire token on behalf of user')
       }
-      authConfig = this.connectionSettings
-      actualScopes = authConfigOrScopes
-      actualOboAssertion = scopesOrOboAssertion as string
-    } else {
-    // Called as acquireTokenOnBehalfOf(authConfig, scopes, oboAssertion)
-      authConfig = authConfigOrScopes
-      actualScopes = scopesOrOboAssertion as string[]
-      actualOboAssertion = oboAssertion!
-    }
 
-    const cca = new ConfidentialClientApplication({
-      auth: {
-        clientId: authConfig.clientId as string,
-        authority: `${authConfig.authority}/${authConfig.tenantId || 'botframework.com'}`,
-        clientSecret: authConfig.clientSecret
-      },
-      system: this.sysOptions
-    })
-    const token = await cca.acquireTokenOnBehalfOf({
-      oboAssertion: actualOboAssertion,
-      scopes: actualScopes
+      return token.accessToken
     })
-    if (!token?.accessToken) {
-      throw new Error('Failed to acquire token on behalf of user')
-    }
-    return token.accessToken
   }
 
   public async getAgenticInstanceToken (tenantId: string, agentAppInstanceId: string): Promise<string> {
-    logger.debug('Getting agentic instance token')
-    if (!this.connectionSettings) {
-      throw new Error('Connection settings must be provided when calling getAgenticInstanceToken')
-    }
-    const appToken = await this.getAgenticApplicationToken(tenantId, agentAppInstanceId)
-    const cca = new ConfidentialClientApplication({
-      auth: {
-        clientId: agentAppInstanceId,
-        clientAssertion: appToken,
-        authority: this.resolveAuthority(tenantId),
-      },
-      system: this.sysOptions
-    })
+    return trace(AuthenticationTraceDefinitions.getAgenticInstanceToken, async ({ record }) => {
+      logger.debug('getAgenticInstanceToken tenantId=%s agentAppInstanceId=%s', tenantId, agentAppInstanceId)
+      record({ agenticInstanceId: agentAppInstanceId })
 
-    const token = await cca.acquireTokenByClientCredential({
-      scopes: ['api://AzureAdTokenExchange/.default'],
-      correlationId: v4()
-    })
+      if (!this.connectionSettings) {
+        throw new Error('Connection settings must be provided when calling getAgenticInstanceToken')
+      }
 
-    if (!token?.accessToken) {
-      throw new Error(`Failed to acquire instance token for agent instance: ${agentAppInstanceId}`)
-    }
+      const appToken = await this.getAgenticApplicationToken(tenantId, agentAppInstanceId)
+      const cca = new ConfidentialClientApplication({
+        auth: {
+          clientId: agentAppInstanceId,
+          clientAssertion: appToken,
+          authority: this.resolveAuthority(tenantId),
+        },
+        system: this.sysOptions
+      })
+
+      const token = await cca.acquireTokenByClientCredential({
+        scopes: ['api://AzureAdTokenExchange/.default'],
+        correlationId: v4()
+      })
+
+      if (!token?.accessToken) {
+        throw new Error(`Failed to acquire instance token for agent instance: ${agentAppInstanceId}`)
+      }
 
-    return token.accessToken
+      return token.accessToken
+    })
   }
 
   /**
@@ -205,6 +231,7 @@ export class MsalTokenProvider implements AuthProvider {
       throw new Error('Connection settings must be provided when calling getAgenticInstanceToken')
     }
 
+    logger.debug('acquireTokenForAgenticScenarios clientId=%s tenantId=%s scopes=%o grant_type=%s', clientId, tenantId, scopes, tokenBodyParameters.grant_type)
     // Check cache first
     const cacheKey = `${clientId}/${Object.keys(tokenBodyParameters).map(key => key !== 'user_federated_identity_credential' ? `${key}=${tokenBodyParameters[key]}` : '').join('&')}/${scopes.join(';')}`
     if (this._agenticTokenCache.get(cacheKey)) {
@@ -249,28 +276,32 @@ export class MsalTokenProvider implements AuthProvider {
   }
 
   public async getAgenticUserToken (tenantId: string, agentAppInstanceId: string, agenticUserId: string, scopes: string[]): Promise<string> {
-    logger.debug('Getting agentic user token')
-    const agentToken = await this.getAgenticApplicationToken(tenantId, agentAppInstanceId)
-    const instanceToken = await this.getAgenticInstanceToken(tenantId, agentAppInstanceId)
-
-    const token = await this.acquireTokenForAgenticScenarios(tenantId, agentAppInstanceId, agentToken, scopes, {
-      user_id: agenticUserId,
-      user_federated_identity_credential: instanceToken,
-      grant_type: 'user_fic',
-    })
+    return trace(AuthenticationTraceDefinitions.getAgenticUserToken, async ({ record }) => {
+      logger.debug('getAgenticUserToken tenantId=%s agentAppInstanceId=%s scopes=%o', tenantId, agentAppInstanceId, scopes)
+      record({ agenticInstanceId: agentAppInstanceId, agenticUserId, scopes })
 
-    if (!token) {
-      throw new Error(`Failed to acquire instance token for user token: ${agentAppInstanceId}`)
-    }
+      const agentToken = await this.getAgenticApplicationToken(tenantId, agentAppInstanceId)
+      const instanceToken = await this.getAgenticInstanceToken(tenantId, agentAppInstanceId)
 
-    return token
+      const token = await this.acquireTokenForAgenticScenarios(tenantId, agentAppInstanceId, agentToken, scopes, {
+        user_id: agenticUserId,
+        user_federated_identity_credential: instanceToken,
+        grant_type: 'user_fic',
+      })
+
+      if (!token) {
+        throw new Error(`Failed to acquire instance token for user token: ${agentAppInstanceId}`)
+      }
+
+      return token
+    })
   }
 
   public async getAgenticApplicationToken (tenantId: string, agentAppInstanceId: string): Promise<string> {
     if (!this.connectionSettings?.clientId) {
       throw new Error('Connection settings must be provided when calling getAgenticApplicationToken')
     }
-    logger.debug('Getting agentic application token')
+    logger.debug('getAgenticApplicationToken clientId=%s tenantId=%s agentAppInstanceId=%s', this.connectionSettings.clientId, tenantId, agentAppInstanceId)
 
     let clientAssertion
 
@@ -496,7 +527,7 @@ export class MsalTokenProvider implements AuthProvider {
       system: this.sysOptions
     })
     const token = await cca.acquireTokenByClientCredential({ scopes })
-    logger.info('got token using WID client assertion')
+    logger.debug('got token using WID client assertion')
     if (!token?.accessToken) {
       throw new Error('Failed to acquire token using WID client assertion')
     }

package/src/baseAdapter.ts

@@ -5,7 +5,7 @@
 
 import { Middleware, MiddlewareHandler, MiddlewareSet } from './middlewareSet'
 import { TurnContext } from './turnContext'
-import { debug } from '@microsoft/agents-activity/logger'
+import { debug } from '@microsoft/agents-telemetry'
 import { Activity, ConversationReference } from '@microsoft/agents-activity'
 import { ResourceResponse } from './connector-client/resourceResponse'
 import { AttachmentData } from './connector-client/attachmentData'