microsoft-agents-authentication-msal 0.3.2__tar.gz → 0.4.0__tar.gz

{microsoft_agents_authentication_msal-0.3.2 → microsoft_agents_authentication_msal-0.4.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: microsoft-agents-authentication-msal
-Version: 0.3.2
+Version: 0.4.0
 Summary: A msal-based authentication library for Microsoft Agents
 Author: Microsoft Corporation
 Project-URL: Homepage, https://github.com/microsoft/Agents
@@ -8,7 +8,7 @@ Classifier: Programming Language :: Python :: 3
 Classifier: License :: OSI Approved :: MIT License
 Classifier: Operating System :: OS Independent
 Requires-Python: >=3.9
-Requires-Dist: microsoft-agents-hosting-core==0.3.2
+Requires-Dist: microsoft-agents-hosting-core==0.4.0
 Requires-Dist: msal>=1.31.1
 Requires-Dist: requests>=2.32.3
 Requires-Dist: cryptography>=44.0.0

microsoft_agents_authentication_msal-0.4.0/microsoft_agents/authentication/msal/msal_auth.py

@@ -0,0 +1,395 @@
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License.
+
+from __future__ import annotations
+
+import logging
+import jwt
+from typing import Optional
+from urllib.parse import urlparse, ParseResult as URI
+from msal import (
+    ConfidentialClientApplication,
+    ManagedIdentityClient,
+    UserAssignedManagedIdentity,
+    SystemAssignedManagedIdentity,
+)
+from requests import Session
+from cryptography.x509 import load_pem_x509_certificate
+from cryptography.hazmat.backends import default_backend
+from cryptography.hazmat.primitives import hashes
+
+from microsoft_agents.hosting.core import (
+    AuthTypes,
+    AccessTokenProviderBase,
+    AgentAuthConfiguration,
+)
+
+logger = logging.getLogger(__name__)
+
+
+# this is deferred because jwt.decode is expensive and we don't want to do it unless we
+# have logging.DEBUG enabled
+class _DeferredLogOfBlueprintId:
+    def __init__(self, jwt_token: str):
+        self.jwt_token = jwt_token
+
+    def __str__(self):
+        payload = jwt.decode(self.jwt_token, options={"verify_signature": False})
+        agentic_blueprint_id = payload.get("xms_par_app_azp")
+        return f"Agentic blueprint id: {agentic_blueprint_id}"
+
+
+class MsalAuth(AccessTokenProviderBase):
+
+    _client_credential_cache = None
+
+    def __init__(self, msal_configuration: AgentAuthConfiguration):
+        self._msal_configuration = msal_configuration
+        logger.debug(
+            f"Initializing MsalAuth with configuration: {self._msal_configuration}"
+        )
+
+    async def get_access_token(
+        self, resource_url: str, scopes: list[str], force_refresh: bool = False
+    ) -> str:
+        logger.debug(
+            f"Requesting access token for resource: {resource_url}, scopes: {scopes}"
+        )
+        valid_uri, instance_uri = self._uri_validator(resource_url)
+        if not valid_uri:
+            raise ValueError("Invalid instance URL")
+
+        local_scopes = self._resolve_scopes_list(instance_uri, scopes)
+        msal_auth_client = self._create_client_application()
+
+        if isinstance(msal_auth_client, ManagedIdentityClient):
+            logger.info("Acquiring token using Managed Identity Client.")
+            auth_result_payload = msal_auth_client.acquire_token_for_client(
+                resource=resource_url
+            )
+        elif isinstance(msal_auth_client, ConfidentialClientApplication):
+            logger.info("Acquiring token using Confidential Client Application.")
+            auth_result_payload = msal_auth_client.acquire_token_for_client(
+                scopes=local_scopes
+            )
+        else:
+            auth_result_payload = None
+
+        res = auth_result_payload.get("access_token") if auth_result_payload else None
+        if not res:
+            logger.error("Failed to acquire token for resource %s", auth_result_payload)
+            raise ValueError(f"Failed to acquire token. {str(auth_result_payload)}")
+        return res
+
+    async def acquire_token_on_behalf_of(
+        self, scopes: list[str], user_assertion: str
+    ) -> str:
+        """
+        Acquire a token on behalf of a user.
+        :param scopes: The scopes for which to get the token.
+        :param user_assertion: The user assertion token.
+        :return: The access token as a string.
+        """
+
+        msal_auth_client = self._create_client_application()
+        if isinstance(msal_auth_client, ManagedIdentityClient):
+            logger.error(
+                "Attempted on-behalf-of flow with Managed Identity authentication."
+            )
+            raise NotImplementedError(
+                "On-behalf-of flow is not supported with Managed Identity authentication."
+            )
+        elif isinstance(msal_auth_client, ConfidentialClientApplication):
+            # TODO: Handling token error / acquisition failed
+
+            token = msal_auth_client.acquire_token_on_behalf_of(
+                user_assertion=user_assertion, scopes=scopes
+            )
+
+            if "access_token" not in token:
+                logger.error(
+                    f"Failed to acquire token on behalf of user: {user_assertion}"
+                )
+                raise ValueError(f"Failed to acquire token. {str(token)}")
+
+            return token["access_token"]
+
+        logger.error(
+            f"On-behalf-of flow is not supported with the current authentication type: {msal_auth_client.__class__.__name__}"
+        )
+        raise NotImplementedError(
+            f"On-behalf-of flow is not supported with the current authentication type: {msal_auth_client.__class__.__name__}"
+        )
+
+    def _create_client_application(
+        self,
+    ) -> ManagedIdentityClient | ConfidentialClientApplication:
+        msal_auth_client = None
+
+        if self._msal_configuration.AUTH_TYPE == AuthTypes.user_managed_identity:
+            msal_auth_client = ManagedIdentityClient(
+                UserAssignedManagedIdentity(
+                    client_id=self._msal_configuration.CLIENT_ID
+                ),
+                http_client=Session(),
+            )
+
+        elif self._msal_configuration.AUTH_TYPE == AuthTypes.system_managed_identity:
+            msal_auth_client = ManagedIdentityClient(
+                SystemAssignedManagedIdentity(),
+                http_client=Session(),
+            )
+        else:
+            authority_path = self._msal_configuration.TENANT_ID or "botframework.com"
+            authority = f"https://login.microsoftonline.com/{authority_path}"
+
+            if self._client_credential_cache:
+                logger.info("Using cached client credentials for MSAL authentication.")
+                pass
+            elif self._msal_configuration.AUTH_TYPE == AuthTypes.client_secret:
+                self._client_credential_cache = self._msal_configuration.CLIENT_SECRET
+            elif self._msal_configuration.AUTH_TYPE == AuthTypes.certificate:
+                with open(self._msal_configuration.CERT_KEY_FILE) as file:
+                    logger.info(
+                        "Loading certificate private key for MSAL authentication."
+                    )
+                    private_key = file.read()
+
+                with open(self._msal_configuration.CERT_PEM_FILE) as file:
+                    logger.info("Loading public certificate for MSAL authentication.")
+                    public_certificate = file.read()
+
+                # Create an X509 object and calculate the thumbprint
+                logger.info("Calculating thumbprint for the public certificate.")
+                cert = load_pem_x509_certificate(
+                    data=bytes(public_certificate, "UTF-8"), backend=default_backend()
+                )
+                thumbprint = cert.fingerprint(hashes.SHA1()).hex()
+
+                self._client_credential_cache = {
+                    "thumbprint": thumbprint,
+                    "private_key": private_key,
+                }
+            else:
+                logger.error(
+                    f"Unsupported authentication type: {self._msal_configuration.AUTH_TYPE}"
+                )
+                raise NotImplementedError("Authentication type not supported")
+
+            msal_auth_client = ConfidentialClientApplication(
+                client_id=self._msal_configuration.CLIENT_ID,
+                authority=authority,
+                client_credential=self._client_credential_cache,
+            )
+
+        return msal_auth_client
+
+    @staticmethod
+    def _uri_validator(url_str: str) -> tuple[bool, Optional[URI]]:
+        try:
+            result = urlparse(url_str)
+            return all([result.scheme, result.netloc]), result
+        except AttributeError:
+            logger.error(f"URI parsing error for {url_str}")
+            return False, None
+
+    def _resolve_scopes_list(self, instance_url: URI, scopes=None) -> list[str]:
+        if scopes:
+            return scopes
+
+        temp_list: list[str] = []
+        for scope in self._msal_configuration.SCOPES:
+            scope_placeholder = scope
+            if "{instance}" in scope_placeholder.lower():
+                scope_placeholder = scope_placeholder.replace(
+                    "{instance}", f"{instance_url.scheme}://{instance_url.hostname}"
+                )
+            temp_list.append(scope_placeholder)
+        logger.debug(f"Resolved scopes: {temp_list}")
+        return temp_list
+
+    # the call to MSAL is blocking, but in the future we want to create an asyncio task
+    # to avoid this
+    async def get_agentic_application_token(
+        self, agent_app_instance_id: str
+    ) -> Optional[str]:
+        """Gets the agentic application token for the given agent application instance ID.
+
+        :param agent_app_instance_id: The agent application instance ID.
+        :type agent_app_instance_id: str
+        :return: The agentic application token, or None if not found.
+        :rtype: Optional[str]
+        """
+
+        if not agent_app_instance_id:
+            raise ValueError("Agent application instance Id must be provided.")
+
+        logger.info(
+            "Attempting to get agentic application token from agent_app_instance_id %s",
+            agent_app_instance_id,
+        )
+        msal_auth_client = self._create_client_application()
+
+        if isinstance(msal_auth_client, ConfidentialClientApplication):
+
+            # https://github.dev/AzureAD/microsoft-authentication-library-for-dotnet
+            auth_result_payload = msal_auth_client.acquire_token_for_client(
+                ["api://AzureAdTokenExchange/.default"],
+                data={"fmi_path": agent_app_instance_id},
+            )
+
+            if auth_result_payload:
+                return auth_result_payload.get("access_token")
+
+        return None
+
+    async def get_agentic_instance_token(
+        self, agent_app_instance_id: str
+    ) -> tuple[str, str]:
+        """Gets the agentic instance token for the given agent application instance ID.
+
+        :param agent_app_instance_id: The agent application instance ID.
+        :type agent_app_instance_id: str
+        :return: A tuple containing the agentic instance token and the agent application token.
+        :rtype: tuple[str, str]
+        """
+
+        if not agent_app_instance_id:
+            raise ValueError("Agent application instance Id must be provided.")
+
+        logger.info(
+            "Attempting to get agentic instance token from agent_app_instance_id %s",
+            agent_app_instance_id,
+        )
+        agent_token_result = await self.get_agentic_application_token(
+            agent_app_instance_id
+        )
+
+        if not agent_token_result:
+            logger.error(
+                "Failed to acquire agentic instance token or agent token for agent_app_instance_id %s",
+                agent_app_instance_id,
+            )
+            raise Exception(
+                f"Failed to acquire agentic instance token or agent token for agent_app_instance_id {agent_app_instance_id}"
+            )
+
+        authority = (
+            f"https://login.microsoftonline.com/{self._msal_configuration.TENANT_ID}"
+        )
+
+        instance_app = ConfidentialClientApplication(
+            client_id=agent_app_instance_id,
+            authority=authority,
+            client_credential={"client_assertion": agent_token_result},
+        )
+
+        agentic_instance_token = instance_app.acquire_token_for_client(
+            ["api://AzureAdTokenExchange/.default"]
+        )
+
+        if not agentic_instance_token:
+            logger.error(
+                "Failed to acquire agentic instance token or agent token for agent_app_instance_id %s",
+                agent_app_instance_id,
+            )
+            raise Exception(
+                f"Failed to acquire agentic instance token or agent token for agent_app_instance_id {agent_app_instance_id}"
+            )
+
+        # future scenario where we don't know the blueprint id upfront
+
+        token = agentic_instance_token.get("access_token")
+        if not token:
+            logger.error(
+                "Failed to acquire agentic instance token, %s", agentic_instance_token
+            )
+            raise ValueError(f"Failed to acquire token. {str(agentic_instance_token)}")
+
+        logger.debug(_DeferredLogOfBlueprintId(token))
+
+        return agentic_instance_token["access_token"], agent_token_result
+
+    async def get_agentic_user_token(
+        self, agent_app_instance_id: str, upn: str, scopes: list[str]
+    ) -> Optional[str]:
+        """Gets the agentic user token for the given agent application instance ID and user principal name and the scopes.
+
+        :param agent_app_instance_id: The agent application instance ID.
+        :type agent_app_instance_id: str
+        :param upn: The user principal name.
+        :type upn: str
+        :param scopes: The scopes to request for the token.
+        :type scopes: list[str]
+        :return: The agentic user token, or None if not found.
+        :rtype: Optional[str]
+        """
+        if not agent_app_instance_id or not upn:
+            raise ValueError(
+                "Agent application instance Id and user principal name must be provided."
+            )
+
+        logger.info(
+            "Attempting to get agentic user token from agent_app_instance_id %s and upn %s",
+            agent_app_instance_id,
+            upn,
+        )
+        instance_token, agent_token = await self.get_agentic_instance_token(
+            agent_app_instance_id
+        )
+
+        if not instance_token or not agent_token:
+            logger.error(
+                "Failed to acquire instance token or agent token for agent_app_instance_id %s and upn %s",
+                agent_app_instance_id,
+                upn,
+            )
+            raise Exception(
+                f"Failed to acquire instance token or agent token for agent_app_instance_id {agent_app_instance_id} and upn {upn}"
+            )
+
+        authority = (
+            f"https://login.microsoftonline.com/{self._msal_configuration.TENANT_ID}"
+        )
+
+        instance_app = ConfidentialClientApplication(
+            client_id=agent_app_instance_id,
+            authority=authority,
+            client_credential={"client_assertion": agent_token},
+        )
+
+        logger.info(
+            "Acquiring agentic user token for agent_app_instance_id %s and upn %s",
+            agent_app_instance_id,
+            upn,
+        )
+        auth_result_payload = instance_app.acquire_token_for_client(
+            scopes,
+            data={
+                "username": upn,
+                "user_federated_identity_credential": instance_token,
+                "grant_type": "user_fic",
+            },
+        )
+
+        if not auth_result_payload:
+            logger.error(
+                "Failed to acquire agentic user token for agent_app_instance_id %s and upn %s, %s",
+                agent_app_instance_id,
+                upn,
+                auth_result_payload,
+            )
+            return None
+
+        access_token = auth_result_payload.get("access_token")
+        if not access_token:
+            logger.error(
+                "Failed to acquire agentic user token for agent_app_instance_id %s and upn %s, %s",
+                agent_app_instance_id,
+                upn,
+                auth_result_payload,
+            )
+            return None
+
+        logger.info("Acquired agentic user token response.")
+        return access_token

microsoft_agents_authentication_msal-0.4.0/microsoft_agents/authentication/msal/msal_connection_manager.py

@@ -0,0 +1,134 @@
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License.
+
+import re
+from typing import Dict, List, Optional
+from microsoft_agents.hosting.core import (
+    AgentAuthConfiguration,
+    AccessTokenProviderBase,
+    ClaimsIdentity,
+    Connections,
+)
+
+from .msal_auth import MsalAuth
+
+
+class MsalConnectionManager(Connections):
+    _connections: Dict[str, MsalAuth]
+    _connections_map: List[Dict[str, str]]
+    _service_connection_configuration: AgentAuthConfiguration
+
+    def __init__(
+        self,
+        connections_configurations: Optional[Dict[str, AgentAuthConfiguration]] = None,
+        connections_map: Optional[List[Dict[str, str]]] = None,
+        **kwargs,
+    ):
+        """
+        Initialize the MSAL connection manager.
+
+        :arg connections_configurations: A dictionary of connection configurations.
+        :type connections_configurations: Dict[str, AgentAuthConfiguration]
+        :arg connections_map: A list of connection mappings.
+        :type connections_map: List[Dict[str, str]]
+        :raises ValueError: If no service connection configuration is provided.
+        """
+
+        self._connections: Dict[str, MsalAuth] = {}
+        self._connections_map = connections_map or kwargs.get("CONNECTIONSMAP", {})
+        self._service_connection_configuration: AgentAuthConfiguration = None
+
+        if connections_configurations:
+            for (
+                connection_name,
+                connection_settings,
+            ) in connections_configurations.items():
+                self._connections[connection_name] = MsalAuth(
+                    AgentAuthConfiguration(**connection_settings)
+                )
+        else:
+            raw_configurations: Dict[str, Dict] = kwargs.get("CONNECTIONS", {})
+            for connection_name, connection_settings in raw_configurations.items():
+                parsed_configuration = AgentAuthConfiguration(
+                    **connection_settings.get("SETTINGS", {})
+                )
+                self._connections[connection_name] = MsalAuth(parsed_configuration)
+                if connection_name == "SERVICE_CONNECTION":
+                    self._service_connection_configuration = parsed_configuration
+
+        if not self._connections.get("SERVICE_CONNECTION", None):
+            raise ValueError("No service connection configuration provided.")
+
+    def get_connection(self, connection_name: Optional[str]) -> AccessTokenProviderBase:
+        """
+        Get the OAuth connection for the agent.
+
+        :arg connection_name: The name of the connection.
+        :type connection_name: str
+        :return: The OAuth connection for the agent.
+        :rtype: AccessTokenProviderBase
+        """
+        # should never be None
+        return self._connections.get(connection_name, None)
+
+    def get_default_connection(self) -> AccessTokenProviderBase:
+        """
+        Get the default OAuth connection for the agent.
+        """
+        # should never be None
+        return self._connections.get("SERVICE_CONNECTION", None)
+
+    def get_token_provider(
+        self, claims_identity: ClaimsIdentity, service_url: str
+    ) -> AccessTokenProviderBase:
+        """
+        Get the OAuth token provider for the agent.
+
+        :arg claims_identity: The claims identity of the bot.
+        :type claims_identity: ClaimsIdentity
+        :arg service_url: The service URL of the bot.
+        :type service_url: str
+        :return: The OAuth token provider for the agent.
+        :rtype: AccessTokenProviderBase
+        :raises ValueError: If no connection is found for the given audience and service URL.
+        """
+        if not claims_identity or not service_url:
+            raise ValueError(
+                "Claims identity and Service URL are required to get the token provider."
+            )
+
+        if not self._connections_map:
+            return self.get_default_connection()
+
+        aud = claims_identity.get_app_id() or ""
+        for item in self._connections_map:
+            audience_match = True
+            item_aud = item.get("AUDIENCE", "")
+            if item_aud:
+                audience_match = item_aud.lower() == aud.lower()
+
+            if audience_match:
+                item_service_url = item.get("SERVICEURL", "")
+                if item_service_url == "*" or item_service_url == "":
+                    connection_name = item.get("CONNECTION")
+                    connection = self.get_connection(connection_name)
+                    if connection:
+                        return connection
+
+                else:
+                    res = re.match(item_service_url, service_url, re.IGNORECASE)
+                    if res:
+                        connection_name = item.get("CONNECTION")
+                        connection = self.get_connection(connection_name)
+                        if connection:
+                            return connection
+
+        raise ValueError(
+            f"No connection found for audience '{aud}' and serviceUrl '{service_url}'."
+        )
+
+    def get_default_connection_configuration(self) -> AgentAuthConfiguration:
+        """
+        Get the default connection configuration for the agent.
+        """
+        return self._service_connection_configuration

{microsoft_agents_authentication_msal-0.3.2 → microsoft_agents_authentication_msal-0.4.0}/microsoft_agents_authentication_msal.egg-info/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: microsoft-agents-authentication-msal
-Version: 0.3.2
+Version: 0.4.0
 Summary: A msal-based authentication library for Microsoft Agents
 Author: Microsoft Corporation
 Project-URL: Homepage, https://github.com/microsoft/Agents
@@ -8,7 +8,7 @@ Classifier: Programming Language :: Python :: 3
 Classifier: License :: OSI Approved :: MIT License
 Classifier: Operating System :: OS Independent
 Requires-Python: >=3.9
-Requires-Dist: microsoft-agents-hosting-core==0.3.2
+Requires-Dist: microsoft-agents-hosting-core==0.4.0
 Requires-Dist: msal>=1.31.1
 Requires-Dist: requests>=2.32.3
 Requires-Dist: cryptography>=44.0.0

{microsoft_agents_authentication_msal-0.3.2 → microsoft_agents_authentication_msal-0.4.0}/microsoft_agents_authentication_msal.egg-info/SOURCES.txt

@@ -7,6 +7,4 @@ microsoft_agents_authentication_msal.egg-info/PKG-INFO
 microsoft_agents_authentication_msal.egg-info/SOURCES.txt
 microsoft_agents_authentication_msal.egg-info/dependency_links.txt
 microsoft_agents_authentication_msal.egg-info/requires.txt
-microsoft_agents_authentication_msal.egg-info/top_level.txt
-tests/test_msal_auth.py
-tests/test_msal_connection_manager.py
+microsoft_agents_authentication_msal.egg-info/top_level.txt

{microsoft_agents_authentication_msal-0.3.2 → microsoft_agents_authentication_msal-0.4.0}/microsoft_agents_authentication_msal.egg-info/requires.txt

@@ -1,4 +1,4 @@
-microsoft-agents-hosting-core==0.3.2
+microsoft-agents-hosting-core==0.4.0
 msal>=1.31.1
 requests>=2.32.3
 cryptography>=44.0.0

microsoft_agents_authentication_msal-0.3.2/microsoft_agents/authentication/msal/msal_auth.py

@@ -1,188 +0,0 @@
-from __future__ import annotations
-
-import logging
-from typing import Optional
-from urllib.parse import urlparse, ParseResult as URI
-from msal import (
-    ConfidentialClientApplication,
-    ManagedIdentityClient,
-    UserAssignedManagedIdentity,
-    SystemAssignedManagedIdentity,
-)
-from requests import Session
-from cryptography.x509 import load_pem_x509_certificate
-from cryptography.hazmat.backends import default_backend
-from cryptography.hazmat.primitives import hashes
-
-from microsoft_agents.hosting.core import (
-    AuthTypes,
-    AccessTokenProviderBase,
-    AgentAuthConfiguration,
-)
-
-logger = logging.getLogger(__name__)
-
-
-class MsalAuth(AccessTokenProviderBase):
-
-    _client_credential_cache = None
-
-    def __init__(self, msal_configuration: AgentAuthConfiguration):
-        self._msal_configuration = msal_configuration
-        logger.debug(
-            f"Initializing MsalAuth with configuration: {self._msal_configuration}"
-        )
-
-    async def get_access_token(
-        self, resource_url: str, scopes: list[str], force_refresh: bool = False
-    ) -> str:
-        logger.debug(
-            f"Requesting access token for resource: {resource_url}, scopes: {scopes}"
-        )
-        valid_uri, instance_uri = self._uri_validator(resource_url)
-        if not valid_uri:
-            raise ValueError("Invalid instance URL")
-
-        local_scopes = self._resolve_scopes_list(instance_uri, scopes)
-        msal_auth_client = self._create_client_application()
-
-        if isinstance(msal_auth_client, ManagedIdentityClient):
-            logger.info("Acquiring token using Managed Identity Client.")
-            auth_result_payload = msal_auth_client.acquire_token_for_client(
-                resource=resource_url
-            )
-        elif isinstance(msal_auth_client, ConfidentialClientApplication):
-            logger.info("Acquiring token using Confidential Client Application.")
-            auth_result_payload = msal_auth_client.acquire_token_for_client(
-                scopes=local_scopes
-            )
-
-        # TODO: Handling token error / acquisition failed
-        return auth_result_payload["access_token"]
-
-    async def aquire_token_on_behalf_of(
-        self, scopes: list[str], user_assertion: str
-    ) -> str:
-        """
-        Acquire a token on behalf of a user.
-        :param scopes: The scopes for which to get the token.
-        :param user_assertion: The user assertion token.
-        :return: The access token as a string.
-        """
-
-        msal_auth_client = self._create_client_application()
-        if isinstance(msal_auth_client, ManagedIdentityClient):
-            logger.error(
-                "Attempted on-behalf-of flow with Managed Identity authentication."
-            )
-            raise NotImplementedError(
-                "On-behalf-of flow is not supported with Managed Identity authentication."
-            )
-        elif isinstance(msal_auth_client, ConfidentialClientApplication):
-            # TODO: Handling token error / acquisition failed
-
-            token = msal_auth_client.acquire_token_on_behalf_of(
-                user_assertion=user_assertion, scopes=scopes
-            )
-
-            if "access_token" not in token:
-                logger.error(
-                    f"Failed to acquire token on behalf of user: {user_assertion}"
-                )
-                raise ValueError(f"Failed to acquire token. {str(token)}")
-
-            return token["access_token"]
-
-        logger.error(
-            f"On-behalf-of flow is not supported with the current authentication type: {msal_auth_client.__class__.__name__}"
-        )
-        raise NotImplementedError(
-            f"On-behalf-of flow is not supported with the current authentication type: {msal_auth_client.__class__.__name__}"
-        )
-
-    def _create_client_application(
-        self,
-    ) -> ManagedIdentityClient | ConfidentialClientApplication:
-        msal_auth_client = None
-
-        if self._msal_configuration.AUTH_TYPE == AuthTypes.user_managed_identity:
-            msal_auth_client = ManagedIdentityClient(
-                UserAssignedManagedIdentity(
-                    client_id=self._msal_configuration.CLIENT_ID
-                ),
-                http_client=Session(),
-            )
-
-        elif self._msal_configuration.AUTH_TYPE == AuthTypes.system_managed_identity:
-            msal_auth_client = ManagedIdentityClient(
-                SystemAssignedManagedIdentity(),
-                http_client=Session(),
-            )
-        else:
-            authority_path = self._msal_configuration.TENANT_ID or "botframework.com"
-            authority = f"https://login.microsoftonline.com/{authority_path}"
-
-            if self._client_credential_cache:
-                logger.info("Using cached client credentials for MSAL authentication.")
-                pass
-            elif self._msal_configuration.AUTH_TYPE == AuthTypes.client_secret:
-                self._client_credential_cache = self._msal_configuration.CLIENT_SECRET
-            elif self._msal_configuration.AUTH_TYPE == AuthTypes.certificate:
-                with open(self._msal_configuration.CERT_KEY_FILE) as file:
-                    logger.info(
-                        "Loading certificate private key for MSAL authentication."
-                    )
-                    private_key = file.read()
-
-                with open(self._msal_configuration.CERT_PEM_FILE) as file:
-                    logger.info("Loading public certificate for MSAL authentication.")
-                    public_certificate = file.read()
-
-                # Create an X509 object and calculate the thumbprint
-                logger.info("Calculating thumbprint for the public certificate.")
-                cert = load_pem_x509_certificate(
-                    data=bytes(public_certificate, "UTF-8"), backend=default_backend()
-                )
-                thumbprint = cert.fingerprint(hashes.SHA1()).hex()
-
-                self._client_credential_cache = {
-                    "thumbprint": thumbprint,
-                    "private_key": private_key,
-                }
-            else:
-                logger.error(
-                    f"Unsupported authentication type: {self._msal_configuration.AUTH_TYPE}"
-                )
-                raise NotImplementedError("Authentication type not supported")
-
-            msal_auth_client = ConfidentialClientApplication(
-                client_id=self._msal_configuration.CLIENT_ID,
-                authority=authority,
-                client_credential=self._client_credential_cache,
-            )
-
-        return msal_auth_client
-
-    @staticmethod
-    def _uri_validator(url_str: str) -> tuple[bool, Optional[URI]]:
-        try:
-            result = urlparse(url_str)
-            return all([result.scheme, result.netloc]), result
-        except AttributeError:
-            logger.error(f"URI parsing error for {url_str}")
-            return False, None
-
-    def _resolve_scopes_list(self, instance_url: URI, scopes=None) -> list[str]:
-        if scopes:
-            return scopes
-
-        temp_list: list[str] = []
-        for scope in self._msal_configuration.SCOPES:
-            scope_placeholder = scope
-            if "{instance}" in scope_placeholder.lower():
-                scope_placeholder = scope_placeholder.replace(
-                    "{instance}", f"{instance_url.scheme}://{instance_url.hostname}"
-                )
-            temp_list.append(scope_placeholder)
-        logger.debug(f"Resolved scopes: {temp_list}")
-        return temp_list

microsoft_agents_authentication_msal-0.3.2/microsoft_agents/authentication/msal/msal_connection_manager.py

@@ -1,72 +0,0 @@
-from typing import Dict, List, Optional
-from microsoft_agents.hosting.core import (
-    AgentAuthConfiguration,
-    AccessTokenProviderBase,
-    ClaimsIdentity,
-    Connections,
-)
-
-from .msal_auth import MsalAuth
-
-
-class MsalConnectionManager(Connections):
-
-    def __init__(
-        self,
-        connections_configurations: Dict[str, AgentAuthConfiguration] = None,
-        connections_map: List[Dict[str, str]] = None,
-        **kwargs
-    ):
-        self._connections: Dict[str, MsalAuth] = {}
-        self._connections_map = connections_map or kwargs.get("CONNECTIONS_MAP", {})
-        self._service_connection_configuration: AgentAuthConfiguration = None
-
-        if connections_configurations:
-            for (
-                connection_name,
-                connection_settings,
-            ) in connections_configurations.items():
-                self._connections[connection_name] = MsalAuth(
-                    AgentAuthConfiguration(**connection_settings)
-                )
-        else:
-            raw_configurations: Dict[str, Dict] = kwargs.get("CONNECTIONS", {})
-            for connection_name, connection_settings in raw_configurations.items():
-                parsed_configuration = AgentAuthConfiguration(
-                    **connection_settings.get("SETTINGS", {})
-                )
-                self._connections[connection_name] = MsalAuth(parsed_configuration)
-                if connection_name == "SERVICE_CONNECTION":
-                    self._service_connection_configuration = parsed_configuration
-
-        if not self._connections.get("SERVICE_CONNECTION", None):
-            raise ValueError("No service connection configuration provided.")
-
-    def get_connection(self, connection_name: Optional[str]) -> AccessTokenProviderBase:
-        """
-        Get the OAuth connection for the agent.
-        """
-        return self._connections.get(connection_name, None)
-
-    def get_default_connection(self) -> AccessTokenProviderBase:
-        """
-        Get the default OAuth connection for the agent.
-        """
-        return self._connections.get("SERVICE_CONNECTION", None)
-
-    def get_token_provider(
-        self, claims_identity: ClaimsIdentity, service_url: str
-    ) -> AccessTokenProviderBase:
-        """
-        Get the OAuth token provider for the agent.
-        """
-        if not self._connections_map:
-            return self.get_default_connection()
-
-        # TODO: Implement logic to select the appropriate connection based on the connection map
-
-    def get_default_connection_configuration(self) -> AgentAuthConfiguration:
-        """
-        Get the default connection configuration for the agent.
-        """
-        return self._service_connection_configuration

microsoft_agents_authentication_msal-0.3.2/tests/test_msal_auth.py

@@ -1,83 +0,0 @@
-import unittest
-from unittest.mock import Mock
-import pytest
-from msal import ManagedIdentityClient, ConfidentialClientApplication
-from microsoft_agents.authentication.msal import MsalAuth
-from microsoft_agents.hosting.core.authorization import AgentAuthConfiguration
-
-
-class TestingMsalAuth(MsalAuth):
-    """
-    Mock object for MsalAuth
-    """
-
-    def __init__(self, client_type):
-        super().__init__(AgentAuthConfiguration())
-        mock_client = Mock(spec=client_type)
-
-        mock_client.acquire_token_for_client = Mock(
-            return_value={"access_token": "token"}
-        )
-        mock_client.acquire_token_on_behalf_of = Mock(
-            return_value={"access_token": "token"}
-        )
-        self.mock_client = mock_client
-
-        self._create_client_application = Mock(return_value=self.mock_client)
-
-
-class TestMsalAuth:
-    """
-    Test suite for testing MsalAuth functionality
-    """
-
-    @pytest.mark.asyncio
-    async def test_get_access_token_managed_identity(self):
-        mock_auth = TestingMsalAuth(ManagedIdentityClient)
-        token = await mock_auth.get_access_token(
-            "https://test.api.botframework.com", scopes=["test-scope"]
-        )
-
-        assert token == "token"
-        mock_auth.mock_client.acquire_token_for_client.assert_called_with(
-            resource="https://test.api.botframework.com"
-        )
-
-    @pytest.mark.asyncio
-    async def test_get_access_token_confidential(self):
-        mock_auth = TestingMsalAuth(ConfidentialClientApplication)
-        token = await mock_auth.get_access_token(
-            "https://test.api.botframework.com", scopes=["test-scope"]
-        )
-
-        assert token == "token"
-        mock_auth.mock_client.acquire_token_for_client.assert_called_with(
-            scopes=["test-scope"]
-        )
-
-    @pytest.mark.asyncio
-    async def test_aquire_token_on_behalf_of_managed_identity(self):
-        mock_auth = TestingMsalAuth(ManagedIdentityClient)
-
-        try:
-            await mock_auth.aquire_token_on_behalf_of(
-                scopes=["test-scope"], user_assertion="test-assertion"
-            )
-        except NotImplementedError:
-            assert True
-        else:
-            assert False
-
-    @pytest.mark.asyncio
-    async def test_aquire_token_on_behalf_of_confidential(self):
-        mock_auth = TestingMsalAuth(ConfidentialClientApplication)
-        mock_auth._create_client_application = Mock(return_value=mock_auth.mock_client)
-
-        token = await mock_auth.aquire_token_on_behalf_of(
-            scopes=["test-scope"], user_assertion="test-assertion"
-        )
-
-        assert token == "token"
-        mock_auth.mock_client.acquire_token_on_behalf_of.assert_called_with(
-            scopes=["test-scope"], user_assertion="test-assertion"
-        )

microsoft_agents_authentication_msal-0.3.2/tests/test_msal_connection_manager.py

@@ -1,35 +0,0 @@
-from os import environ
-from microsoft_agents.activity import load_configuration_from_env
-from microsoft_agents.hosting.core import AuthTypes
-from microsoft_agents.authentication.msal import MsalConnectionManager
-
-
-class TestMsalConnectionManager:
-    """
-    Test suite for the Msal Connection Manager
-    """
-
-    def test_msal_connection_manager(self):
-        mock_environ = {
-            **environ,
-            "CONNECTIONS__SERVICE_CONNECTION__SETTINGS__TENANTID": "test-tenant-id-SERVICE_CONNECTION",
-            "CONNECTIONS__SERVICE_CONNECTION__SETTINGS__CLIENTID": "test-client-id-SERVICE_CONNECTION",
-            "CONNECTIONS__SERVICE_CONNECTION__SETTINGS__CLIENTSECRET": "test-client-secret-SERVICE_CONNECTION",
-            "CONNECTIONS__MCS__SETTINGS__TENANTID": "test-tenant-id-MCS",
-            "CONNECTIONS__MCS__SETTINGS__CLIENTID": "test-client-id-MCS",
-            "CONNECTIONS__MCS__SETTINGS__CLIENTSECRET": "test-client-secret-MCS",
-        }
-
-        config = load_configuration_from_env(mock_environ)
-        connection_manager = MsalConnectionManager(**config)
-        for key in connection_manager._connections:
-            auth = connection_manager.get_connection(key)._msal_configuration
-            assert auth.AUTH_TYPE == AuthTypes.client_secret
-            assert auth.CLIENT_ID == f"test-client-id-{key}"
-            assert auth.TENANT_ID == f"test-tenant-id-{key}"
-            assert auth.CLIENT_SECRET == f"test-client-secret-{key}"
-            assert auth.ISSUERS == [
-                "https://api.botframework.com",
-                f"https://sts.windows.net/test-tenant-id-{key}/",
-                f"https://login.microsoftonline.com/test-tenant-id-{key}/v2.0",
-            ]