microsoft-agents-authentication-msal 0.4.0.dev7__py3-none-any.whl → 0.4.0.dev14__py3-none-any.whl

microsoft_agents/authentication/msal/msal_auth.py

@@ -1,6 +1,7 @@
 from __future__ import annotations
 
 import logging
+import jwt
 from typing import Optional
 from urllib.parse import urlparse, ParseResult as URI
 from msal import (
@@ -23,6 +24,18 @@ from microsoft_agents.hosting.core import (
 logger = logging.getLogger(__name__)
 
 
+# this is deferred because jwt.decode is expensive and we don't want to do it unless we
+# have logging.DEBUG enabled
+class _DeferredLogOfBlueprintId:
+    def __init__(self, jwt_token: str):
+        self.jwt_token = jwt_token
+
+    def __str__(self):
+        payload = jwt.decode(self.jwt_token, options={"verify_signature": False})
+        agentic_blueprint_id = payload.get("xms_par_app_azp")
+        return f"Agentic blueprint id: {agentic_blueprint_id}"
+
+
 class MsalAuth(AccessTokenProviderBase):
 
     _client_credential_cache = None
@@ -56,11 +69,16 @@ class MsalAuth(AccessTokenProviderBase):
             auth_result_payload = msal_auth_client.acquire_token_for_client(
                 scopes=local_scopes
             )
+        else:
+            auth_result_payload = None
 
-        # TODO: Handling token error / acquisition failed
-        return auth_result_payload["access_token"]
+        res = auth_result_payload.get("access_token") if auth_result_payload else None
+        if not res:
+            logger.error("Failed to acquire token for resource %s", auth_result_payload)
+            raise ValueError(f"Failed to acquire token. {str(auth_result_payload)}")
+        return res
 
-    async def aquire_token_on_behalf_of(
+    async def acquire_token_on_behalf_of(
         self, scopes: list[str], user_assertion: str
     ) -> str:
         """
@@ -186,3 +204,189 @@ class MsalAuth(AccessTokenProviderBase):
             temp_list.append(scope_placeholder)
         logger.debug(f"Resolved scopes: {temp_list}")
         return temp_list
+
+    # the call to MSAL is blocking, but in the future we want to create an asyncio task
+    # to avoid this
+    async def get_agentic_application_token(
+        self, agent_app_instance_id: str
+    ) -> Optional[str]:
+        """Gets the agentic application token for the given agent application instance ID.
+
+        :param agent_app_instance_id: The agent application instance ID.
+        :type agent_app_instance_id: str
+        :return: The agentic application token, or None if not found.
+        :rtype: Optional[str]
+        """
+
+        if not agent_app_instance_id:
+            raise ValueError("Agent application instance Id must be provided.")
+
+        logger.info(
+            "Attempting to get agentic application token from agent_app_instance_id %s",
+            agent_app_instance_id,
+        )
+        msal_auth_client = self._create_client_application()
+
+        if isinstance(msal_auth_client, ConfidentialClientApplication):
+
+            # https://github.dev/AzureAD/microsoft-authentication-library-for-dotnet
+            auth_result_payload = msal_auth_client.acquire_token_for_client(
+                ["api://AzureAdTokenExchange/.default"],
+                data={"fmi_path": agent_app_instance_id},
+            )
+
+            if auth_result_payload:
+                return auth_result_payload.get("access_token")
+
+        return None
+
+    async def get_agentic_instance_token(
+        self, agent_app_instance_id: str
+    ) -> tuple[str, str]:
+        """Gets the agentic instance token for the given agent application instance ID.
+
+        :param agent_app_instance_id: The agent application instance ID.
+        :type agent_app_instance_id: str
+        :return: A tuple containing the agentic instance token and the agent application token.
+        :rtype: tuple[str, str]
+        """
+
+        if not agent_app_instance_id:
+            raise ValueError("Agent application instance Id must be provided.")
+
+        logger.info(
+            "Attempting to get agentic instance token from agent_app_instance_id %s",
+            agent_app_instance_id,
+        )
+        agent_token_result = await self.get_agentic_application_token(
+            agent_app_instance_id
+        )
+
+        if not agent_token_result:
+            logger.error(
+                "Failed to acquire agentic instance token or agent token for agent_app_instance_id %s",
+                agent_app_instance_id,
+            )
+            raise Exception(
+                f"Failed to acquire agentic instance token or agent token for agent_app_instance_id {agent_app_instance_id}"
+            )
+
+        authority = (
+            f"https://login.microsoftonline.com/{self._msal_configuration.TENANT_ID}"
+        )
+
+        instance_app = ConfidentialClientApplication(
+            client_id=agent_app_instance_id,
+            authority=authority,
+            client_credential={"client_assertion": agent_token_result},
+        )
+
+        agentic_instance_token = instance_app.acquire_token_for_client(
+            ["api://AzureAdTokenExchange/.default"]
+        )
+
+        if not agentic_instance_token:
+            logger.error(
+                "Failed to acquire agentic instance token or agent token for agent_app_instance_id %s",
+                agent_app_instance_id,
+            )
+            raise Exception(
+                f"Failed to acquire agentic instance token or agent token for agent_app_instance_id {agent_app_instance_id}"
+            )
+
+        # future scenario where we don't know the blueprint id upfront
+
+        token = agentic_instance_token.get("access_token")
+        if not token:
+            logger.error(
+                "Failed to acquire agentic instance token, %s", agentic_instance_token
+            )
+            raise ValueError(f"Failed to acquire token. {str(agentic_instance_token)}")
+
+        logger.debug(_DeferredLogOfBlueprintId(token))
+
+        return agentic_instance_token["access_token"], agent_token_result
+
+    async def get_agentic_user_token(
+        self, agent_app_instance_id: str, upn: str, scopes: list[str]
+    ) -> Optional[str]:
+        """Gets the agentic user token for the given agent application instance ID and user principal name and the scopes.
+
+        :param agent_app_instance_id: The agent application instance ID.
+        :type agent_app_instance_id: str
+        :param upn: The user principal name.
+        :type upn: str
+        :param scopes: The scopes to request for the token.
+        :type scopes: list[str]
+        :return: The agentic user token, or None if not found.
+        :rtype: Optional[str]
+        """
+        if not agent_app_instance_id or not upn:
+            raise ValueError(
+                "Agent application instance Id and user principal name must be provided."
+            )
+
+        logger.info(
+            "Attempting to get agentic user token from agent_app_instance_id %s and upn %s",
+            agent_app_instance_id,
+            upn,
+        )
+        instance_token, agent_token = await self.get_agentic_instance_token(
+            agent_app_instance_id
+        )
+
+        if not instance_token or not agent_token:
+            logger.error(
+                "Failed to acquire instance token or agent token for agent_app_instance_id %s and upn %s",
+                agent_app_instance_id,
+                upn,
+            )
+            raise Exception(
+                f"Failed to acquire instance token or agent token for agent_app_instance_id {agent_app_instance_id} and upn {upn}"
+            )
+
+        authority = (
+            f"https://login.microsoftonline.com/{self._msal_configuration.TENANT_ID}"
+        )
+
+        instance_app = ConfidentialClientApplication(
+            client_id=agent_app_instance_id,
+            authority=authority,
+            client_credential={"client_assertion": agent_token},
+        )
+
+        logger.info(
+            "Acquiring agentic user token for agent_app_instance_id %s and upn %s",
+            agent_app_instance_id,
+            upn,
+        )
+        auth_result_payload = instance_app.acquire_token_for_client(
+            scopes,
+            data={
+                "username": upn,
+                "user_federated_identity_credential": instance_token,
+                "grant_type": "user_fic",
+            },
+        )
+
+        if not auth_result_payload:
+            logger.error(
+                "Failed to acquire agentic user token for agent_app_instance_id %s and upn %s, %s",
+                agent_app_instance_id,
+                upn,
+                auth_result_payload,
+            )
+            return None
+
+        access_token = auth_result_payload.get("access_token")
+        if not access_token:
+            logger.error(
+                "Failed to acquire agentic user token for agent_app_instance_id %s and upn %s, %s",
+                agent_app_instance_id,
+                upn,
+                auth_result_payload,
+            )
+            return None
+
+        logger.info("Acquired agentic user token response.")
+        return access_token

microsoft_agents/authentication/msal/msal_connection_manager.py

@@ -1,3 +1,4 @@
+import re
 from typing import Dict, List, Optional
 from microsoft_agents.hosting.core import (
     AgentAuthConfiguration,
@@ -10,15 +11,28 @@ from .msal_auth import MsalAuth
 
 
 class MsalConnectionManager(Connections):
+    _connections: Dict[str, MsalAuth]
+    _connections_map: List[Dict[str, str]]
+    _service_connection_configuration: AgentAuthConfiguration
 
     def __init__(
         self,
-        connections_configurations: Dict[str, AgentAuthConfiguration] = None,
-        connections_map: List[Dict[str, str]] = None,
-        **kwargs
+        connections_configurations: Optional[Dict[str, AgentAuthConfiguration]] = None,
+        connections_map: Optional[List[Dict[str, str]]] = None,
+        **kwargs,
     ):
+        """
+        Initialize the MSAL connection manager.
+
+        :arg connections_configurations: A dictionary of connection configurations.
+        :type connections_configurations: Dict[str, AgentAuthConfiguration]
+        :arg connections_map: A list of connection mappings.
+        :type connections_map: List[Dict[str, str]]
+        :raises ValueError: If no service connection configuration is provided.
+        """
+
         self._connections: Dict[str, MsalAuth] = {}
-        self._connections_map = connections_map or kwargs.get("CONNECTIONS_MAP", {})
+        self._connections_map = connections_map or kwargs.get("CONNECTIONSMAP", {})
         self._service_connection_configuration: AgentAuthConfiguration = None
 
         if connections_configurations:
@@ -45,13 +59,20 @@ class MsalConnectionManager(Connections):
     def get_connection(self, connection_name: Optional[str]) -> AccessTokenProviderBase:
         """
         Get the OAuth connection for the agent.
+
+        :arg connection_name: The name of the connection.
+        :type connection_name: str
+        :return: The OAuth connection for the agent.
+        :rtype: AccessTokenProviderBase
         """
+        # should never be None
         return self._connections.get(connection_name, None)
 
     def get_default_connection(self) -> AccessTokenProviderBase:
         """
         Get the default OAuth connection for the agent.
         """
+        # should never be None
         return self._connections.get("SERVICE_CONNECTION", None)
 
     def get_token_provider(
@@ -59,11 +80,49 @@ class MsalConnectionManager(Connections):
     ) -> AccessTokenProviderBase:
         """
         Get the OAuth token provider for the agent.
+
+        :arg claims_identity: The claims identity of the bot.
+        :type claims_identity: ClaimsIdentity
+        :arg service_url: The service URL of the bot.
+        :type service_url: str
+        :return: The OAuth token provider for the agent.
+        :rtype: AccessTokenProviderBase
+        :raises ValueError: If no connection is found for the given audience and service URL.
         """
+        if not claims_identity or not service_url:
+            raise ValueError(
+                "Claims identity and Service URL are required to get the token provider."
+            )
+
         if not self._connections_map:
             return self.get_default_connection()
 
-        # TODO: Implement logic to select the appropriate connection based on the connection map
+        aud = claims_identity.get_app_id() or ""
+        for item in self._connections_map:
+            audience_match = True
+            item_aud = item.get("AUDIENCE", "")
+            if item_aud:
+                audience_match = item_aud.lower() == aud.lower()
+
+            if audience_match:
+                item_service_url = item.get("SERVICEURL", "")
+                if item_service_url == "*" or item_service_url == "":
+                    connection_name = item.get("CONNECTION")
+                    connection = self.get_connection(connection_name)
+                    if connection:
+                        return connection
+
+                else:
+                    res = re.match(item_service_url, service_url, re.IGNORECASE)
+                    if res:
+                        connection_name = item.get("CONNECTION")
+                        connection = self.get_connection(connection_name)
+                        if connection:
+                            return connection
+
+        raise ValueError(
+            f"No connection found for audience '{aud}' and serviceUrl '{service_url}'."
+        )
 
     def get_default_connection_configuration(self) -> AgentAuthConfiguration:
         """

{microsoft_agents_authentication_msal-0.4.0.dev7.dist-info → microsoft_agents_authentication_msal-0.4.0.dev14.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: microsoft-agents-authentication-msal
-Version: 0.4.0.dev7
+Version: 0.4.0.dev14
 Summary: A msal-based authentication library for Microsoft Agents
 Author: Microsoft Corporation
 Project-URL: Homepage, https://github.com/microsoft/Agents
@@ -8,7 +8,7 @@ Classifier: Programming Language :: Python :: 3
 Classifier: License :: OSI Approved :: MIT License
 Classifier: Operating System :: OS Independent
 Requires-Python: >=3.9
-Requires-Dist: microsoft-agents-hosting-core==0.4.0.dev7
+Requires-Dist: microsoft-agents-hosting-core==0.4.0.dev14
 Requires-Dist: msal>=1.31.1
 Requires-Dist: requests>=2.32.3
 Requires-Dist: cryptography>=44.0.0

microsoft_agents_authentication_msal-0.4.0.dev14.dist-info/RECORD

@@ -0,0 +1,7 @@
+microsoft_agents/authentication/msal/__init__.py,sha256=hjPpakL4zyqeCTEBOUCcHaRnSpG80q-L0csG5HMalYI,151
+microsoft_agents/authentication/msal/msal_auth.py,sha256=ThWUDRkAbUN5QSCiYdBnAvTFJ2idGJ9bHRse7xLCTrI,15242
+microsoft_agents/authentication/msal/msal_connection_manager.py,sha256=yuVdhaSs0SoplX_TFxnC1C85j-OT8k7ZrnG5v8CcfvM,5163
+microsoft_agents_authentication_msal-0.4.0.dev14.dist-info/METADATA,sha256=waZl-fvRdqKky14xtne8_8DRMhXL2IJHJeBt9vBwmIw,587
+microsoft_agents_authentication_msal-0.4.0.dev14.dist-info/WHEEL,sha256=_zCd3N1l69ArxyTb8rzEoP9TpbYXkqRFSNOD5OuxnTs,91
+microsoft_agents_authentication_msal-0.4.0.dev14.dist-info/top_level.txt,sha256=lWKcT4v6fTA_NgsuHdNvuMjSrkiBMXohn64ApY7Xi8A,17
+microsoft_agents_authentication_msal-0.4.0.dev14.dist-info/RECORD,,

microsoft_agents_authentication_msal-0.4.0.dev7.dist-info/RECORD

@@ -1,7 +0,0 @@
-microsoft_agents/authentication/msal/__init__.py,sha256=hjPpakL4zyqeCTEBOUCcHaRnSpG80q-L0csG5HMalYI,151
-microsoft_agents/authentication/msal/msal_auth.py,sha256=FNqMr7cFELTbYnboXjqBRRU2uKitS1VYx-NWv0afK6o,7518
-microsoft_agents/authentication/msal/msal_connection_manager.py,sha256=XBgtG-9WhVXfkKKvGEAaVZjGwuqWGDKJPr-dFHOCfC0,2723
-microsoft_agents_authentication_msal-0.4.0.dev7.dist-info/METADATA,sha256=LSe4k-CD7g_KMERX2lK0J8VnGpDhdVFjnDuEwPA3PJg,585
-microsoft_agents_authentication_msal-0.4.0.dev7.dist-info/WHEEL,sha256=_zCd3N1l69ArxyTb8rzEoP9TpbYXkqRFSNOD5OuxnTs,91
-microsoft_agents_authentication_msal-0.4.0.dev7.dist-info/top_level.txt,sha256=lWKcT4v6fTA_NgsuHdNvuMjSrkiBMXohn64ApY7Xi8A,17
-microsoft_agents_authentication_msal-0.4.0.dev7.dist-info/RECORD,,