Support for FederatedCredentials auth type #353
Merged
Apr 2, 2026
Contributor
Pull request overview
Adds support for a new federated-credentials authentication mode backed by Managed Identity in the MSAL-based auth provider, and extends the hosting-core auth configuration model to carry the additional client id needed for that flow.
Changes:
- Added federated_credentials to AuthTypes.
- Extended AgentAuthConfiguration with FEDERATED_CLIENT_ID (and updated typing to str | None unions).
- Updated MsalAuth._create_client_application to build a confidential client using a managed-identity-derived client assertion.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| tests/hosting_core/test_auth_configuration.py | Adds assertion that FEDERATED_CLIENT_ID defaults to None. |
| libraries/microsoft-agents-hosting-core/microsoft_agents/hosting/core/authorization/auth_types.py | Introduces the federated_credentials auth type enum value. |
| libraries/microsoft-agents-hosting-core/microsoft_agents/hosting/core/authorization/agent_auth_configuration.py | Adds FEDERATED_CLIENT_ID config field and updates type annotations. |
| libraries/microsoft-agents-authentication-msal/microsoft_agents/authentication/msal/msal_auth.py | Implements federated-credentials client creation via Managed Identity client assertion; removes unused credential cache. |
Contributor
Pull request overview
Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.
axelsrz
approved these changes
Apr 7, 2026
This pull request adds support for federated credentials authentication in the Microsoft Agents authentication system, updates the configuration model to handle the new authentication type, and cleans up related code. The most important changes are summarized below.
Federated Credentials Authentication Support
- federated_credentials authentication type to the AuthTypes enum, enabling the use of federated credentials for authentication.
- _create_client_application method in msal_auth.py to handle the new federated_credentials type by acquiring a client assertion using a managed identity client and passing it to MSAL.
Configuration Model Updates
- FEDERATED_CLIENT_ID field to AgentAuthConfiguration, updated its constructor to accept and initialize this new field, and ensured it is set to None by default when not provided.
- AgentAuthConfiguration to use str | None instead of Optional[str] for consistency and clarity.
Testing
- test_empty_settings test to verify that FEDERATED_CLIENT_ID is None when not set, ensuring coverage for the new configuration field.
Code Cleanup
- _client_credential_cache attribute from MsalAuth and refactored credential handling to use local variables, simplifying credential management logic.
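The flow the description summarizes (a managed identity token used as the client assertion for an MSAL confidential client), sketched as an added example that is not the code merged in this pull request. It assumes a user-assigned managed identity selected by FEDERATED_CLIENT_ID, the public-cloud token-exchange audience and authority host, and hypothetical function names; the `msal_module` parameter is a hypothetical seam so the wiring can be exercised without Azure.

```python
# Added illustration; not the project's implementation.
TOKEN_EXCHANGE_AUDIENCE = "api://AzureADTokenExchange"  # assumption: public cloud


def get_client_assertion(mi_client) -> str:
    """Ask the managed identity for a token usable as a client assertion."""
    result = mi_client.acquire_token_for_client(resource=TOKEN_EXCHANGE_AUDIENCE)
    if "access_token" not in result:
        # Fail closed: never fall back to a secret or certificate here.
        raise RuntimeError(
            f"managed identity token request failed: {result.get('error')}"
        )
    return result["access_token"]


def create_federated_app(client_id, tenant_id, federated_client_id, *,
                         msal_module=None, http_client=None):
    """Build a confidential client whose only credential is the assertion."""
    if not federated_client_id:
        raise ValueError("FEDERATED_CLIENT_ID is required for federated_credentials")
    if msal_module is None:      # real use: import MSAL lazily
        import msal as msal_module
    if http_client is None:      # ManagedIdentityClient needs an HTTP client
        import requests
        http_client = requests.Session()
    mi_client = msal_module.ManagedIdentityClient(
        msal_module.UserAssignedManagedIdentity(client_id=federated_client_id),
        http_client=http_client,
    )
    # No long-lived secret is stored; the assertion itself has a limited
    # lifetime, so the application must be rebuilt once it expires.
    return msal_module.ConfidentialClientApplication(
        client_id,
        authority=f"https://login.microsoftonline.com/{tenant_id}",
        client_credential={"client_assertion": get_client_assertion(mi_client)},
    )
```
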