Add get_token_scope method to ClaimsIdentity and update token handling in ChannelServiceAdapter and RestChannelServiceClientFactory

libraries/microsoft-agents-hosting-core/microsoft_agents/hosting/core/__init__.py

@@ -101,7 +101,6 @@
 # Error Resources
 from .errors import error_resources, ErrorMessage, ErrorResources
 
-
 # Define the package's public interface
 __all__ = [
     "ActivityHandler",

libraries/microsoft-agents-hosting-core/microsoft_agents/hosting/core/app/agent_application.py

@@ -120,11 +120,9 @@ def __init__(
                 "ApplicationOptions.storage is required and was not configured.",
                 stack_info=True,
             )
-            raise ApplicationError(
-                """
+            raise ApplicationError("""
                 The `ApplicationOptions.storage` property is required and was not configured.
-                """
-            )
+                """)
 
         if options.long_running_messages and (
             not options.adapter or not options.bot_app_id
@@ -133,12 +131,10 @@ def __init__(
                 "ApplicationOptions.long_running_messages requires an adapter and bot_app_id.",
                 stack_info=True,
             )
-            raise ApplicationError(
-                """
+            raise ApplicationError("""
                 The `ApplicationOptions.long_running_messages` property is unavailable because 
                 no adapter or `bot_app_id` was configured.
-                """
-            )
+                """)
 
         if options.adapter:
             self._adapter = options.adapter
@@ -180,12 +176,10 @@ def adapter(self) -> ChannelServiceAdapter:
                 "AgentApplication.adapter(): self._adapter is not configured.",
                 stack_info=True,
             )
-            raise ApplicationError(
-                """
+            raise ApplicationError("""
                 The AgentApplication.adapter property is unavailable because it was 
                 not configured when creating the AgentApplication.
-                """
-            )
+                """)
 
         return self._adapter
 
@@ -203,12 +197,10 @@ def auth(self) -> Authorization:
                 "AgentApplication.auth(): self._auth is not configured.",
                 stack_info=True,
             )
-            raise ApplicationError(
-                """
+            raise ApplicationError("""
                 The `AgentApplication.auth` property is unavailable because
                 no Auth options were configured.
-                """
-            )
+                """)
 
         return self._auth
 
@@ -592,12 +584,10 @@ async def sign_in_success(context: TurnContext, state: TurnState, connection_id:
                 f"Failed to register sign-in success handler for route handler {func.__name__}",
                 stack_info=True,
             )
-            raise ApplicationError(
-                """
+            raise ApplicationError("""
                 The `AgentApplication.on_sign_in_success` method is unavailable because
                 no Auth options were configured.
-                """
-            )
+                """)
         return func
 
     def on_sign_in_failure(
@@ -628,12 +618,10 @@ async def sign_in_failure(context: TurnContext, state: TurnState, connection_id:
                 f"Failed to register sign-in failure handler for route handler {func.__name__}",
                 stack_info=True,
             )
-            raise ApplicationError(
-                """
+            raise ApplicationError("""
                 The `AgentApplication.on_sign_in_failure` method is unavailable because
                 no Auth options were configured.
-                """
-            )
+                """)
         return func
 
     def error(

libraries/microsoft-agents-hosting-core/microsoft_agents/hosting/core/authorization/claims_identity.py

@@ -83,3 +83,17 @@ def get_token_audience(self) -> str:
             if self.is_agent_claim()
             else AuthenticationConstants.AGENTS_SDK_SCOPE
         )
+
+    def get_token_scope(self) -> list[str]:
+        """
+        Gets the token scope from current claims.
+
+        :return: The token scope.
+        """
+        return [
+            (
+                f"{self.get_outgoing_app_id()}/.default"
+                if self.is_agent_claim()
+                else AuthenticationConstants.AGENTS_SDK_SCOPE + "/.default"
+            )
+        ]

libraries/microsoft-agents-hosting-core/microsoft_agents/hosting/core/channel_service_adapter.py

@@ -381,16 +381,14 @@ async def process_activity(
             If the task completes successfully, then an :class:`microsoft_agents.activity.InvokeResponse` is returned;
             otherwise, `None` is returned.
         """
-        scopes: list[str] = None
+        scopes: list[str] = claims_identity.get_token_scope()
         outgoing_audience: str = None
 
         if claims_identity.is_agent_claim():
             outgoing_audience = claims_identity.get_token_audience()
-            scopes = [f"{claims_identity.get_outgoing_app_id()}/.default"]
             activity.caller_id = f"{CallerIdConstants.agent_to_agent_prefix}{claims_identity.get_outgoing_app_id()}"
         else:
             outgoing_audience = AuthenticationConstants.AGENTS_SDK_SCOPE
-            scopes = [f"{AuthenticationConstants.AGENTS_SDK_SCOPE}/.default"]
 
         use_anonymous_auth_callback = False
         if (

libraries/microsoft-agents-hosting-core/microsoft_agents/hosting/core/connector/client/connector_client.py

@@ -22,7 +22,6 @@
 from ..conversations_base import ConversationsBase
 from ..get_product_info import get_product_info
 
-
 logger = logging.getLogger(__name__)
 
 

libraries/microsoft-agents-hosting-core/microsoft_agents/hosting/core/connector/client/user_token_client.py

@@ -18,7 +18,6 @@
 from ..user_token_base import UserTokenBase
 from ..agent_sign_in_base import AgentSignInBase
 
-
 logger = logging.getLogger(__name__)
 
 

libraries/microsoft-agents-hosting-core/microsoft_agents/hosting/core/rest_channel_service_client_factory.py

@@ -113,7 +113,7 @@ async def create_connector_client(
             )
 
             token = await token_provider.get_access_token(
-                audience, scopes or [f"{audience}/.default"]
+                audience, scopes or claims_identity.get_token_scope()
             )
 
         return TeamsConnectorClient(
@@ -142,7 +142,7 @@ async def create_user_token_client(
         if context.activity.is_agentic_request():
             token = await self._get_agentic_token(context, self._token_service_endpoint)
         else:
-            scopes = [f"{self._token_service_audience}/.default"]
+            scopes = claims_identity.get_token_scope()
 
             token_provider = self._connection_manager.get_token_provider(
                 claims_identity, self._token_service_endpoint

libraries/microsoft-agents-hosting-core/microsoft_agents/hosting/core/storage/memory_storage.py

@@ -8,7 +8,6 @@
 from .storage import Storage
 from .store_item import StoreItem
 
-
 StoreItemT = TypeVar("StoreItemT", bound=StoreItem)
 
 

libraries/microsoft-agents-hosting-core/microsoft_agents/hosting/core/storage/storage.py

@@ -8,7 +8,6 @@
 from ._type_aliases import JSON
 from .store_item import StoreItem
 
-
 StoreItemT = TypeVar("StoreItemT", bound=StoreItem)
 
 

libraries/microsoft-agents-hosting-core/microsoft_agents/hosting/core/storage/transcript_logger.py

@@ -19,7 +19,6 @@
 from microsoft_agents.hosting.core.middleware_set import Middleware, TurnContext
 from typing import Generic, TypeVar
 
-
 T = TypeVar("T")
 
 

libraries/microsoft-agents-hosting-fastapi/microsoft_agents/hosting/fastapi/jwt_authorization_middleware.py

@@ -7,7 +7,6 @@
     JwtTokenValidator,
 )
 
-
 logger = logging.getLogger(__name__)
 
 

test_samples/app_style/echo_proactive_agent.py

@@ -18,7 +18,11 @@
     EndOfConversationCodes,
 )
 from microsoft_agents.authentication.msal import MsalConnectionManager
-from microsoft_agents.hosting.aiohttp import CloudAdapter, start_agent_process
+from microsoft_agents.hosting.aiohttp import (
+    CloudAdapter,
+    start_agent_process,
+    jwt_authorization_middleware,
+)
 from microsoft_agents.hosting.core import (
     AgentApplication,
     Authorization,
@@ -207,7 +211,7 @@ def create_app() -> web.Application:
     global SERVICE_INSTANCE
     SERVICE_INSTANCE = echo_service
 
-    app = web.Application()
+    app = web.Application(middlewares=[jwt_authorization_middleware])
     app["adapter"] = adapter
     app["agent_app"] = AGENT_APP
     app["echo_service"] = echo_service

tests/hosting_core/test_rest_channel_service_client_factory.py

@@ -173,6 +173,9 @@ async def test_create_connector_client_normal_no_scopes(
         claims_identity = mocker.Mock(spec=ClaimsIdentity)
         service_url = DEFAULTS.service_url
         audience = "https://service.audience/"
+        claims_identity.get_token_scope = mocker.Mock(
+            return_value=[f"{audience}/.default"]
+        )
 
         context = mocker.Mock(spec=TurnContext)
         context.activity = activity