
Adding support for IMDS auth #413

Merged: axelsrz merged 2 commits into main from axsuarez/support-imds-containers on Jun 11, 2026

@axelsrz axelsrz commented Jun 10, 2026

Member

Fixes #393

This pull request adds support for a new authentication type, Identity Proxy Manager (IDPM), to the Microsoft Agents authentication system. It introduces the ability to configure and resolve a resource URL for IDPM token acquisition, updates the configuration and authentication logic to handle the new type, and provides comprehensive tests to ensure correct behavior. The changes are grouped below by theme.

Authentication and Configuration Enhancements:

  • Added a new authentication type, identity_proxy_manager, to the AuthTypes enum, enabling the use of Identity Proxy Manager for token acquisition.
  • Updated the AgentAuthConfiguration class to support an optional IDPM_RESOURCE parameter, which specifies the resource URL for IDPM token acquisition. This value can be set via constructor parameter or keyword argument, and defaults to None if not provided. [1] [2] [3] [4]
  • Implemented the _resolve_idpm_resource static method in MsalAuth to determine the correct resource URL for IDPM, defaulting to "api://AzureAdTokenExchange/.default" if not explicitly set, and validating that custom values are absolute URIs.

Authentication Logic Updates:

  • Modified the _create_client_application method in MsalAuth to return a ManagedIdentityClient when the authentication type is identity_proxy_manager, aligning it with the behavior for user-managed identities.
  • Enhanced the get_agentic_application_token method in MsalAuth to support acquiring tokens using IDPM, including resource resolution and error handling for unsupported authentication types.

Testing Improvements:

  • Added a comprehensive test suite (TestMsalAuthIdentityProxyManager) to verify correct handling of the IDPM authentication type, including default and custom resource resolution, client application creation, and token acquisition logic.
  • Expanded test_auth_configuration.py to test defaulting and parameter/kwargs assignment for the new IDPM_RESOURCE property in AgentAuthConfiguration.
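
The resource resolution described above (default when IDPM_RESOURCE is unset, custom values must be absolute URIs), as an added example that is not code from this pull request. The helper name `resolve_idpm_resource`, the treatment of blank strings as unset, and the reading of "absolute URI" as "has a scheme and an authority" are assumptions; the sample values are constructed.

```python
from typing import Optional
from urllib.parse import urlsplit

# Default resource stated in the PR description.
DEFAULT_IDPM_RESOURCE = "api://AzureAdTokenExchange/.default"


def resolve_idpm_resource(configured: Optional[str]) -> str:
    """Return the resource a token should be requested for (hypothetical helper).

    None or a blank string falls back to the default (assumption). Any other
    value must be an absolute URI, taken here to mean scheme plus authority,
    so a typo cannot silently turn into a token request for another audience.
    """
    if configured is None or not configured.strip():
        return DEFAULT_IDPM_RESOURCE
    value = configured.strip()
    # Check whitespace before parsing: urlsplit may drop some control characters.
    if any(ch.isspace() for ch in value):
        raise ValueError(f"IDPM_RESOURCE contains whitespace: {configured!r}")
    parts = urlsplit(value)
    if not parts.scheme or not parts.netloc:
        raise ValueError(f"IDPM_RESOURCE must be an absolute URI: {configured!r}")
    return value


def check_samples() -> dict:
    """Run constructed sample values through the resolver."""
    samples = [
        None,                              # unset -> default
        "",                                # blank -> default
        "api://example-app-id/.default",   # absolute -> accepted unchanged
        "example-app-id/.default",         # no scheme -> rejected
        "//example-host/path",             # scheme-relative -> rejected
        "api://example app/.default",      # embedded space -> rejected
    ]
    results = {}
    for sample in samples:
        try:
            results[sample] = resolve_idpm_resource(sample)
        except ValueError:
            results[sample] = "rejected"
    return results


if __name__ == "__main__":
    for key, outcome in check_samples().items():
        print(f"{key!r:40} -> {outcome}")
```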

Copilot AI review requested due to automatic review settings June 10, 2026 22:12
@axelsrz axelsrz requested a review from a team as a code owner June 10, 2026 22:12

Copilot AI left a comment

Contributor


Pull request overview

Adds a new AuthTypes.identity_proxy_manager authentication mode and wires it into MsalAuth so agentic application tokens can be acquired via a managed-identity-style client, with configuration support and accompanying tests.

Changes:

  • Introduces identity_proxy_manager as a new AuthTypes enum value.
  • Extends AgentAuthConfiguration with an optional IDPM_RESOURCE setting and adds IDPM resource resolution logic in MsalAuth.
  • Adds/extends unit tests for IDPM configuration and token acquisition behavior.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.

| File | Description |
| --- | --- |
| tests/hosting_core/test_auth_configuration.py | Adds tests for the new IDPM_RESOURCE configuration field behavior. |
| tests/authentication_msal/test_msal_auth.py | Adds a new test suite covering IDPM resource resolution, client creation, and agentic token acquisition. |
| libraries/microsoft-agents-hosting-core/microsoft_agents/hosting/core/authorization/auth_types.py | Adds the identity_proxy_manager enum value. |
| libraries/microsoft-agents-hosting-core/microsoft_agents/hosting/core/authorization/agent_auth_configuration.py | Adds IDPM_RESOURCE to the auth configuration and wiring for kwargs/parameter assignment. |
| libraries/microsoft-agents-authentication-msal/microsoft_agents/authentication/msal/msal_auth.py | Implements IDPM resource resolution, creates MI client for IDPM, and adds IDPM support in get_agentic_application_token. |


Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings June 10, 2026 22:19

Copilot AI left a comment

Contributor


Pull request overview

Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.

@axelsrz axelsrz requested a review from MattB-msft June 10, 2026 23:49
@axelsrz axelsrz merged commit 9f68836 into main Jun 11, 2026
12 checks passed
@axelsrz axelsrz deleted the axsuarez/support-imds-containers branch June 11, 2026 17:38

Development

Successfully merging this pull request may close these issues.

Add ContainerIMDS Auth support
