Skip to content

Add User Managed Identity support in MSAL #192

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 12 commits into
base: aamirj/msal
Choose a base branch
from
Open

Add User Managed Identity support in MSAL #192

wants to merge 12 commits into from
+341 −34

Conversation

@heyitsaamir
Copy link
Collaborator

@heyitsaamir heyitsaamir commented Oct 29, 2025
edited
Loading

Adds native support for User Managed Identity via MSAL.

Tested with UMI.

It's enabled when CLIENT_ID is set and CLIENT_SECRET is not.

CLIENT_ID CLIENT_SECRET MANAGED_IDENTITY_CLIENT_ID Output
not_set No-Auth
set set SecretsAuth
set not_set User Managed Identity Auth
set not_set set (same as CLIENT_ID) User Managed Identity Auth
set not_set set (diff from CLIENT_ID) FIC (user managed identity)
set not_set "system" FIC (system identity)

PR Dependency Tree

This tree was auto-generated by Charcoal

This was referenced Oct 29, 2025
Merged
Open
@heyitsaamir heyitsaamir mentioned this pull request Oct 30, 2025
Closed
heyitsaamir added a commit that referenced this pull request Oct 30, 2025
@heyitsaamir
Use refreshable app tokens (#187)
92e0449 
## Context

This fixes #184 which stated that the token wasn't being refreshed after
an hour. This was because we weren't refreshing it on use.
In typescript, we refresh the token on every
[app.process](https://github.com/microsoft/teams.ts/blob/1f2d735ce02d0add1dc308f9e9df28f0c3fb6985/packages/apps/src/app.process.ts#L31).
But this actually still leaves _proactive scenarios_ to used an cached,
potentially expired, tokens. To remediate this, the token that gets
passed to the API is a factory which refreshes the token if the cached
token is expired.
For the record C# sets the token value to be
[refreshable](https://github.com/microsoft/teams.net/blob/19e4df96dac1524ae99d6c06bd4891fa5535ca67/Libraries/Microsoft.Teams.Apps/App.cs#L67C1-L67C46)
(just as this PR is attempting to do).

## Changes

This PR includes several changes
1. No more graph token manager. Instead we now have a TokenManager which
manages all tokens. Soon, this might change to msal doing the changes
2. The app no longer refreshes token on start. But it does it the first
time the token is being used. Because of this, the id field is now from
the credentials, and the "name" field had to be removed. I don't think
this should cause a big deal because name is honestly, not a very well
used (or documented) field. **This is a breaking change though**.
3. The token that's being passed around now is an async function that
either gets the token from the cache, or refreshes it if it's expired.

## Testing

1. Unit tests
2. Sanity tests to make sure we can send messages etc normally.
3. Tested to make sure app token refreshes automatically after an hour
4. Tested user graph tokens
5. Tested app graph tokens









#### PR Dependency Tree


* **PR #187** 👈
  * **PR #191**
    * **PR #192**
      * **PR #193**

This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)
@heyitsaamir heyitsaamir mentioned this pull request Nov 5, 2025
Open
@heyitsaamir heyitsaamir changed the title Add UMI support in MSAL Add User Managed Identity support in MSAL Nov 5, 2025
@heyitsaamir heyitsaamir force-pushed the aamirj/UMI branch 2 times, most recently from e855432 to 0943c05 Compare November 6, 2025 02:25
lilyydu
lilyydu reviewed Nov 6, 2025
View reviewed changes
packages/api/src/microsoft/teams/api/clients/bot/token_client.py
)

assert isinstance(credentials, ClientCredentials), (
"Bot token client currently only supports Credentials with secrets."
Copy link
Collaborator

@lilyydu lilyydu Nov 6, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

what happens if this returns false?

stubs/msal/__init__.pyi

def __init__(
self,
managed_identity: SystemAssignedManagedIdentity | UserAssignedManagedIdentity | dict[str, Any],
Copy link
Collaborator

@lilyydu lilyydu Nov 6, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

what case would dict[str, Any] handle?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@lilyydu lilyydu lilyydu left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@heyitsaamir @lilyydu