Skip to content

fix(MCP): Fix ManagedServiceIdentity auth for MCP connections (v5.961)#9209

Merged
rllyy97 merged 3 commits into
hotfix/v5.961from
rileyevans/cherry-pick/9205-to-hotfix-v5.961
May 27, 2026
Merged

fix(MCP): Fix ManagedServiceIdentity auth for MCP connections (v5.961)#9209
rllyy97 merged 3 commits into
hotfix/v5.961from
rileyevans/cherry-pick/9205-to-hotfix-v5.961

Conversation

@rllyy97
Copy link
Copy Markdown
Contributor

@rllyy97 rllyy97 commented May 22, 2026
edited
Loading

Commit Type

  • feature - New functionality
  • fix - Bug fix
  • refactor - Code restructuring without behavior change
  • perf - Performance improvement
  • docs - Documentation update
  • test - Test-related changes
  • chore - Maintenance/tooling

Risk Level

  • Low - Minor changes, limited scope
  • Medium - Moderate changes, some user impact
  • High - Major changes, significant user/system impact

What & Why

Completes fix for #9205 — MCP connections using ManagedServiceIdentity auth in Consumption SKU. This PR adds identity threading to ensure the user-selected managed identity is correctly passed through all dynamic values requests.

Original Issue (#9205): Consumption MCP connections were missing the identity field in the listMcpTools API request, causing failures for user-assigned managed identity scenarios.

This PR Adds: Identity threading through the dynamic values pipeline to ensure consistency with Standard SKU:

  1. Designer-v2 getListDynamicValues extracts the selected identity from connectionReference.connectionProperties.authentication.identity
  2. Identity is threaded through queries/connector.ts to the ConnectorService layer
  3. Both Consumption and Standard connector implementations use the passed identity (if provided) instead of always picking the first user-assigned identity from WorkflowService
  4. This ensures the user-selected identity is used for all MCP operations, not just initial connection setup

Impact of Change

  • Users: Consumption workflows using MCP connectors with user-assigned managed identity will now correctly send the user-selected identity in all listMcpTools and dynamic values requests, ensuring consistent tool discovery and parameters.
  • Developers:
    • ConnectorService interface now accepts optional identity parameter in getListDynamicValues
    • Designer-v2 correctly threads identity through the dynamic values pipeline
    • Designer-v1 remains unchanged to minimize risk
  • System: No architectural changes. Identity threading uses existing Redux state (connectionReference) and ConnectorService infrastructure.

Test Plan

  • Unit tests added/updated
  • E2E tests added/updated
  • Manual testing completed

Updated connector tests with InitWorkflowService mock for managed identity scenarios. All existing tests pass:

  • connector.spec.ts: 68 tests pass (38 Consumption + 30 Standard)
  • dynamicdata.spec.ts (designer-v2): 8 tests pass
  • dynamicdata.spec.ts (designer-v1): 8 tests pass

Contributors

Screenshots/Videos

N/A — no visual changes.

@rllyy97
fix: add ManagedServiceIdentity auth to Consumption MCP connections (#…
8957c61 
…9205)

Align Consumption connector with Standard for MCP connections:

- Managed MCP path: build connectionProperties with MSI auth and user-assigned identity from WorkflowService().getAppIdentity()

- Built-in MCP _buildMcpAuthentication: add WorkflowService fallback for identity when not in parameterValues

- Remove debug console.log statements

- Update tests with WorkflowService mock initialization
Copilot AI review requested due to automatic review settings May 22, 2026 02:39
@rllyy97 rllyy97 changed the base branch from main to hotfix/v5.961 May 22, 2026 02:41
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented May 22, 2026
edited
Loading

🤖 AI PR Validation Report

PR Review Results

Thank you for your submission! Here's detailed feedback on your PR title and body compliance:

PR Title

  • Current: fix(MCP): Fix ManagedServiceIdentity auth for MCP connections (v5.961)
  • Issue: No blocking issue. The title is specific, uses a conventional prefix, and clearly describes the change.
  • Recommendation: None required.

Commit Type

  • Properly selected (fix).
  • Only one commit type is checked, which is correct.

⚠️ Risk Level

  • The selected risk level is Medium, but the code change is a targeted auth/identity threading fix across shared connector services and both designer paths. That makes the impact closer to Medium than Low, so the submitter’s selection is acceptable.
  • Label check: I did not find a matching risk:low, risk:medium, or risk:high label in the PR labels returned by the API, so please add the appropriate risk label and ensure it matches the body selection.

What & Why

  • Current: Clear and sufficiently detailed explanation of the MCP identity bug, the affected SKU, and the threaded identity fix.
  • Issue: None blocking.
  • Recommendation: None required.

Impact of Change

  • The impact section is well scoped and explains user, developer, and system impact clearly.
  • Recommendation:
    • Users: Good as written.
    • Developers: Good as written.
    • System: Good as written.

Test Plan

  • Unit tests are updated in the diff, which satisfies the test-plan requirement.
  • Manual testing is also checked and the explanation is reasonable.
  • No E2E tests are required since unit tests are present.

⚠️ Contributors

  • This section is blank.
  • Assessment: Optional, but if there were PMs, designers, or other engineers involved, please add them for credit.
  • Recommendation: Add contributor tags/names if applicable; otherwise this can remain empty.

Screenshots/Videos

  • Marked N/A and there are no visual/UI changes.
  • No action needed.

Summary Table

Section Status Recommendation
Title
Commit Type
Risk Level ⚠️ Add a matching risk:medium label to align with the PR body
What & Why
Impact of Change
Test Plan
Contributors ⚠️ Add contributors if applicable
Screenshots/Videos

Overall: this PR passes review of the title/body template, with the only notable follow-up being the missing risk label.

Last updated: Tue, 26 May 2026 17:31:51 GMT

@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented May 22, 2026

🤖 AI PR Validation Report

PR Review Results

Thank you for your submission! Here's detailed feedback on your PR title and body compliance:

PR Title

  • Current: fix(MCP): Fix ManagedServiceIdentity auth for Consumption MCP connections (v5.961)
  • Issue: No blocking issue. The title is specific and describes the affected area and behavior.
  • Recommendation: Consider shortening slightly if you want to match a more concise conventional style, but it is already high quality.

Commit Type

  • Properly selected (fix).
  • Only one commit type is checked, which is correct.

⚠️ Risk Level

  • The PR body marks Medium, which is reasonable for a targeted auth flow fix with user impact.
  • Advised risk from the diff: still medium. I do not see evidence that this should be escalated to high.

What & Why

  • Current: Clear explanation of the bug, affected SKU, and why the fix is needed.
  • Issue: None blocking.
  • Recommendation: You could make the opening sentence even shorter, but the current detail is strong and actionable.

Impact of Change

  • Impact is described clearly and maps to the code change.
  • Recommendation:
    • Users: Correctly calls out Consumption workflows using user-assigned managed identity.
    • Developers: Good note that there are no API changes.
    • System: Good note that the change is localized and uses an existing service call.

Test Plan

  • Unit tests are added/updated in the diff, which satisfies the test-plan requirement.
  • The absence of E2E tests is acceptable because unit tests are present.
  • Recommendation: If you want to make this even stronger, you could mention the specific behavior verified by the updated tests (managed MCP payload and _buildMcpAuthentication identity fallback).

⚠️ Contributors

  • Blank, but this is not required.
  • Recommendation: Add contributors only if there were PM/design/peer contributors worth crediting.

Screenshots/Videos

  • N/A is appropriate because this is a non-visual change.

Summary Table

Section Status Recommendation
Title
Commit Type
Risk Level
What & Why
Impact of Change
Test Plan Mention the specific unit-test coverage if desired
Contributors ⚠️ Optional; add only if you want to credit collaborators
Screenshots/Videos

Overall: this PR passes. The body is compliant, the selected risk level matches the scope of the diff, and the unit test updates back the test-plan checkbox. The advised risk level remains medium, which matches the submitter's estimate.

Last updated: Fri, 22 May 2026 02:42:43 GMT

@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented May 22, 2026
edited
Loading

📊 Coverage Check

The following changed files need attention:

⚠️ libs/designer-v2/src/lib/core/queries/connector.ts - 53% covered (needs improvement)
⚠️ libs/designer-v2/src/lib/core/utils/parameters/dynamicdata.ts - 51% covered (needs improvement)
⚠️ libs/logic-apps-shared/src/designer-client-services/lib/consumption/connector.ts - 70% covered (needs improvement)
⚠️ libs/logic-apps-shared/src/designer-client-services/lib/standard/connector.ts - 63% covered (needs improvement)

Please add tests for the uncovered files before merging.

Copilot AI reviewed May 22, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Fixes Consumption-SKU MCP listMcpTools requests for Managed Service Identity (MSI) authentication by ensuring the user-assigned managed identity (UAMI) resource ID is included when required (aligning behavior with the Standard connector’s approach of deriving identity from WorkflowService().getAppIdentity()).

Changes:

  • Consumption MCP listMcpTools request building now derives UAMI from WorkflowService().getAppIdentity() and includes it in MSI authentication payloads.
  • Managed MCP connection path now adds connectionProperties.authentication in the request (previously only referenced { connection: { id } }).
  • Consumption connector unit tests updated to initialize WorkflowService to support the new identity-derivation behavior.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

File Description
libs/logic-apps-shared/src/designer-client-services/lib/consumption/connector.ts Adds workflow-identity-derived UAMI support for MSI in Consumption MCP listMcpTools payload construction.
libs/logic-apps-shared/src/designer-client-services/lib/consumption/tests/connector.spec.ts Updates Consumption connector tests to initialize WorkflowService for MCP scenarios and validates managed MCP request shape.

Comment thread libs/logic-apps-shared/src/designer-client-services/lib/consumption/connector.ts
Comment thread libs/logic-apps-shared/src/designer-client-services/lib/consumption/__tests__/connector.spec.ts
Comment thread libs/logic-apps-shared/src/designer-client-services/lib/consumption/__tests__/connector.spec.ts
@github-actions github-actions Bot mentioned this pull request May 22, 2026
Closed
@rllyy97
fix(MCP): Thread selected identity through dynamic values for MCP con…
3ad7e21 
…nections

- Update designer-v2 dynamicdata.ts to extract identity from connectionReference
- Update designer-v2 queries/connector.ts to accept and pass identity parameter
- Update ConnectorService interface to accept optional identity parameter
- Update consumption/standard connector implementations to use passed identity for MCP connections
- When identity is provided, use it instead of picking first identity from WorkflowService
- This ensures user-selected managed identity is correctly threaded through all MCP calls
@rllyy97 rllyy97 changed the title fix(MCP): Fix ManagedServiceIdentity auth for Consumption MCP connections (v5.961) fix(MCP): Fix ManagedServiceIdentity auth for MCP connections (v5.961) May 26, 2026
@rllyy97
fix(MCP): Restore WorkflowService identity fallback in standard conne…
9fce1a6 
…ctor

When no identity is explicitly threaded from the connection reference,
fall back to WorkflowService().getAppIdentity() to resolve user-assigned
identity. This preserves backward compatibility for callers that don't
pass identity (e.g., designer-v1).
@rllyy97 rllyy97 merged commit 14f8f77 into hotfix/v5.961 May 27, 2026
13 of 15 checks passed
@rllyy97 rllyy97 deleted the rileyevans/cherry-pick/9205-to-hotfix-v5.961 branch May 27, 2026 16:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@anthony0t anthony0t anthony0t approved these changes

@takyyon takyyon takyyon approved these changes

Assignees

No one assigned

Labels

pr-validated

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

user managed identity didn't send part of the list mcp tool API in new designer

4 participants

@rllyy97 @anthony0t @takyyon