feat(azure.ai.agents): add full OAuth2 fields and connector-name support #8358
Merged
Fixes #8355

Move OAuth2 from typed ARM SDK path to raw REST to support fields not modeled in the ARM Go SDK: authorizationUrl, tokenUrl, refreshUrl, scopes, and connectorName.

New flags for connection create:
- --authorization-url: OAuth2 authorization endpoint
- --token-url: OAuth2 token endpoint
- --refresh-url: OAuth2 refresh endpoint
- --scopes: OAuth2 scopes (space-separated)
- --connector-name: Managed connector name

OAuth2 credentials (--client-id/--client-secret) now sent as nested credentials object in the raw REST body. Update path also routes oauth2 through raw REST for consistency.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
OAuth2 auth now supports two mutually exclusive modes:
- --connector-name alone (managed connector flow)
- All of --authorization-url, --token-url, --refresh-url, --scopes, --client-id, --client-secret together (BYO OAuth2)

Partial combinations are rejected with a clear error listing missing flags. Added test for connector-name-only body serialization.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
lindazqli
reviewed
May 25, 2026
lindazqli
reviewed
May 25, 2026
…separated

Address Linda's review comments:
- --audience now also valid with --auth-type project-managed-identity
- --scopes help text updated to comma-separated (was space-separated)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
📋 Prioritization Note
Thanks for the contribution! The linked issue isn't in the current milestone yet.
Pull request overview
This PR extends the azure.ai.agents extension’s connection create support for OAuth2 by adding missing OAuth2 fields (authorization/token/refresh URLs, scopes, connector name) and routing OAuth2 connection creation through the raw ARM REST path to bypass ARM SDK struct limitations.
Changes:
- Added new OAuth2 CLI flags (`--authorization-url`, `--token-url`, `--refresh-url`, `--scopes`, `--connector-name`) and implemented either/or validation for managed connector vs BYO OAuth2.
- Moved OAuth2 connection creation to the raw REST pipeline (shared with identity-based auth types) and made the typed SDK path reject OAuth2.
- Added/updated tests around raw OAuth2 body marshaling and auth-type normalization.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| cli/azd/extensions/azure.ai.agents/internal/connections/cmd/raw_connection.go | Extends raw ARM connection body to include OAuth2 fields and credentials. |
| cli/azd/extensions/azure.ai.agents/internal/connections/cmd/connection.go | Adds new OAuth2 flags, validation, and routes OAuth2 through raw REST for create/update. |
| cli/azd/extensions/azure.ai.agents/internal/connections/cmd/connection_test.go | Updates tests for OAuth2 handling (typed path rejection + raw body marshal assertions). |
Comments suppressed due to low confidence (1)
cli/azd/extensions/azure.ai.agents/internal/connections/cmd/connection.go:570
`connection update` now routes OAuth2 (and identity auth types) through `rawCreateConnection`, but the body built here only includes `authType`, `category`, `target`, and `metadata`. Since `rawCreateConnection` does an ARM PUT, omitting OAuth2/identity-specific properties (e.g., `connectorName`, `authorizationUrl`/`tokenUrl`/`scopes`, `audience`, credentials) will likely clear them or cause the service to reject the request. Consider either (1) fetching the full current resource via raw REST and merging preserved fields into the PUT body, or (2) explicitly disallowing `connection update` for these auth types until preservation is implemented.
```go
// Route to raw REST or typed SDK based on auth type
switch normalizedAuth {
case "oauth2", "user-entra-token", "project-managed-identity", "agentic-identity":
	// Auth types that lack full ARM SDK support — update via raw REST
	err = rawCreateConnection(
		ctx, connCtx,
		a.flags.name,
		rawConnectionProperties{
			AuthType: normalizeAuthTypeToARM(normalizedAuth),
			Category: kindStr,
			Target:   newTarget,
			Metadata: parseKVMap(metaPairs),
		},
	)
```
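An added example, not code from this PR or the extension: it lists which stored properties a full-replace PUT would clear when the body carries only the changed fields, and shows the fetch-and-merge alternative the review comment suggests. The sample resource, its `properties` envelope, and the function names are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Constructed sample of a stored connection (placeholder values). The
// {"properties": {...}} envelope is an assumption about the ARM body.
const stored = `{"properties":{"authType":"OAuth2","target":"https://old.example","connectorName":"example-connector","scopes":["read"]}}`

// storedProps decodes the "properties" object of the fetched resource.
func storedProps(resource string) (map[string]any, error) {
	var doc struct {
		Properties map[string]any `json:"properties"`
	}
	err := json.Unmarshal([]byte(resource), &doc)
	return doc.Properties, err
}

// clearedByPut lists stored properties a full-replace PUT body would drop.
func clearedByPut(current, put map[string]any) []string {
	cleared := []string{}
	for k := range current {
		if _, ok := put[k]; !ok {
			cleared = append(cleared, k)
		}
	}
	sort.Strings(cleared)
	return cleared
}

// mergeForPut overlays the changed fields on the stored properties.
func mergeForPut(current, changes map[string]any) map[string]any {
	merged := map[string]any{}
	for k, v := range current {
		merged[k] = v
	}
	for k, v := range changes {
		merged[k] = v
	}
	return merged
}

func main() {
	cur, err := storedProps(stored)
	upd := map[string]any{"authType": "OAuth2", "target": "https://new.example"}
	fmt.Println(err, clearedByPut(cur, upd), clearedByPut(cur, mergeForPut(cur, upd)))
}
```

Whether a GET of the connection returns the `credentials` object is not stated on this page; if it is withheld, a merged body still lacks it and the update should be refused or the secret supplied again.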
…lidation tests

- Change Scopes from string to []string to match schema wire format
- Switch --scopes flag to StringSliceVar (repeatable/comma-separated)
- Make --refresh-url and --scopes optional in BYO OAuth2 validation
- Fix test: remove ConnectorName from BYO test (mutually exclusive)
- Add TestOAuth2Validation with 7 subtests covering all branches

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…ions Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
trangevi
approved these changes
May 26, 2026
Member
/check-enforcer override
hund030
added a commit
that referenced
this pull request
May 27, 2026
Address PR #8357 review feedback from trangevi:
- Move internal/connections/cmd/ -> internal/cmd/ so commands live at the same depth as every other extension. Connection-context glue renamed connection_context.go to avoid colliding with the existing generic context.go verb. The RegisterCommands helper is inlined into internal/cmd/root.go (5 AddCommand calls; no helper package needed now that everything is in the same package).
- Move internal/connections/pkg/connections/ -> internal/pkg/connections/ to match the convention used by other extensions.

Also ports the connection-side changes from PR #8358 (OAuth2 fields and connector-name support) into the migrated copy. The plain `git merge origin/main` dropped them because rename-detection didn't follow our cross-directory migration; replayed by taking main's connection.go / connection_test.go / raw_connection.go from the agents copy and rewriting imports + example strings for the connections extension.

Updates:
- internal/cmd/root.go: drop the connectioncmd helper-package import; inline the 5 CRUD AddCommand calls.
- internal/cmd/connection.go: imports azure.ai.connections/internal/exterrors (was the now-removed nested exterrors path); example strings use `azd ai connection` (was `azd ai agent connection`).
- AGENTS.md: package-layout description and one-way import contract updated to reference internal/cmd/ + internal/pkg/ (was internal/connections/cmd/ + internal/connections/pkg/).
- cspell.yaml: drop unused `connectioncmd` (the helper-package alias no longer exists).

Verified by running the local e2e smoke test (Test_CLI_Connection_Smoke) end-to-end against a live Foundry project: build, pack, publish, install, create, list, show, show --show-credentials, update, post-update show, delete, post-delete show (expected 404) all pass.
trangevi
added a commit
that referenced
this pull request
May 27, 2026
….agents (#8357)

* feat(azure.ai.connections): migrate connection commands from azure.ai.agents

Move the connection CRUD commands (list / show / create / update / delete) from azure.ai.agents into the new azure.ai.connections extension so users invoke them as `azd ai connection <verb>` instead of `azd ai agent connection <verb>`.

Key adjustments vs source:
- Module path `azure.ai.connections`.
- Project endpoint resolution moved into `internal/foundry/projectctx`, mirroring the `azure.ai.toolboxes` package layout (same one-way import contract documented in AGENTS.md). The cascade and `Validate` rules are inherited unchanged.
- `internal/exterrors` promoted to the extension top level so `internal/foundry/` does not depend on connection-cmd-specific code.
- Update examples and persistent `-p / --project-endpoint` flag rewired to the new extension root.

Agents extension is cleaned up in the same change:
- Drops the `azd ai agent connection` command tree (`internal/connections/cmd` and `internal/connections/exterrors`).
- Retains `internal/connections/pkg/connections` because `connection_credentials.go` still needs the data-plane client to resolve `${{connections.<name>.credentials.<key>}}` placeholders at agent-run time.

Tests:
- All migrated tests pass under the new module path.
- 18 new unit tests added for the `projectctx` package (validator, resolver cascade with stubbed hosted-sources seam, persisted config-key constant).
- `.golangci.yaml` added to match sibling extensions; lint clean.

* chore(azure.ai.connections): add cspell words for projectctx/exterrors/connectioncmd/tavily/tvly

* fix(azure.ai.connections): derive data-plane user-agent from build-injected version

The data-plane client hard-coded its user-agent as `azd-ext-azure-ai-connection/0.1.0` (singular, frozen literal). Every release would have shipped that same string regardless of the extension version, defeating the point of having a user-agent in the first place.

Mirror the azure.ai.agents wiring so the user-agent comes from a `-ldflags`-injected constant:
- Add `internal/version` package (Version / Commit / BuildDate), matching `azure.ai.agents/internal/version`.
- Point `build.sh` and `build.ps1` at the new package (was `internal/cmd`, which only `version.go` read).
- Have `data_client.go` build the user-agent from `version.Version` and fix the name to plural `azd-ext-azure-ai-connections`. Pipeline label likewise pluralized for consistency.
- Drop the redundant `Version/Commit/BuildDate` vars from `internal/cmd/version.go`; the `version` command now reads from the new package too, keeping a single source of truth.

Resolves Copilot review feedback on PR #8357.

* refactor(azure.ai.connections): flatten package layout + port #8358

Address PR #8357 review feedback from trangevi:
- Move internal/connections/cmd/ -> internal/cmd/ so commands live at the same depth as every other extension. Connection-context glue renamed connection_context.go to avoid colliding with the existing generic context.go verb. The RegisterCommands helper is inlined into internal/cmd/root.go (5 AddCommand calls; no helper package needed now that everything is in the same package).
- Move internal/connections/pkg/connections/ -> internal/pkg/connections/ to match the convention used by other extensions.

Also ports the connection-side changes from PR #8358 (OAuth2 fields and connector-name support) into the migrated copy. The plain `git merge origin/main` dropped them because rename-detection didn't follow our cross-directory migration; replayed by taking main's connection.go / connection_test.go / raw_connection.go from the agents copy and rewriting imports + example strings for the connections extension.

Updates:
- internal/cmd/root.go: drop the connectioncmd helper-package import; inline the 5 CRUD AddCommand calls.
- internal/cmd/connection.go: imports azure.ai.connections/internal/exterrors (was the now-removed nested exterrors path); example strings use `azd ai connection` (was `azd ai agent connection`).
- AGENTS.md: package-layout description and one-way import contract updated to reference internal/cmd/ + internal/pkg/ (was internal/connections/cmd/ + internal/connections/pkg/).
- cspell.yaml: drop unused `connectioncmd` (the helper-package alias no longer exists).

Verified by running the local e2e smoke test (Test_CLI_Connection_Smoke) end-to-end against a live Foundry project: build, pack, publish, install, create, list, show, show --show-credentials, update, post-update show, delete, post-delete show (expected 404) all pass.

* fix(connections): use build-time version in data client pipeline

Co-authored-by: trangevi <26490000+trangevi@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: trangevi <26490000+trangevi@users.noreply.github.com>
Summary
Fixes #8355
Adds missing OAuth2 connection fields (`--authorization-url`, `--token-url`, `--refresh-url`, `--scopes`, `--connector-name`) and implements either/or validation for managed connector vs BYO OAuth2 flows.

Problem
The ARM Go SDK `ConnectionOAuth2` struct only exposes `AuthURL`, `ClientID`, and `ClientSecret`. It does not model `tokenUrl`, `refreshUrl`, `scopes`, or `connectorName` — all top-level ARM connection properties required for full OAuth2 support.

Changes
OAuth2 moved to raw REST path
- `buildConnectionBody` rejects OAuth2 with a clear error if accidentally called

New flags
- `--authorization-url`
- `--token-url`
- `--refresh-url`
- `--scopes`
- `--connector-name`

Either/or validation
Two mutually exclusive modes for `--auth-type oauth2`:
- `--connector-name` alone
- `--authorization-url`, `--token-url`, `--refresh-url`, `--scopes`, `--client-id`, `--client-secret`

Partial combinations are rejected with a clear error listing exactly which flags are missing.

Tests

Files changed
- `connection.go` — moved OAuth2 to raw REST switch, added flags, either/or validation
- `raw_connection.go` — added OAuth2 fields, `rawCredentials` struct
- `connection_test.go` — updated/added OAuth2 tests
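The either/or validation described above, as an added Go example that is not the extension's own code: it applies the two modes from this page, with `--refresh-url` and `--scopes` treated as optional as in the later commit on this PR. The type name, function name, and error strings are hypothetical.

```go
package main

import (
	"fmt"
	"strings"
)

// oauth2Flags holds the flag values named in the PR description. The type
// and function names here are hypothetical, not the extension's own.
type oauth2Flags struct {
	ConnectorName, AuthorizationURL, TokenURL, RefreshURL, ClientID, ClientSecret string
	Scopes                                                                        []string
}

// validateOAuth2 returns "managed" or "byo", or an error naming the flags
// that conflict or are missing.
func validateOAuth2(f oauth2Flags) (string, error) {
	byo := []struct {
		flag, val string
		required  bool
	}{
		{"--authorization-url", f.AuthorizationURL, true},
		{"--token-url", f.TokenURL, true},
		{"--refresh-url", f.RefreshURL, false}, // optional per the later commit
		{"--scopes", strings.Join(f.Scopes, ","), false},
		{"--client-id", f.ClientID, true},
		{"--client-secret", f.ClientSecret, true},
	}
	var set, missing []string
	for _, b := range byo {
		if b.val != "" {
			set = append(set, b.flag)
		} else if b.required {
			missing = append(missing, b.flag)
		}
	}
	switch {
	case f.ConnectorName != "" && len(set) > 0:
		return "", fmt.Errorf("--connector-name cannot be combined with %s", strings.Join(set, ", "))
	case f.ConnectorName != "":
		return "managed", nil
	case len(missing) > 0:
		return "", fmt.Errorf("BYO OAuth2 requires %s", strings.Join(missing, ", "))
	}
	return "byo", nil
}

func main() {
	fmt.Println(validateOAuth2(oauth2Flags{TokenURL: "https://idp.example/token"}))
}
```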