
fix(apps): support AAD v1 issuers in token validation#556

Merged
heyitsaamir merged 6 commits into
microsoft:mainfrom
heyitsaamir:feat/token-audience-v1-issuer
May 6, 2026

Conversation

@heyitsaamir heyitsaamir (Collaborator) commented May 4, 2026

Summary

Adds Azure AD v1 issuer support to inbound Entra token validation in @microsoft/teams.apps.

Specifically, tenant-based issuer validation now accepts both:

  • https://login.microsoftonline.com/{tenantId}/...
  • https://sts.windows.net/{tenantId}/

Motivation

Some valid Microsoft Entra tokens are issued with the Azure AD v1 issuer format (sts.windows.net) instead of the v2-style login.microsoftonline.com/.../v2.0 issuer.

Related external issue:

This PR keeps the change narrowly scoped to issuer validation only.

Changes

  • Extend tenant-based issuer validation in JwtValidator to also accept:
    • https://sts.windows.net/{tenantId}/
  • Add tests covering v1 issuer acceptance for:
    • single-tenant apps
    • multi-tenant apps

Tests

Added/updated tests for:

  • v1 sts.windows.net issuer acceptance
  • existing tenant-based issuer validation behavior
  • end-to-end validation of Microsoft Entra v1 and v2 access tokens, modeled on the published sample tokens at https://learn.microsoft.com/en-us/entra/identity-platform/access-tokens (same iss, aud, tid, azp/appid, scp, ver shape) — both pass through the full JwtValidator.validateAccessToken pipeline (signature + expiry + audience + issuer + scope)

Copilot AI review requested due to automatic review settings May 4, 2026 23:16

Copilot AI (Contributor) left a comment

Pull request overview

Adds configurable inbound JWT validation relaxations in @microsoft/teams.apps to better support single-tenant Teams/Bot scenarios that receive Azure AD v1-style issuers and/or need extra accepted audiences, while keeping the default validation behavior unchanged unless opted into.

Changes:

  • Extend tenant-based issuer validation in JwtValidator to also accept AAD v1 issuers of the form https://sts.windows.net/{tenantId}/.
  • Add tokenOptions.additionalAudience plumbing from AppOptions through both the Entra validator factory and the /api/messages service-token validation path.
  • Normalize audience input to accept either a single string or an array, and compose Entra validator audiences from applicationIdUri plus any additional audience values.

Reviewed changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated no comments.

Summary per file:

  • packages/apps/src/middleware/auth/service-token-validator.ts: Adds an optional audience parameter and forwards it into JwtValidator construction for /api/messages token validation.
  • packages/apps/src/middleware/auth/service-token-validator.spec.ts: Adds a unit test verifying custom audience values are passed through to JwtValidator.
  • packages/apps/src/middleware/auth/jwt-validator.ts: Adds audience normalization, composes Entra validator audiences, and extends tenant issuer validation to accept sts.windows.net v1 issuers.
  • packages/apps/src/middleware/auth/jwt-validator.spec.ts: Adds tests for v1 issuer acceptance and Entra validator audience composition with custom audiences.
  • packages/apps/src/http/http-server.ts: Introduces tokenOptions on HttpServerOptions and forwards additionalAudience to ServiceTokenValidator.
  • packages/apps/src/http/http-server.spec.ts: Adds a test verifying HttpServer passes audience options into ServiceTokenValidator.
  • packages/apps/src/app.ts: Adds AppOptions.tokenOptions and threads additionalAudience into both Entra token validation and HttpServer construction.
  • packages/apps/src/app.spec.ts: Adds a test verifying App config propagates additional audience into the Entra validator audience list.


@heyitsaamir heyitsaamir changed the title feat(apps): support AAD v1 issuers and additional audience fix(apps): support AAD v1 issuers in token validation May 6, 2026
rido-min previously approved these changes May 6, 2026

@rido-min rido-min (Member) left a comment

LGTM (not tested though)

@heyitsaamir heyitsaamir force-pushed the feat/token-audience-v1-issuer branch from bb54e71 to 34d8b38 May 6, 2026 17:48
@heyitsaamir heyitsaamir merged commit 7147cd8 into microsoft:main May 6, 2026
3 checks passed
heyitsaamir added a commit to microsoft/teams.py that referenced this pull request May 6, 2026
## Summary

Mirrors
[microsoft/teams.ts#556](microsoft/teams.ts#556)
in this codebase.

Some valid Microsoft Entra access tokens are issued with the Azure AD v1
issuer format (`https://sts.windows.net/{tenantId}/`) instead of the v2
issuer (`https://login.microsoftonline.com/{tenantId}/v2.0`). Today
`TokenValidator.for_entra` only accepts the v2 form, causing valid v1
tokens to be rejected.

## Changes

- `packages/apps/src/microsoft_teams/apps/auth/token_validator.py`: when
a `tenant_id` is provided, `TokenValidator.for_entra` now adds both the
v2 (`{login_endpoint}/{tenant_id}/v2.0`) and v1
(`https://sts.windows.net/{tenant_id}/`) issuers to `valid_issuers`.
- `packages/apps/tests/test_token_validator.py`:
  - Updated `test_for_entra_initialization` to assert both issuers are
    present.
  - Added `test_validate_entra_token_v1_sts_issuer` covering acceptance of
    a v1 `sts.windows.net` issuer through the full validation pipeline.

Note: Unlike the TS PR, this change does not introduce multi-tenant
`allowedTenantIds` semantics, since the Python `TokenValidator` doesn't
currently expose multi-tenant configuration. The fix is kept narrowly
scoped to issuer format acceptance.

Reference:
https://learn.microsoft.com/en-us/entra/identity-platform/access-tokens

## Test plan

- `uv run pytest packages/apps/tests/test_token_validator.py -q` — all
27 tests pass, including the new v1 issuer test.
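The issuer rule that the PR description above and this mirrored teams.py commit both describe, written out as an added example (not code from microsoft/teams.ts or microsoft/teams.py): for every configured tenant the validator accepts exactly two issuer strings, the Entra v2 form and the Azure AD v1 sts.windows.net form, and compares by exact match. `IssuerPolicy`, `allowedTenantIds` and `loginEndpoint` are names assumed here, and the `tid` consistency check at the end goes beyond what the PR changes.

```typescript
// Added example, not code from microsoft/teams.ts or microsoft/teams.py.
// Models the issuer rule both the PR and the Python mirror describe: for
// each configured tenant, accept the Entra v2 issuer and the Azure AD v1
// (sts.windows.net) issuer, and nothing else. `IssuerPolicy`,
// `allowedTenantIds` and `loginEndpoint` are names assumed here.

export interface IssuerPolicy {
  tenantId?: string;           // single-tenant app
  allowedTenantIds?: string[]; // multi-tenant allow-list (assumed name)
  loginEndpoint?: string;      // overridable for sovereign clouds
}

const DEFAULT_LOGIN_ENDPOINT = "https://login.microsoftonline.com";
const V1_ISSUER_HOST = "https://sts.windows.net";

// Both issuer strings for one tenant. The trailing slash on the v1 issuer
// is part of the claim value, so it is required for an exact match.
export function tenantIssuers(tenantId: string, loginEndpoint?: string): string[] {
  const endpoint = (loginEndpoint ?? DEFAULT_LOGIN_ENDPOINT).replace(/\/+$/, "");
  return [`${endpoint}/${tenantId}/v2.0`, `${V1_ISSUER_HOST}/${tenantId}/`];
}

// Full allow-list for a policy: every configured tenant in both forms.
export function acceptedIssuers(policy: IssuerPolicy): string[] {
  const tenants = [
    ...(policy.tenantId ? [policy.tenantId] : []),
    ...(policy.allowedTenantIds ?? []),
  ];
  const issuers: string[] = [];
  for (const t of tenants) issuers.push(...tenantIssuers(t, policy.loginEndpoint));
  return issuers;
}

// Exact string membership only: no prefix, substring or regex comparison,
// so another tenant, the `common` endpoint or a lookalike host is rejected.
export function isIssuerAccepted(iss: unknown, policy: IssuerPolicy): boolean {
  return typeof iss === "string" && acceptedIssuers(policy).indexOf(iss) !== -1;
}

// Consistency check added beyond the PR: the tenant segment of `iss` must
// equal the token's `tid` claim, which both v1 and v2 tokens carry.
export function issuerMatchesTid(iss: string, tid: unknown): boolean {
  const m = /^https:\/\/[^/]+\/([^/]+)\//.exec(iss);
  return m !== null && typeof tid === "string" && m[1] === tid;
}
```

Issuer acceptance only decides which signing keys may be trusted; signature, expiry, audience and scope checks still run afterwards, as the PR's end-to-end tests describe.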
@heyitsaamir heyitsaamir mentioned this pull request May 6, 2026
heyitsaamir added a commit that referenced this pull request May 6, 2026
Merges main into release and sets version to 2.0.10.

## Commits since last release

- 7147cd8 fix(apps): support AAD v1 issuers in token validation (#556)
- eb8037e address model gaps (#525)
- ac21af6 fix(http-stream): resolve race condition in close() and
streamType override in final message (#553)
- 6b0da8a MCP Server Example on MCP SDK (#534)
- a749172 chore: bump version to 2.0.10-preview (#555)