Skip to content

Commit 02fb2fc

Browse files
Simplify BYOK bearer-token contract: drop scope and expiry
Mirror the runtime contract simplification: the runtime no longer caches provider tokens, it calls getBearerToken once per outbound request. Drop the vestigial `scope`/`bearerTokenScope` (the callback closes over its own scope/ audience) and stop forwarding `expiresOnTimestamp` over the wire. The field is retained on `ProviderBearerToken` so an Azure Identity `AccessToken` can be returned verbatim, but it is now documented as ignored — caching and refresh are the callback's responsibility (e.g. `@azure/identity` caches internally). Rewrite the e2e suite to drive a local capturing HTTP server as the BYOK endpoint instead of CAPI record/replay snapshots, so the tests assert on the outbound Authorization header directly and pass identically in record and replay mode. Delete the obsolete snapshots. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
1 parent d759fcf commit 02fb2fc

8 files changed

Lines changed: 187 additions & 256 deletions

nodejs/src/client.ts

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -171,9 +171,9 @@ type WireNamedProviderConfig = Omit<NamedProviderConfig, "getBearerToken"> & {
171171
/**
172172
* Strips the non-serializable {@link GetBearerToken} callbacks from the singular
173173
* and named provider configs before they cross the RPC boundary, replacing each
174-
* with a `hasBearerTokenProvider: true` wire flag. Any configured
175-
* {@link ProviderConfig.bearerTokenScope} is forwarded verbatim (the bearer-token
176-
* surface is provider-agnostic, so the SDK never substitutes a default scope).
174+
* with a `hasBearerTokenProvider: true` wire flag. The callback closes over its
175+
* own token scope/audience, so nothing scope-related crosses the wire — the
176+
* runtime only forwards the provider name back when it needs a token.
177177
* Returns wire-safe provider configs alongside a map of provider name → callback
178178
* for session-side registration.
179179
*/

nodejs/src/generated/rpc.ts

Lines changed: 5 additions & 21 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

nodejs/src/session.ts

Lines changed: 0 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -832,14 +832,12 @@ export class CopilotSession {
832832
}
833833
const result = await callback({
834834
providerName: params.providerName,
835-
scope: params.scope,
836835
});
837836
if (typeof result === "string") {
838837
return { token: result };
839838
}
840839
return {
841840
token: result.token,
842-
expiresOnTimestamp: result.expiresOnTimestamp,
843841
};
844842
},
845843
};

nodejs/src/types.ts

Lines changed: 18 additions & 42 deletions
Original file line numberDiff line numberDiff line change
@@ -2204,17 +2204,11 @@ export interface ProviderTokenArgs {
22042204
* Name of the BYOK provider needing a token. For the singular, whole-session
22052205
* {@link ProviderConfig} this is the implicit provider name (`"default"`); for
22062206
* {@link NamedProviderConfig} entries it is {@link NamedProviderConfig.name}.
2207+
*
2208+
* The callback closes over its own token scope/audience; the runtime is
2209+
* provider-agnostic and forwards only the provider name.
22072210
*/
22082211
providerName: string;
2209-
2210-
/**
2211-
* Token scope to request, exactly as configured in the provider's
2212-
* {@link ProviderConfig.bearerTokenScope}. Empty when the provider did not
2213-
* configure a scope — in that case the callback is responsible for supplying
2214-
* the correct scope to its identity library. The bearer-token surface is
2215-
* provider-agnostic; no scope default is assumed.
2216-
*/
2217-
scope: string;
22182212
}
22192213

22202214
/**
@@ -2232,10 +2226,11 @@ export interface ProviderBearerToken {
22322226
token: string;
22332227

22342228
/**
2235-
* Unix epoch time in milliseconds at which the token expires. When provided,
2236-
* the runtime caches the token and only re-invokes the callback shortly
2237-
* before expiry. When omitted, the runtime re-invokes the callback on every
2238-
* request.
2229+
* Unix epoch time in milliseconds at which the token expires. Accepted so an
2230+
* Azure Identity `AccessToken` can be returned verbatim, but currently
2231+
* **ignored**: the runtime performs no token caching and invokes the callback
2232+
* once per outbound request, so token caching and refresh are the callback's
2233+
* responsibility (e.g. `@azure/identity` caches internally).
22392234
*/
22402235
expiresOnTimestamp?: number;
22412236
}
@@ -2244,12 +2239,11 @@ export interface ProviderBearerToken {
22442239
* Per-provider callback that resolves a bearer token on demand. The Copilot SDK
22452240
* itself takes no Azure dependency: the consumer supplies this callback backed by
22462241
* their own identity library (for example `@azure/identity`'s
2247-
* `DefaultAzureCredential.getToken(scope)`), and the runtime calls it before
2248-
* outbound model requests, caching and refreshing automatically based on the
2249-
* returned {@link ProviderBearerToken.expiresOnTimestamp}.
2242+
* `DefaultAzureCredential.getToken(scope)`), and the runtime calls it once before
2243+
* each outbound model request. The runtime does no caching of its own, so the
2244+
* callback (or the identity library it wraps) owns token caching and refresh.
22502245
*
2251-
* Returning a bare string is equivalent to returning `{ token }` with no expiry
2252-
* (re-invoked every request).
2246+
* Returning a bare string is equivalent to returning `{ token }`.
22532247
*
22542248
* @experimental Part of the experimental managed-identity / bearer-token-provider
22552249
* surface and may change or be removed in future SDK or CLI releases.
@@ -2302,23 +2296,14 @@ export interface ProviderConfig {
23022296
* Per-request bearer-token provider for managed-identity / on-demand auth.
23032297
* When set, the SDK keeps this function client-side (it is never serialized)
23042298
* and the runtime calls back into this client to acquire a token before each
2305-
* outbound request, caching and refreshing automatically. Mutually exclusive
2306-
* with {@link apiKey} / {@link bearerToken}.
2299+
* outbound request. The runtime does no caching of its own, so the callback
2300+
* owns token caching and refresh. Mutually exclusive with {@link apiKey} /
2301+
* {@link bearerToken}.
23072302
*
23082303
* @experimental
23092304
*/
23102305
getBearerToken?: GetBearerToken;
23112306

2312-
/**
2313-
* Token scope forwarded to {@link getBearerToken} as
2314-
* {@link ProviderTokenArgs.scope}. Optional and provider-agnostic: when
2315-
* omitted, the callback receives an empty scope and is responsible for
2316-
* supplying the correct scope to its identity library.
2317-
*
2318-
* @experimental
2319-
*/
2320-
bearerTokenScope?: string;
2321-
23222307
/**
23232308
* Azure-specific options
23242309
*/
@@ -2414,23 +2399,14 @@ export interface NamedProviderConfig {
24142399
* Per-request bearer-token provider for managed-identity / on-demand auth.
24152400
* When set, the SDK keeps this function client-side (it is never serialized)
24162401
* and the runtime calls back into this client to acquire a token before each
2417-
* outbound request, caching and refreshing automatically. Mutually exclusive
2418-
* with {@link apiKey} / {@link bearerToken}.
2402+
* outbound request. The runtime does no caching of its own, so the callback
2403+
* owns token caching and refresh. Mutually exclusive with {@link apiKey} /
2404+
* {@link bearerToken}.
24192405
*
24202406
* @experimental
24212407
*/
24222408
getBearerToken?: GetBearerToken;
24232409

2424-
/**
2425-
* Token scope forwarded to {@link getBearerToken} as
2426-
* {@link ProviderTokenArgs.scope}. Optional and provider-agnostic: when
2427-
* omitted, the callback receives an empty scope and is responsible for
2428-
* supplying the correct scope to its identity library.
2429-
*
2430-
* @experimental
2431-
*/
2432-
bearerTokenScope?: string;
2433-
24342410
/**
24352411
* Azure-specific options.
24362412
*/

0 commit comments

Comments
 (0)