Skip to content

Commit 13fd1d7

Browse files
Simplify BYOK bearer-token contract: drop scope and expiry
Mirror the runtime contract simplification: the runtime no longer caches provider tokens, it calls getBearerToken once per outbound request. Drop the vestigial `scope`/`bearerTokenScope` (the callback closes over its own scope/ audience) and stop forwarding `expiresOnTimestamp` over the wire. The field is retained on `ProviderBearerToken` so an Azure Identity `AccessToken` can be returned verbatim, but it is now documented as ignored — caching and refresh are the callback's responsibility (e.g. `@azure/identity` caches internally). Rewrite the e2e suite to drive a local capturing HTTP server as the BYOK endpoint instead of CAPI record/replay snapshots, so the tests assert on the outbound Authorization header directly and pass identically in record and replay mode. Delete the obsolete snapshots. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
1 parent d321d4a commit 13fd1d7

8 files changed

Lines changed: 187 additions & 256 deletions

nodejs/src/client.ts

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -167,9 +167,9 @@ type WireNamedProviderConfig = Omit<NamedProviderConfig, "getBearerToken"> & {
167167
/**
168168
* Strips the non-serializable {@link GetBearerToken} callbacks from the singular
169169
* and named provider configs before they cross the RPC boundary, replacing each
170-
* with a `hasBearerTokenProvider: true` wire flag. Any configured
171-
* {@link ProviderConfig.bearerTokenScope} is forwarded verbatim (the bearer-token
172-
* surface is provider-agnostic, so the SDK never substitutes a default scope).
170+
* with a `hasBearerTokenProvider: true` wire flag. The callback closes over its
171+
* own token scope/audience, so nothing scope-related crosses the wire — the
172+
* runtime only forwards the provider name back when it needs a token.
173173
* Returns wire-safe provider configs alongside a map of provider name → callback
174174
* for session-side registration.
175175
*/

nodejs/src/generated/rpc.ts

Lines changed: 5 additions & 21 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

nodejs/src/session.ts

Lines changed: 0 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -794,14 +794,12 @@ export class CopilotSession {
794794
}
795795
const result = await callback({
796796
providerName: params.providerName,
797-
scope: params.scope,
798797
});
799798
if (typeof result === "string") {
800799
return { token: result };
801800
}
802801
return {
803802
token: result.token,
804-
expiresOnTimestamp: result.expiresOnTimestamp,
805803
};
806804
},
807805
};

nodejs/src/types.ts

Lines changed: 18 additions & 42 deletions
Original file line numberDiff line numberDiff line change
@@ -2139,17 +2139,11 @@ export interface ProviderTokenArgs {
21392139
* Name of the BYOK provider needing a token. For the singular, whole-session
21402140
* {@link ProviderConfig} this is the implicit provider name (`"default"`); for
21412141
* {@link NamedProviderConfig} entries it is {@link NamedProviderConfig.name}.
2142+
*
2143+
* The callback closes over its own token scope/audience; the runtime is
2144+
* provider-agnostic and forwards only the provider name.
21422145
*/
21432146
providerName: string;
2144-
2145-
/**
2146-
* Token scope to request, exactly as configured in the provider's
2147-
* {@link ProviderConfig.bearerTokenScope}. Empty when the provider did not
2148-
* configure a scope — in that case the callback is responsible for supplying
2149-
* the correct scope to its identity library. The bearer-token surface is
2150-
* provider-agnostic; no scope default is assumed.
2151-
*/
2152-
scope: string;
21532147
}
21542148

21552149
/**
@@ -2167,10 +2161,11 @@ export interface ProviderBearerToken {
21672161
token: string;
21682162

21692163
/**
2170-
* Unix epoch time in milliseconds at which the token expires. When provided,
2171-
* the runtime caches the token and only re-invokes the callback shortly
2172-
* before expiry. When omitted, the runtime re-invokes the callback on every
2173-
* request.
2164+
* Unix epoch time in milliseconds at which the token expires. Accepted so an
2165+
* Azure Identity `AccessToken` can be returned verbatim, but currently
2166+
* **ignored**: the runtime performs no token caching and invokes the callback
2167+
* once per outbound request, so token caching and refresh are the callback's
2168+
* responsibility (e.g. `@azure/identity` caches internally).
21742169
*/
21752170
expiresOnTimestamp?: number;
21762171
}
@@ -2179,12 +2174,11 @@ export interface ProviderBearerToken {
21792174
* Per-provider callback that resolves a bearer token on demand. The Copilot SDK
21802175
* itself takes no Azure dependency: the consumer supplies this callback backed by
21812176
* their own identity library (for example `@azure/identity`'s
2182-
* `DefaultAzureCredential.getToken(scope)`), and the runtime calls it before
2183-
* outbound model requests, caching and refreshing automatically based on the
2184-
* returned {@link ProviderBearerToken.expiresOnTimestamp}.
2177+
* `DefaultAzureCredential.getToken(scope)`), and the runtime calls it once before
2178+
* each outbound model request. The runtime does no caching of its own, so the
2179+
* callback (or the identity library it wraps) owns token caching and refresh.
21852180
*
2186-
* Returning a bare string is equivalent to returning `{ token }` with no expiry
2187-
* (re-invoked every request).
2181+
* Returning a bare string is equivalent to returning `{ token }`.
21882182
*
21892183
* @experimental Part of the experimental managed-identity / bearer-token-provider
21902184
* surface and may change or be removed in future SDK or CLI releases.
@@ -2226,23 +2220,14 @@ export interface ProviderConfig {
22262220
* Per-request bearer-token provider for managed-identity / on-demand auth.
22272221
* When set, the SDK keeps this function client-side (it is never serialized)
22282222
* and the runtime calls back into this client to acquire a token before each
2229-
* outbound request, caching and refreshing automatically. Mutually exclusive
2230-
* with {@link apiKey} / {@link bearerToken}.
2223+
* outbound request. The runtime does no caching of its own, so the callback
2224+
* owns token caching and refresh. Mutually exclusive with {@link apiKey} /
2225+
* {@link bearerToken}.
22312226
*
22322227
* @experimental
22332228
*/
22342229
getBearerToken?: GetBearerToken;
22352230

2236-
/**
2237-
* Token scope forwarded to {@link getBearerToken} as
2238-
* {@link ProviderTokenArgs.scope}. Optional and provider-agnostic: when
2239-
* omitted, the callback receives an empty scope and is responsible for
2240-
* supplying the correct scope to its identity library.
2241-
*
2242-
* @experimental
2243-
*/
2244-
bearerTokenScope?: string;
2245-
22462231
/**
22472232
* Azure-specific options
22482233
*/
@@ -2338,23 +2323,14 @@ export interface NamedProviderConfig {
23382323
* Per-request bearer-token provider for managed-identity / on-demand auth.
23392324
* When set, the SDK keeps this function client-side (it is never serialized)
23402325
* and the runtime calls back into this client to acquire a token before each
2341-
* outbound request, caching and refreshing automatically. Mutually exclusive
2342-
* with {@link apiKey} / {@link bearerToken}.
2326+
* outbound request. The runtime does no caching of its own, so the callback
2327+
* owns token caching and refresh. Mutually exclusive with {@link apiKey} /
2328+
* {@link bearerToken}.
23432329
*
23442330
* @experimental
23452331
*/
23462332
getBearerToken?: GetBearerToken;
23472333

2348-
/**
2349-
* Token scope forwarded to {@link getBearerToken} as
2350-
* {@link ProviderTokenArgs.scope}. Optional and provider-agnostic: when
2351-
* omitted, the callback receives an empty scope and is responsible for
2352-
* supplying the correct scope to its identity library.
2353-
*
2354-
* @experimental
2355-
*/
2356-
bearerTokenScope?: string;
2357-
23582334
/**
23592335
* Azure-specific options.
23602336
*/

0 commit comments

Comments
 (0)