Skip to content

Add AsyncContextualTokenResolver for agentic user ID support in token resolution#255

Merged
nikhilNava merged 2 commits into
mainfrom
nikhilc/contextual-token-resolver
Jun 3, 2026
Merged

Add AsyncContextualTokenResolver for agentic user ID support in token resolution#255
nikhilNava merged 2 commits into
mainfrom
nikhilc/contextual-token-resolver

Conversation

@nikhilNava

Copy link
Copy Markdown
Contributor

Summary

Introduces a non-breaking \AsyncContextualTokenResolver\ delegate and supporting types that allow the agentic user ID (AUID) to be passed alongside agent and tenant IDs during token resolution for the Agent365 exporter.

Ported from microsoft/opentelemetry-distro-dotnet#101.

Changes

  • *\AgentIdentity* — New class with \AgentId\ and optional \AgenticUserId\ (null in S2S scenarios)
  • *\TokenResolverContext* — Context object providing \Identity\ + \TenantId\ for cache keys
  • *\AsyncContextualTokenResolver* — New delegate on \Agent365ExporterOptions\ that takes precedence over the legacy \TokenResolver\ when set
  • *\Agent365ExporterCore* — Updated to prefer \ContextualTokenResolver; extracts AUID from the first activity in each group
  • *\Agent365Exporter\ / \Agent365ExporterAsync* — Relaxed constructor validation to accept either resolver
  • *\ApplyGuardrailOperationName* — Added to the exported genAI operation names set
  • 14 unit tests covering types, constructor validation, and resolver precedence

Non-breaking

Existing code using \TokenResolver\ continues to work unchanged. \ContextualTokenResolver\ is opt-in and takes precedence only when explicitly set.

Testing

  • All 331 observability runtime tests pass
  • Full solution (713 tests) passes with zero warnings

… resolution

Introduce a non-breaking AsyncContextualTokenResolver delegate and supporting
types that allow the agentic user ID to be passed alongside agent and tenant IDs
during token resolution for the Agent365 exporter.

- Add AgentIdentity class with AgentId and optional AgenticUserId
- Add TokenResolverContext with Identity and TenantId
- Add AsyncContextualTokenResolver delegate on Agent365ExporterOptions
- Update Agent365ExporterCore to prefer ContextualTokenResolver when set
- Relax exporter constructors to accept either resolver
- Add ApplyGuardrailOperationName to exported operation names set
- Add 14 unit tests covering new types, constructor validation, and resolver precedence

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings May 28, 2026 16:05
@nikhilNava nikhilNava requested a review from a team as a code owner May 28, 2026 16:05
@github-actions

github-actions Bot commented May 28, 2026

Copy link
Copy Markdown

⚠️ Deprecation Warning: The deny-licenses option is deprecated for possible removal in the next major release. For more information, see issue 997.

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR adds contextual token resolution for the Agent365 trace exporter so token resolvers can receive tenant, agent, and optional agentic user identity while preserving the legacy resolver path.

Changes:

  • Added AgentIdentity, TokenResolverContext, and AsyncContextualTokenResolver.
  • Updated exporter core and constructors to prefer contextual token resolution when configured.
  • Added contextual resolver tests and included apply_guardrail in genAI operation partitioning.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 2 comments.

Show a summary per file
File Description
src/Observability/Runtime/Tracing/Exporters/AgentIdentity.cs Adds exporter-facing agent identity model with optional agentic user ID.
src/Observability/Runtime/Tracing/Exporters/TokenResolverContext.cs Adds token resolver context containing identity and tenant ID.
src/Observability/Runtime/Tracing/Exporters/Agent365ExporterOptions.cs Adds contextual resolver delegate and option.
src/Observability/Runtime/Tracing/Exporters/Agent365ExporterCore.cs Prefers contextual resolver and recognizes apply-guardrail spans.
src/Observability/Runtime/Tracing/Exporters/Agent365Exporter.cs Allows either legacy or contextual resolver in sync exporter.
src/Observability/Runtime/Tracing/Exporters/Agent365ExporterAsync.cs Allows either legacy or contextual resolver in async exporter.
src/Tests/Microsoft.Agents.A365.Observability.Runtime.Tests/Tracing/Exporters/ContextualTokenResolverTests.cs Adds tests for new types, validation, precedence, and failure cases.

Comment thread src/Observability/Runtime/Tracing/Exporters/Agent365ExporterOptions.cs Outdated
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings May 28, 2026 20:11

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

@nikhilNava nikhilNava merged commit b3c6bdf into main Jun 3, 2026
7 of 9 checks passed
@nikhilNava nikhilNava deleted the nikhilc/contextual-token-resolver branch June 3, 2026 16:33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

6 participants