Add AppConfig object with full integration into App class to make constants user-configurable

[Copilot]

AppConfig Integration - Single Source of Truth for Defaults

Latest Changes

Made TokenValidator.for_service() and TokenValidator.for_entra() the single source of truth for all JWT validation defaults per @heyitsaamir feedback.

How Defaults Work Now

Config defines None as default:

@dataclass
class AuthConfig:
    jwt_leeway_seconds: Optional[int] = None
    bot_framework_issuer: Optional[str] = None
    bot_framework_jwks_uri: Optional[str] = None
    # ...

HttpPlugin passes config values directly (no defaults applied):

jwt_middleware = create_jwt_validation_middleware(
    app_id=app_id,
    logger=self.logger,
    paths=[self.config.endpoints.activity_path],
    clock_tolerance=self.config.auth.jwt_leeway_seconds,  # Pass None if not set
    issuer=self.config.auth.bot_framework_issuer,  # Pass None if not set
    jwks_uri=self.config.auth.bot_framework_jwks_uri,  # Pass None if not set
)

create_jwt_validation_middleware only passes non-None values:

def create_jwt_validation_middleware(
    app_id: str,
    logger: Logger,
    paths: list[str],
    clock_tolerance: Optional[int] = None,
    issuer: Optional[str] = None,
    jwks_uri: Optional[str] = None,
):
    # Only pass non-None values to TokenValidator
    kwargs = {"logger": logger}
    if clock_tolerance is not None:
        kwargs["clock_tolerance"] = clock_tolerance
    if issuer is not None:
        kwargs["issuer"] = issuer
    if jwks_uri is not None:
        kwargs["jwks_uri"] = jwks_uri
    
    token_validator = TokenValidator.for_service(app_id, **kwargs)

TokenValidator.for_service has the defaults:

@classmethod
def for_service(
    cls,
    app_id: str,
    logger: Optional[Logger] = None,
    service_url: Optional[str] = None,
    clock_tolerance: int = JWT_LEEWAY_SECONDS,  # Default: 300
    issuer: str = "https://api.botframework.com",  # Default
    jwks_uri: str = "https://login.botframework.com/v1/.well-known/keys",  # Default
) -> "TokenValidator":

Same for TokenValidator.for_entra:

@classmethod
def for_entra(
    cls,
    app_id: str,
    tenant_id: Optional[str],
    scope: Optional[str] = None,
    logger: Optional[Logger] = None,
    clock_tolerance: int = JWT_LEEWAY_SECONDS,  # Default: 300
    issuer_template: str = "https://login.microsoftonline.com/{tenant_id}/v2.0",  # Default
    jwks_uri_template: str = "https://login.microsoftonline.com/{tenant_id}/discovery/v2.0/keys",  # Default
) -> "TokenValidator":

Benefits

• Single source of truth: All defaults in TokenValidator factory methods only
• No duplication: Defaults not repeated anywhere else
• Cleaner code: Config values flow cleanly through the chain
• Easier maintenance: Change defaults in one place only

Test Results

✅ 38 config and integration tests - ALL PASSING
✅ 0 linting errors (ruff)

Summary

Config values flow cleanly:

1. AuthConfig fields default to None
2. HttpPlugin passes config values (or None) to create_jwt_validation_middleware
3. create_jwt_validation_middleware only passes non-None values to TokenValidator.for_service
4. TokenValidator.for_service applies its defaults for any missing parameters

No defaults duplicated anywhere!

Original prompt

We should do an audit of all the constants in microsoft-teams-apps. Ideally, we want to put all these in a Config object that should be changeable by the user.
signin
can you:

1. Take account of all the various constants that exist in microsoft-teams-app in teams.PY
2. Then build a plan for what this Config object could look like?

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[heyitsaamir]

@copilot added some comments

[heyitsaamir]

Don't want this configurable.

[Copilot]

Removed the host field from NetworkConfig.

[heyitsaamir]

also remove user_agent

[Copilot]

Removed the user_agent field from NetworkConfig.

[heyitsaamir]

Don't want this configurable. This should be whatever base-level log_level there is.

[Copilot]

Removed the uvicorn_log_level field from NetworkConfig.

[heyitsaamir]

let's skip making this configurable for now.

[Copilot]

Removed the entire RetryConfig class and all references to it.

[heyitsaamir]

skip making this configurable

[Copilot]

Removed the entire SignInConfig class and all references to it.

[heyitsaamir]

Remove LoggerConfig

[Copilot]

Removed the entire LoggerConfig class and all references to it.

[heyitsaamir]

no need to make this configurable

[Copilot]

Removed the entire PluginConfig class and all references to it.

[Copilot]

Just as a heads up, I was blocked by some firewall rules while working on your feedback. Expand below for details.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• login.microsoftonline.com
  • Triggering command: python -m pytest packages/apps/tests/test_app.py -v --tb=short (dns block)
• token.botframework.com
  • Triggering command: python -m pytest packages/apps/tests/test_app.py -v --tb=short (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[heyitsaamir]

@copilot feedback

[heyitsaamir]

Remove LoggerConfig

[heyitsaamir]

also remove user_agent

[heyitsaamir]

why did you remove SignInConfig?

[Copilot]

SignInConfig was removed because there was a comment on the original commit (9a62707, line 97) that said "skip making this configurable". If this was removed in error, I can restore it.

[heyitsaamir]

@copilot yes i think we want to keep that.

[Copilot]

Restored SignInConfig with environment variable support (OAUTH_CARD_TEXT, SIGN_IN_BUTTON_TEXT). Added 4 comprehensive tests. All 23 tests passing.

[Copilot]

Just as a heads up, I was blocked by some firewall rules while working on your feedback. Expand below for details.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• login.microsoftonline.com
  • Triggering command: python -m pytest packages/apps/tests/test_app.py -v --tb=short (dns block)
• token.botframework.com
  • Triggering command: python -m pytest packages/apps/tests/test_app.py -v --tb=short (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[heyitsaamir]

@copilot Looks good.
If the value isn't provided, use environment variables to extract it. Look at how we get CLIENT_ID and CLIENT_SECRET variables as examples.

[Copilot]

@copilot Looks good.
If the value isn't provided, use environment variables to extract it. Look at how we get CLIENT_ID and CLIENT_SECRET variables as examples.

Added environment variable support. Config values now fall back to env vars (PORT, BOT_API_BASE_URL, JWT_LEEWAY_SECONDS, etc.) if not explicitly provided, matching the CLIENT_ID/CLIENT_SECRET pattern. Explicit values always override env vars. Commit 379f33c.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• login.microsoftonline.com
  • Triggering command: python -m pytest packages/apps/tests/test_app.py -v --tb=short (dns block)
• token.botframework.com
  • Triggering command: python -m pytest packages/apps/tests/test_app.py -v --tb=short (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[heyitsaamir]

@copilot added some comments

[heyitsaamir]

don't need these comments

[Copilot]

Removed the unnecessary comments from app.py init method. Commit 3a4e6b8.

[heyitsaamir]

rename this to api_base_url

[heyitsaamir]

and rename the env to API_BASE_URL

[Copilot]

Renamed to api_base_url with API_BASE_URL env var. Updated all references in app.py, http_plugin.py, and tests. Commit 3a4e6b8.

[heyitsaamir]

let's remove health_check_path for now

[Copilot]

Removed health_check_path from EndpointConfig. Health check endpoint is now hardcoded to "/" in HttpPlugin. Commit 3a4e6b8.

[heyitsaamir]

you don't seem to be using these, are you?

[Copilot]

Correct - removed all unused AuthConfig fields. AuthConfig is now an empty placeholder for future authentication configuration. Commit 3a4e6b8.

[heyitsaamir]

lol dude don't remove it. i want you to use it. Put this back and actually use it in the jwt configuration.

[Copilot]

Restored AuthConfig with all fields and integrated them into JWT validation. Auth config values are now used in:

• TokenValidator.for_service() for Bot Framework validation
• TokenValidator.for_entra() for Entra ID validation
• create_jwt_validation_middleware() for activity endpoint auth
• All JWT validation now uses config.auth.jwt_leeway_seconds, bot_framework_issuer, bot_framework_jwks_uri, entra_id_issuer_template, and entra_id_jwks_uri_template

Added 4 comprehensive AuthConfig tests. All 38 tests passing. Commit cd15173.

[heyitsaamir]

For the values here, just default them to None. So the default is closer to the place that uses them.

[Copilot]

Changed AuthConfig fields to default to None. Default values are now applied at usage sites (http_plugin.py line 117-119 for Bot Framework validation, app.py line 165-169 for Entra ID validation). Commit 867711e.

[Copilot]

Changed AuthConfig defaults to None. Actual defaults are now at usage sites (http_plugin.py and app.py). Commit 867711e.

[heyitsaamir]

@copilot added some comments

[heyitsaamir]

@copilot put the auth config you had back and actually use it.

[heyitsaamir]

lol dude don't remove it. i want you to use it. Put this back and actually use it in the jwt configuration.

[heyitsaamir]

@copilot fix pls

[heyitsaamir]

Now you've got default in two different places. Not sure if I like that.

[Copilot]

Fixed - removed defaults from jwt_middleware.py. All defaults now only exist in AuthConfig. Commit in progress.

[heyitsaamir]

Since these are defined here, it might makes sense to remove the defaults from jwt_middleware.py, so there aren't two places where this exists.

[Copilot]

Done - removed all defaults from jwt_middleware.py parameters. Single source of truth is now config.py. Commit in progress.

[heyitsaamir]

make these key'd params.

[Copilot]

Already using keyword arguments - clock_tolerance=, issuer=, jwks_uri= are all keyed params at line 117-119 of http_plugin.py. No changes needed.

[heyitsaamir]

I mean i want it to be like init(self, *, app_id...

[Copilot]

Made HttpPlugin.init use keyword-only parameters with *. Updated App to call it with keyword arguments. Commit 867711e.

[Copilot]

Done - HttpPlugin now uses def __init__(self, *, app_id, ...) with keyword-only parameters. Commit 867711e.

[heyitsaamir]

Replace with:

# A number of internal defaults can be configured by overriding values in this option

[Copilot]

Updated docstring as requested. Commit in progress.

[heyitsaamir]

@copilot updated a few more comments

[heyitsaamir]

I mean i want it to be like init(self, *, app_id...

[heyitsaamir]

For the values here, just default them to None. So the default is closer to the place that uses them.

[heyitsaamir]

@copilot update

[heyitsaamir]

defaults ALREADY exist in TokenValidator.forEntra

[Copilot]

Correct - removed the redundant defaults. Now only passing config values if they're not None, letting TokenValidator.for_entra's own defaults apply. Commit 9105458.

[heyitsaamir]

defaults ALREADY exist for create_jwt_validation_middleware don't they?

[Copilot]

No - create_jwt_validation_middleware has no defaults (we removed them earlier to have single source of truth). The defaults must be applied here when calling it. TokenValidator.for_service/for_entra have defaults, but create_jwt_validation_middleware doesn't. Commit 9105458.

[heyitsaamir]

@copilot Well I would like the source of truth to be for_service and for_entra.

[Copilot]

Done! TokenValidator.for_service and TokenValidator.for_entra are now the single source of truth for all defaults.

http_plugin.py no longer applies any defaults - it passes config values directly (or None). create_jwt_validation_middleware only passes non-None values to TokenValidator.for_service, which then applies its own defaults.

Commit 2a78ea4.