Add V2 per-audience MCP token support to .NET samples #272
biswapm commented on Apr 12, 2026
- Remove explicit bearer token pass-through in SK Agent365Agent.cs and AF MyAgent.cs; SDK now selects DevMcpTokenProvider (reads BEARER_TOKEN_<SERVER_NAME> for V2, BEARER_TOKEN fallback for V1) or AgenticMcpTokenProvider automatically
- Add V2 bearer token dev profile to SK launchSettings.json
- Create Properties/launchSettings.json for agent-framework sample with V1/V2 profiles
- Document BEARER_TOKEN_<SERVER_NAME> convention in both appsettings.json
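The per-server lookup described in this PR can be checked before launching a sample. The C# diagnostic below is an added example, not code from the PR or the SDK: it assumes the per-server variable name is the configured server name uppercased (the SDK's actual normalization is not shown on this page), and the server names and values are constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added example, not SDK code. Assumption: expected variable name is
// "BEARER_TOKEN_" + server name uppercased; the SDK's real rule may differ.
public static class DevTokenCheck
{
    private const string Prefix = "BEARER_TOKEN";

    // Reports which variable a server would use. Never returns token values.
    public static string Diagnose(string serverName, IDictionary<string, string> env)
    {
        string expected = $"{Prefix}_{serverName.ToUpperInvariant()}";

        // Exact, case-sensitive match: what a process on Linux would see.
        if (env.TryGetValue(expected, out var value) && !string.IsNullOrWhiteSpace(value))
            return $"{serverName}: {expected} is set";

        // Same name in a different case: matches on Windows, missed on Linux.
        var nearMiss = env.Keys.FirstOrDefault(k =>
            k != expected && string.Equals(k, expected, StringComparison.OrdinalIgnoreCase));
        if (nearMiss != null)
            return $"{serverName}: found {nearMiss}, expected {expected} (case mismatch)";

        // An empty placeholder counts as unset here, so it cannot mask a gap.
        if (env.TryGetValue(Prefix, out var shared) && !string.IsNullOrWhiteSpace(shared))
            return $"{serverName}: {expected} missing, shared {Prefix} would be used";

        return $"{serverName}: no dev token configured";
    }

    public static void Main()
    {
        // Constructed sample environment; values are placeholders, not tokens.
        var env = new Dictionary<string, string>(StringComparer.Ordinal)
        {
            ["BEARER_TOKEN"] = "placeholder-v1",
            ["BEARER_TOKEN_GITHUB"] = "placeholder-a",
            ["BEARER_TOKEN_azure"] = "placeholder-b",
        };
        foreach (var name in new[] { "github", "azure", "mail" })
            Console.WriteLine(Diagnose(name, env));
    }
}
```

With the constructed environment, `github` resolves to its own variable, `azure` is reported as a case mismatch, and `mail` is reported as falling back to the shared `BEARER_TOKEN`.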
Dependency Review: ✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found. Scanned files: None
Pull request overview
Updates the .NET sample agents to rely on the SDK’s MCP token providers (dev + production) rather than explicitly passing bearer tokens, and documents/bootstraps the new per-server (V2) bearer token convention for local development.
Changes:
- Remove explicit bearer-token override pass-through when registering/loading MCP tools in both SK and Agent Framework samples.
- Add/update launch profiles intended to support bearer-token-based local development (including a “V2” profile).
- Document the BEARER_TOKEN_<SERVER_NAME> convention in both sample appsettings.json files.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| dotnet/semantic-kernel/sample-agent/appsettings.json | Adds comments documenting V2 per-server bearer token env-var convention. |
| dotnet/semantic-kernel/sample-agent/Properties/launchSettings.json | Adds a new “V2 Bearer Token Support” launch profile. |
| dotnet/semantic-kernel/sample-agent/Agents/Agent365Agent.cs | Removes explicit bearer-token override and relies on SDK token provider selection. |
| dotnet/agent-framework/sample-agent/appsettings.json | Adds comments documenting V2 per-server bearer token env-var convention. |
| dotnet/agent-framework/sample-agent/Properties/launchSettings.json | Introduces new launchSettings.json with multiple dev profiles (incl. bearer token / “V2”). |
| dotnet/agent-framework/sample-agent/Agent/MyAgent.cs | Removes tokenOverride usage when calling GetMcpToolsAsync(...) and relies on SDK token resolution. |
|
|
||
| // V2 MCP per-server dev tokens: set BEARER_TOKEN_<UPPERCASE_SERVER_NAME> environment variables. | ||
| // Run: a365 develop get-token (writes these automatically for all configured servers) | ||
| // The SDK reads BEARER_TOKEN_<SERVER_NAME> for each V2 server and falls back to BEARER_TOKEN for V1. |
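Review bot: The second comment line says a365 develop get-token "writes these automatically" without saying where the values are written. Name the destination (the process environment, launchSettings.json, or a user-level store) so a developer can tell whether live tokens end up in a file that git tracks.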
The new guidance mixes BEARER_TOKEN_<UPPERCASE_SERVER_NAME> (line 17) with BEARER_TOKEN_<SERVER_NAME> (line 19). Please make the env-var naming rule explicit and consistent (including whether the SDK normalizes case), since env var names are case-sensitive on Linux and a mismatch can make dev tokens appear to “not work.”
| // The SDK reads BEARER_TOKEN_<SERVER_NAME> for each V2 server and falls back to BEARER_TOKEN for V1. | |
| // For each V2 server, the SDK uppercases the configured server name and reads BEARER_TOKEN_<UPPERCASE_SERVER_NAME>; it falls back to BEARER_TOKEN for V1. |
| { | ||
| // V2 MCP per-server dev tokens: set BEARER_TOKEN_<UPPERCASE_SERVER_NAME> environment variables. | ||
| // Run: a365 develop get-token (writes these automatically for all configured servers) | ||
| // The SDK reads BEARER_TOKEN_<SERVER_NAME> for each V2 server and falls back to BEARER_TOKEN for V1. |
The comments reference BEARER_TOKEN_<UPPERCASE_SERVER_NAME> but also say the SDK reads BEARER_TOKEN_<SERVER_NAME>. Please align these (and clarify case-normalization), otherwise users may set the wrong env var (especially on case-sensitive environments).
| // The SDK reads BEARER_TOKEN_<SERVER_NAME> for each V2 server and falls back to BEARER_TOKEN for V1. | |
| // The SDK reads BEARER_TOKEN_<UPPERCASE_SERVER_NAME> for each V2 server, using the server name normalized to uppercase, and falls back to BEARER_TOKEN for V1. |
| "launchBrowser": true, | ||
| "environmentVariables": { | ||
| "ASPNETCORE_ENVIRONMENT": "Development", | ||
| "BEARER_TOKEN": "", |
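Review bot: The "BEARER_TOKEN": "" placeholder under environmentVariables sits in a launchSettings.json that this PR checks in, so a developer who fills it in by hand ends up with a live token in a tracked file. Suggest a comment next to it pointing at a365 develop get-token or a shell-level variable for the value, and confirm that the token provider treats an empty string the same as an unset variable, since this profile always defines the name.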
The new profile is named “V2 Bearer Token Support” but it only sets BEARER_TOKEN (V1 fallback) and doesn’t show any BEARER_TOKEN_<SERVER_NAME> variables. Consider either renaming this profile or adding representative BEARER_TOKEN_<SERVER> placeholders so the profile actually exercises the V2 per-server convention being documented.
| "BEARER_TOKEN": "", | |
| "BEARER_TOKEN": "", | |
| "BEARER_TOKEN_GITHUB": "", | |
| "BEARER_TOKEN_AZURE": "", |
| "launchBrowser": false, | ||
| "environmentVariables": { | ||
| "ASPNETCORE_ENVIRONMENT": "Development", | ||
| "BEARER_TOKEN": "", |
The “Sample Agent with Bearer Token Support” and “Sample Agent with V2 Bearer Token Support” profiles currently set the same env vars (BEARER_TOKEN + SKIP_TOOLING_ON_ERRORS). This makes the V2 profile misleading/redundant; either remove one, or update the V2 profile to include BEARER_TOKEN_<SERVER_NAME> placeholders (and optionally omit BEARER_TOKEN to avoid masking V2 issues).
| "BEARER_TOKEN": "", | |
| "BEARER_TOKEN_YOUR_SERVER_NAME": "", |
| var handlerForMcp = !string.IsNullOrEmpty(authHandlerName) | ||
| ? authHandlerName | ||
| : OboAuthHandlerName ?? AgenticAuthHandlerName ?? string.Empty; | ||
| var tokenOverride = string.IsNullOrEmpty(authHandlerName) ? accessToken : null; | ||
|
|
||
| var a365Tools = await toolService.GetMcpToolsAsync(agentId, UserAuthorization, handlerForMcp, context, tokenOverride).ConfigureAwait(false); | ||
| var a365Tools = await toolService.GetMcpToolsAsync(agentId, UserAuthorization, handlerForMcp, context).ConfigureAwait(false); |
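Review bot: With tokenOverride gone from the GetMcpToolsAsync call, the fallback to string.Empty in the handlerForMcp expression now reaches the SDK with neither a handler name nor a token; before this change, the empty-authHandlerName case was exactly the one that passed accessToken. Suggest logging or failing fast when handlerForMcp is empty, so a missing dev token shows up as a clear error at this call site rather than later inside the SDK.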
Now that tokenOverride was removed from GetMcpToolsAsync(...), MCP tool loading depends on agentId being non-null. But agentId is still only resolved via authHandlerName or BEARER_TOKEN, so a dev setup that only provides V2 BEARER_TOKEN_<SERVER_NAME> values will never reach this call. Consider resolving agentId from agentic context when available (e.g., IsAgenticRequest()/GetAgenticInstanceId()), or otherwise handle/document the token requirement for agentId.