Reduce repeated Graph sign-in prompts (#139)

Author: mengyimicro

src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/SetupHelpers.cs

@@ -195,15 +195,32 @@ public static async Task EnsureResourcePermissionsAsync(
         if (string.IsNullOrWhiteSpace(config.AgentBlueprintId))
             throw new SetupValidationException("AgentBlueprintId (appId) is required.");
 
-        var blueprintSpObjectId = await graph.LookupServicePrincipalByAppIdAsync(config.TenantId, config.AgentBlueprintId, ct);
+        // Use delegated token provider for *all* permission operations to avoid bouncing between Azure CLI auth and Microsoft Graph PowerShell auth.
+        var permissionGrantScopes = AuthenticationConstants.RequiredPermissionGrantScopes;
+
+        // Pre-warm the delegated token once
+        var user = await graph.GraphGetAsync(
+            config.TenantId,
+            "/v1.0/me?$select=id",
+            ct,
+            scopes: permissionGrantScopes);
+        
+        if (user == null)
+        {
+            throw new SetupValidationException(
+                "Failed to authenticate to Microsoft Graph with delegated permissions. " +
+                "Please sign in when prompted and ensure your account has the required roles and permission scopes.");
+        }
+
+        var blueprintSpObjectId = await graph.LookupServicePrincipalByAppIdAsync(config.TenantId, config.AgentBlueprintId, ct, permissionGrantScopes);
         if (string.IsNullOrWhiteSpace(blueprintSpObjectId))
         {
             throw new SetupValidationException($"Blueprint Service Principal not found for appId {config.AgentBlueprintId}. " +
                 "The service principal may not have propagated yet. Wait a few minutes and retry.");
         }
 
         // Ensure resource service principal exists
-        var resourceSpObjectId = await graph.EnsureServicePrincipalForAppIdAsync(config.TenantId, resourceAppId, ct);
+        var resourceSpObjectId = await graph.EnsureServicePrincipalForAppIdAsync(config.TenantId, resourceAppId, ct, permissionGrantScopes);
         if (string.IsNullOrWhiteSpace(resourceSpObjectId))
         {
             throw new SetupValidationException($"{resourceName} Service Principal not found for appId {resourceAppId}. " +
@@ -233,7 +250,7 @@ public static async Task EnsureResourcePermissionsAsync(
             blueprintSpObjectId, resourceSpObjectId, string.Join(' ', scopes));
 
         var response = await graph.CreateOrUpdateOauth2PermissionGrantAsync(
-            config.TenantId, blueprintSpObjectId, resourceSpObjectId, scopes, ct);
+            config.TenantId, blueprintSpObjectId, resourceSpObjectId, scopes, ct, permissionGrantScopes);
 
         if (!response)
         {

src/Microsoft.Agents.A365.DevTools.Cli/Constants/AuthenticationConstants.cs

@@ -79,6 +79,17 @@ public static class AuthenticationConstants
         "Directory.Read.All"
     };
 
+    /// <summary>
+    /// Required scopes for oauth2 permission grants to service principals.
+    /// These scopes enable the service principals to operate correctly with the necessary permissions.
+    /// All scopes require admin consent.
+    /// </summary>
+    public static readonly string[] RequiredPermissionGrantScopes = new[]
+    {
+        "Application.ReadWrite.All",
+        "DelegatedPermissionGrant.ReadWrite.All"
+    };
+
     /// <summary>
     /// Environment variable name for bearer token used in local development.
     /// This token is stored in .env files (Python/Node.js) or launchSettings.json (.NET)

src/Microsoft.Agents.A365.DevTools.Cli/Services/GraphApiService.cs

@@ -325,9 +325,10 @@ public async Task<bool> GraphDeleteAsync(
     /// Looks up a service principal by its application (client) ID.
     /// Virtual to allow mocking in unit tests using Moq.
     /// </summary>
-    public virtual async Task<string?> LookupServicePrincipalByAppIdAsync(string tenantId, string appId, CancellationToken ct = default)
+    public virtual async Task<string?> LookupServicePrincipalByAppIdAsync(
+        string tenantId, string appId, CancellationToken ct = default, IEnumerable<string>? scopes = null)
     {
-        var doc = await GraphGetAsync(tenantId, $"/v1.0/servicePrincipals?$filter=appId eq '{appId}'&$select=id", ct);
+        var doc = await GraphGetAsync(tenantId, $"/v1.0/servicePrincipals?$filter=appId eq '{appId}'&$select=id", ct, scopes);
         if (doc == null) return null;
         if (!doc.RootElement.TryGetProperty("value", out var value) || value.GetArrayLength() == 0) return null;
         return value[0].GetProperty("id").GetString();
@@ -339,14 +340,14 @@ public async Task<bool> GraphDeleteAsync(
     /// Virtual to allow mocking in unit tests using Moq.
     /// </summary>
     public virtual async Task<string> EnsureServicePrincipalForAppIdAsync(
-        string tenantId, string appId, CancellationToken ct = default)
+        string tenantId, string appId, CancellationToken ct = default, IEnumerable<string>? scopes = null)
     {
         // Try existing
-        var spId = await LookupServicePrincipalByAppIdAsync(tenantId, appId, ct);
+        var spId = await LookupServicePrincipalByAppIdAsync(tenantId, appId, ct, scopes);
         if (!string.IsNullOrWhiteSpace(spId)) return spId!;
 
         // Create SP for this application
-        var created = await GraphPostAsync(tenantId, "/v1.0/servicePrincipals", new { appId }, ct);
+        var created = await GraphPostAsync(tenantId, "/v1.0/servicePrincipals", new { appId }, ct, scopes);
         if (created == null || !created.RootElement.TryGetProperty("id", out var idProp))
             throw new InvalidOperationException($"Failed to create servicePrincipal for appId {appId}");
 
@@ -358,15 +359,17 @@ public async Task<bool> CreateOrUpdateOauth2PermissionGrantAsync(
         string clientSpObjectId,
         string resourceSpObjectId,
         IEnumerable<string> scopes,
-        CancellationToken ct = default)
+        CancellationToken ct = default,
+        IEnumerable<string>? permissionGrantScopes = null)
     {
         var desiredScopeString = string.Join(' ', scopes);
 
         // Read existing
         var listDoc = await GraphGetAsync(
             tenantId,
             $"/v1.0/oauth2PermissionGrants?$filter=clientId eq '{clientSpObjectId}' and resourceId eq '{resourceSpObjectId}'",
-            ct);
+            ct,
+            permissionGrantScopes);
 
         var existing = listDoc?.RootElement.TryGetProperty("value", out var arr) == true && arr.GetArrayLength() > 0
             ? arr[0]
@@ -382,7 +385,7 @@ public async Task<bool> CreateOrUpdateOauth2PermissionGrantAsync(
                 resourceId = resourceSpObjectId,
                 scope = desiredScopeString
             };
-            var created = await GraphPostAsync(tenantId, "/v1.0/oauth2PermissionGrants", payload, ct);
+            var created = await GraphPostAsync(tenantId, "/v1.0/oauth2PermissionGrants", payload, ct, permissionGrantScopes);
             return created != null; // success if response parsed
         }
 
@@ -399,7 +402,7 @@ public async Task<bool> CreateOrUpdateOauth2PermissionGrantAsync(
         var id = existing.Value.GetProperty("id").GetString();
         if (string.IsNullOrWhiteSpace(id)) return false;
 
-        return await GraphPatchAsync(tenantId, $"/v1.0/oauth2PermissionGrants/{id}", new { scope = merged }, ct);
+        return await GraphPatchAsync(tenantId, $"/v1.0/oauth2PermissionGrants/{id}", new { scope = merged }, ct, permissionGrantScopes);
     }
 
     /// <summary>

src/Microsoft.Agents.A365.DevTools.Cli/Services/Internal/MicrosoftGraphTokenProvider.cs

@@ -1,8 +1,15 @@
-using System;
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+using System;
+using System.Collections.Concurrent;
 using System.Collections.Generic;
 using System.Linq;
+using System.Text;
+using System.Text.Json;
 using System.Threading;
 using System.Threading.Tasks;
+using Microsoft.Agents.A365.DevTools.Cli.Constants;
 using Microsoft.Agents.A365.DevTools.Cli.Helpers;
 using Microsoft.Extensions.Logging;
 
@@ -11,11 +18,40 @@ namespace Microsoft.Agents.A365.DevTools.Cli.Services;
 /// <summary>
 /// Implements Microsoft Graph token acquisition via PowerShell Microsoft.Graph module.
 /// </summary>
-public sealed class MicrosoftGraphTokenProvider : IMicrosoftGraphTokenProvider
+public sealed class MicrosoftGraphTokenProvider : IMicrosoftGraphTokenProvider, IDisposable
 {
     private readonly CommandExecutor _executor;
     private readonly ILogger<MicrosoftGraphTokenProvider> _logger;
 
+    // Cache tokens per (tenant + clientId + scopes) for the lifetime of this CLI process.
+    // This reduces repeated Connect-MgGraph prompts in setup flows.
+    private readonly ConcurrentDictionary<string, CachedToken> _tokenCache = new();
+    private readonly ConcurrentDictionary<string, SemaphoreSlim> _locks = new();
+    
+    private sealed record CachedToken(string AccessToken, DateTimeOffset ExpiresOnUtc);
+
+    private bool _disposed;
+    public void Dispose()
+    {
+        if (_disposed) return;
+        _disposed = true;
+
+        foreach (var kvp in _locks)
+        {
+            try 
+            { 
+                kvp.Value.Dispose(); 
+            }
+            catch (Exception ex)
+            { 
+                _logger.LogDebug(ex, "Failed to dispose semaphore for key '{Key}' in MicrosoftGraphTokenProvider.", kvp.Key); 
+            }
+        }
+
+        _locks.Clear();
+        _tokenCache.Clear();
+    }
+
     public MicrosoftGraphTokenProvider(
         CommandExecutor executor,
         ILogger<MicrosoftGraphTokenProvider> logger)
@@ -31,10 +67,6 @@ public MicrosoftGraphTokenProvider(
         string? clientAppId = null,
         CancellationToken ct = default)
     {
-        _logger.LogInformation(
-            "Acquiring Microsoft Graph delegated access token via PowerShell (Device Code: {UseDeviceCode})",
-            useDeviceCode);
-
         var validatedScopes = ValidateAndPrepareScopes(scopes);
         ValidateTenantId(tenantId);
 
@@ -43,10 +75,61 @@ public MicrosoftGraphTokenProvider(
             ValidateClientAppId(clientAppId);
         }
 
-        var script = BuildPowerShellScript(tenantId, validatedScopes, useDeviceCode, clientAppId);
-        var result = await ExecuteWithFallbackAsync(script, useDeviceCode, ct);
+        var cacheKey = MakeCacheKey(tenantId, validatedScopes, clientAppId);
+        var tokenExpirationMinutes = AuthenticationConstants.TokenExpirationBufferMinutes;
 
-        return ProcessResult(result);
+        // Fast path: cached + not expiring soon
+        if (_tokenCache.TryGetValue(cacheKey, out var cached) &&
+            cached.ExpiresOnUtc > DateTimeOffset.UtcNow.AddMinutes(tokenExpirationMinutes) &&
+            !string.IsNullOrWhiteSpace(cached.AccessToken))
+        {
+            _logger.LogDebug("Reusing cached Graph token for key {Key} expiring at {Exp}",
+                cacheKey, cached.ExpiresOnUtc);
+            return cached.AccessToken;
+        }
+
+        // Single-flight: only one PowerShell auth per key at a time
+        var gate = _locks.GetOrAdd(cacheKey, _ => new SemaphoreSlim(1, 1));
+        await gate.WaitAsync(ct);
+        try
+        {
+            // Re-check inside lock
+            if (_tokenCache.TryGetValue(cacheKey, out cached) &&
+                cached.ExpiresOnUtc > DateTimeOffset.UtcNow.AddMinutes(tokenExpirationMinutes) &&
+                !string.IsNullOrWhiteSpace(cached.AccessToken))
+            {
+                _logger.LogDebug("Reusing cached Graph token (post-lock) for key {Key} expiring at {Exp}",
+                    cacheKey, cached.ExpiresOnUtc);
+                return cached.AccessToken;
+            }
+
+            _logger.LogInformation(
+                "Acquiring Microsoft Graph delegated access token via PowerShell (Device Code: {UseDeviceCode})",
+                useDeviceCode);
+
+            var script = BuildPowerShellScript(tenantId, validatedScopes, useDeviceCode, clientAppId);
+            var result = await ExecuteWithFallbackAsync(script, useDeviceCode, ct);
+            var token = ProcessResult(result);
+
+            if (string.IsNullOrWhiteSpace(token))
+            {
+                return null;
+            }
+
+            // Cache expiry from JWT exp; if parsing fails, cache short (10 min) to still reduce spam
+            if (!TryGetJwtExpiryUtc(token, out var expUtc))
+            {
+                expUtc = DateTimeOffset.UtcNow.AddMinutes(10);
+                _logger.LogDebug("Could not parse JWT exp; caching token for a short duration until {Exp}", expUtc);
+            }
+
+            _tokenCache[cacheKey] = new CachedToken(token, expUtc);
+            return token;
+        }
+        finally
+        {
+            gate.Release();
+        }
     }
 
     private string[] ValidateAndPrepareScopes(IEnumerable<string> scopes)
@@ -249,4 +332,56 @@ private static bool IsValidJwtFormat(string token)
         return token.StartsWith("eyJ", StringComparison.Ordinal) &&
                token.Count(c => c == '.') == 2;
     }
+
+    private static string MakeCacheKey(string tenantId, IEnumerable<string> scopes, string? clientAppId)
+    {
+        var scopeKey = string.Join(" ", scopes
+            .Where(s => !string.IsNullOrWhiteSpace(s))
+            .Select(s => s.Trim())
+            .Distinct(StringComparer.OrdinalIgnoreCase)
+            .OrderBy(s => s, StringComparer.OrdinalIgnoreCase));
+
+        return $"{tenantId}::{clientAppId ?? ""}::{scopeKey}";
+    }
+
+    private bool TryGetJwtExpiryUtc(string jwt, out DateTimeOffset expiresOnUtc)
+    {
+        expiresOnUtc = default;
+
+        if (string.IsNullOrWhiteSpace(jwt)) return false;
+
+        try
+        {
+            var parts = jwt.Split('.');
+            if (parts.Length < 2) return false;
+
+            var payloadJson = Encoding.UTF8.GetString(Base64UrlDecode(parts[1]));
+            using var doc = JsonDocument.Parse(payloadJson);
+
+            if (!doc.RootElement.TryGetProperty("exp", out var expEl)) return false;
+            if (expEl.ValueKind != JsonValueKind.Number) return false;
+
+            // exp is seconds since Unix epoch
+            var expSeconds = expEl.GetInt64();
+            expiresOnUtc = DateTimeOffset.FromUnixTimeSeconds(expSeconds);
+            return true;
+        }
+        catch (Exception ex)
+        {
+            _logger.LogDebug(ex, "Failed to parse JWT expiry (exp) from access token.");
+            return false;
+        }
+    }
+
+    private static byte[] Base64UrlDecode(string input)
+    {
+        // Base64Url decode with padding fix
+        var s = input.Replace('-', '+').Replace('_', '/');
+        switch (s.Length % 4)
+        {
+            case 2: s += "=="; break;
+            case 3: s += "="; break;
+        }
+        return Convert.FromBase64String(s);
+    }
 }