Add sovereign cloud support (GCCH, DoD, China)#354
Conversation
packages/api/src/microsoft_teams/api/clients/api_client_settings.py
3f52061 to a0cb16d
Pull request overview
Adds a first-class cloud environment abstraction to support sovereign clouds (GCCH, DoD, China) by centralizing cloud-specific endpoints and plumbing a CloudEnvironment option through key authentication/token-validation paths.
Changes:
- Introduces CloudEnvironment (frozen dataclass) with presets (PUBLIC, US_GOV, US_GOV_DOD, CHINA) plus helpers (from_name, with_overrides).
- Threads cloud configuration into apps auth/token flows (App, TokenManager, TokenValidator, HttpServer, JWT middleware), including CLOUD env var resolution.
- Updates API client pieces to accept cloud-aware defaults and adds unit coverage for cloud presets/helpers.
Reviewed changes
Copilot reviewed 12 out of 12 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| packages/api/src/microsoft_teams/api/auth/cloud_environment.py | New cloud endpoint bundle + presets + name/override helpers. |
| packages/api/tests/unit/test_cloud_environment.py | Unit tests for presets, name resolution, overrides, immutability. |
| packages/api/src/microsoft_teams/api/auth/__init__.py | Exposes CloudEnvironment and presets/helpers from the auth package. |
| packages/api/src/microsoft_teams/api/clients/api_client_settings.py | Adds cloud-aware defaulting behavior for token service (oauth_url). |
| packages/api/src/microsoft_teams/api/clients/__init__.py | Adjusts exports for client settings helpers. |
| packages/api/src/microsoft_teams/api/clients/bot/token_client.py | Adds optional cloud parameter and uses cloud endpoints/scope. |
| packages/apps/src/microsoft_teams/apps/options.py | Adds cloud option typing for app configuration. |
| packages/apps/src/microsoft_teams/apps/app.py | Resolves cloud from options/CLOUD env var and passes into auth components. |
| packages/apps/src/microsoft_teams/apps/token_manager.py | Uses cloud-specific authority, scope, and default tenant for bot tokens. |
| packages/apps/src/microsoft_teams/apps/auth/token_validator.py | Makes JWKS/issuer/login endpoints cloud-aware for service + Entra validation. |
| packages/apps/src/microsoft_teams/apps/auth/jwt_middleware.py | Adds cloud option and passes it through to service token validator. |
| packages/apps/src/microsoft_teams/apps/http/http_server.py | Passes cloud into service token validator for request auth. |
heyitsaamir
left a comment
Hm, it looks like cloud simply overrides a number of application-level settings. Can we localize its spread to just app, and maybe the token-validator? Basically if CLOUD is set, then we set many of those values up and log it?
e8688ad to c8ddc09
Review note: Graph token scope needs to vary per cloud

Great work on sovereign cloud support! One gap I noticed:

GRAPH_TOKEN_SCOPE = 'https://graph.microsoft.com/.default'

This will fail for sovereign clouds — the Graph API endpoint domain differs per cloud, and using the wrong audience returns

Correct Graph scopes per cloud

Note: DoD uses

Reference: Microsoft Graph national cloud deployments

Suggested fix

Small change — one new field on the dataclass, one line update in
c8ddc09 to 3da56ca
Introduce CloudEnvironment frozen dataclass with predefined presets (PUBLIC, US_GOV, US_GOV_DOD, CHINA) bundling all cloud-specific service endpoints. Thread cloud environment through App, TokenManager, BotTokenClient, TokenValidator, and ApiClientSettings so previously hardcoded endpoints are configurable per cloud. Supports programmatic configuration via AppOptions cloud parameter or CLOUD environment variable. Includes comprehensive tests for CloudEnvironment presets, from_name(), and with_overrides(). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Thread cloud param through ApiClient -> BotClient -> BotTokenClient so direct token acquisition via api.bots.token uses sovereign cloud endpoints. Add unit tests verifying cloud propagation. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
9e5091b to 25b19ce
heyitsaamir
left a comment
Looks good. Some minor nits. Also, looks like not all the fields are actually used. Is that intentional?
Summary
- CloudEnvironment frozen dataclass with predefined presets (PUBLIC, US_GOV, US_GOV_DOD, CHINA) bundling all cloud-specific service endpoints
- App, TokenManager, BotTokenClient, TokenValidator, ApiClient, and ApiClientSettings
- CLOUD environment variable and programmatic AppOptions.cloud configuration
- graph_scope to CloudEnvironment for cloud-aware Microsoft Graph token acquisition
- merge_api_client_settings with cloud default to PUBLIC, removes DEFAULT_API_CLIENT_SETTINGS
- ApiClient -> BotClient -> BotTokenClient

Note
graph_base_url (Graph API endpoint per cloud) is intentionally deferred. This PR focuses on auth/token acquisition. Graph API routing is a separate concern.

Sources

Test plan
- pytest packages/api/tests/ -- 168 tests pass
- pytest packages/apps/tests/ -- 389 tests pass (1 pre-existing failure unrelated)
- CLOUD=USGov against real GCCH tenant -- message received, echo reply sent

🤖 Generated with Claude Code
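The shape of the CloudEnvironment abstraction described in this PR and the reviewer's point about the Graph scope having to follow the cloud, as an added illustration that is not the project's code: a frozen dataclass with the four presets, from_name/with_overrides helpers, CLOUD env var resolution that fails closed on unknown names, and a check that catches a hardcoded public Graph scope on a sovereign cloud. The login and Graph hosts are assumed from Microsoft's published national-cloud endpoints, not taken from the PR; resolve_cloud and scope_matches_cloud are hypothetical helper names.

```python
import os
from dataclasses import dataclass, replace
from typing import Mapping, Optional


@dataclass(frozen=True)
class CloudEnvironment:
    """Bundle of cloud-specific endpoints; frozen so a preset cannot be mutated in place."""
    name: str
    login_host: str   # Entra authority host that issues tokens for this cloud
    graph_host: str   # Microsoft Graph host; the token audience must match it

    @property
    def authority(self) -> str:
        return f"https://{self.login_host}"

    @property
    def graph_scope(self) -> str:
        # Derived from graph_host, so a sovereign cloud can never inherit the public audience.
        return f"https://{self.graph_host}/.default"

    def with_overrides(self, **changes) -> "CloudEnvironment":
        return replace(self, **changes)  # returns a new instance; the preset is untouched


# Hosts assumed from Microsoft's national-cloud endpoint documentation (not from the PR).
PUBLIC = CloudEnvironment("Public", "login.microsoftonline.com", "graph.microsoft.com")
US_GOV = CloudEnvironment("USGov", "login.microsoftonline.us", "graph.microsoft.us")
US_GOV_DOD = CloudEnvironment("USGovDoD", "login.microsoftonline.us", "dod-graph.microsoft.us")
CHINA = CloudEnvironment("China", "login.chinacloudapi.cn", "microsoftgraph.chinacloudapi.cn")

_PRESETS = {c.name.lower(): c for c in (PUBLIC, US_GOV, US_GOV_DOD, CHINA)}


def from_name(name: str) -> CloudEnvironment:
    """Case-insensitive preset lookup; an unknown name must not silently fall back to PUBLIC."""
    try:
        return _PRESETS[name.strip().lower()]
    except KeyError:
        raise ValueError(f"unknown cloud {name!r}; expected one of {sorted(_PRESETS)}")


def resolve_cloud(explicit: Optional[CloudEnvironment] = None,
                  env: Optional[Mapping[str, str]] = None) -> CloudEnvironment:
    """Precedence: explicit option, then the CLOUD environment variable, then PUBLIC."""
    env = os.environ if env is None else env
    if explicit is not None:
        return explicit
    value = env.get("CLOUD")
    return from_name(value) if value else PUBLIC


def scope_matches_cloud(scope: str, cloud: CloudEnvironment) -> bool:
    """Guard for the review note: a hardcoded public Graph scope is wrong on a sovereign cloud."""
    return scope == cloud.graph_scope
```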