Sidecar: gate agent identity parameters behind AllowOverrides#3871
Merged
Conversation
…s flag AgentIdentity, AgentUsername, and AgentUserId query parameters were applied unconditionally on all sidecar endpoints, regardless of the per-route AllowOverrides configuration. This meant that even on unauthenticated routes where optionsOverride parameters were correctly ignored, agent identity parameters were still honoured. Move the AgentOverrides.SetOverrides() call inside the existing allowOverrides check in both AuthorizationHeaderEndpoint and DownstreamApiEndpoint, so agent identity parameters follow the same per-route gating as all other caller- supplied overrides. No change in behaviour for authenticated routes (AllowOverrides defaults to true). Unauthenticated routes (AllowOverrides defaults to false) will now correctly ignore agent identity parameters unless the operator explicitly opts in. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…larity - Updated WithDescription strings on all four sidecar endpoints to clarify that agent identity parameters are subject to AllowOverrides gating. - Updated README to document agent identity parameter behavior under AllowOverrides and the runtime composition table. - Regenerated OpenAPI spec to reflect description changes. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
When agent identity query parameters are provided on a route where AllowOverrides is disabled, emit a warning log that names the route and the configuration key needed to re-enable agent identity overrides. This avoids silent behaviour changes for existing deployments. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
bgavrilMS
approved these changes
Jun 17, 2026
Contributor
|
LGTM! |
This was referenced Jun 24, 2026
Merged
Closed
Open
Open
Merged
This was referenced Jun 24, 2026
Merged
Closed
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Hardens the Entra Identity sidecar by ensuring agent identity query parameters (
AgentIdentity,AgentUsername,AgentUserId) are only processed when the per-routeAllowOverridesflag is enabled. Previously these parameters were applied unconditionally, bypassing the override gating that was already in place for other option overrides.Changes
Security hardening (commit 1)
AgentOverrides.SetOverrides()inside theif (allowOverrides)block in bothAuthorizationHeaderEndpointandDownstreamApiEndpoint.AgentOverrideGatingTestscovering all four sidecar routes, verifying that agent identity parameters are ignored whenAllowOverridesisfalseand applied whentrue.Documentation (commit 2)
WithDescriptionstrings on all four endpoints to clarify that agent identity parameters are subject to theAllowOverridessetting.AllowOverrides.Diagnostics (commit 3)
AgentIdentityOverridesIgnored) that fires when agent identity parameters are provided on a route whereAllowOverridesis disabled. The warning names the route and the configuration key to set, so operators can diagnose and remediate without guessing.Testing
All 12 gating tests pass (6 existing
SidecarOverrideGatingTests+ 6 newAgentOverrideGatingTests).