8.0 KiB
status, contact, date, deciders, consulted, informed
| status | contact | date | deciders | consulted | informed |
|---|---|---|---|---|---|
| superseded by [ADR-0030](0030-hosted-platform-context-agentserver-2.0.md) | rogerbarreto | 2026-06-29 | rogerbarreto |
Hosted session identity context for Foundry Hosting
Superseded by ADR-0030.
Azure.AI.AgentServer.*2.0.0 (responses protocol2.0.0) replacedResponseContext.Isolation(UserIsolationKey/ChatIsolationKey, headersx-agent-user-isolation-key/x-agent-chat-isolation-key) withResponseContext.PlatformContext(UserIdKey/CallId, headersx-agent-user-id/x-agent-foundry-call-id). The chat isolation key was removed andHostedSessionContextis now user-only. This ADR is retained as the historical record of the original design.
Context and Problem Statement
Server-hosted Foundry agents need a way to scope per-user state (most notably FoundryMemoryProvider memories) by the end user that initiated the request. The Foundry platform already injects x-agent-user-isolation-key and x-agent-chat-isolation-key headers on every Responses request, but the agent-framework hosting layer did not surface those values to AIContextProvider instances. The provider's stateInitializer only received an AgentSession? with no identity attached, so per-user scoping was impossible without out-of-band plumbing.
Decision Drivers
- Memory and any future user-private context must be partitioned per end user without per-sample boilerplate.
- The identity must be read-only from the perspective of
AIContextProviders, so a buggy or hostile provider cannot escalate or leak across users. - The persisted session must validate against the live request on every resume to defend against session-id leak and in-process tampering.
- The change must work for every existing hosted-agent type (
ChatClientAgent,FoundryAgent, future ones) without per-type refactoring of cast-heavy code paths inMicrosoft.Agents.AI. - Local Docker debugging must remain possible when the platform headers are absent.
Considered Options
HostedSessionContextstored inAgentSessionStateBag, exposed via a public read accessor and aninternalsetter. Hosting writes once on session creation and validates on every resume.- Specialised
HostedAgentSession : AgentSessionwrapper that carriesUserId/ChatIdproperties, withGetService<ChatClientAgentSession>()as the unwrap escape hatch. - New property on
AgentSessionbase class (HostedSessionContext? HostedContext { get; internal set; }). - AsyncLocal middleware that reads the headers and stuffs them into a per-request
AsyncLocal<HostedSessionContext>consumed by the provider.
For the source of identity:
- A. The platform-injected
IsolationContextexposed byResponseContext.Isolation(typedUserIsolationKey/ChatIsolationKey). - B. The OpenAI Responses spec's top-level
request.Userfield. - C. A custom HTTP header
x-client-user.
Decision Outcome
Option 1 was chosen for the storage shape, sourced from Option A (ResponseContext.Isolation).
Rationale:
- Wrapper rejected (Option 2).
ChatClientAgentSessionissealedandChatClientAgentrejects any other session type via directis not ChatClientAgentSessionchecks at multiple call sites. Wrapping would force non-trivial refactors acrossMicrosoft.Agents.AIand a corresponding repeat for every other agent type. - Base-class property rejected (Option 3). Leaks "hosted" semantics into the universal
AgentSessionabstraction used by Durable, A2A, and CopilotStudio agents that have no notion of a hosted user. - AsyncLocal rejected (Option 4). Surfaces the concept only locally, requires every consumer to re-implement the bridge, and cannot be enforced as read-only.
request.Userrejected (Option B). Set by the caller, not the platform. Forging it client-side trivially defeats per-user partitioning.x-client-userrejected (Option C). Non-standard, requires custom HTTP plumbing, and duplicates the platform-provided isolation contract.
Implementation summary in Microsoft.Agents.AI.Foundry.Hosting:
| Type | Visibility | Purpose |
|---|---|---|
HostedSessionContext |
public sealed | Captures UserId and ChatId (both required, non-whitespace). |
HostedSessionContextExtensions.GetHostedContext |
public | Read accessor for AIContextProviders. |
HostedSessionContextExtensions.SetHostedContext |
internal | Writer reserved for the hosting assembly. Backed by AgentSessionStateBag under a well-known key for serialisation. |
HostedSessionIsolationKeyProvider (abstract) |
public | DI-resolvable factory. Async signature: ValueTask<HostedSessionContext?> GetKeysAsync(ResponseContext, CreateResponse, CancellationToken). |
PlatformHostedSessionIsolationKeyProvider |
internal sealed | Default implementation. Maps context.Isolation.UserIsolationKey and context.Isolation.ChatIsolationKey. Returns null when either is absent. |
Behaviour added to AgentFrameworkResponseHandler.CreateAsync:
- Resolve
HostedSessionIsolationKeyProviderfrom DI; fall back toPlatformHostedSessionIsolationKeyProvider. - Call
GetKeysAsync(context, request, cancellationToken). Anullresult throwsInvalidOperationException(becomes 500). A null/whitespaceUserIdorChatIdis rejected byHostedSessionContext's constructor. - Branch on the session's existing context, not on whether a
conversation_idwas supplied:- No session (
session is null): nothing to stamp; skip. - Session present but un-stamped (
GetHostedContext() is null): treat as fresh. This covers both newly-created sessions and pre-existing sessions whoseconversation_idwas provisioned externally (e.g. viaconversations.CreateProjectConversationAsync()) before the first hosted-agent request. Stamp the resolved identity now. - Session present with stamped context: strict resume. The persisted
UserIdandChatIdmust equal the resolved values exactly. Mismatch throwsResponsesApiExceptionwith status 403 and bodyHosted session identity context mismatch.
- No session (
Consequences
Positive:
- Per-user memory partitioning works out of the box for any agent that consumes a
Microsoft.Agents.AI.Foundry.FoundryMemoryProviderconfigured to readsession.GetHostedContext().UserId. - Cross-user session-id leak and in-process tampering of the persisted identity both surface as a 403 with a deliberately uninformative body.
- The identity is opaque to the framework, matching the platform's semantics. The framework never inspects user identity; the
IsolationContextkeys are pre-partitioned per agent.
Negative:
- Every existing hosted sample fails locally without a
HostedSessionIsolationKeyProviderregistered, because the platform headers are absent outside the platform. Mitigated by shippingHosted_Shared_Contributor_SetupwithDevTemporaryLocalSessionIsolationKeyProviderandAddDevTemporaryLocalContributorSetup, and migrating all 9 existing responses samples. - An attacker who can plant an un-stamped session under a victim's
conversation_idbefore the victim's first hosted-agent request would be stamped with the attacker's identity on that first request. This is not a regression vs. behaviour without this contract, and is mitigated in practice because theconversation_idnamespace is allocated by the platform per project. Once a session is stamped, the strict equality check fully defends the resume path.
Out of scope
- Per-request
Userfield onCreateResponseis intentionally not consumed; only the platformIsolationContextheaders carry trustworthy identity. - Generic (non-Foundry) hosting layers can re-define an equivalent type if needed; nothing in this ADR is moved into
Microsoft.Agents.AI.HostingbecauseMicrosoft.Agents.AI.Foundry.Hostingdoes not depend on it. - HMAC tamper signatures over the persisted context are not implemented; comparison against
ResponseContext.Isolationon every request is sufficient because the platform sets those headers at the trust boundary.