feat(iframe-app): Add Easy Auth detection and improve authentication flow

[ccastrotrejo]

Commit Type

• feature - New functionality
• fix - Bug fix
• refactor - Code restructuring without behavior change
• perf - Performance improvement
• docs - Documentation update
• test - Test-related changes
• chore - Maintenance/tooling

Risk Level

• Low - Minor changes, limited scope
• Medium - Moderate changes, some user impact
• High - Major changes, significant user/system impact

What & Why

Implements Azure App Service Easy Auth detection in the iframe-app chat UI to provide a smarter authentication flow. Previously, the app would always show a login prompt with hardcoded default identity providers (Microsoft, Google, Facebook, GitHub), even when Easy Auth was not configured on the Logic App.

Problem

• Users saw a broken login prompt when Easy Auth wasn't configured
• Hardcoded default identity providers were always injected regardless of configuration
• No distinction between "user not authenticated" and "Easy Auth not configured"

Solution

• Added isEasyAuthConfigured flag to AuthInformation interface to distinguish between authentication states
• Enhanced checkAuthStatus() to detect Easy Auth configuration by interpreting HTTP status codes from /.auth/me:
  • 404 → Easy Auth is NOT configured
  • 401, 403 → Easy Auth IS configured, user not authenticated
  • 302 (opaqueredirect) → Easy Auth IS configured, redirect to login
  • Network errors → Assume Easy Auth is not configured
• Added redirect: 'manual' to fetch options to detect 302 redirects without following them
• Removed hardcoded DEFAULT_IDENTITY_PROVIDERS fallback - identity providers must now be explicitly configured via window.IDENTITY_PROVIDERS
• Updated IframeWrapper to use the new detection logic and skip login UI when appropriate
• Fixed parseIdentityProviders() to reject arrays (not a valid Record<string, IdentityProvider> format)

Impact of Change

• Users: When Easy Auth is not configured on a Logic App, users will no longer see a broken login prompt. The chat UI will load directly and fail gracefully if an API key is missing.
• Developers: AuthInformation interface now includes isEasyAuthConfigured: boolean property. Identity providers are no longer injected by default.
• System: No default identity providers are injected - must be explicitly configured via window.IDENTITY_PROVIDERS server-side injection.

Test Plan

• Unit tests added/updated
• E2E tests added/updated
• Manual testing completed
• Tested in: Local development environment

Unit test scenarios covered:

• checkAuthStatus returns isEasyAuthConfigured: false when /.auth/me returns 404
• checkAuthStatus returns isEasyAuthConfigured: true for 401, 403, and 302 (opaqueredirect) responses
• checkAuthStatus returns isEasyAuthConfigured: true with error for 500/503 server errors
• IframeWrapper skips login when Easy Auth is not configured (404)
• IframeWrapper skips login when Easy Auth is configured but no identity providers defined
• Config parser returns undefined for identity providers when not explicitly set (no fallback)
• Config parser rejects arrays as invalid identity provider format

E2E test improvements:

• Updated authentication flow tests to inject identity providers via HTML modification
• Fixed flaky tests by waiting for UI elements to be visible and enabled before interaction
• Updated login prompt tests to use baseTest with proper mocking setup
• Added proper identity provider injection in SSE fixtures for consistent test behavior

Files Changed

File	Changes
apps/iframe-app/src/lib/authHandler.ts	Added isEasyAuthConfigured to AuthInformation interface, enhanced status code handling with redirect: 'manual'
apps/iframe-app/src/components/IframeWrapper.tsx	Updated auth logic to use new detection flow, added props.identityProviders to dependency array
apps/iframe-app/src/lib/utils/config-parser.ts	Removed DEFAULT_IDENTITY_PROVIDERS constant and fallback, added array rejection in parseIdentityProviders()
apps/iframe-app/src/lib/__tests__/authHandler.test.ts	Added comprehensive tests for Easy Auth detection (404, 401, 403, 302, 500, 503 status codes)
apps/iframe-app/src/components/__tests__/IframeWrapper.test.tsx	Added tests for skip login scenarios when Easy Auth not configured or no identity providers
apps/iframe-app/src/components/__tests__/IframeWrapper.contextId.test.tsx	Updated mock to include isEasyAuthConfigured flag
apps/iframe-app/src/lib/utils/__tests__/config-parser.test.ts	Updated expectations for undefined providers, added array rejection test
e2e/chatClient/fixtures/sse-fixtures.ts	Added identity provider injection via HTML modification
e2e/chatClient/tests/features/authentication/auth-flow.spec.ts	Fixed flaky tests with proper wait conditions
e2e/chatClient/tests/features/authentication/login-prompt.spec.ts	Refactored to use baseTest with proper identity provider injection

Contributors

Screenshots/Videos

N/A - Logic change only, no visual changes

[github-actions]

🤖 AI PR Validation Report

PR Review Results

Thank you for your submission! Here's detailed feedback on your PR title and body compliance:

✅ PR Title

• Current: feat(iframe-app): Add Easy Auth detection and improve authentication flow
• Issue: None — title is descriptive, follows conventional commit style, and correctly scopes the change to iframe-app.
• Recommendation: Keep as-is. If you want, you can mention the specific behavior change (e.g., "skip login UI when Easy Auth not configured") but the current title is already high-quality.

---

✅ Commit Type

• Properly selected (feature).
• Only one commit type is checked which is correct. No action needed.

---

✅ Risk Level

• The PR body selects Medium and the repository labels include risk:medium — these match.
• Assessment: The code changes modify authentication behavior and tests, add fetch redirect handling, and remove default identity provider fallbacks. Given the scope (auth flows, tests, e2e updates) a Medium risk level is appropriate.

---

✅ What & Why

• Current: Implements Easy Auth detection and refines login flow; explains the problem and summarizes the solution (new flag, fetch redirect: manual, removed default providers, updated IframeWrapper and parser).
• Issue: None — the section is concise and explains motivation and changes.
• Recommendation: No change required. Well-written.

---

✅ Impact of Change

• Impact is described across Users, Developers, and System.
• Recommendation: Good. Consider adding a one-line note about any migration considerations (e.g., "If your server previously relied on default identity providers, you must now inject window.IDENTITY_PROVIDERS server-side") to make operational impact explicit.

---

✅ Test Plan

• The PR body marks Unit tests, E2E tests, and Manual testing as completed.
• I reviewed the code diff: unit tests and multiple e2e tests were added/updated and the authHandler tests were expanded to cover the new detection logic. The Test Plan claim is accurate.
• Recommendation: Ensure CI e2e jobs run successfully since many e2e fixtures and routes were modified — consider calling this out in the PR checklist if you haven't already.

---

⚠️ Contributors

• The Contributors section in the PR body is empty.
• Recommendation: Add any contributors (PMs, Designers, reviewers) who helped with design/requirements or testing. If there truly are none, adding a short note like "No additional contributors" is fine. It's optional but helps credit collaborators.

---

⚠️ Screenshots/Videos

• The PR states "N/A - Logic change only, no visual changes" which is fine.
• Recommendation: Keep the N/A note. If any small UX differences are possible (e.g., showing/hiding login prompt in certain cases), a short gif or screenshot of the login prompt state could help reviewers, but not required here.

---

Summary Table

Section	Status	Recommendation
Title	✅	Keep as-is.
Commit Type	✅	Correct selection (feature).
Risk Level	✅	Medium is appropriate.
What & Why	✅	Clear and concise.
Impact of Change	✅	Good; consider adding a migration note.
Test Plan	✅	Matches diff; ensure CI e2e pass.
Contributors	⚠️	Add contributors or a short "none" statement.
Screenshots/Videos	⚠️	N/A is acceptable; add visuals only if helpful.

---

Final note: This PR passes the PR title/body checklist. The change set touches authentication flows and tests and the advised risk level is risk:medium, which matches the label in the PR. No additional risk escalation is necessary.

Please update the Contributors section (optional) and add a short migration/operational note in Impact if any downstream servers or deployments must explicitly inject window.IDENTITY_PROVIDERS now (this will help operators and reviewers). Once CI (unit + e2e) completes successfully, this PR is ready for review/merge. Thanks for the thorough description and comprehensive tests!

---

Last updated: Mon, 02 Feb 2026 15:28:40 GMT

[github-actions]

📊 Coverage check completed. See workflow run for details.

[github-actions]

📊 Coverage check completed. See workflow run for details.

[Copilot]

Pull request overview

This PR implements Easy Auth detection in the iframe chat application to improve the authentication flow by distinguishing between Easy Auth not being configured versus Easy Auth being configured but the user not being authenticated.

Changes:

• Added isEasyAuthConfigured property to AuthInformation interface to track Easy Auth configuration status
• Updated checkAuthStatus to detect Easy Auth configuration by analyzing different status codes (404 = not configured, 401/403/302 = configured but not authenticated)
• Modified authentication flow in IframeWrapper to skip login prompts when Easy Auth is not configured or when no identity providers are defined
• Removed DEFAULT_IDENTITY_PROVIDERS fallback to avoid showing unnecessary sign-in UI

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 7 comments.

Show a summary per file

File	Description
apps/iframe-app/src/lib/authHandler.ts	Added isEasyAuthConfigured property and detection logic based on status codes; added redirect: 'manual' to detect 302 redirects
apps/iframe-app/src/lib/tests/authHandler.test.ts	Added tests for different Easy Auth status codes (404, 401, 403, opaqueredirect); updated existing tests to include isEasyAuthConfigured
apps/iframe-app/src/components/IframeWrapper.tsx	Updated auth flow to check isEasyAuthConfigured and skip login when not configured or no providers defined; added dependency on props.identityProviders
apps/iframe-app/src/components/tests/IframeWrapper.test.tsx	Added tests for new auth flow scenarios and updated mock returns to include isEasyAuthConfigured
apps/iframe-app/src/components/tests/IframeWrapper.contextId.test.tsx	Updated mock to include isEasyAuthConfigured: true in the default return value
apps/iframe-app/src/lib/utils/config-parser.ts	Removed DEFAULT_IDENTITY_PROVIDERS constant and fallback logic; now returns undefined when not configured
apps/iframe-app/src/lib/utils/tests/config-parser.test.ts	Updated tests to expect undefined instead of default providers; updated test descriptions and comments

Comments suppressed due to low confidence (1)

apps/iframe-app/src/components/IframeWrapper.tsx:127

• The catch block in IframeWrapper assumes that any error during checkAuthStatus means login is needed (setNeedsLogin(true)). However, this is inconsistent with the checkAuthStatus implementation which returns isEasyAuthConfigured: false for network errors.

When checkAuthStatus throws an error (network failure), it means Easy Auth status is unknown. The current implementation will show the login UI even when identity providers are not configured, which defeats the purpose of the Easy Auth detection.

Consider checking if identity providers are configured before showing login on errors, similar to the successful response handling. For example:

• If identity providers are configured, show login (current behavior)
• If identity providers are NOT configured, skip login and let it fail naturally

      } catch (error) {
        console.error('[Auth] Failed to check authentication status:', error);
        setNeedsLogin(true);

[github-actions]

📊 Coverage check completed. See workflow run for details.

[github-actions]

📊 Coverage check completed. See workflow run for details.

[ccastrotrejo]

Code review

No issues found. Checked for bugs and CLAUDE.md compliance.

🤖 Generated with Claude Code

[github-actions]

📊 Coverage check completed. See workflow run for details.

[Copilot]

Pull request overview

Copilot reviewed 7 out of 7 changed files in this pull request and generated 2 comments.

Comments suppressed due to low confidence (1)

apps/iframe-app/src/components/IframeWrapper.tsx:126

• The catch block unconditionally sets needsLogin to true, which contradicts the new Easy Auth detection logic. When checkAuthStatus throws an exception (which returns isEasyAuthConfigured: false), the catch block should respect whether identity providers are configured before deciding to show login.

Currently, if checkAuthStatus throws an error (network failure, CORS issue, etc.), the catch block will show the login UI even when no identity providers are configured, defeating the purpose of this PR.

Consider checking if identity providers are configured before setting needsLogin to true in the catch block, similar to the logic in the try block.

      } catch (error) {
        console.error('[Auth] Failed to check authentication status:', error);
        setNeedsLogin(true);

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

[github-actions]

📊 Coverage check completed. See workflow run for details.

[github-actions]

📊 Coverage check completed. See workflow run for details.