{"id":48371359,"url":"https://github.com/curityio/azd-ai-autonomous-agent","last_synced_at":"2026-04-05T16:31:32.698Z","repository":{"id":343739681,"uuid":"1164575835","full_name":"curityio/azd-ai-autonomous-agent","owner":"curityio","description":"Azure AI integration of customer users with C# applications and enterprise data, using OAuth 2.0 token intelligence","archived":false,"fork":false,"pushed_at":"2026-04-02T18:05:21.000Z","size":4012,"stargazers_count":1,"open_issues_count":1,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-04-03T00:56:48.269Z","etag":null,"topics":["a2a","ai-azd-templates","azd-templates","csharp","mcp","oauth2","security-architecture","token-intelligence"],"latest_commit_sha":null,"homepage":"https://curity.io/resources/learn/backend-agent-a2a-authorization/","language":"C#","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/curityio.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE.md","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-02-23T08:42:33.000Z","updated_at":"2026-04-02T18:05:28.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/curityio/azd-ai-autonomous-agent","commit_stats":null,"previous_names":["curityio/azd-ai-autonomous-agent"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/curityio/azd-ai-autonomous-agent","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/curityio%2Fazd-ai-autonomous-agent","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/curityio%2Fazd-ai-autonomous-agent/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/curityio%2Fazd-ai-autonomous-agent/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/curityio%2Fazd-ai-autonomous-agent/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/curityio","download_url":"https://codeload.github.com/curityio/azd-ai-autonomous-agent/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/curityio%2Fazd-ai-autonomous-agent/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31442922,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-05T15:22:31.103Z","status":"ssl_error","status_checked_at":"2026-04-05T15:22:00.205Z","response_time":75,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["a2a","ai-azd-templates","azd-templates","csharp","mcp","oauth2","security-architecture","token-intelligence"],"created_at":"2026-04-05T16:31:32.040Z","updated_at":"2026-04-05T16:31:32.690Z","avatar_url":"https://github.com/curityio.png","language":"C#","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Secured Autonomous Agent\n\n[![Quality](https://img.shields.io/badge/quality-demo-red)](https://curity.io/resources/code-examples/status/)\n[![Availability](https://img.shields.io/badge/availability-source-blue)](https://curity.io/resources/code-examples/status/)\n\nAn azd template to showcase an enterprise AI security architecture with OAuth 2.0 token intelligence.  \nAgents can act autonomously, and resource servers enforce administrator controls and human approvals.\n\nEnables customer users to run internet applications that integrate with Azure AI Foundry and enterprise data.  \nUsers can manipulate authorized data in flexible ways, with [rich responses](docs/AI-DATA-REPORTING.md) from the AI model.\n\n```text\nGive me a markdown report on the last 3 months of stock transactions and the value of my portfolio\n```\n\n## Features\n\nThe repository demonstrates the following main features:\n\n- C# application code to integrate a backend agent with Azure AI Foundry.\n- C# application code to use OpenID Connect to authenticate users and get initial access tokens.\n- C# A2A server and MCP server code to use OAuth 2.0 to validate and exchange access tokens.\n- Configuration and deployment of identity systems and API gateways.\n\n## Resources\n\nThe code provides 3 applications, developed with Microsoft SDKs:\n\n- A console client serves as a secured internet application that uses A2A to send customer support requests.\n- A secured backend agent processes customer support requests and integrates with Azure AI Foundry.\n- An MCP server uses optimal access tokens and claims-based authorization to protect enterprise resources.\n\nThe resources support multiple deployment scenarios:\n\n- Xunit test driven development to verify MCP server security as a standalone component.\n- A local end-to-end deployment with user authentication, to promote token understanding.\n- An Azure deployment that can be triggered from the local computer or a GitHub workflow.\n\n## Architecture\n\nEnterprises use productive programming languages to build applications that use Microsoft AI technology.  \nResource servers authorize using access token attributes and can apply dynamic runtime access controls.\n\n![Initial Technical Flow](docs/images/initial-technical-flow.png)\n\n## Getting Started\n\nUse an Azure development account with access to the Azure portal.  \nFollow the [Azure AI README](docs/AZURE-AI-SETUP.md) to get connected to Azure LLMs for development in a compliant Azure region.  \n\n### Create a Project\n\nCreate a project from the template, and set an initial environment name of `dev` when prompted.  \nCheck the new project into source control, so that you can configure a GitHub workflow later.\n\n```bash\nmkdir my-secure-ai-integration \u0026\u0026 cd my-secure-ai-integration\nazd init --template https://github.com/curityio/azd-ai-autonomous-agent\nazd env set AZURE_LOCATION='uksouth'\n```\n\n### Local Environment\n\nUse a Windows, macOS or Linux computer with a Linux-based shell (such as Git bash on Windows).  \nInstall the latest versions of the following local computer tools:\n\n- **Azure CLI** (`az`) - to connect to Azure AI Foundry with an Azure CLI credential\n- **Azure Developer CLI** (`azd`) to use higher level commands to manage projects and deploy to Azure\n- **.NET SDK 10+** (to build and run C# applications)\n- **Docker** and **Docker Compose** (to build custom Docker images for identity components)\n- **openssl** (to create runtime secrets)\n- **envsubst** (to configure dynamically generated parameter values)\n- **jq** (to read JSON in bash scripts)\n\n### Quick Start\n\nThe quick start enables you to integrate all C# applications locally, and run an end-to-end flow.  \nLog in to the Azure CLI so that the local agent can present a CLI identity to the Azure AI Foundry:\n\n```bash\naz login\n```\n\nRun a local deployment that runs the agent and MCP server, along with Docker identity infrastructure:\n\n```bash\n./tools/local/backend.sh\n```\n\nThe first time you run a deployment, a CLI uses the browser to sign you in at Curity.  \nThe CLI then uses an access token to download a trial license for the Curity Identity Server.\n\nThen, run a console application that connects to the local backend.  \nWhen prompted with a login form, enter any username to simulate real user authentication:\n\n```bash\n./src/ConsoleClient/run.sh\n```\n\nSee the [Development README](docs/DEVELOPMENT.md) to learn more about local development behaviors.\n\n## Deployment\n\nThis template includes an infrastructure-as-code (IaC) deployment to Azure.   \nContinue to use an Azure development account and ensure that you also have Entra ID resources:\n\n- A tenant to which the deployment can add an app registration.\n- At least one user account with which you can test Entra ID logins.\n\n\n### Run the Deployment\n\nLog in to the Azure Developer CLI, to use azd deployment commands:\n\n```bash\nazd auth login\n```\n\nThe deployment uses [layered provisioning](https://devblogs.microsoft.com/azure-sdk/azure-developer-cli-azd-november-2025/), so deploy to Azure in layers, starting with the base infrastructure:\n\n```bash\nazd provision base\n```\n\nNext, deploy identity infrastructure:\n\n```bash\nazd provision identity\n```\n\nFinally, deploy C# applications:\n\n```bash\nazd deploy\n```\n\n### Test the Deployment\n\nOnce the deployment completes, re-run the console application, pointing it the Azure backend.  \nSign in with an Entra ID user account and the configured Entra ID user authentication method:\n\n```bash\nexport A2A_EXTERNAL_URL=$(azd env get-value A2A_EXTERNAL_URL)\n./src/ConsoleClient/run.sh\n```\n\n### Create a GitHub Workflow Deployment\n\nOnce you have a working Azure deployment, create a GitHub workflow to deploy C# code changes.  \n\n```bash\nazd pipeline config\n```\n\nSelect the following options to configure your GitHub pipeline and commit changes:\n\n- Federated User Managed Identity (MSI + OIDC)\n- Create new User Managed Identity (MSI)\n- Select your preferred region\n- Use the existing `rg-dev` resource group\n\nYou can run `azd pipeline config` multiple times, in which case you may receive additional prompts.  \nChoose options like the following, to keep GitHub values in sync with the local Azure deployment:\n\n- Set ALL existing variables again.\n- Set ALL existing secrets again.\n- Delete ALL unused variables from the pipeline.\n- Delete ALL unused secrets from the pipeline.\n\nThe `azd pipeline config` command copies variable and secret values referenced in the `.env` file to GitHub.  \nBrowse to the following locations in your GitHub repository to view the details:\n\n```text\nhttps://github.com/\u003corganization\u003e/\u003crepository\u003e/settings/variables/actions\nhttps://github.com/\u003caccount\u003e/\u003crepository\u003e/actions/workflows/azure-\u003cstage\u003e.yml\n```\n\nAn Entra ID managed identity named `msi-ai-autonomous-agent` runs the deployment.  \nThe GitHub workflow runs when you trigger it manually, or if you commit C# code changes to the `main` branch.  \n\n### Tear Down the Deployment\n\nTo free resources after a local deployment, run the following command:\n\n```bash\nazd down --force --purge --no-prompt\n```\n\nTo free resources after a GitHub workflow deployment, edit the [GitHub workflow](.github/workflows/azure.yml).  \nSet the following jobs to `if: false`, set the `teardown` job to `if: true`.  \nThen re-run `azd pipeline config` and commit changes to trigger the teardown.\n\n- deploy-base-infra\n- deploy-identity-infra\n- applications\n\n### Further Information\n\n- The [Azure Deployment](docs/AZURE-DEPLOYMENT.md) document explains more about the deployed resources.\n- The [Azure Endpoints](docs/AZURE-ENDPOINTS.md) document explains more about how to locate and test connections.\n- The [azd Open Issues](OPEN-ISSUES.md) document explains more about troubleshooting azd technical issues.\n\n## Important Security Notice\n\nThis template, the application code, and configuration, showcase an architecture to protect business data.  \nHowever, further security work should be done to harden security for production systems.  \nThe [Security Document](SECURITY.md) summarizes the use of both managed identities and password credentials.\n\n## Guidance\n\nUse the following guidance to choose an Azure region and to plan costs.\n\n### Region Availability\n\nThis template uses **gpt-4.1-mini** which may not be available in all Azure regions.  \nCheck for [up-to-date region availability](https://learn.microsoft.com/azure/ai-services/openai/concepts/models#standard-deployment-model-availability) and select a region during deployment accordingly.  \nConsider using **East US 2**, **Sweden Central** or **UK South**.\n\n### Costs\n\nThe template uses a container apps private network to run a backend AI agent that uses token-based pricing.  \nYou can estimate the cost of this project's architecture with [Azure's pricing calculator](https://azure.microsoft.com/pricing/calculator/).\n\n* [Azure AI Services](https://azure.microsoft.com/pricing/details/cognitive-services/openai-service/)\n* [Container Apps](https://azure.microsoft.com/en-us/pricing/details/container-apps/)\n* [Virtual Networks](https://azure.microsoft.com/pricing/details/virtual-network/)\n\n## Token Intelligence\n\nThe deeper behaviors are a future-proof backend AI deployment with security controls.\n\n### API Gateways\n\n- An external gateway delivers downscoped JWT access tokens to agents.\n- An internal gateway runs between agents and resource servers, as a pattern to govern agent access.\n\n### Curity Identity Server\n\n- Delivers least-privilege access tokens to agents and other clients, to restrict levels of access.\n- Enables resource servers and gateways to use any dynamic token claims, for flexible access control.\n- Exchanges tokens so that agents can federate to complete complex tasks.\n\n### Entra ID\n\nA specialist token issuer can integrate with existing identity systems.  \nIn the example deployment, Entra ID is used for all user account storage and user authentication.\n\n### Learn More\n\n- See the [Token Flow README](docs/TOKEN-FLOW.md) to understand the token details for the customer support use case.\n- See the [OAuth Configuration README](docs/OAUTH-CONFIGURATION.md) to understand OAuth security settings.\n- See the [Advanced Use Cases README](docs/ADVANCED-USE-CASES.md) for flows to meet other enterprise requirements.\n\n## License\n\nThis project is licensed under the [Apache License 2.0](LICENSE.md).\n \n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcurityio%2Fazd-ai-autonomous-agent","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcurityio%2Fazd-ai-autonomous-agent","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcurityio%2Fazd-ai-autonomous-agent/lists"}