Add sovereign cloud validation and ActiveBotScope tests

- CloudEnvironmentTests: ClientCredentials cloud property defaults and assignment
- BotTokenClientTests: ActiveBotScope defaults, overrides, and usage in GetAsync
- TeamsValidationSettingsTests: sovereign cloud issuers, JWKS, login endpoints,
  tenant-specific URLs, and audience handling

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: 2 people

Tests/Microsoft.Teams.Api.Tests/Auth/CloudEnvironmentTests.cs

@@ -176,4 +176,34 @@ public void WithOverrides_AllOverrides_ReplacesAllProperties()
         Assert.Equal("g", result.ChannelService);
         Assert.Equal("h", result.OAuthRedirectUrl);
     }
+
+    [Fact]
+    public void ClientCredentials_DefaultsToPublicCloud()
+    {
+        var creds = new ClientCredentials("id", "secret");
+        Assert.Same(CloudEnvironment.Public, creds.Cloud);
+    }
+
+    [Fact]
+    public void ClientCredentials_CloudCanBeSet()
+    {
+        var creds = new ClientCredentials("id", "secret")
+        {
+            Cloud = CloudEnvironment.USGov
+        };
+        Assert.Same(CloudEnvironment.USGov, creds.Cloud);
+    }
+
+    [Fact]
+    public void ClientCredentials_UsesCloudLoginTenantWhenTenantIdNull()
+    {
+        var creds = new ClientCredentials("id", "secret")
+        {
+            Cloud = CloudEnvironment.USGov
+        };
+
+        // TenantId is null, so Cloud.LoginTenant should be used
+        Assert.Null(creds.TenantId);
+        Assert.Equal("MicrosoftServices.onmicrosoft.us", creds.Cloud.LoginTenant);
+    }
 }

Tests/Microsoft.Teams.Api.Tests/Clients/BotTokenClientTests.cs

@@ -147,4 +147,49 @@ public async Task BotTokenClient_HttpClientOptions_Async()
         Assert.Equal(expectedTenantId, actualTenantId);
         Assert.Equal("https://api.botframework.com/.default", actualScope[0]);
     }
+
+    [Fact]
+    public void ActiveBotScope_DefaultsToPublicBotScope()
+    {
+        var client = new BotTokenClient();
+        Assert.Equal(BotTokenClient.BotScope, client.ActiveBotScope);
+        Assert.Equal("https://api.botframework.com/.default", client.ActiveBotScope);
+    }
+
+    [Fact]
+    public void ActiveBotScope_CanBeOverridden()
+    {
+        var client = new BotTokenClient();
+        client.ActiveBotScope = "https://api.botframework.us/.default";
+        Assert.Equal("https://api.botframework.us/.default", client.ActiveBotScope);
+    }
+
+    [Fact]
+    public void BotScope_StaticFieldUnchanged()
+    {
+        Assert.Equal("https://api.botframework.com/.default", BotTokenClient.BotScope);
+    }
+
+    [Fact]
+    public async Task BotTokenClient_ActiveBotScope_UsedInGetAsync()
+    {
+        var cancellationToken = new CancellationToken();
+        string[] actualScope = [""];
+        TokenFactory tokenFactory = new TokenFactory(async (tenantId, scope) =>
+        {
+            actualScope = scope;
+            return await Task.FromResult<ITokenResponse>(new TokenResponse
+            {
+                TokenType = "Bearer",
+                AccessToken = accessToken
+            });
+        });
+        var credentials = new TokenCredentials("clientId", tokenFactory);
+        var botTokenClient = new BotTokenClient(cancellationToken);
+        botTokenClient.ActiveBotScope = "https://api.botframework.us/.default";
+
+        await botTokenClient.GetAsync(credentials);
+
+        Assert.Equal("https://api.botframework.us/.default", actualScope[0]);
+    }
 }

Tests/Microsoft.Teams.Plugins.AspNetCore.Tests/Extensions/TeamsValidationSettingsTests.cs

@@ -0,0 +1,107 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using Microsoft.Teams.Api.Auth;
+using Microsoft.Teams.Plugins.AspNetCore.Extensions;
+
+namespace Microsoft.Teams.Plugins.AspNetCore.Tests.Extensions;
+
+public class TeamsValidationSettingsTests
+{
+    [Fact]
+    public void DefaultConstructor_UsesPublicCloud()
+    {
+        var settings = new TeamsValidationSettings();
+
+        Assert.Equal("https://login.botframework.com/v1/.well-known/openidconfiguration", settings.OpenIdMetadataUrl);
+        Assert.Equal("https://login.microsoftonline.com", settings.LoginEndpoint);
+        Assert.Contains("https://api.botframework.com", settings.Issuers);
+    }
+
+    [Fact]
+    public void USGovCloud_HasCorrectSettings()
+    {
+        var settings = new TeamsValidationSettings(CloudEnvironment.USGov);
+
+        Assert.Equal("https://login.botframework.azure.us/v1/.well-known/openidconfiguration", settings.OpenIdMetadataUrl);
+        Assert.Equal("https://login.microsoftonline.us", settings.LoginEndpoint);
+        Assert.Contains("https://api.botframework.us", settings.Issuers);
+    }
+
+    [Fact]
+    public void ChinaCloud_HasCorrectSettings()
+    {
+        var settings = new TeamsValidationSettings(CloudEnvironment.China);
+
+        Assert.Equal("https://login.botframework.azure.cn/v1/.well-known/openidconfiguration", settings.OpenIdMetadataUrl);
+        Assert.Equal("https://login.partner.microsoftonline.cn", settings.LoginEndpoint);
+        Assert.Contains("https://api.botframework.azure.cn", settings.Issuers);
+    }
+
+    [Fact]
+    public void AllClouds_IncludeEmulatorIssuers()
+    {
+        var clouds = new[] { CloudEnvironment.Public, CloudEnvironment.USGov, CloudEnvironment.USGovDoD, CloudEnvironment.China };
+
+        foreach (var cloud in clouds)
+        {
+            var settings = new TeamsValidationSettings(cloud);
+
+            // Emulator issuers should always be present
+            Assert.Contains(settings.Issuers, i => i.Contains("d6d49420-f39b-4df7-a1dc-d59a935871db"));
+            Assert.Contains(settings.Issuers, i => i.Contains("f8cdef31-a31e-4b4a-93e4-5f571e91255a"));
+        }
+    }
+
+    [Fact]
+    public void GetTenantSpecificOpenIdMetadataUrl_UsesCloudLoginEndpoint()
+    {
+        var settings = new TeamsValidationSettings(CloudEnvironment.USGov);
+
+        var url = settings.GetTenantSpecificOpenIdMetadataUrl("my-tenant");
+
+        Assert.Equal("https://login.microsoftonline.us/my-tenant/v2.0/.well-known/openid-configuration", url);
+    }
+
+    [Fact]
+    public void GetTenantSpecificOpenIdMetadataUrl_DefaultsToCommon()
+    {
+        var settings = new TeamsValidationSettings(CloudEnvironment.China);
+
+        var url = settings.GetTenantSpecificOpenIdMetadataUrl(null);
+
+        Assert.Equal("https://login.partner.microsoftonline.cn/common/v2.0/.well-known/openid-configuration", url);
+    }
+
+    [Fact]
+    public void GetValidIssuersForTenant_UsesCloudLoginEndpoint()
+    {
+        var settings = new TeamsValidationSettings(CloudEnvironment.USGov);
+
+        var issuers = settings.GetValidIssuersForTenant("my-tenant").ToList();
+
+        Assert.Single(issuers);
+        Assert.Equal("https://login.microsoftonline.us/my-tenant/", issuers[0]);
+    }
+
+    [Fact]
+    public void GetValidIssuersForTenant_ReturnsEmptyForNullTenant()
+    {
+        var settings = new TeamsValidationSettings(CloudEnvironment.USGov);
+
+        var issuers = settings.GetValidIssuersForTenant(null).ToList();
+
+        Assert.Empty(issuers);
+    }
+
+    [Fact]
+    public void AddDefaultAudiences_AddsClientIdAndApiPrefix()
+    {
+        var settings = new TeamsValidationSettings(CloudEnvironment.USGov);
+
+        settings.AddDefaultAudiences("my-client-id");
+
+        Assert.Contains("my-client-id", settings.Audiences);
+        Assert.Contains("api://my-client-id", settings.Audiences);
+    }
+}