Merge pull request #4 from BobGerman/BG-Repairs-local-auth-sample
Fixed README errors and clarifications
BobGerman authored Oct 11, 2024
2 parents 43afe10 + cc7f13a commit 596fa08
Showing 1 changed file with 19 additions and 14 deletions.
33 changes: 19 additions & 14 deletions samples/da-repairs-oauth-validated/README.md
Expand Up @@ -2,22 +2,29 @@

## Summary

This sample demonstrates how to build a declarative agent for Microsoft 365 Copilot that answers questions about repairs. The agent uses an API plugin to connect to an API secured with Entra ID.
This sample demonstrates how to build a declarative agent for Microsoft 365 Copilot that answers questions about repairs. The agent uses an API plugin to connect to an API that is secured with Entra ID.

![picture of the app in action](./assets/screenshot.gif)

The project contains an Azure Function, but unlike the [da-repairs-oauth sample](../da-repairs-oauth/) relies on Azure App Services authentication ("Easy Auth") for authentication, this sample validates access tokens in code. Teams Toolkit currently uses Easy Auth as shown in this sample. Here are some advantages of validating the token in your code instead:
Key aspects of the sample:

- Since Easy Auth doesn't work locally, local requests are not authenticated. In addition to a small security opening, this causes the app to have 2 plugin files, including an anonymous one for local debugging. In this sample, local requests are authenticated and the packaging source files are the same for all environments.
- Shows how to configure Teams Toolkit make a declarative agent with an API plugin that is secured with Entra ID with just F5 to run locally. This differs from the Teams Toolkit scaffolding, which doesn't authenticate users locally but instead relies on use of [Azure App Services authentication (EasyAuth)](https://learn.microsoft.com/azure/app-service/overview-authentication-authorization) for security in Azure only.

- If the code is deployed outside of Azure app services, and if the included Bicep files aren't used, the code will appear to work but will do no token validation at all, thus wide open to anonymous requests.
- Shows how to validate an Entra ID access token in NodeJS (JavaScript/TypeScript) rather than rely on an external service.

Here are some advantages of validating the token in your code instead of using Easy Auth

- Since Easy Auth doesn't work locally, local requests are not authenticated. In addition to a small security opening, this causes the app to have 2 plugin files, including an anonymous one for local debugging. By handling in code, local requests are authenticated and the packaging source files are the same for all environments.

- With the Easy Auth scenario, Copilot is sending the access token directly to Azure App Services authentication. If something goes wrong there is no way to inspect the access token and debugging options are limited. In this sample you can set a breakpoint to inspect the token and walk through the validation to see what went wrong.
- If the code is deployed outside of Azure app services, and if the included Bicep files aren't used, the code will appear to work but will do no token validation at all, thus wide open to anonymous requests.

- Easy Auth does not check the scope, or if the token is an app token
- With the Easy Auth scenario, Copilot is sending the access token directly to Azure App Services authentication. If something goes wrong there is no way to inspect the OAuth token, and debugging options are limited. In this sample you can set a breakpoint to inspect the token and walk through the validation to see what went wrong.

For these reasons, developers may choose to follow this approach, which is made possible by an open source library ([jwt-validate](https://www.npmjs.com/package/jwt-validate)) by [Waldek Mastykarz](https://github.com/waldekmastykarz). This library is not a Microsoft product, and is subject to an MIT license (i.e. use at your own risk). Many thanks to Waldek for creating this library since Microsoft does not currently provide a token validation library for NodeJS.
- Easy Auth does not check the scope, or check to see if the token is an app token

For these reasons, developers may choose to follow the approach used in this sample.

Microsoft does not currently provide a library for validating OAuth tokens in NodeJS; the [official documentation is here](https://learn.microsoft.com/entra/identity-platform/claims-validation). So this sample uses an open source library ([jwt-validate](https://www.npmjs.com/package/jwt-validate)) by [Waldek Mastykarz](https://github.com/waldekmastykarz), which aims to follow the documented practices. This library is not a Microsoft product, and is subject to an MIT license (i.e. use at your own risk). Many thanks to Waldek for creating the library since Microsoft does not currently provide a token validation library for NodeJS.

## Prerequisites
![drop](https://img.shields.io/badge/Teams Toolkit for VS Code-5.10-green.svg)
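Review bot: the first new bullet under "Key aspects of the sample" drops a word: "how to configure Teams Toolkit make a declarative agent" should read "how to configure Teams Toolkit to make a declarative agent". In the same hunk, the closing paragraph says twice that Microsoft does not currently provide a token validation library for NodeJS (in its first sentence and again in its last), so one of the two should go, and the lead-in "Here are some advantages of validating the token in your code instead of using Easy Auth" needs a closing colon. Since the last advantage bullet points out that Easy Auth checks neither the scope nor whether the token is an app token, it would help readers to state right there which claims this sample's validation does check (audience, issuer, scope, app-vs-user token), so the security coverage of the in-code approach is explicit rather than implied.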
Expand All @@ -27,8 +34,6 @@ The project contains an Azure Function, but unlike the [da-repairs-oauth sample]
* [NodeJS v18](https://nodejs.org/en/download/package-manager)
* [Azure Functions core tools](https://learn.microsoft.com/azure/azure-functions/functions-run-local#install-the-azure-functions-core-tools)

_Please list any portions of the toolchain required to build and use the sample, along with download links_

## Version history

Version|Date|Author|Comments
Expand All @@ -54,14 +59,14 @@ Version|Date|Author|Comments

* Press F5 to run the application. A browser window should open offering to add your application to Microsoft Teams.


## Features

This sample illustrates the following concepts:

Building a declarative agent for Microsoft 365 Copilot with an API plugin
Connecting an API plugin to an API secured with OAuth
Using Azure Functions to build an API secured with Azure App Service authentication and authorization (Easy Auth)
Using dev tunnels to test the API plugin locally
- Building a declarative agent for Microsoft 365 Copilot with an API plugin
- Connecting an API plugin to an API secured with OAuth
- Using Azure Functions to build an API secured with Azure App
- Service authentication and authorization without Easy Auth
- Using dev tunnels to test the API plugin locally

<img src="https://m365-visitor-stats.azurewebsites.net/copilot-pro-dev-samples/samples/da-repairs-oauth-validated" />
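Review bot: the third and fourth new bullets under "Features" are one sentence broken in two ("Using Azure Functions to build an API secured with Azure App" / "Service authentication and authorization without Easy Auth") and should be merged into a single list item. As written the merged sentence is also contradictory, because the earlier hunk itself links "Azure App Services authentication (EasyAuth)" as one and the same thing; suggest something like "Using Azure Functions to build an API secured by validating Entra ID access tokens in code (without Easy Auth)", which matches what the Summary now describes.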
