Thanks to visit codestin.com
Credit goes to github.com

Skip to content

fix(msteams): remove .default suffix from graph scopes #1507

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
steipete merged 1 commit into from
Jan 24, 2026
Merged

fix(msteams): remove .default suffix from graph scopes #1507

steipete merged 1 commit into from
Jan 24, 2026

Conversation

@Evizero
Copy link
Contributor

@Evizero Evizero commented Jan 23, 2026

The @microsoft/agents-hosting SDK's MsalTokenProvider automatically appends /.default to all scope strings in its token acquisition methods (acquireAccessTokenViaSecret, acquireAccessTokenViaFIC, acquireAccessTokenViaWID, acquireTokenWithCertificate in msalTokenProvider.ts). This is consistent SDK behavior, not a recent change.

The current code is including .default in scope URLs, resulting in invalid double suffixes like https://graph.microsoft.com/.default/.default. I am not sure how the .default postfixed worked in the past for you if I am honest.

This was confirmed to cause Graph API authentication errors. Removing the .default suffix from our scope strings allows the SDK to append it correctly, resolving the issue. I confirmed it manually on my teams setup

Before: we pass .default -> SDK appends -> double .default (broken)
After: we pass base URL -> SDK appends -> single .default (works)

fix(msteams): remove .default suffix from graph scopes
0bcc938 
The @microsoft/agents-hosting SDK's MsalTokenProvider automatically
appends `/.default` to all scope strings in its token acquisition
methods (acquireAccessTokenViaSecret, acquireAccessTokenViaFIC,
acquireAccessTokenViaWID, acquireTokenWithCertificate in
msalTokenProvider.ts). This is consistent SDK behavior, not a recent
change.

Our code was including `.default` in scope URLs, resulting in invalid
double suffixes like `https://graph.microsoft.com/.default/.default`.

This was confirmed to cause Graph API authentication errors. Removing
the `.default` suffix from our scope strings allows the SDK to append
it correctly, resolving the issue.

Before: we pass `.default` -> SDK appends -> double `.default` (broken)
After:  we pass base URL  -> SDK appends -> single `.default` (works)
steipete added a commit that referenced this pull request Jan 24, 2026
@steipete
docs: changelog for MS Teams scopes (#1507) (thanks @Evizero)
ea25d9c
@steipete steipete merged commit ef777d6 into openclaw:main Jan 24, 2026
21 of 22 checks passed
steipete added a commit that referenced this pull request Jan 24, 2026
@steipete
docs: changelog for MS Teams scopes (#1507) (thanks @Evizero)
d354030
@steipete
Copy link
Contributor

steipete commented Jan 24, 2026

Landed via temp rebase onto main.

  • Gate: pnpm lint && pnpm build && pnpm test
  • Land commit: ea25d9c
  • Merge commit: ef777d6
  • Changelog follow-up: d35403097cb35f1b197f48046fc108db3bbdc377

Thanks @Evizero!

@Evizero Evizero deleted the cs/msteams_fixes branch January 24, 2026 07:27
@Evizero Evizero mentioned this pull request Jan 24, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Evizero @steipete