fix(msteams): remove .default suffix from graph scopes (#1507)

The @microsoft/agents-hosting SDK's MsalTokenProvider automatically
appends `/.default` to all scope strings in its token acquisition
methods (acquireAccessTokenViaSecret, acquireAccessTokenViaFIC,
acquireAccessTokenViaWID, acquireTokenWithCertificate in
msalTokenProvider.ts). This is consistent SDK behavior, not a recent
change.

Our code was including `.default` in scope URLs, resulting in invalid
double suffixes like `https://graph.microsoft.com/.default/.default`.

This was confirmed to cause Graph API authentication errors. Removing
the `.default` suffix from our scope strings allows the SDK to append
it correctly, resolving the issue.

Before: we pass `.default` -> SDK appends -> double `.default` (broken)
After:  we pass base URL  -> SDK appends -> single `.default` (works)

Co-authored-by: Christof Salis <c.salis@vertifymed.com>
Christof
2026-01-24 01:07:22 +01:00
committed by GitHub
parent b9c35d9fdc
commit ef777d6bb6
5 changed files with 7 additions and 7 deletions

@@ -143,7 +143,7 @@ async function resolveGraphToken(cfg: unknown): Promise<string> {
if (!creds) throw new Error("MS Teams credentials missing");
const { sdk, authConfig } = await loadMSTeamsSdkWithAuth(creds);
const tokenProvider = new sdk.MsalTokenProvider(authConfig);
const token = await tokenProvider.getAccessToken("https://graph.microsoft.com/.default");
const token = await tokenProvider.getAccessToken("https://graph.microsoft.com");
const accessToken = readAccessToken(token);
if (!accessToken) throw new Error("MS Teams graph token unavailable");
return accessToken;
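Review bot: The new call `tokenProvider.getAccessToken("https://graph.microsoft.com")` passes a bare resource URL with nothing at the call site saying that `MsalTokenProvider` appends `/.default`, so a later reader is likely to "fix" it back to the full scope and reintroduce the double suffix. Add a short comment here, or move the string into a named constant whose doc comment states that the SDK adds the suffix; the commit summary lists 5 changed files, so a single shared constant would also keep the call sites from drifting apart. A unit test that asserts the argument passed to `getAccessToken` does not end in `/.default` would catch a regression before it shows up as a Graph authentication error.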