feat(msteams): add defaultAzureCredential auth type

krrrke · krrrke · commit fc7960465dc3 · 2026-03-16T02:34:24.000-05:00
New authType "defaultAzureCredential" defers credential selection to
@azure/identity's DefaultAzureCredential, which tries environment
variables, workload identity, managed identity, az cli, and other
sources automatically. Enables passwordless Teams auth in AKS via
workload identity without explicit certificate or secret management.

Added DefaultAzureCredentialTokenProvider in sdk.ts as a drop-in
replacement for MsalTokenProvider. Added createTokenProvider() factory
that returns the appropriate provider based on authType. Updated all
4 call sites (probe, monitor, send-context, graph) to use the factory.

Added @azure/identity as a dependency of the msteams extension.
diff --git a/extensions/msteams/package.json b/extensions/msteams/package.json
@@ -4,6 +4,7 @@
   "description": "OpenClaw Microsoft Teams channel plugin",
   "type": "module",
   "dependencies": {
+    "@azure/identity": "^4.9.1",
     "@microsoft/agents-hosting": "^1.3.1",
     "express": "^5.2.1"
   },
@@ -31,6 +32,7 @@
     },
     "releaseChecks": {
       "rootDependencyMirrorAllowlist": [
+        "@azure/identity",
         "@microsoft/agents-hosting"
       ]
     }
diff --git a/extensions/msteams/src/graph.ts b/extensions/msteams/src/graph.ts
@@ -1,6 +1,6 @@
 import type { MSTeamsConfig } from "openclaw/plugin-sdk/msteams";
 import { GRAPH_ROOT } from "./attachments/shared.js";
-import { loadMSTeamsSdkWithAuth } from "./sdk.js";
+import { createTokenProvider, loadMSTeamsSdkWithAuth } from "./sdk.js";
 import { readAccessToken } from "./token-response.js";
 import { resolveMSTeamsCredentials } from "./token.js";
 
@@ -57,7 +57,7 @@ export async function resolveGraphToken(cfg: unknown): Promise<string> {
     throw new Error("MS Teams credentials missing");
   }
   const { sdk, authConfig } = await loadMSTeamsSdkWithAuth(creds);
-  const tokenProvider = new sdk.MsalTokenProvider(authConfig);
+  const tokenProvider = createTokenProvider(creds, authConfig, sdk);
   const token = await tokenProvider.getAccessToken("https://graph.microsoft.com");
   const accessToken = readAccessToken(token);
   if (!accessToken) {
diff --git a/extensions/msteams/src/monitor.lifecycle.test.ts b/extensions/msteams/src/monitor.lifecycle.test.ts
@@ -112,6 +112,7 @@ vi.mock("./resolve-allowlist.js", () => ({
 
 vi.mock("./sdk.js", () => ({
   createMSTeamsAdapter: () => createMSTeamsAdapter(),
+  createTokenProvider: () => ({ getAccessToken: vi.fn(async () => "mock-token") }),
   loadMSTeamsSdkWithAuth: () => loadMSTeamsSdkWithAuth(),
 }));
 
diff --git a/extensions/msteams/src/monitor.ts b/extensions/msteams/src/monitor.ts
@@ -19,7 +19,7 @@ import {
   resolveMSTeamsUserAllowlist,
 } from "./resolve-allowlist.js";
 import { getMSTeamsRuntime } from "./runtime.js";
-import { createMSTeamsAdapter, loadMSTeamsSdkWithAuth } from "./sdk.js";
+import { createMSTeamsAdapter, createTokenProvider, loadMSTeamsSdkWithAuth } from "./sdk.js";
 import { resolveMSTeamsCredentials } from "./token.js";
 
 export type MonitorMSTeamsOpts = {
@@ -248,10 +248,10 @@ export async function monitorMSTeamsProvider(
   const express = await import("express");
 
   const { sdk, authConfig } = await loadMSTeamsSdkWithAuth(creds);
-  const { ActivityHandler, MsalTokenProvider, authorizeJWT } = sdk;
+  const { ActivityHandler, authorizeJWT } = sdk;
 
   // Auth configuration - create early so adapter is available for deliverReplies
-  const tokenProvider = new MsalTokenProvider(authConfig);
+  const tokenProvider = createTokenProvider(creds, authConfig, sdk);
   const adapter = createMSTeamsAdapter(authConfig, sdk);
 
   const handler = registerMSTeamsHandlers(new ActivityHandler() as MSTeamsActivityHandler, {
diff --git a/extensions/msteams/src/probe.ts b/extensions/msteams/src/probe.ts
@@ -4,7 +4,7 @@ import {
   type MSTeamsConfig,
 } from "openclaw/plugin-sdk/msteams";
 import { formatUnknownError } from "./errors.js";
-import { loadMSTeamsSdkWithAuth } from "./sdk.js";
+import { createTokenProvider, loadMSTeamsSdkWithAuth } from "./sdk.js";
 import { readAccessToken } from "./token-response.js";
 import { resolveMSTeamsCredentials } from "./token.js";
 
@@ -66,7 +66,7 @@ export async function probeMSTeams(cfg?: MSTeamsConfig): Promise<ProbeMSTeamsRes
 
   try {
     const { sdk, authConfig } = await loadMSTeamsSdkWithAuth(creds);
-    const tokenProvider = new sdk.MsalTokenProvider(authConfig);
+    const tokenProvider = createTokenProvider(creds, authConfig, sdk);
     await tokenProvider.getAccessToken("https://api.botframework.com");
     let graph:
       | {
diff --git a/extensions/msteams/src/sdk.ts b/extensions/msteams/src/sdk.ts
@@ -4,6 +4,52 @@ import type { MSTeamsCredentials } from "./token.js";
 export type MSTeamsSdk = typeof import("@microsoft/agents-hosting");
 export type MSTeamsAuthConfig = ReturnType<MSTeamsSdk["getAuthConfigWithDefaults"]>;
 
+/**
+ * Token provider that wraps @azure/identity's DefaultAzureCredential.
+ * Implements the same getAccessToken(scope) interface as MsalTokenProvider
+ * so it can be used as a drop-in replacement throughout the plugin.
+ *
+ * Accepts appId (clientId) and tenantId so the credential targets the
+ * correct bot identity — required for workload identity and user-assigned
+ * managed identity where multiple identities may be available.
+ */
+export class DefaultAzureCredentialTokenProvider {
+  private credential: import("@azure/identity").DefaultAzureCredential | undefined;
+  private readonly clientId: string;
+  private readonly tenantId: string;
+
+  constructor(clientId: string, tenantId: string) {
+    this.clientId = clientId;
+    this.tenantId = tenantId;
+  }
+
+  /**
+   * Acquire a token for the given resource. Callers pass resource URIs
+   * (e.g. "https://graph.microsoft.com"), which are normalized to AAD
+   * scopes ("https://graph.microsoft.com/.default") as required by
+   * @azure/identity's getToken().
+   */
+  async getAccessToken(resource: string) {
+    if (!this.credential) {
+      const { DefaultAzureCredential } = await import("@azure/identity");
+      this.credential = new DefaultAzureCredential({
+        managedIdentityClientId: this.clientId,
+        workloadIdentityClientId: this.clientId,
+        tenantId: this.tenantId,
+      });
+    }
+    // Normalize resource URI to AAD scope — MsalTokenProvider accepts bare
+    // resource URIs but DefaultAzureCredential.getToken() requires scopes.
+    const scope = resource.endsWith("/.default")
+      ? resource
+      : `${resource.replace(/\/+$/, "")}/.default`;
+    const token = await this.credential.getToken(scope);
+    if (!token)
+      throw new Error(`DefaultAzureCredential: failed to acquire token for scope ${scope}`);
+    return token.token;
+  }
+}
+
 export async function loadMSTeamsSdk(): Promise<MSTeamsSdk> {
   return await import("@microsoft/agents-hosting");
 }
@@ -27,6 +73,10 @@ export function buildMSTeamsAuthConfig(
       if (creds.ficClientId) base.FICClientId = creds.ficClientId;
       if (creds.widAssertionFile) base.WIDAssertionFile = creds.widAssertionFile;
       break;
+    case "defaultAzureCredential":
+      // No additional fields needed — DAC handles credential discovery.
+      // The SDK still needs clientId/tenantId for audience validation.
+      break;
     case "clientSecret":
     default:
       if (creds.appPassword) base.clientSecret = creds.appPassword;
@@ -36,6 +86,21 @@ export function buildMSTeamsAuthConfig(
   return sdk.getAuthConfigWithDefaults(base);
 }
 
+/**
+ * Create the appropriate token provider based on auth type.
+ * For defaultAzureCredential, returns our DAC wrapper instead of MsalTokenProvider.
+ */
+export function createTokenProvider(
+  creds: MSTeamsCredentials,
+  authConfig: MSTeamsAuthConfig,
+  sdk: MSTeamsSdk,
+) {
+  if (creds.authType === "defaultAzureCredential") {
+    return new DefaultAzureCredentialTokenProvider(creds.appId, creds.tenantId);
+  }
+  return new sdk.MsalTokenProvider(authConfig);
+}
+
 export function createMSTeamsAdapter(
   authConfig: MSTeamsAuthConfig,
   sdk: MSTeamsSdk,
@@ -46,5 +111,5 @@ export function createMSTeamsAdapter(
 export async function loadMSTeamsSdkWithAuth(creds: MSTeamsCredentials) {
   const sdk = await loadMSTeamsSdk();
   const authConfig = buildMSTeamsAuthConfig(creds, sdk);
-  return { sdk, authConfig };
+  return { sdk, authConfig, creds };
 }
diff --git a/extensions/msteams/src/send-context.ts b/extensions/msteams/src/send-context.ts
@@ -11,7 +11,7 @@ import type {
 } from "./conversation-store.js";
 import type { MSTeamsAdapter } from "./messenger.js";
 import { getMSTeamsRuntime } from "./runtime.js";
-import { createMSTeamsAdapter, loadMSTeamsSdkWithAuth } from "./sdk.js";
+import { createMSTeamsAdapter, createTokenProvider, loadMSTeamsSdkWithAuth } from "./sdk.js";
 import { resolveMSTeamsCredentials } from "./token.js";
 
 export type MSTeamsConversationType = "personal" | "groupChat" | "channel";
@@ -127,7 +127,7 @@ export async function resolveMSTeamsSendContext(params: {
   const adapter = createMSTeamsAdapter(authConfig, sdk);
 
   // Create token provider for Graph API / OneDrive operations
-  const tokenProvider = new sdk.MsalTokenProvider(authConfig) as MSTeamsAccessTokenProvider;
+  const tokenProvider = createTokenProvider(creds, authConfig, sdk) as MSTeamsAccessTokenProvider;
 
   // Determine conversation type from stored reference
   const storedConversationType = ref.conversation?.conversationType?.toLowerCase() ?? "";
diff --git a/extensions/msteams/src/setup-surface.ts b/extensions/msteams/src/setup-surface.ts
@@ -374,6 +374,14 @@ export const msteamsSetupWizard: ChannelSetupWizard = {
             appId,
             appPassword,
             tenantId,
+            // Reset auth type and related fields when re-entering credentials
+            // as client secret — otherwise the old authType takes precedence.
+            authType: "clientSecret",
+            certPemFile: undefined,
+            certKeyFile: undefined,
+            sendX5C: undefined,
+            ficClientId: undefined,
+            widAssertionFile: undefined,
           },
         },
       };
diff --git a/extensions/msteams/src/token.test.ts b/extensions/msteams/src/token.test.ts
@@ -164,6 +164,19 @@ describe("resolveMSTeamsCredentials", () => {
     ).toBeUndefined();
   });
 
+  it("resolves defaultAzureCredential with only appId and tenantId", () => {
+    const resolved = resolveMSTeamsCredentials({
+      appId: "app-id",
+      tenantId: "tenant-id",
+      authType: "defaultAzureCredential",
+    });
+
+    expect(resolved?.authType).toBe("defaultAzureCredential");
+    expect(resolved?.appId).toBe("app-id");
+    expect(resolved?.tenantId).toBe("tenant-id");
+    expect(resolved?.appPassword).toBeUndefined();
+  });
+
   it("throws when appPassword remains an unresolved SecretRef object", () => {
     expect(() =>
       resolveMSTeamsCredentials({
@@ -268,4 +281,14 @@ describe("hasConfiguredMSTeamsCredentials", () => {
       }),
     ).toBe(false);
   });
+
+  it("detects defaultAzureCredential as configured with only appId and tenantId", () => {
+    expect(
+      hasConfiguredMSTeamsCredentials({
+        appId: "app-id",
+        tenantId: "tenant-id",
+        authType: "defaultAzureCredential",
+      }),
+    ).toBe(true);
+  });
 });
diff --git a/extensions/msteams/src/token.ts b/extensions/msteams/src/token.ts
@@ -77,6 +77,9 @@ export function hasConfiguredMSTeamsCredentials(cfg?: MSTeamsConfig): boolean {
       return hasCertificateAuthMaterial(cfg);
     case "federatedCredential":
       return hasFederatedAuthMaterial(cfg);
+    case "defaultAzureCredential":
+      // DAC handles its own credential discovery — appId + tenantId is sufficient.
+      return true;
     case "clientSecret":
     default:
       return Boolean(hasConfiguredSecretInput(cfg?.appPassword));
@@ -119,6 +122,11 @@ export function resolveMSTeamsCredentials(cfg?: MSTeamsConfig): MSTeamsCredentia
         widAssertionFile: trimPresence(cfg?.widAssertionFile),
       };
     }
+    case "defaultAzureCredential": {
+      // DAC defers credential selection to @azure/identity at runtime.
+      // Only appId + tenantId are required from config.
+      return { appId, tenantId, authType };
+    }
     case "clientSecret":
     default: {
       const appPassword =
diff --git a/src/config/types.msteams.ts b/src/config/types.msteams.ts
@@ -70,8 +70,11 @@ export type MSTeamsConfig = {
    * - "certificate": Uses certPemFile + certKeyFile for certificate-based auth.
    * - "federatedCredential": Uses FIC (First-party Integration Channel) client ID
    *   with workload identity federation (no secret needed).
+   * - "defaultAzureCredential": Defers credential selection to @azure/identity's
+   *   DefaultAzureCredential, which tries env vars, workload identity, managed
+   *   identity, az cli, and other sources automatically.
    */
-  authType?: "clientSecret" | "certificate" | "federatedCredential";
+  authType?: "clientSecret" | "certificate" | "federatedCredential" | "defaultAzureCredential";
   /** Path to the certificate PEM file (used when authType is "certificate"). */
   certPemFile?: string;
   /** Path to the certificate key file (used when authType is "certificate"). */
diff --git a/src/config/zod-schema.providers-core.ts b/src/config/zod-schema.providers-core.ts
@@ -1483,7 +1483,9 @@ export const MSTeamsConfigSchema = z
     configWrites: z.boolean().optional(),
     appId: z.string().optional(),
     appPassword: SecretInputSchema.optional().register(sensitive),
-    authType: z.enum(["clientSecret", "certificate", "federatedCredential"]).optional(),
+    authType: z
+      .enum(["clientSecret", "certificate", "federatedCredential", "defaultAzureCredential"])
+      .optional(),
     certPemFile: z.string().optional(),
     certKeyFile: z.string().optional(),
     sendX5C: z.boolean().optional(),
