Fix SSO+OBO flow issues for declarative agents: improve warnings, fix identifierUris, add redirect URIs

Agent-Logs-Url: https://github.com/OfficeDev/microsoft-365-agents-toolkit/sessions/b88f930d-aad3-4922-9191-d1d66283e283

Co-authored-by: HuihuiWu-Microsoft <73154171+HuihuiWu-Microsoft@users.noreply.github.com>

Author: Copilot

packages/fx-core/resource/package.nls.json

@@ -1052,7 +1052,8 @@
   "core.addAuthAction.validation.url": "Invalid URL format. Please enter a valid URL.",
   "core.oauthScopeQuestion.validation.scope": "Invalid scope format. Please enter a valid scope. Samle: scope1: description for scope1; scope2: description for scope2",
   "core.authNameQuestion.validation.empty": "Auth name cannot be empty.",
-  "driver.oauth.microsoftEntraWarning": "If you are using your own Microsoft Entra app, please: 1. Update the application id uri of your Microsoft Entra app to %s, 2. Add %s to redirect uri of your Microsoft Entra app.",
+  "driver.oauth.microsoftEntraWarning": "Microsoft Entra SSO configuration required for On-Behalf-Of (OBO) token exchange. If you are managing your Microsoft Entra app registration manually, please: 1. Set the Application ID URI to %s only — do not add additional identifier URIs as this breaks the OBO token exchange silently. 2. Add both %s and %s to the web redirect URIs of your app registration. Missing redirect URIs cause error 50011 during SSO. If using the toolkit-managed aad.manifest.json, these settings are configured automatically by the aadApp/update step.",
+  "driver.oauth.microsoftEntraOboInfo": "SSO+OBO flow configured with Application ID URI: %s. For the On-Behalf-Of exchange to succeed, ensure your Microsoft Entra app has: (a) only this Application ID URI set as identifierUri, (b) the access_as_user delegated scope defined, (c) Teams/Office client apps pre-authorized for that scope, and (d) the idtyp optional claim added to access tokens. If the OBO exchange fails silently, check Entra ID sign-in logs for errors such as 50011 (redirect URI mismatch).",
   "core.addKnowledgeQuestion.webContent.title": "Web Content",
   "core.addKnowledgeQuestion.webContent.placeholder": "Enter an absolute URL to a site to be searched for content.",
   "core.addKnowledgeQuestion.invalidWebContent.message": "Invalid web content. Please provide a valid URL.",

packages/fx-core/src/component/driver/oauth/create.ts

@@ -24,7 +24,7 @@ import { loadStateFromEnv } from "../util/utils";
 import { OauthNameTooLongError } from "./error/oauthNameTooLong";
 import { CreateOauthArgs } from "./interface/createOauthArgs";
 import { CreateOauthOutputs, OutputKeys } from "./interface/createOauthOutputs";
-import { defaultRedirectUri, logMessageKeys } from "./utility/constants";
+import { additionalRedirectUri, defaultRedirectUri, logMessageKeys } from "./utility/constants";
 import { OauthInfo, getAuthInfo, validateSecret, validateUrl } from "./utility/utility";
 import { OauthIdentityProviderInvalid } from "./error/oauthIdentityProviderInvalid";
 
@@ -133,14 +133,20 @@ export class CreateOauthDriver implements StepDriver {
             oauthRegistrationRes.resourceIdentifierUri
           );
 
-          void context.ui!.showMessage(
-            "warn",
+          const warningMessage = getLocalizedString(
+            logMessageKeys.microsoftEntraWarning,
+            oauthRegistrationRes.resourceIdentifierUri,
+            defaultRedirectUri,
+            additionalRedirectUri
+          );
+          context.logProvider?.warning(warningMessage);
+          void context.ui!.showMessage("warn", warningMessage, false);
+
+          context.logProvider?.info(
             getLocalizedString(
-              logMessageKeys.microsoftEntraWarning,
-              oauthRegistrationRes.resourceIdentifierUri,
-              defaultRedirectUri
-            ),
-            false
+              logMessageKeys.microsoftEntraOboInfo,
+              oauthRegistrationRes.resourceIdentifierUri
+            )
           );
         }
 

packages/fx-core/src/component/driver/oauth/utility/constants.ts

@@ -10,6 +10,7 @@ export const logMessageKeys = {
   skipUpdateOauth: "driver.oauth.log.skipUpdateOauth",
   successUpdateOauth: "driver.oauth.log.successUpdateOauth",
   microsoftEntraWarning: "driver.oauth.microsoftEntraWarning",
+  microsoftEntraOboInfo: "driver.oauth.microsoftEntraOboInfo",
 };
 
 export const maxSecretLength = 512;
@@ -18,3 +19,6 @@ export const maxDomainPerOauth = 1;
 
 export const defaultRedirectUri =
   "https://teams.microsoft.com/api/platform/v1.0/oAuthConsentRedirect";
+
+export const additionalRedirectUri =
+  "https://teams.microsoft.com/api/platform/v1.0/oAuthRedirect";

templates/vs/csharp/declarative-agent-with-action-from-scratch-oauth/aad.manifest.json.tpl

@@ -4,7 +4,6 @@
     "displayName": "{{appName}}-aad",
     "identifierUris": [
 {{#MicrosoftEntra}}
-        "api://${{OPENAPI_SERVER_DOMAIN}}/${{AAD_APP_CLIENT_ID}}",
         "${{AADAUTHCODE_APPLICATION_ID_URI}}"
 {{/MicrosoftEntra}}
 {{^MicrosoftEntra}}
@@ -59,7 +58,8 @@
     "web": {
         "redirectUris": [
 {{#MicrosoftEntra}}
-            "https://teams.microsoft.com/api/platform/v1.0/oAuthConsentRedirect"
+            "https://teams.microsoft.com/api/platform/v1.0/oAuthConsentRedirect",
+            "https://teams.microsoft.com/api/platform/v1.0/oAuthRedirect"
 {{/MicrosoftEntra}}
 {{^MicrosoftEntra}}
             "https://teams.microsoft.com/api/platform/v1.0/oAuthRedirect"

templates/vs/csharp/declarative-agent-with-action-from-scratch-oauth/appPackage/apiSpecificationFile/repair.yml.tpl

@@ -17,7 +17,7 @@ components:
           authorizationUrl: https://login.microsoftonline.com/${{AAD_APP_TENANT_ID}}/oauth2/v2.0/authorize
           tokenUrl: https://login.microsoftonline.com/${{AAD_APP_TENANT_ID}}/oauth2/v2.0/token
           scopes:
-            api://${{OPENAPI_SERVER_DOMAIN}}/${{AAD_APP_CLIENT_ID}}/repairs_read: Read repair records
+            ${{AADAUTHCODE_APPLICATION_ID_URI}}/repairs_read: Read repair records
 {{/MicrosoftEntra}}
 {{^MicrosoftEntra}}
     oAuth2AuthCode:
@@ -39,7 +39,7 @@ paths:
       security:
 {{#MicrosoftEntra}}
         - aadAuthCode:
-          - api://${{OPENAPI_SERVER_DOMAIN}}/${{AAD_APP_CLIENT_ID}}/repairs_read
+          - ${{AADAUTHCODE_APPLICATION_ID_URI}}/repairs_read
 {{/MicrosoftEntra}}
 {{^MicrosoftEntra}}
         - oAuth2AuthCode:

templates/vsc/js/declarative-agent-with-action-from-scratch-oauth/aad.manifest.json.tpl

@@ -4,7 +4,6 @@
     "displayName": "{{appName}}-aad",
     "identifierUris": [
 {{#MicrosoftEntra}}
-        "api://${{OPENAPI_SERVER_DOMAIN}}/${{AAD_APP_CLIENT_ID}}",
         "${{AADAUTHCODE_APPLICATION_ID_URI}}"
 {{/MicrosoftEntra}}
 {{^MicrosoftEntra}}
@@ -59,7 +58,8 @@
     "web": {
         "redirectUris": [
 {{#MicrosoftEntra}}
-            "https://teams.microsoft.com/api/platform/v1.0/oAuthConsentRedirect"
+            "https://teams.microsoft.com/api/platform/v1.0/oAuthConsentRedirect",
+            "https://teams.microsoft.com/api/platform/v1.0/oAuthRedirect"
 {{/MicrosoftEntra}}
 {{^MicrosoftEntra}}
             "https://teams.microsoft.com/api/platform/v1.0/oAuthRedirect"

templates/vsc/js/declarative-agent-with-action-from-scratch-oauth/appPackage/apiSpecificationFile/repair.yml.tpl

@@ -17,7 +17,7 @@ components:
           authorizationUrl: https://login.microsoftonline.com/${{AAD_APP_TENANT_ID}}/oauth2/v2.0/authorize
           tokenUrl: https://login.microsoftonline.com/${{AAD_APP_TENANT_ID}}/oauth2/v2.0/token
           scopes:
-            api://${{OPENAPI_SERVER_DOMAIN}}/${{AAD_APP_CLIENT_ID}}/repairs_read: Read repair records
+            ${{AADAUTHCODE_APPLICATION_ID_URI}}/repairs_read: Read repair records
 {{/MicrosoftEntra}}
 {{^MicrosoftEntra}}
     oAuth2AuthCode:
@@ -39,7 +39,7 @@ paths:
       security:
 {{#MicrosoftEntra}}
         - aadAuthCode:
-          - api://${{OPENAPI_SERVER_DOMAIN}}/${{AAD_APP_CLIENT_ID}}/repairs_read
+          - ${{AADAUTHCODE_APPLICATION_ID_URI}}/repairs_read
 {{/MicrosoftEntra}}
 {{^MicrosoftEntra}}
         - oAuth2AuthCode:

templates/vsc/ts/declarative-agent-with-action-from-scratch-oauth/aad.manifest.json.tpl

@@ -4,7 +4,6 @@
     "displayName": "{{appName}}-aad",
     "identifierUris": [
 {{#MicrosoftEntra}}
-        "api://${{OPENAPI_SERVER_DOMAIN}}/${{AAD_APP_CLIENT_ID}}",
         "${{AADAUTHCODE_APPLICATION_ID_URI}}"
 {{/MicrosoftEntra}}
 {{^MicrosoftEntra}}
@@ -59,7 +58,8 @@
     "web": {
         "redirectUris": [
 {{#MicrosoftEntra}}
-            "https://teams.microsoft.com/api/platform/v1.0/oAuthConsentRedirect"
+            "https://teams.microsoft.com/api/platform/v1.0/oAuthConsentRedirect",
+            "https://teams.microsoft.com/api/platform/v1.0/oAuthRedirect"
 {{/MicrosoftEntra}}
 {{^MicrosoftEntra}}
             "https://teams.microsoft.com/api/platform/v1.0/oAuthRedirect"

templates/vsc/ts/declarative-agent-with-action-from-scratch-oauth/appPackage/apiSpecificationFile/repair.yml.tpl

@@ -17,7 +17,7 @@ components:
           authorizationUrl: https://login.microsoftonline.com/${{AAD_APP_TENANT_ID}}/oauth2/v2.0/authorize
           tokenUrl: https://login.microsoftonline.com/${{AAD_APP_TENANT_ID}}/oauth2/v2.0/token
           scopes:
-            api://${{OPENAPI_SERVER_DOMAIN}}/${{AAD_APP_CLIENT_ID}}/repairs_read: Read repair records
+            ${{AADAUTHCODE_APPLICATION_ID_URI}}/repairs_read: Read repair records
 {{/MicrosoftEntra}}
 {{^MicrosoftEntra}}
     oAuth2AuthCode:
@@ -39,7 +39,7 @@ paths:
       security:
 {{#MicrosoftEntra}}
         - aadAuthCode:
-          - api://${{OPENAPI_SERVER_DOMAIN}}/${{AAD_APP_CLIENT_ID}}/repairs_read
+          - ${{AADAUTHCODE_APPLICATION_ID_URI}}/repairs_read
 {{/MicrosoftEntra}}
 {{^MicrosoftEntra}}
         - oAuth2AuthCode: