Issue with OAuth2 Redirection During Sign-In on Copilot Declarative Agent with API Plugin #12949

Closed
swamisnawale opened this issue Dec 20, 2024 · 10 comments
Assignees
Labels
needs attention This issue needs the attention of a contributor. TA:Auth Team Area: Auth

Comments

@swamisnawale

swamisnawale commented Dec 20, 2024

What I am doing
I am creating a custom Copilot agent with API plugin calls to the Microsoft Graph API /me and /users endpoints to retrieve user details. For authentication, I am using OAuth as the security schema defined in my OpenAPI description file.

What I did so far

  1. Created a new Copilot agent with an API plugin using Teams Toolkit and the OpenAPI description file.
  2. Registered an app in Azure AD, generated a client secret, and granted delegated permissions (see image below).
    image
  3. For the redirect URL, I added "https://teams.microsoft.com/api/platform/v1.0/oAuthRedirect" as per the documentation: https://learn.microsoft.com/en-us/microsoft-365-copilot/extensibility/api-plugin-authentication
  4. After this, I deployed the agent. When I ask a query like "Get me details of ", it prompts me to allow API access.
  5. When I click "Allow", it asks me to sign in.

Expected behavior
When I click "Sign In", it should open a popup for login. After entering the credentials, the popup should close.

Issue I am facing
When I click "Sign In", the popup opens but freezes, showing nothing. This issue suddenly started occurring, even though it was working fine yesterday. I have also tested this with multiple users.
image

Screenshots
image
image

@microsoft-github-policy-service microsoft-github-policy-service bot added the needs attention This issue needs the attention of a contributor. label Dec 20, 2024

👋 Hi @swamisnawale,

Thanks for reaching out! We value your feedback and will do our best to address your issue promptly. Sometimes, we may need to investigate further, but we'll usually get back to you within 2 days with an update. Please stay tuned.

This is an automated response from our GitHub App. Here's the AI-generated message:

Based on your query and the provided information, it seems that you're experiencing an issue with the OAuth2 redirection during the sign-in process for your custom Copilot agent using the Teams Toolkit. Here are the steps and suggestions to troubleshoot and potentially resolve this issue:

Error Details

  • Error Trigger: Clicking "Sign In" opens a popup that freezes and shows nothing.
  • Previous Functionality: This issue started occurring suddenly, even though it was working fine previously.
  • Testing: Occurs with multiple users.

Potential Causes and Solutions

1. OAuth2 Redirect URI Issues

  • Cause: The redirect URI might not be properly configured or there might be issues with the token exchange process.
  • Action: Double-check the redirect URI in your Azure AD app registration. Ensure that it is set to https://teams.microsoft.com/api/platform/v1.0/oAuthRedirect.
  • Help Link: Refer to the official documentation to confirm the setup: OAuth2 Redirect Configuration.

2. App Registration and Permissions

  • Cause: There might be an issue with the app registration or the permissions granted.
  • Action: Verify that the app registration in Azure AD has the correct permissions (delegated permissions) and that the client secret is valid.
  • Steps:
    1. Go to the Azure portal.
    2. Navigate to Azure Active Directory > App registrations.
    3. Select your app and review the API permissions and Certificates & secrets sections.

3. Network and Browser Issues

  • Cause: Browser or network issues might cause the popup to freeze.
  • Action: Test the sign-in process in different browsers and ensure there are no network restrictions or blocks that could interfere with the process.

4. Debugging Authentication Flow

  • Cause: There might be an issue with the backend handling the authentication process.
  • Action: Check the network tab in the browser's developer tools for any failed requests or error messages during the sign-in process.
  • Proposed Solution: Ensure that the backend is correctly handling the OAuth token exchange. Check if the client credentials are correctly passed (not both in header and body).

5. Backend Configuration

  • Cause: Issues with the backend configuration for handling OAuth tokens.
  • Action: If you are using Okta or another identity provider, make sure that it supports the client credentials method being used.
  • GitHub Reference: Similar issues have been discussed and resolved by modifying the backend configuration to support the proper client credentials method. For more details, check GitHub Issue #12722.

Additional Resources

  • OAuth2 Documentation: For detailed information on OAuth2 configurations, refer to the official Microsoft Documentation.
  • Example Code: Ensure that the authentication flow includes authentication.notifySuccess() to close the popup after successful login.
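```javascript
import { app, authentication } from "@microsoft/teams-js";

function getTokenInTeams() {
    // Only start the auth flow when a Teams host context is available.
    app.getContext().then((ctx) => {
        if (ctx) {
            console.log(ctx);
            // Open the sign-in popup on this app's own origin
            // (origin has no trailing slash, so the path must start with "/").
            authentication.authenticate({
                url: window.location.origin + "/.auth/login/aad/callback",
                width: 600,
                height: 535,
            })
            .then(
                (result) => {
                    console.log("Got a result", result);
                    // Add notifySuccess here
                    authentication.notifySuccess();
                },
                (err) => {
                    // Distinguish a blocked popup from other failures.
                    if (err.message === "FailedToOpenWindow") {
                        console.log("Error Message: FailedToOpenWindow");
                    } else {
                        console.log("Error Message: " + err.message);
                    }
                }
            );
        }
    });
}
```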

If the problem persists, consider reaching out to Microsoft support or the Teams Toolkit community for further assistance.

Note: This message was generated automatically by an AI-powered system.

@swamisnawale swamisnawale changed the title Issue with Oauth2 redirection upon signing in on Declarative Agent with existing API plugin Issue with OAuth2 Redirection During Sign-In on Copilot Declarative Agent with API Plugin Dec 20, 2024
@Nivedipa-MSFT

@swamisnawale - Thank you for bringing this issue to our attention. We will look into it and get back to you shortly.

@matteoperazzolo

I have the same problem.

@SLdragon
Contributor

SLdragon commented Dec 23, 2024

Hi @swamisnawale and @matteoperazzolo, for a Declarative Agent with a Microsoft Entra OAuth action, the Microsoft Entra app needs to add an identifier URI that follows a specific pattern:

image

You can find this identifier URI in the Teams Developer Portal.

@swamisnawale
Author

@SLdragon Thanks for your reply, I will try this out. Just a quick question: is this something that was newly added? Earlier this was not set up, and yet the agent was working without any issue.

@adashen adashen added the TA:Auth Team Area: Auth label Dec 23, 2024
@SLdragon
Contributor

@swamisnawale , yes, this is a new requirement to use Declarative Agent for Microsoft Entra OAuth. Previously, it was not required, so your agent was working correctly
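
As an added example (not code from this issue or from Teams Toolkit): a small audit of an app registration for the two settings this thread turns on, the exact redirect URI and the presence of an identifier URI. Field names follow the Microsoft Graph `application` resource; the sample registrations and the placeholder identifier URI are constructed, and the required identifier URI pattern is not checked because the page shows it only in an image.

```javascript
// Added example. Sample registrations below are constructed, not real tenants.
const EXPECTED_REDIRECT = "https://teams.microsoft.com/api/platform/v1.0/oAuthRedirect";

// Classify one registered redirect URI relative to the value the docs require.
function classifyRedirect(uri) {
  if (uri === EXPECTED_REDIRECT) return "exact";
  if (uri.includes("*")) return "wildcard";
  let u;
  try { u = new URL(uri); } catch { return "unparseable"; }
  const want = new URL(EXPECTED_REDIRECT);
  if (u.protocol !== "https:") return "not-https";
  if (u.hostname !== want.hostname) return "other-host";
  // Same host and path apart from case, trailing slash, port or query:
  // looks right to a reviewer but fails exact string matching.
  const norm = (p) => p.replace(/\/+$/, "").toLowerCase();
  return norm(u.pathname) === norm(want.pathname) ? "near-miss" : "other-path";
}

function auditRegistration(app) {
  const findings = [];
  const uris = (app.web && app.web.redirectUris) || [];
  const kinds = uris.map((uri) => ({ uri, kind: classifyRedirect(uri) }));
  if (!kinds.some((k) => k.kind === "exact")) {
    findings.push({ severity: "error", msg: "expected redirect URI is not registered" });
  }
  for (const { uri, kind } of kinds) {
    if (kind === "exact") continue;
    // Every extra redirect URI is another place a code or token can be sent.
    const severity = kind === "near-miss" ? "error" : "review";
    findings.push({ severity, msg: `${kind}: ${uri}` });
  }
  if (!(app.identifierUris || []).length) {
    findings.push({ severity: "error", msg: "no identifier URI set" });
  }
  return findings;
}

// Constructed sample: trailing slash on the redirect URI, no identifier URI.
const broken = {
  web: { redirectUris: [EXPECTED_REDIRECT + "/", "https://example.com/cb"] },
  identifierUris: [],
};
// Constructed sample: placeholder identifier URI; take the real one from Developer Portal.
const fixed = {
  web: { redirectUris: [EXPECTED_REDIRECT] },
  identifierUris: ["api://PLACEHOLDER-from-developer-portal"],
};
console.log(auditRegistration(broken), auditRegistration(fixed));
```

The `review` findings are not failures: they list redirect URIs other than the Teams one so each can be confirmed as intended.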

@claraschneiker

Hi @SLdragon, is there full documentation yet on where to add the SSO registration in the app manifest? I have the same issue.

@swamisnawale
Author

swamisnawale commented Dec 23, 2024

@claraschneiker, I followed the steps that @SLdragon gave to set up the SSO registrations, and the agent has been working properly.

@SLdragon
Contributor

> Hi @SLdragon, is there full documentation yet on where to add the SSO registration in the app manifest? I have the same issue.

Currently, there is no official documentation on where to add the SSO registration in the app manifest. However, it will be available in the future. In the meantime, if you create a "from scratch" DA template with Entra SSO in TTK, it will automatically handle it for you.

@SLdragon
Contributor

Close this issue, and if you need additional help, feel free to reopen it or create a new issue
