openclaw - 💡(How to fix) Fix [Feature]: Federated credential support for Microsoft Teams (certificate + managed identity) [1 comments, 1 participants]

GitHub stats: openclaw/openclaw#54903, fetched 2026-04-08 01:34:42
Comments: 1 · Participants: 1 · Timeline: 1 · Reactions: 0


Summary

Add federated authentication support for the Microsoft Teams channel plugin, enabling certificate-based and Azure Managed Identity auth as alternatives to client secrets.

Problem to solve

The MS Teams plugin currently only supports client secret (appPassword) authentication. This is insufficient for production/enterprise deployments where:

  • Security policies prohibit shared secrets — many organizations mandate passwordless authentication for service identities.
  • Secret rotation is operationally costly — client secrets expire and must be rotated manually, causing outages if missed.
  • Azure-native deployments (AKS, App Service) should use managed identity — workload identity is the Azure-recommended pattern for pod-to-service auth, eliminating secrets entirely.
  • Certificate-based auth is required by some compliance frameworks (e.g., FedRAMP, SOC 2) that disallow long-lived shared secrets.

Current workaround: None. Users must use client secrets or build custom authentication wrappers outside OpenClaw.

Proposed solution

Extend MSTeamsCredentials to support three authentication methods via a new authType config field:

1. Client secret (existing, default):

{ appId: "...", appPassword: "...", tenantId: "..." }

2. Certificate-based (new):

{ appId: "...", tenantId: "...", authType: "federated", certificatePath: "/path/to/cert.pem", certificateThumbprint: "AABB1122" }

3. Managed Identity (new):

{ appId: "...", tenantId: "...", authType: "federated", useManagedIdentity: true, managedIdentityClientId: "..." }

Implementation details:

  • MSTeamsCredentials becomes a discriminated union: type: "secret" | "federated"
  • resolveAuthType() defaults to "secret" when authType is not set — fully backward compatible
  • Managed identity uses @azure/identity (ManagedIdentityCredential / DefaultAzureCredential), dynamically imported at runtime
  • Certificate auth reads PEM file and passes clientCertificate to the Teams SDK App constructor
  • New Zod schema fields with cross-field validation
  • 6 new env vars: MSTEAMS_AUTH_TYPE, MSTEAMS_CERTIFICATE_PATH, MSTEAMS_CERTIFICATE_THUMBPRINT, MSTEAMS_USE_MANAGED_IDENTITY, MSTEAMS_MANAGED_IDENTITY_CLIENT_ID

Alternatives considered

  • Client secret with short TTL + auto-rotation: Still requires secret management infrastructure (Key Vault, rotation functions). Managed identity eliminates this entirely.
  • External token proxy: Running a sidecar that handles auth and proxies to the bot. Adds operational complexity and latency.
  • Azure AD certificate via env var (base64-encoded): Avoids file path but is awkward for large PEM files and harder to rotate via mounted secrets.

Impact

  • Affected: Any Teams deployment on Azure infrastructure (AKS, App Service, VMs) that wants passwordless auth, or any org with security policies requiring certificate-based auth.
  • Severity: High for enterprise/production deployments — blocks adoption in orgs that prohibit client secrets.
  • Frequency: Affects every deployment that needs managed identity or certificate auth (permanent, not intermittent).
  • Consequence: Without this, users must either accept the security risk of long-lived client secrets or build custom auth wrappers, adding significant development and maintenance overhead.

Evidence/examples

  • Azure recommends workload identity for AKS: AKS Workload Identity docs
  • Bot Framework SDK supports certificate and managed identity auth natively
  • @microsoft/teams.apps SDK accepts token callback and clientCertificate in the App constructor
  • Similar pattern used by oauth2-proxy and other Azure-integrated services

Additional information

  • PR already submitted: #53615 implements this feature with full test coverage (24 tests: 17 token + 7 sdk)
  • Backward compatible: Existing appId + appPassword configurations continue working without any changes — resolveAuthType() defaults to "secret"
  • No new hard dependencies for existing users: @azure/identity is added as a dependency but only imported at runtime when managed identity is configured
  • Documentation included: PR adds comprehensive docs to docs/channels/msteams.md covering certificate auth, managed identity, and AKS workload identity setup
  • Tested on AKS: Verified with workload identity on an AKS cluster with federated identity credential


Fix Plan

To add federated authentication support for the Microsoft Teams channel plugin, follow these steps:

  • Extend the MSTeamsCredentials type to support three authentication methods via a new authType config field.
  • Implement a discriminated union for MSTeamsCredentials with types "secret" and "federated".
  • Create a resolveAuthType() function that defaults to "secret" when authType is not set.
  • Use the @azure/identity package to implement managed identity authentication.
  • Add support for certificate-based authentication by reading the PEM file and passing the clientCertificate to the Teams SDK App constructor.

Example code for the MSTeamsCredentials type (a discriminated union keyed on the authType config field; authType may be omitted only on the secret variant, which resolveAuthType() treats as "secret"):

interface MSTeamsSecretCredentials {
  authType?: "secret";          // omitted in existing configs => "secret"
  appId: string;
  tenantId: string;
  appPassword: string;          // the client secret
}

interface MSTeamsFederatedCredentials {
  authType: "federated";
  appId: string;
  tenantId: string;
  // certificate-based auth: both fields required together
  certificatePath?: string;
  certificateThumbprint?: string;
  // managed identity: clientId only needed for a user-assigned identity
  useManagedIdentity?: boolean;
  managedIdentityClientId?: string;
}

type MSTeamsCredentials = MSTeamsSecretCredentials | MSTeamsFederatedCredentials;

Example code for the resolveAuthType() function (nullish coalescing rather than ||, so only an unset authType falls back to "secret"):

function resolveAuthType(credentials: MSTeamsCredentials): "secret" | "federated" {
  // Unset authType means an existing secret-based config: backward compatible.
  return credentials.authType ?? "secret";
}

Example code for managed identity authentication (wrapped in an async function so the await is valid; the scope passed to getToken() must match the resource the bot calls, so treat the Graph scope below as a placeholder default):

import { ManagedIdentityCredential } from "@azure/identity";

// Acquire a token with the host's managed identity. Pass managedIdentityClientId
// for a user-assigned identity; omit it for the system-assigned one.
async function getManagedIdentityToken(
  managedIdentityClientId?: string,
  scope = "https://graph.microsoft.com/.default",
): Promise<string> {
  const credential = managedIdentityClientId
    ? new ManagedIdentityCredential({ clientId: managedIdentityClientId })
    : new ManagedIdentityCredential();
  const accessToken = await credential.getToken(scope);
  if (!accessToken) {
    throw new Error("managed identity token acquisition failed");
  }
  return accessToken.token; // bearer token string
}

Example code for certificate-based authentication (the configured path is used as-is; joining it onto __dirname would mangle an absolute path such as /path/to/cert.pem):

import * as fs from "fs";

// Read the PEM from the configured path and shape it for the Teams SDK
// App constructor's clientCertificate option.
function loadClientCertificate(certificatePath: string, certificateThumbprint: string) {
  const certificate = fs.readFileSync(certificatePath, "utf8");
  return {
    thumbprint: certificateThumbprint,
    certificate,
  };
}

const clientCertificate = loadClientCertificate("/path/to/cert.pem", "AABB1122");

Verification

To verify that the fix worked, test the Microsoft Teams channel plugin with different authentication methods:

  • Test with client secret authentication to ensure backward compatibility.
  • Test with managed identity authentication to ensure that the plugin can authenticate using the @azure/identity package.
  • Test with certificate-based authentication to ensure that the plugin can authenticate using a PEM file.

Extra Tips

  • Make sure to update the documentation to reflect the new authentication methods.
  • Test the plugin thoroughly to ensure that it works as expected with different authentication methods.
  • Consider adding additional logging and error handling to help diagnose any issues that may arise.
