Issue with Oauth2 redirect upon signing in on Declarative Agent with existing API plugin

[michellekeoy]

Describe the bug Context: I am creating a custom declarative agent with an existing API plugin using OAuth2 authorization code flow.

What has been done so far:

• The declarative agent has been built, I can see and test it on teams
• OAuth client has been registered following this documentation, with authorize, token, and refresh routes, and scope. OAUTH2_CONFIGURATION_ID has been added to manifest.
• Followed this instruction: If your OAuth provider requires specifying allowed redirect URIs when registering your app, include https://teams.microsoft.com/api/platform/v1.0/oAuthRedirect in the allowed redirect URIs. Side note: I am confused about this redirect URI specifically. How does it know which chat/agent to return to?
• I am able to get prompted to sign in to my security provider Okta.
• I get a popup to login with Okta, I am able to login to Okta with my credentials
• I am able to see in our Okta logs of a successful login (/authorize and /token endpoints are hit and successfully grant an access token)
• I see in the network tab 302s and 200s, no error codes can be seen.
• After logging in with Okta, the login popup turns into a blank page.
• I do not get redirected to the chat, and if I send another message to the chat, we get prompted to sign in with OAuth flow again.

To Reproduce Not sure if you would be able to reproduce the behaviour, but I am happy to connect and show you on a call.

Expected behavior I would assume we get redirected to the copilot chat with my custom declarative agent.

Screenshots Screenshots have sensitive information, but they don't provide much. I have described to best ability above, let me know if you need more details!

VS Code Extension Information (please complete the following information):

• OS: Darwin x64 23.6.0
• Version 1.95.1 (Universal)

CLI Information (please complete the following information):

• OS: [e.g. iOS8.1]
• Version [e.g. 22]

[microsoft-github-policy-service[bot]]

Thank you for contacting us! Any issue or feedback from you is quite important to us. We will do our best to fully respond to your issue as soon as possible. Sometimes additional investigations may be needed, we will usually get back to you within 2 days by adding comments to this issue. Please stay tuned.

[SLdragon]

Hi, @michellekeoy

I am confused about this redirect URI specifically. How does it know which chat/agent to return to?

The redirect URI is used to receive the token and will automatically close after consent, it will not return to any chat/agent.

Regarding your issue, it seems the Copilot API call failed with the token, so that it ask your consent again. This could be due to an invalid scope or other reasons. Could you share your OAuth registration info so I can take a look?

[michellekeoy]

@SLdragon Noted. Yes, where can I share that info in a secure place? Why did the API call fail if Okta has returned a success and I receive a 200? Scope is correct or else the access token would not have been granted.

[SLdragon]

Do you mean that your API service responded with a 200 status?

Can you check the API call logs in the service backend to see if it received the correct token and parameters?

[michellekeoy]

@SLdragon Yes, checked, correct. It is successful. It may be clearer if we hop on a call to debug instead, as I'm not sure I can send sensitive information in this forum. My timezone EST though

[SLdragon]

OK, you can find me on Teams rentu@microsoft.com

[michellekeoy]

@SLdragon Requested you on Teams