Merged
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Improves the OAuth token exchange flow to better handle consent-required scenarios by signaling a precondition failure state through the flow and returning a Teams-friendly invoke response behavior.
Changes:
- Introduces
_FlowErrorTag.PRECONDITION_FAILEDand propagates it through the OAuth continuation logic. - Returns a 412 invoke response for token-exchange consent-required failures to prompt Teams to fall back to regular login.
- Enhances token-exchange error reporting and adjusts default invoke response behavior in the adapter.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 7 comments.
Show a summary per file
| File | Description |
|---|---|
| libraries/microsoft-agents-hosting-core/microsoft_agents/hosting/core/connector/client/user_token_client.py | Improves token-exchange error detail by including response body in raised errors/logs. |
| libraries/microsoft-agents-hosting-core/microsoft_agents/hosting/core/channel_service_adapter.py | Changes default invoke response when none is set (501 → 200). |
| libraries/microsoft-agents-hosting-core/microsoft_agents/hosting/core/app/oauth/_handlers/_user_authorization.py | Adds handling to return a 412 invoke response for consent-required token exchange failures. |
| libraries/microsoft-agents-hosting-core/microsoft_agents/hosting/core/_oauth/_oauth_flow.py | Propagates consent-required failures as a tagged flow error and handles signin/failure invokes. |
| libraries/microsoft-agents-hosting-core/microsoft_agents/hosting/core/_oauth/_flow_state.py | Adds the new flow error tag enum value. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
axelsrz
changed the title
rodrigobr-msft
approved these changes
May 1, 2026
Contributor
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 7 out of 7 changed files in this pull request and generated 3 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| async def _continue_from_invoke_token_exchange( | ||
| self, activity: Activity | ||
| ) -> TokenResponse: | ||
| ) -> tuple[TokenResponse, _FlowErrorTag]: |
| connection_name=flow_state.connection, | ||
| failure_detail="The Agent is unable to exchange token. Proceed with regular login.", | ||
| ), | ||
| ).model_dump(exclude_unset=True), |
Comment on lines
+266
to
+271
| if not ( | ||
| context.activity.channel_id.channel == Channels.ms_teams | ||
| and sign_in_state.continuation_activity | ||
| and context.activity.type == ActivityTypes.invoke | ||
| and context.activity.name | ||
| == SignInConstants.token_exchange_operation_name |
2 tasks
axelsrz
added a commit
that referenced
this pull request
May 4, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This pull request improves the OAuth token exchange flow to handle user consent scenarios more robustly and to provide clearer error signaling throughout the authentication process. The key changes introduce a new error tag for consent-related precondition failures, propagate this state through the OAuth flow, and update the response handling to better align with Microsoft Teams' expectations for token exchange failures.
Fixes #294
OAuth Token Exchange and Error Handling Improvements:
_FlowErrorTag.PRECONDITION_FAILEDto represent cases where user consent is required before token exchange can proceed._continue_from_invoke_token_exchangein_oauth_flow.pyto catch consent-related errors, returning a tuple of(None, _FlowErrorTag.PRECONDITION_FAILED)when a 400 error with "Consent Required" is encountered, instead of raising an exception.continue_flowto propagate the new error tag, handlesignin/failureactivities, and avoid incrementing attempt counters for consent precondition failures. [1] [2]User Authorization and Response Handling:
_handle_flow_responsein_user_authorization.pyto detect thePRECONDITION_FAILEDstate and respond with a 412 InvokeResponse, prompting Teams to request user consent and retry the token exchange.channel_service_adapter.pyfrom HTTP 501 (Not Implemented) to HTTP 200 (OK), ensuring better compatibility with Teams' expectations.Logging and Error Propagation:
user_token_client.pyby raising a detailedClientResponseErrorwith the response body when token exchange fails (status code >= 300), aiding in debugging and error transparency.