Create 'signin/failure' invoke activity handling#459
Merged
Conversation
corinagum
force-pushed
the
cg/signin-failure
branch
from
8ce57b8 to
49b2bfb
Compare
corinagum
force-pushed
the
cg/signin-failure
branch
from
13c3570 to
3f75792
Compare
heyitsaamir
previously approved these changes
Mar 4, 2026
corinagum
force-pushed
the
cg/signin-failure
branch
from
e97410c to
fba1d17
Compare
heyitsaamir
previously approved these changes
Mar 4, 2026
heyitsaamir
approved these changes
Mar 5, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Resolves #460
Route and handle
signin/failureinvoke activities that Teams sends when SSO token exchange fails. Adds a system default handler that logs actionable warnings and emits error events, plus a signin.failure route for developer overrides.Previously, when Teams sent a
signin/failureinvoke (e.g., due to an SSO misconfiguration), the SDKs silently swallowed the failure with no logging, no error events, and no developer notification. This made SSO configuration issues extremely difficult to diagnose.User: hi
(No response from app)
The Problem
When a Teams app uses SSO (Single Sign-On) with a Token Exchange URL configured in the OAuth connection settings, Teams attempts a silent token exchange. If this fails -- for example, because the Entra app registration's "Expose an API" configuration doesn't match the Token Exchange URL -- Teams sends a
signin/failureinvoke activity with details like:{ "type": "invoke", "name": "signin/failure", "value": { "code": "resourcematchfailed", "message": "Resource match failed" } }Before this change, none of the three SDKs routed or handled this invoke. The failure was invisible to the user, SDK, and the developer. The user saw no sign-in card, no error message, and no indication of what went wrong.
Now, sign in failures with send a warning, emits error event, and return HTTP 200 by default. Developers can also register custom handlers if desired, for example:
TypeScript:
Example log on
signin/failure:Note that the default behavior will still appear to fail silently for the user. There will be logs, but it will be up to the developer to determine how the user experiences the sign-in failure.
'resourcematchfailed'is an example of a setup error, however, and should not be an error that a 'real' user experiences. If desired, we could potentially modify the default behavior to send something to the user, but I'm disinclined to make that decision on the behalf of the developer.Feature work tested and verified in C#, PY, and TS.