Skip to main content

Auth Flows

OSO MS Teams CLI uses delegated Microsoft Graph auth for normal user actions. By default, teams auth login and teams auth login --device-code use OSO's multi-tenant public client app with the organizations authority. Customer-owned Entra apps remain supported with --client-id, --tenant-id, and profile configuration.

Client credentials are supported only for Microsoft Graph operations that explicitly support application permissions. They are not the normal model for live Teams chat or channel message posting. For unattended service-identity posting, the product direction is a Teams app/bot mode, not app-only Graph message sends.

Token resolution order for normal commands:

  1. TEAMS_CLI_ACCESS_TOKEN.
  2. OS keyring token for the selected profile.
  3. Authentication error.

Client ID and tenant ID resolution order is CLI flag, environment variable, then profile config.

Token audience

Normal commands call Microsoft Graph endpoints, so the selected token must be a Microsoft Graph access token. The CLI must not reuse bearer tokens issued for Microsoft Teams client resources, Skype, ChatSvcAgg, SharePoint, Exchange, or any other audience.

This matters for environment token overrides. TEAMS_CLI_ACCESS_TOKEN is a bypass around keyring lookup, not a token conversion mechanism. If the token audience is not Microsoft Graph, Graph will reject the request with InvalidAuthenticationToken: Invalid audience.

Unsupported examples:

  • ~/.config/fossteams/token-teams.jwt
  • ~/.config/fossteams/token-skype.jwt
  • ~/.config/fossteams/token-chatsvcagg.jwt

The usability lesson from those tools is valid: auth should be easier to start and easier to diagnose. The implementation answer is better Graph-native login, token inspection, and consent guidance, not importing captured Teams client tokens.