feat(msteams): add DefaultAzureCredential auth type for passwordless Teams auth

[BingqingLyu]

Context

Issue openclaw#40855 requested passwordless authentication for the MS Teams channel. PR openclaw#40884 added certificate and federated credential support. PR openclaw#47934 addressed review feedback on that work — fixing schema validation, type design, env var hints, and SDK env fallback handling.

This PR builds on both to add defaultAzureCredential as a fourth auth type, completing the passwordless auth story for enterprise deployments.

Problem

Certificate and federated credential auth modes require operators to explicitly configure credential material (cert paths, FIC client IDs, workload identity assertion files). In Kubernetes deployments with Azure Workload Identity, and in local development with az login, these details are already available in the environment — but the operator still has to know which mode to select and which fields to set.

DefaultAzureCredential from @azure/identity solves this by automatically discovering credentials from the environment: workload identity, managed identity, Azure CLI, environment variables, and other sources. The operator only needs to provide appId and tenantId.

Changes

New auth type: defaultAzureCredential

{
  "channels": {
    "msteams": {
      "enabled": true,
      "appId": "<app-registration-id>",
      "tenantId": "<tenant-id>",
      "authType": "defaultAzureCredential"
    }
  }
}

DefaultAzureCredentialTokenProvider (extensions/msteams/src/sdk.ts)

• Wraps @azure/identity's DefaultAzureCredential with the same getAccessToken(scope) interface as MsalTokenProvider
• Passes appId as managedIdentityClientId and workloadIdentityClientId so the credential targets the correct bot identity
• Normalizes resource URIs to AAD scopes (https://graph.microsoft.com → https://graph.microsoft.com/.default) since DefaultAzureCredential.getToken() requires scope format, not bare resource URIs

createTokenProvider() factory (extensions/msteams/src/sdk.ts)

• Returns DAC or MSAL provider based on authType
• Used by all 4 token acquisition sites: probe.ts, monitor.ts, send-context.ts, graph.ts

Setup surface fix (extensions/msteams/src/setup-surface.ts)

• When re-entering credentials as client secret via the setup wizard, authType and related fields (certPemFile, certKeyFile, ficClientId, widAssertionFile) are now reset. Previously, re-running setup on a non-client-secret config would preserve the old authType, causing resolveMSTeamsCredentials() to ignore the newly entered secret.

Release checks (extensions/msteams/package.json)

• Added @azure/identity to rootDependencyMirrorAllowlist so scripts/release-check.ts does not report bundled extension dependency drift.

Config schema + types

• authType union extended with "defaultAzureCredential" in both types.msteams.ts and zod-schema.providers-core.ts

Use cases

AKS with Workload Identity — the pod's service account has a federated credential. DefaultAzureCredential picks it up automatically. No secrets, no cert files, no Vault.

Local development — az login and go. Same config works everywhere.

Azure VMs / App Service — managed identity. Same config.

Dependencies

• @azure/identity ^4.9.1 added as a dependency of the msteams extension (not root package.json, per plugin guidelines)

AI Disclosure

• AI-assisted (Claude Code + Codex review — multiple review cycles)
• Fully tested — 246/246 msteams tests passing
• pnpm build && pnpm check && pnpm test green (pre-existing normalizeAgentId tsgo error on main excluded)
• Authors understand what the code does
• Codex review addressed: scope normalization, identity pinning, setup surface reset, release checks allowlist

Fixes openclaw#40855
Related: openclaw#40884, openclaw#47934