[Bug]: MS Teams delegated OAuth launcher uses xdg-open on win32 instead of explorer.exe

[shaun0927]

Summary

MS Teams delegated OAuth setup currently launches the browser with xdg-open on win32, so the native Windows path does not use the repository's normal Windows browser-open behavior.

Steps to reproduce

1. Stub process.platform to "win32".
2. Call openDelegatedOAuthUrl("https://example.com/oauth") from extensions/msteams/src/setup-surface.ts.
3. Observe the spawned command.

Expected behavior

On Windows, delegated OAuth setup should use the same browser-open command family as the shared helper in src/infra/browser-open.ts, which resolves to explorer.exe on win32.

Actual behavior

openDelegatedOAuthUrl() currently selects:

• open on macOS
• xdg-open on every other platform

That means win32 still tries xdg-open.

OpenClaw version

Observed on main at fbccc18e745e (2026-04-16) before the local fix.

Operating system

Windows 11 (repro validated with a local win32-targeted unit test in a source checkout).

Install method

Source checkout / local test workspace.

Model

N/A (setup-surface issue before model selection).

Provider / routing chain

N/A (delegated OAuth launcher path only).

Logs, screenshots, and evidence

Relevant code paths:

• extensions/msteams/src/setup-surface.ts:32-35
• src/infra/browser-open.ts:36-39

Local repro evidence:

• A targeted local repro test passed while asserting that openDelegatedOAuthUrl() calls xdg-open when process.platform === "win32".
• The same repro confirmed the shared browser-open helper still resolves to explorer.exe on win32.

Impact and severity

• Affected users/systems/channels: native Windows users configuring MS Teams delegated OAuth
• Severity: medium (can block or break browser launch during setup)
• Frequency: deterministic in the validated win32 repro path
• Consequence: delegated OAuth setup uses the wrong launcher on Windows and diverges from the repo's shared browser-open behavior

Additional information

This looks like a narrow cross-platform regression rather than a broader auth or token-handling issue. The smallest fix appears to be adding an explicit win32 -> explorer.exe branch (or reusing a platform-safe shared launcher through an allowed seam).

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Summary
Keep this issue open: current main still routes MS Teams delegated OAuth through xdg-open on win32, and the issue is paired with open closing PR #67660, so it should stay open until that PR or a deliberate replacement lands.

Reproducibility: yes. Stub process.platform to win32, call openDelegatedOAuthUrl(), and inspect the mocked spawn command; current main still selects xdg-open.

Next step
Not a repair-lane candidate because #67660 is an open same-author closing PR; the next action is maintainer review of that PR or a deliberate replacement.

Review details

Best possible solution:

Keep this issue tied to #67660 until maintainers land or replace it with a narrow MS Teams plugin fix that matches the current Windows browser-open contract, preserves shell: false, and adds focused win32 regression coverage.

Do we have a high-confidence way to reproduce the issue?

Yes. Stub process.platform to win32, call openDelegatedOAuthUrl(), and inspect the mocked spawn command; current main still selects xdg-open.

Is this the best way to solve the issue?

Unclear. Fixing the MS Teams setup helper is the right boundary, but the exact launcher should be reconciled with the current shared Windows contract before accepting explorer.exe or any cmd.exe-based alternative.

What I checked:

• Current main still falls through to xdg-open: openDelegatedOAuthUrl() chooses open only for darwin and xdg-open for every other platform, so win32 still follows the reported path. (extensions/msteams/src/setup-surface.ts:34, 9404a4ddcd11)
• Delegated OAuth setup uses the affected launcher: The setup finalizer passes openDelegatedOAuthUrl as the openUrl callback to loginMSTeamsDelegated, so this platform branch affects the delegated OAuth setup flow. (extensions/msteams/src/setup-surface.ts:286, 9404a4ddcd11)
• Existing test mirrors the missing Windows branch: The current setup-surface test asserts the same darwin ? open : xdg-open command selection and has no win32 launcher expectation. (extensions/msteams/src/setup-surface.test.ts:70, 9404a4ddcd11)
• Shared browser-open contract is Windows-specific: The shared helper resolves win32 to System32/rundll32.exe url.dll,FileProtocolHandler, and onboarding tests assert that command without cmd.exe parsing. (src/infra/browser-open.ts:54, 9404a4ddcd11)
• Open closing PR exists: Provided GitHub context lists PR fix(msteams): use explorer.exe for delegated OAuth on win32 #67660 as open, unmerged, same-author, and using closing syntax for this issue, so review policy keeps the issue open until that implementation candidate is resolved. (025daab938e8)
• Extension boundary affects fix shape: Extension production code must use plugin SDK surfaces or local barrels and must not import core src/** internals directly, so a fix should stay local or add a documented plugin-facing seam. (extensions/AGENTS.md:27, 9404a4ddcd11)

Likely related people:

• @vincentkoc: Available local blame on current main attributes the MS Teams setup launcher, its test, and the shared Windows browser-open helper to commit d4268b1, and the changelog also credits @vincentkoc on prior Windows onboarding browser-open hardening. (role: recent main-line maintainer / current line owner; confidence: medium; commits: d4268b1b2b74; files: extensions/msteams/src/setup-surface.ts, extensions/msteams/src/setup-surface.test.ts, src/infra/browser-open.ts)
• @shaun0927: Opened PR fix(msteams): use explorer.exe for delegated OAuth on win32 #67660 with closing syntax and focused changes for the MS Teams delegated OAuth launcher, tests, and changelog. (role: linked implementation candidate author; confidence: medium; commits: 025daab938e8, fd4906c78657; files: extensions/msteams/src/setup-surface.ts, extensions/msteams/src/setup-surface.test.ts, CHANGELOG.md)
• @nightq: Opened related closed PRs fix: MS Teams OAuth on Windows and browser.cdpUrl security redaction #67738 and fix: MS Teams OAuth on Windows and browser.cdpUrl security redaction #68077 covering the same Windows MS Teams OAuth behavior, including an alternate Windows launcher approach maintainers should compare against the current shared helper. (role: related implementation candidate author; confidence: medium; commits: 26978eb20b8c, 310ab64e185a, c8d68107e806; files: extensions/msteams/src/setup-surface.ts, extensions/msteams/src/setup-surface.test.ts)

Remaining risk / open question:

• The preferred Windows opener needs maintainer choice: this issue and PR fix(msteams): use explorer.exe for delegated OAuth on win32 #67660 name explorer.exe, PR fix: MS Teams OAuth on Windows and browser.cdpUrl security redaction #68077 proposed cmd /c start, while current shared browser opening uses trusted rundll32.exe url.dll,FileProtocolHandler.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 9404a4ddcd11.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Keep this issue open. Current main still sends MS Teams delegated OAuth URLs to xdg-open on every non-macOS platform, including win32, and there is an open same-author implementation PR with closing syntax that should be reviewed before the issue is resolved.

Required change / next step:

This is not a repair-lane candidate because an open same-author PR already closes this issue, and a related PR proposes an alternative approach; the next action is maintainer review of the existing candidates.

Review details

Best possible solution:

Keep the issue open until maintainers review and land #67660, choose a safer replacement, or close the candidate PRs with a clear alternative. The accepted fix should align MS Teams delegated OAuth with the current Windows browser-open contract through an allowed plugin boundary and add focused win32 regression coverage.

What I checked:

• Current MS Teams launcher still falls through on win32: openDelegatedOAuthUrl() chooses open only for darwin and xdg-open for every other platform, so win32 still follows the reported failing branch. (extensions/msteams/src/setup-surface.ts:34, acae48b790fa)
• Delegated OAuth setup uses this launcher: The setup wizard passes openDelegatedOAuthUrl as the openUrl callback into loginMSTeamsDelegated, so the platform branch affects the delegated OAuth setup path. (extensions/msteams/src/setup-surface.ts:288, acae48b790fa)
• Existing test mirrors the missing branch: The current unit test asserts the same darwin ? open : xdg-open split and has no Windows-specific command expectation. (extensions/msteams/src/setup-surface.test.ts:70, acae48b790fa)
• Shared browser-open helper has a Windows-specific path: The shared browser-open helper uses the Windows system URL handler through rundll32.exe url.dll,FileProtocolHandler on win32, confirming that MS Teams remains divergent from the current shared contract. (src/infra/browser-open.ts:54, acae48b790fa)
• Open implementation candidate exists: Provided GitHub context lists fix(msteams): use explorer.exe for delegated OAuth on win32 #67660 as open, unmerged, same-author, and containing Closes this issue; review rules keep the issue open while that implementation candidate remains open. (fd4906c78657)
• Extension boundary matters for the fix shape: extensions/AGENTS.md says extension production code should use plugin SDK surfaces and must not import core src/** internals directly, so a fix should either stay local or add an allowed plugin-facing seam. (extensions/AGENTS.md:15, acae48b790fa)

Likely related people:

• @steipete: Available local blame attributes the current MS Teams setup-surface launcher, its test, and the shared browser-open helper lines to Peter Steinberger, and the current main commit is also authored by him. (role: recent maintainer / current line owner; confidence: medium; commits: a972c9ec4547, acae48b790fa; files: extensions/msteams/src/setup-surface.ts, extensions/msteams/src/setup-surface.test.ts, src/infra/browser-open.ts)
• @shaun0927: Opened fix(msteams): use explorer.exe for delegated OAuth on win32 #67660 with closing syntax for this issue and a focused proposed change to the MS Teams delegated OAuth launcher and tests. (role: linked implementation candidate author; confidence: medium; commits: fd4906c78657; files: extensions/msteams/src/setup-surface.ts, extensions/msteams/src/setup-surface.test.ts, CHANGELOG.md)
• @nightq: Opened related PRs fix: MS Teams OAuth on Windows and browser.cdpUrl security redaction #67738 and fix: MS Teams OAuth on Windows and browser.cdpUrl security redaction #68077 covering this Windows OAuth behavior, though fix: MS Teams OAuth on Windows and browser.cdpUrl security redaction #68077 proposes a different launcher approach that needs maintainer review against current Windows browser-open hardening. (role: related implementation candidate author; confidence: medium; commits: 26978eb20b8c, 310ab64e185a, c8d68107e806; files: extensions/msteams/src/setup-surface.ts, extensions/msteams/src/setup-surface.test.ts)

Remaining risk / open question:

• The open PRs point in slightly different directions: fix(msteams): use explorer.exe for delegated OAuth on win32 #67660 proposes explorer.exe, fix: MS Teams OAuth on Windows and browser.cdpUrl security redaction #68077 proposes cmd /c start, while current shared browser opening uses trusted rundll32.exe; maintainers should pick the Windows opener deliberately rather than accepting a launcher regression.

Codex review notes: model gpt-5.5, reasoning high; reviewed against acae48b790fa.

[BradGroux]

Closing this as completed by 366f1ea7064cf8f4cc853ce7a91542a78dc35baf on current main.

The reported win32 -> xdg-open delegated OAuth launcher path no longer exists: MS Teams delegated OAuth now uses the manual setup path for all environments, and openDelegatedOAuthUrl() returns the manual-open message instead of spawning xdg-open, open, or explorer.exe.