msteams: v2026.4.26 ships broken JWT validator (jwt.verify is not a function); fix b3bc60ae missed the cut

[mroboff]

Summary

The msteams plugin bundled with openclaw@2026.4.26 (which pins @openclaw/msteams@2026.4.25) silently drops every inbound Teams message because jwt.verify is not a function. Outbound messages from the bot continue to work, masking the failure — bots appear "online" but never receive user messages.

A fix has already landed on main in commit b3bc60ae40 ("fix(msteams): unwrap jwt runtime deps", 2026-04-27 20:53 UTC), but it was not included in the v2026.4.26 release which was cut a few hours later. So users upgrading to v2026.4.26 still hit this regression.

Reproduction

1. Install openclaw@2026.4.26 (bundles @openclaw/msteams@2026.4.25)
2. Configure a fully working Bot Channels / Teams app with valid appId, appPassword, tenantId, public messaging endpoint
3. Send any message to the bot in a Teams DM

Expected: Bot receives the message and an agent reply is dispatched.
Actual: Endpoint returns HTTP 401 silently, no agent run, no log output (even at logging.level=debug). Outbound from the bot still works, so the failure is invisible without packet/inbound instrumentation.

Root cause

In the compiled bundle dist/extensions/msteams/graph-users-Bgd5K8gB.js:

// Compiled (broken):
botFrameworkJwtDepsPromise ??= Promise.all([import("jsonwebtoken"), import("jwks-rsa")])
  .then(([jwt, { JwksClient }]) => ({ jwt, JwksClient }));

jsonwebtoken is a CommonJS module. Dynamic import() of a CJS module in Node ESM yields a namespace where verify only exists on .default (while decode is also exposed on the namespace, which is why jwt.decode(token) succeeds and jwt.verify(...) throws TypeError: jwt.verify is not a function).

The try { ... } catch { return false; } in createBotFrameworkJwtValidator.validate then silently swallows the TypeError, returning a falsy validation result and 401-ing the request.

The TS source already has the safe wrappers (loadJsonwebtokenRuntime, loadJwksClientRuntime) introduced in b3bc60ae40, but the plugin shipped at @openclaw/msteams@2026.4.25 (bundled in openclaw@2026.4.26) was built before that commit landed, and the bundler appears to have inlined the destructure rather than calling the helpers.

Diagnostic capture (what we observed)

With local instrumentation patches:

[MSTEAMS_DIAG] inbound POST /api/messages ua=Microsoft-SkypeBotApi (Microsoft-BotFramework/3.0)
[MSTEAMS_DIAG] JWT header={"alg":"RS256","kid":"Pr1J4k5mkxHV31woViVQirfzm5s","typ":"JWT"}
[MSTEAMS_DIAG] JWT claims iss=https://api.botframework.com aud=<our appId> serviceurl=https://smba.trafficmanager.net/amer/<tenant>/ exp=… (valid)
[JWT_DIAG] resolving kid=… from https://login.botframework.com/v1/.well-known/keys
[JWT_DIAG] got public key, length=450
[JWT_DIAG] EXCEPTION during verify: name=TypeError message=jwt.verify is not a function
[MSTEAMS_DIAG] JWT validation FAILED (returned falsy)

Token claims are correct, JWKS fetch is correct, kid resolves, public key extraction works. The verify call itself throws.

Local hot-fix that restored two-way comms

// dist/extensions/msteams/graph-users-Bgd5K8gB.js
botFrameworkJwtDepsPromise ??= Promise.all([import("jsonwebtoken"), import("jwks-rsa")])
  .then(([jwtMod, { JwksClient }]) => ({
    jwt: jwtMod.default ?? jwtMod,
    JwksClient,
  }));

After this single-line fix, JWT validation passes, conversations register, agent runs dispatch, and replies flow back to Teams.

Severity

High for any 1:1 or group Teams use case. The failure is invisible (silent 401, no logs even at debug), and the bot looks healthy from the outside because outbound works. We hit ~12 days of dead inbound before pinpointing it.

Suggested actions

1. Cut a v2026.4.27 (or v2026.4.26.1) that includes b3bc60ae40 and republishes @openclaw/msteams with the matching version bump.
2. Consider upgrading the silent catch { return false; } in createBotFrameworkJwtValidator.validate to log the error at warn level — silent JWT validation failures are nearly impossible to diagnose without source patching.
3. Add a JWT validation smoke test against a fixture token in CI to catch this regression.

Environment

• openclaw: 2026.4.26
• @openclaw/msteams: 2026.4.25
• Node: v22.22.0
• OS: Debian 13 (Linux 6.12.74+deb13+1-amd64)
• Bot Framework: standard Microsoft Teams channel via Azure Bot resource (Single Tenant)

Happy to provide a PR for both the source-level guarantee that the bundler can't strip the wrappers, and the catch-block logging improvement, if it would help. Thanks for OpenClaw — once we got past this, two-way comms have been rock solid. 🦞

[clawsweeper]

Thanks for the context here. I did a careful shell check against current main, and this is already implemented.

Close as implemented. Current main unwraps the staged CommonJS JWT runtime modules before validation, the regression-shaped test covers the reported jsonwebtoken ESM/CJS shape, and the published openclaw@2026.4.27 tarball contains the fixed compiled Microsoft Teams artifact while 2026.4.26 shows the broken destructuring.

So I’m closing this as already implemented rather than keeping a duplicate issue open.

Review details

Best possible solution:

Keep the shipped v2026.4.27 implementation as the release fix for the broken bundled artifact; track warn-level JWT diagnostics or stronger live smoke coverage separately if maintainers still want those follow-ups.

Do we have a high-confidence way to reproduce the issue?

Yes. The release regression is reproducible at the package-artifact level: the 2026.4.26 tarball has the broken jwt namespace destructure, while the 2026.4.27 tarball has the default-unwrapping runtime loader before jwt.verify.

Is this the best way to solve the issue?

Yes. For the release-facing failure, shipping a new OpenClaw package whose compiled Microsoft Teams bundle unwraps the runtime modules is the narrow maintainable fix; logging improvements are useful but not required to resolve the broken release.

Security review:

Security review: This is a non-PR release regression review; no patch diff was submitted for security or supply-chain review.

What I checked:

• current-main-source-fix: Current main loads jsonwebtoken through loadJsonwebtokenRuntime, unwraps .default when present, validates decode/verify, and passes that runtime into Bot Framework JWT validation before jwt.verify. (extensions/msteams/src/sdk.ts:731, 98b96182f8e1)
• current-main-regression-test-shape: The msteams test mock matches the reported jsonwebtoken@9 dynamic import shape: decode is named while verify is only available on default. (extensions/msteams/src/sdk.test.ts:62, 98b96182f8e1)
• release-changelog-proof: The v2026.4.27 changelog records the Microsoft Teams fix: unwrap staged CommonJS JWT runtime dependencies before Bot Connector token validation so inbound Teams messages no longer 401. (CHANGELOG.md:232, cbc2ba093146)
• release-tag-proof: v2026.4.27 points at release commit cbc2ba0931468259f26a7c547131a06e03ca6c6c, whose root package version is 2026.4.27. (package.json:3, cbc2ba093146)
• published-artifact-fixed: Streaming the published openclaw@2026.4.27 npm tarball shows dist/extensions/msteams/graph-users-CNpnmnVk.js calls loadJsonwebtokenRuntime(jwtModule) and loadJwksClientRuntime(jwksModule) before jwt.verify.
• prior-artifact-broken: Streaming the published openclaw@2026.4.26 npm tarball confirms the reported broken compiled artifact destructures Promise.all([import("jsonwebtoken"), import("jwks-rsa")]) as ([jwt, { JwksClient }]) and later calls jwt.verify.

Likely related people:

• steipete: Authored the v2026.4.27 release commit that ships the fixed package version and changelog entry, and authored the current checked-out main commit. (role: release maintainer; confidence: high; commits: cbc2ba093146, 98b96182f8e1; files: CHANGELOG.md, package.json, extensions/msteams/package.json)
• vincentkoc: Current-main blame for the Teams JWT unwrap helpers and regression-test mock points to this author, and the changelog shows recent Teams/JWT-adjacent maintenance credited to this handle. (role: recent maintainer; confidence: medium; commits: 02597caa8bff; files: extensions/msteams/src/sdk.ts, extensions/msteams/src/sdk.test.ts, CHANGELOG.md)

Codex review notes: model gpt-5.5, reasoning high; reviewed against 98b96182f8e1; fix evidence: release v2026.4.27, commit cbc2ba093146.

[rvwcs-jimt]

Thank you, I've been trying to debug msteams JWT auth issues for a day, finally locked in properly and discovered this exception. googled it to find this open issue.

I feel an exception like this being thrown should always get traced somewhere.

Great to have confirmation that I'm not just insane