[Bug]: MS Teams bot fails silently when network paths are blocked — errors are swallowed and logs don't help

[david-garcia-garcia]

Bug type

Behavior bug (incorrect output/state without crash)

Beta release blocker

No

Summary

We had to open two firewall egress rules to get the Teams bot working:

• login.botframework.com — needed to fetch the JWKS keys for validating inbound Bot Framework JWTs
• smba.trafficmanager.net — needed by the Bot Framework Connector when the bot replies to messages

Neither of these hosts is documented in the Teams channel setup, and when either one is blocked the bot fails in ways that are genuinely hard to trace. This is a request to make those failure modes visible.

Steps to reproduce

When login.botframework.com was blocked, every inbound webhook returned 401 Unauthorized. That on its own is somewhat expected — but the problem is that 401 also covers:

• a misconfigured appId / appPassword
• an expired or malformed token sent by Teams
• a clock skew / expiry issue
• a JWKS fetch failure (our case — firewall)

There is no way to tell them apart at info log level. The actual DNS / TLS error from the JWKS fetch is absorbed inside createBotFrameworkJwtValidator (sdk.ts):

} catch {
  return false;   // <-- DNS error, ECONNREFUSED, TLS issue — all collapsed to false
}

The middleware in monitor.ts then logs "JWT validation failed" at debug and sends 401. So at default log levels, all you see is 401. You don't see a JWKS fetch timeout, you don't see an ENOTFOUND, nothing. It looks like a credentials problem.

When smba.trafficmanager.net was blocked the bot received messages fine (JWT validation was now passing), but replies never arrived. The outbound send errors in errors.ts classify transport-level failures (connection refused, DNS failure, timeout) as "unknown", and "unknown" gets no hint message from formatMSTeamsSendErrorHint. So the log shows the reply failed, but gives no pointer to egress or the Connector endpoint.

Expected behavior

Why diagnosis was painful

When login.botframework.com was blocked, every inbound webhook returned 401 Unauthorized. That on its own is somewhat expected — but the problem is that 401 also covers:

• a misconfigured appId / appPassword
• an expired or malformed token sent by Teams
• a clock skew / expiry issue
• a JWKS fetch failure (our case — firewall)

There is no way to tell them apart because the actual DNS / TLS error from the JWKS fetch is absorbed inside createBotFrameworkJwtValidator (sdk.ts):

} catch {
  return false;   // <-- DNS error, ECONNREFUSED, TLS issue — all collapsed to false
}

The middleware in monitor.ts then sends 401. All you see is 401 — no JWKS fetch timeout, no ENOTFOUND, nothing. It looks like a credentials problem.

When smba.trafficmanager.net was blocked the bot received messages fine (JWT validation was now passing), but replies never arrived. The outbound send errors in errors.ts classify transport-level failures (connection refused, DNS failure, timeout) as "unknown", and "unknown" gets no hint message from formatMSTeamsSendErrorHint. So the log shows the reply failed, but gives no pointer to egress or the Connector endpoint.

---

Code locations where errors disappear or get too quiet

JWT key fetch swallowed — sdk.ts, createBotFrameworkJwtValidator

The inner catch around getSigningKey + jwt.verify returns false for everything — a bad signature, an expired token, or a firewall blocking login.botframework.com:443. They're all the same from the caller's perspective.

Invoke fast-ack swallows handler errors — sdk.ts, adapter.process

For invoke activities, 200 is flushed before await logic(context) runs (this is correct Teams behaviour to avoid invoke timeouts). But if the handler throws after that, the catch block skips the 500 response (if (!isInvoke) { response.status(500).send(...) }). The failure lands in runtime.error only. Teams already considers the invoke handled.

Message handler failures hidden behind optional chaining — monitor-handler.ts

handler.onMessage(async (context, next) => {
  try {
    await handleTeamsMessage(context as MSTeamsTurnContext);
  } catch (err) {
    deps.runtime.error?.(`msteams handler failed: ${formatUnknownError(err)}`);
  }
  await next();
});

deps.runtime.error?. is optional. If runtime.error is not provided, a thrown error from handleTeamsMessage disappears entirely. The pipeline also always calls next(), so from the outside the handler looks like it completed normally.

The same pattern applies to onReactionsAdded and onReactionsRemoved.

Allowlist hydration errors swallowed — monitor.ts

At startup, allowlist entries are resolved against Graph. If Graph calls fail, the bot falls back to raw config entries and logs the error at runtime.log?. level — which is also optional, meaning it can silently vanish if the runtime hook isn't wired.

Outbound failures get no network hint — errors.ts, formatMSTeamsSendErrorHint

The classifier handles auth, throttled, and transient (5xx) with actionable strings. Transport-level errors — ECONNREFUSED, ENOTFOUND, TLS handshake failures toward the Connector — fall into "unknown" and get no hint at all. There is nothing pointing to smba, egress rules, or TLS inspection.

Target resolver errors reported but hook is optional — channel.ts

} catch (err) {
  runtime.error?.(`msteams resolve failed: ${String(err)}`);
  markPendingLookupFailed(pending);
}

Same pattern: optional hook, so depending on runtime setup the error may not surface.

Actual behavior

Swallowed or confusing error details

OpenClaw version

2026.5.3

Operating system

Ubuntu 24.0.

Install method

No response

Model

N/A

Provider / routing chain

N/A

Additional provider/model setup details

No response

Logs, screenshots, and evidence

Impact and severity

No response

Additional information

No response

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Summary
Keep open; current main still obscures the two reported MS Teams network failure modes, and the related issue search did not find another open tracker or merged fix for this exact diagnostics gap.

Reproducibility: yes. source-level: blocked JWKS fetches are caught and reduced to false, and blocked Connector posts without an HTTP status classify as unknown with no hint. I did not live-block the network paths in a Teams tenant.

Next step
This is a narrow, plugin-owned diagnostics repair with clear source paths, no protected labels, no open fixing PR, and no core API/product decision needed.

Review details

Best possible solution:

Add a narrow MS Teams plugin fix that preserves 401/auth security behavior while logging safe JWKS/network causes, adds a transport/egress send hint, and documents the required Bot Framework hosts.

Do we have a high-confidence way to reproduce the issue?

Yes, source-level: blocked JWKS fetches are caught and reduced to false, and blocked Connector posts without an HTTP status classify as unknown with no hint. I did not live-block the network paths in a Teams tenant.

Is this the best way to solve the issue?

Yes, the best direction is a plugin-local diagnostics fix, not a core channel contract change. Keep token validation strict and avoid logging secrets or full bearer tokens.

Acceptance criteria:

• pnpm test extensions/msteams/src/sdk.test.ts extensions/msteams/src/errors.test.ts extensions/msteams/src/monitor.lifecycle.test.ts
• pnpm exec oxfmt --check --threads=1 extensions/msteams/src/sdk.ts extensions/msteams/src/errors.ts extensions/msteams/src/monitor.ts extensions/msteams/src/sdk.test.ts extensions/msteams/src/errors.test.ts extensions/msteams/src/monitor.lifecycle.test.ts docs/channels/msteams.md CHANGELOG.md
• pnpm check:changed in Testbox before handoff if promoted to a PR

What I checked:

• JWKS failures collapse to unauthorized: createBotFrameworkJwtValidator resolves the issuer-specific JWKS client, then catches every getSigningKey or jwt.verify error and returns false, so DNS/TLS/firewall failures are indistinguishable from invalid credentials at the caller boundary. (extensions/msteams/src/sdk.ts:859, 3290cba1a603)
• JWT middleware logs only generic debug output: When validation returns false, the webhook middleware logs only JWT validation failed through the debug logger before returning 401. (extensions/msteams/src/monitor.ts:292, 3290cba1a603)
• Transport send errors get no hint: Outbound send errors without an HTTP status fall through to kind: "unknown", and formatMSTeamsSendErrorHint returns undefined for unknown classifications. (extensions/msteams/src/errors.ts:207, 3290cba1a603)
• Reply logging depends on missing hint: The reply dispatcher appends the formatted hint when present, so unknown transport failures are logged without an egress or Connector endpoint pointer. (extensions/msteams/src/reply-dispatcher.ts:301, 3290cba1a603)
• Teams setup docs omit the reported egress hosts: The Teams setup doc mentions IMDS egress for managed identity but does not document login.botframework.com or smba.trafficmanager.net as required Bot Framework network paths. Public docs: docs/channels/msteams.md. (docs/channels/msteams.md:419, 3290cba1a603)
• Dependency behavior supports the source reproduction: jwks-rsa@4.0.1 declares getSigningKey as a promise and its request wrapper rejects network request errors; @microsoft/teams.common@2.0.9 uses Axios for Connector HTTP posts, so blocked outbound paths surface as thrown transport errors before OpenClaw classifies/logs them.

Likely related people:

• steipete: Recent GitHub commit history shows multiple touches to the central Teams files, including refactor: trim msteams helper exports, JWT runtime dependency work, and docs updates. (role: recent maintainer; confidence: high; commits: 3f002b10d281, b3bc60ae259b, fd83c49cffc0; files: extensions/msteams/src/sdk.ts, extensions/msteams/src/errors.ts, extensions/msteams/src/monitor.ts)
• sudie-codes: Auth and proactive-send history is strongly related: commits accepted Bot Framework audience tokens, SingleTenant STS issuer validation, SSO invoke handling, and tenant/aadObjectId proactive-send fixes. (role: feature-history owner; confidence: high; commits: a59a9bfb072e, 7e6b4d70b94a, 2b5b58194b7e; files: extensions/msteams/src/sdk.ts, extensions/msteams/src/monitor.ts)
• BradGroux: Recent Teams logging history includes the fix to use formatUnknownError for error logging, which is adjacent to the current diagnostics gap. (role: adjacent logging contributor; confidence: medium; commits: 03c64df39fe7, fce81fccd859; files: extensions/msteams/src/monitor.ts, extensions/msteams/src/errors.ts)
• vincentkoc: Recent Teams work includes global-audience token binding, test/startup maintenance, docs sweeps, and official plugin distribution docs that overlap the auth/docs surface. (role: adjacent maintainer; confidence: medium; commits: e1840b858125, dbd26e49f133, 41268ded2d23; files: extensions/msteams/src/sdk.ts, docs/channels/msteams.md)

Remaining risk / open question:

• I did not run a live firewall-blocked Teams scenario; the reproduction is source-level plus dependency-source backed.
• The issue bundles several diagnostics complaints; the strongest evidence is for JWKS fetch visibility and Connector send hints, while the optional runtime.error?. concern is weaker because RuntimeEnv requires error and monitorMSTeamsProvider supplies a default runtime.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 3290cba1a603.