
fix(msteams): accept SingleTenant sts.windows.net issuer in JWT validator (#64270) #64641

Merged
BradGroux merged 1 commit into openclaw:main from sudie-codes:fix/msteams-singletenant-jwt-64270
Apr 12, 2026

Conversation

@sudie-codes
Contributor

Summary

Fixes SingleTenant bot JWT validation failures. SingleTenant has been Microsoft's default bot type since 2025-07-31, so every new Teams bot deployment was hitting 401 Unauthorized on incoming webhooks.

Root cause

The sts.windows.net v1 issuer entry in BOT_FRAMEWORK_ISSUERS was hardcoded to one specific tenant UUID (d6d49420-f39b-4df7-a1dc-d59a935871db). SingleTenant tokens carry issuer https://sts.windows.net/{tenantId}/ scoped to the bot's own tenant, so every other deployment failed issuer validation.

The second half of the bug report, missing https://api.botframework.com from the audience list, was already fixed in #62674. The current createBotFrameworkJwtValidator builds allowedAudiences = [appId, api://appId, https://api.botframework.com], so no further audience changes are needed. Verified against extensions/msteams/src/sdk.ts.

Fix

  • Change the sts.windows.net entry from a hardcoded string to ``(tenantId) => `https://sts.windows.net/${tenantId}/` ``, matching the shape of the existing login.microsoftonline.com/.../v2.0 v2 entry. createBotFrameworkJwtValidator already resolves function-form issuers against creds.tenantId, so no caller changes are needed.
  • Rename the existing STS Windows test to explicitly reference SingleTenant and issue #64270 ([Bug] MS Teams SingleTenant bot: JWT validation fails (issuer + audience mismatch)), and have it read creds.tenantId so it exercises the tenant-aware path.
  • Add a regression guardrail test: the previously hardcoded UUID must be rejected when the bot is configured for a different tenant. This prevents silently accepting cross-tenant tokens if the string ever gets reintroduced.

Note on related PR

#64276 (by @mschaepers, the issue reporter) proposes the same sts.windows.net fix. This PR builds on their approach with identical production semantics, plus an extra regression test for the cross-tenant case and a code comment that documents why the function form exists. If #64276 lands first, this PR becomes a small test-only follow-up.

Test plan

  • pnpm test extensions/msteams/src/sdk.test.ts (13 passed, including the two new SingleTenant cases)
  • CI green

Fixes #64270

Generated with Claude Code
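The issuer-resolution shape the PR describes (string entries beside tenant-scoped function entries, resolved against the bot's configured tenant, with a cross-tenant token rejected), as an added stand-alone illustration that is not the openclaw project's code; the entry list, function names and the constructed unsigned token are assumptions:

```typescript
// Added illustration, not extensions/msteams/src/sdk.ts: a tenant-aware
// issuer allow-list mixing fixed strings and function-form entries.
type IssuerEntry = string | ((tenantId: string) => string);

// Constructed sample list (assumption): one fixed entry plus two tenant-scoped ones.
const ISSUERS: IssuerEntry[] = [
  "https://api.botframework.com",
  (tenantId) => `https://login.microsoftonline.com/${tenantId}/v2.0`,
  (tenantId) => `https://sts.windows.net/${tenantId}/`,
];

// Resolve one entry against the bot's own tenant; strings pass through unchanged.
export function resolveIssuerEntry(entry: IssuerEntry, tenantId: string): string {
  return typeof entry === "function" ? entry(tenantId) : entry;
}

// Full allow-list for the configured tenant.
export function allowedIssuers(tenantId: string, entries: IssuerEntry[] = ISSUERS): string[] {
  return entries.map((e) => resolveIssuerEntry(e, tenantId));
}

// Decode the payload of a compact JWT. No signature verification happens here;
// the issuer check is one step of validation, run alongside signature and
// audience checks, never instead of them.
function decodePayload(token: string): Record<string, unknown> {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed JWT");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Exact string match of the token's iss claim against the resolved allow-list,
// so a token scoped to some other tenant's sts.windows.net issuer is rejected.
export function isIssuerAllowed(token: string, tenantId: string): boolean {
  const iss = decodePayload(token).iss;
  return typeof iss === "string" && allowedIssuers(tenantId).includes(iss);
}

// Constructed, unsigned sample token carrying the given issuer (test input only).
export function makeToken(iss: string): string {
  const enc = (o: object) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${enc({ alg: "RS256", typ: "JWT" })}.${enc({ iss, aud: "app-id" })}.sig`;
}
```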

@openclaw-barnacle openclaw-barnacle Bot added channel: msteams Channel integration: msteams size: XS labels Apr 11, 2026
@greptile-apps
Contributor

greptile-apps Bot commented Apr 11, 2026

Greptile Summary

This PR fixes a JWT validation bug (#64270) where sts.windows.net v1 issuer tokens were rejected for all SingleTenant bot deployments except the one whose UUID happened to be hardcoded. The fix replaces the hardcoded string with a function ``(tenantId) => `https://sts.windows.net/${tenantId}/` `` — exactly matching the existing pattern used for the login.microsoftonline.com v2 entry — and adds both a positive test confirming tenant-aware acceptance and a regression guardrail test confirming the old UUID is rejected for a differently-configured bot.

Confidence Score: 5/5

Safe to merge — minimal, targeted fix using an established pattern with correct tests and no security regressions.

The production change is a one-line replacement following an existing pattern already used in the same array. resolveIssuerEntry and allowedIssuers both already handle the function form correctly, so no call-site changes are needed. The two new tests cover both the happy path and the cross-tenant rejection path. No unrelated changes are introduced.

No files require special attention.

Reviews (1): Last reviewed commit: "fix(msteams): accept SingleTenant sts.wi..."

@BradGroux BradGroux force-pushed the fix/msteams-singletenant-jwt-64270 branch from 3e8dc3f to ed07129 on April 11, 2026 18:03
@openclaw-barnacle openclaw-barnacle Bot added agents Agent runtime and tooling size: S and removed size: XS labels Apr 11, 2026
@BradGroux BradGroux force-pushed the fix/msteams-singletenant-jwt-64270 branch from f37fa12 to 7e381df on April 12, 2026 00:48
@openclaw-barnacle openclaw-barnacle Bot added size: XS and removed agents Agent runtime and tooling size: S labels Apr 12, 2026
@BradGroux BradGroux merged commit 7e6b4d7 into openclaw:main Apr 12, 2026
42 checks passed
trudbot pushed a commit to trudbot/openclaw that referenced this pull request Apr 12, 2026
TOMUIV pushed a commit to TOMUIV/openclaw that referenced this pull request Apr 14, 2026
lovewanwan pushed a commit to lovewanwan/openclaw that referenced this pull request Apr 28, 2026
ogt-redknie pushed a commit to ogt-redknie/OPENX that referenced this pull request May 2, 2026
github-actions Bot pushed a commit to Desicool/openclaw that referenced this pull request May 9, 2026


Development

Successfully merging this pull request may close these issues.

[Bug] MS Teams SingleTenant bot: JWT validation fails (issuer + audience mismatch)