MS Teams SSO signin failure with resourcematch failed #193132
-
Discussion TypeQuestion Discussion ContentHi team, I'm trying to implement single sign on for a simple bot app built using Teams SDK and I keep getting a 200 response with a sign in failure. I have checked the application ID URI, token exchange URL (in bot resource) and the manifest When I try to sign in from teams client the resource match failed keeps happening even if the troubleshooting checklist looks fine. I have also checked the jwt generated when testing the oauth connection (https://token.botframework.com/api/oauth/TestConnectionCallback) configured for the Azure bot resource and it works fine with graph endpoints. TIA |
Beta Was this translation helpful? Give feedback.
Replies: 5 comments 4 replies
-
|
Thanks for posting in the GitHub Community, @tharuds! We're happy you're here. You are more likely to get a useful response if you are posting your question in the applicable category, the Discussions category is solely related to conversations around the GitHub product Discussions. This question should be in the |
Beta Was this translation helpful? Give feedback.
This comment was marked as low quality.
This comment was marked as low quality.
This comment was marked as low quality.
This comment was marked as low quality.
-
|
This specific error: is almost always caused by a mismatch between the resource (audience) in the token and what Teams expects during SSO token exchange — even if everything looks correct. What’s actually happeningIn Teams SSO, the flow is:
If the resource (aud) does not exactly match what your bot expects, you get: Most common root causes:Based on your description, these are the likely issues: 1. Tenant mismatch (very likely in your case)You mentioned:
This is a red flag. -> Teams SSO requires consistent tenant context If:
-> Resource validation fails 2. Application ID URI mismatchEven if it “looks correct”, this must be exactly identical everywhere: Must match across:
Typical correct format: Common mistake: Even a small mismatch → failure 3. OAuth connection misconfiguration (Bot Service)Your Bot’s OAuth connection must:
Also ensure: 4. Using wrong token (Graph vs custom resource)You said:
That’s expected — but irrelevant. Graph token: Your bot expects: These are different tokens. How to debug properlyDecode the JWT (use jwt.ms) and check: {
"aud": "...",
"iss": "...",
"tid": "..."
}Verify:
Fix strategy:Step 1 — Align tenantPick ONE:
Step 2 — Fix Application ID URIIn Azure: Step 3 — Update Teams manifest"webApplicationInfo": {
"id": "<client-id>",
"resource": "api://<client-id>"
}Step 4 — Recreate OAuth connectionSometimes configs get cached:
Step 5 — Clear Teams cache (important)Teams aggressively caches tokens:
Key insightThis error is not about authentication failing Everything can “look right” — but if: → it will always fail |
Beta Was this translation helpful? Give feedback.
-
|
Hi, |
Beta Was this translation helpful? Give feedback.
Hi,
I was able to fix the issue and couldn't update here.
Root cause was an App Registration conflict in the Developer Portal
Sharing the fix in case it helps others who hit the same "resource match failure":
The issue was caused by an inconsistency in the app registration on the Developer Portal.. the Teams client wasn't correctly matching the registered app to its manifest.
This tends to happen when the registration is done manually rather than through the M365 Agents Toolkit, which normally handles registering the app and its entities for you. The SSO sample guides don't mention this out explicitly, so if you're setting things up manually, double-check that your app registration and ma…