feat(auth): re-add advanced issuer + slack team connection fields (PLEN-2153)

@anshugarg15checks n/achecks…feat/plen-2153-microsoft-slack-advanced-fields → master11 files · +159 −26updated 3w ago

▸Description · 2 noise

Description

Re-adds the advanced optional connection_fields from the reverted PR #22425 (reverted in #23427). This time, the well-formed-URL invariant is enforced by two corresponding apollo runtime fixes — see the strict merge order in Depends on below.

What changed:

7 Microsoft toolkits (outlook, one_drive, excel, microsoft_teams, dynamics365, azure_devops, share_point): add an optional issuer connection_field in strictFields.baseUrl with default: 'common', advanced=true. URL closures template directly with ${fields.issuer}:
```
token_url: (fields) => `https://login.microsoftonline.com/${fields.issuer}/oauth2/v2.0/token`,
authorization_url: (fields) => `https://login.microsoftonline.com/${fields.issuer}/oauth2/v2.0/authorize`,
```
No eval routing, no auth_url_host indirection. Apollo's seedSchemaFieldDefaults (hermes#10059) seeds the schema-declared default: 'common' into the templating data dict for any connection whose stored data lacks issuer (i.e. existing Microsoft connections created before this field). So URL templating sees issuer = 'common' for legacy connections and the user-supplied value for new ones.

issuer lives in baseUrl (not db) because URL closures only see baseUrl + eval + implicit fields. The baseUrl strictFields bucket is whitelisted; issuer was added as a known key in @composiohq/auth-config@0.1.23 (hermes#10058).
slack + slackbot: add an optional team field in strictFields.queryParams.generic_id marked advanced: true with no default, referenced from authorization_params as team: fields.generic_id. Apollo's applyNonEmptyAuthParams (hermes#10058) drops keys whose resolved value is empty, so when the user omits team, the param is omitted from the URL (instead of landing as &team=, which Slack rejects — the bug that caused the original PR's revert).

How did I test this PR

Regenerated config.json for all 9 toolkits via bun run auth-config/src/configToJson.ts apps/<app>/config.ts:
- Microsoft URLs land as https://login.microsoftonline.com/{{issuer}}/oauth2/v2.0/{token,authorize}. With apollo #10059, missing issuer → seeded 'common' from schema default; user-supplied value passes through.
- Slack authorization_params lands as { response_type: 'code', user_scopes: 'admin', team: '{{generic_id}}' }. With generic_id absent, apollo's applyNonEmptyAuthParams drops the key; with it supplied, emits &team=T0123ABC.

Depends on

This PR MUST merge AFTER both of these have landed:

ComposioHQ/hermes#10058 — applyNonEmptyAuthParams helper (drops empty resolved values from auth params) + @composiohq/auth-config@0.1.23 (adds issuer to the baseUrl whitelist).
ComposioHQ/hermes#10059 — seedSchemaFieldDefaults extension in getDataToResolveTemplatesWithEvalFields (seeds schema-declared default values into the templating dict, so missing-on-connection fields resolve correctly).

Without #10058: Slack &team= regression returns and breaks Slack OAuth. Without #10059: existing Microsoft connections (no issuer stored) produce login.microsoftonline.com//oauth2/... → 404.

Closes PLEN-2153 Closes PLEN-2154 Closes PLEN-2155

🤖 Generated with Claude Code

▸ 2 bot/status comments hidden

@linear-code[bot]3w ago

Problem

Our current auth config is static — we can't make OAuth endpoints dynamic or conditional based on customer-provided values. This blocks two key enterprise use cases:

1. Microsoft Tenant ID in OAuth URL

Microsoft single-tenant apps require /{tenantId} in the token/authorize URL instead of /common. Our current setup hardcodes /common, which:

Blocks single-tenant Entra apps entirely
May not enforce tenant-specific security policies even for multi-tenant apps during refresh
Customer (Glean) raised this — Ishan (Glean) confirmed: 'refreshing using /common for multitenant apps is also not correct — ideally you should be using /{tenant} for both token and refresh endpoints'

2. Slack Team ID

Same pattern — Slack's OAuth can be scoped to a specific workspace using team parameter. Without advanced params, we can't pass this dynamically.

RFC

Karthikeya has written an RFC: Advanced Auth Parameters for Toolkits

Lingala has reviewed and approved the approach, with comments to discuss.

A PR was started with Zen but needs testing.

Impact

Glean (enterprise) — blocked on single-tenant MS apps & Slack team scoping
General enterprise — M&A scenarios where tenancy controls on OAuth are critical
Multiple toolkits — not just MS & Slack, this is a general pattern needed across enterprise auth

Context

Internal discussion thread
Customer thread (ext-glean)
Originally planned for end of April, but action-scope mapping work is progressing well so this may be picked up sooner

Ask

Check whether Microsoft OAuth can support an OAuth endpoint like (instead of ), and whether adding it would be breaking.

loading diff…

@linear-code[bot]3w ago

Problem

Our current auth config is static — we can't make OAuth endpoints dynamic or conditional based on customer-provided values. This blocks two key enterprise use cases:

1. Microsoft Tenant ID in OAuth URL

Microsoft single-tenant apps require /{tenantId} in the token/authorize URL instead of /common. Our current setup hardcodes /common, which:

Blocks single-tenant Entra apps entirely
May not enforce tenant-specific security policies even for multi-tenant apps during refresh
Customer (Glean) raised this — Ishan (Glean) confirmed: 'refreshing using /common for multitenant apps is also not correct — ideally you should be using /{tenant} for both token and refresh endpoints'

2. Slack Team ID

Same pattern — Slack's OAuth can be scoped to a specific workspace using team parameter. Without advanced params, we can't pass this dynamically.

RFC

Karthikeya has written an RFC: Advanced Auth Parameters for Toolkits

Lingala has reviewed and approved the approach, with comments to discuss.

A PR was started with Zen but needs testing.

Impact

Glean (enterprise) — blocked on single-tenant MS apps & Slack team scoping
General enterprise — M&A scenarios where tenancy controls on OAuth are critical
Multiple toolkits — not just MS & Slack, this is a general pattern needed across enterprise auth

Context

Internal discussion thread
Customer thread (ext-glean)
Originally planned for end of April, but action-scope mapping work is progressing well so this may be picked up sooner

Ask

Check whether Microsoft OAuth can support an OAuth endpoint like (instead of ), and whether adding it would be breaking.

feat(auth): re-add advanced issuer + slack team connection fields (PLEN-2153)

Description

How did I test this PR

Depends on

Problem

1. Microsoft Tenant ID in OAuth URL

2. Slack Team ID

RFC

Impact

Context

Ask

Description

How did I test this PR

Depends on

Problem

1. Microsoft Tenant ID in OAuth URL

2. Slack Team ID

RFC

Impact

Context

Ask

Slack Threads

Updated Apr 6, 2026

What's needed

RFC & Progress

Impact

Additional Context