Built-in task tool fails with "No GitHub OAuth token" in BYOK/Azure AI Foundry deployments #559
Description
Description
When using the Copilot SDK with a BYOK (Bring Your Own Key) Azure AI Foundry provider, the built-in task tool always fails because the sub-agent it spawns cannot authenticate. The parent session authenticates via Azure AI Foundry, but the sub-agent expects GitHub OAuth or Copilot HMAC credentials which don't exist in BYOK mode.
Every task invocation fails immediately with:
{
"message": "Error: No GitHub OAuth token or Copilot HMAC key provided",
"code": "failure"
}This also means MCP servers configured in the parent session are inaccessible to sub-agents, since they never get past the auth step.
Environment
- Copilot SDK Version: 0.1.26 (.NET)
- .NET Version: 10.0
- OS: Linux (Ubuntu 24.04, containerized)
- Provider: Azure AI Foundry BYOK (
type: "azure") - Model: gpt-5.2
Steps to Reproduce
- Create a Copilot client with a BYOK Azure AI Foundry provider
- Create a session with MCP servers configured
- Send a prompt that causes the agent to use the
tasktool - The model calls the
tasktool to delegate work to a sub-agent - The sub-agent immediately fails with the auth error above
var client = new CopilotClient(new CopilotClientOptions
{
CliPath = "copilot",
UseStdio = true
});
await client.StartAsync();
var session = await client.CreateSessionAsync(new SessionConfig
{
Model = "gpt-5.2",
Provider = new ProviderConfig
{
Type = "azure",
BaseUrl = "https://my-resource.services.ai.azure.com/openai/deployments/gpt-5.2",
ApiKey = "<key>"
},
McpServers = new Dictionary<string, McpServerConfig>
{
...
}
});
// Agent will try to use `task` tool to delegate to a sub-agent
// Sub-agent fails with "No GitHub OAuth token or Copilot HMAC key provided"
await session.SendAndWaitAsync(new MessageOptions
{
Prompt = "...."
});Expected Behavior
The task tool should either:
- Propagate the parent session's auth context (BYOK provider config) and MCP server configurations to the sub-agent, OR
- Fail gracefully with an error indicating that
taskis not supported in BYOK mode, so the model can fall back to direct tool calls
Actual Behavior
The task tool spawns a sub-agent that immediately fails because it tries to authenticate via GitHub OAuth/HMAC, which is not available in BYOK deployments. The error gives the model no indication that it should retry the same work as a direct tool call instead.
Impact
This effectively breaks any multi-step investigation workflow in BYOK mode:
- The model prefers delegating MCP tool calls via
task(likely trained on patterns wheretaskworks) taskalways fails in BYOK mode- The model rarely recovers by calling MCP tools directly
- The session produces empty results despite MCP servers being configured and available
Related Issues
- MCP servers in CustomAgentConfig are not exposed to the agent during execution #553 — MCP servers in CustomAgentConfig are not exposed to the agent during execution (similar MCP propagation problem, but for custom agents rather than built-in
task) - Custom Agents are not working | Node | Dotnet #251 — Custom Agents are not working (custom agent configs overwritten during session init)
- Sub-agent messages are queued instead of streamed in real-time #477 — Sub-agent messages are queued instead of streamed (separate sub-agent issue)