Reputation: 97
I followed the whole procedure described here and have the sample working correctly.
However, when I try to replicate the solution in a VirtualAssistant + Skills scenario it doesn't work: VA obtains the token but when the skill needs it, it will prompt again.
I also followed these steps without success.
In the Startup.cs of the code created with the Virtual Assistant Template, there are these lines:

    // Configure TokenExchangeConfig for SSO
    if (settings.TokenExchangeConfig != null)
    {
        services.AddSingleton<ITokenExchangeConfig>(settings.TokenExchangeConfig);
    }

And also this in the appconfig.json:

    "tokenExchangeConfig": {
        "connectionName": "",
        "provider": ""
    },

However, I cannot find a place where it is explained how to configure this. Could someone point me to the right documentation?
Upvotes: 1
Views: 185
Reputation: 151
This config is used by the VA to get an "ExchangeableToken" from ABS; this connection is what you configured in the settings tab of your VA Bot Channel Service.
Please refer to the VA code below:

    private async Task<bool> InterceptOAuthCardsAsync(ClaimsIdentity claimsIdentity, Activity activity)
    {
        if (activity.Attachments != null)
        {
            BotFrameworkSkill targetSkill = null;
            foreach (var attachment in activity.Attachments.Where(a => a?.ContentType == OAuthCard.ContentType))
            {
                if (targetSkill == null)
                {
                    targetSkill = GetCallingSkill(claimsIdentity);
                }
                if (targetSkill != null)
                {
                    var oauthCard = ((JObject)attachment.Content).ToObject<OAuthCard>();
                    if (oauthCard != null && oauthCard.TokenExchangeResource != null &&
                        _tokenExchangeConfig != null && !string.IsNullOrWhiteSpace(_tokenExchangeConfig.Provider) &&
                        _tokenExchangeConfig.Provider == oauthCard.TokenExchangeResource.ProviderId)

In the SSO scenario, when the skill bot needs to access resources such as email or calendar, it will check the ABS to find whether or not a token is cached. If not, it will ask the user to log in, then it will send the OAuthCard to the VA. The VA uses the method above (InterceptOAuthCardsAsync) to check if the condition is satisfied, and the config will be used.
Here is the sequence diagram of the SSO process.
My problem is that when the skill got the "TokenExchangeInvokeRequest" from the VA, nothing happened after that. The skill should use the exchangeable token to get the graph token; I have no idea what happened.
Upvotes: 1
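
Added example, not part of either post and not the Virtual Assistant template's own code: a stand-alone diagnostic that walks the same checks visible in the InterceptOAuthCardsAsync excerpt and names the first one that fails, including the blank values shown in the question's appconfig.json. The record types, `SsoGate.Explain`, and all connection names, provider ids and URIs are hypothetical stand-ins constructed for illustration.

```csharp
using System;

// Hypothetical stand-in types: only the fields the excerpt's condition reads.
record TokenExchangeResource(string ProviderId, string Uri);
record OAuthCard(string ConnectionName, TokenExchangeResource TokenExchangeResource);
record TokenExchangeConfig(string ConnectionName, string Provider);

static class SsoGate
{
    // Walks the checks from the excerpt in order and reports the first failure.
    public static string Explain(bool callerIsKnownSkill, OAuthCard card, TokenExchangeConfig config)
    {
        if (!callerIsKnownSkill)
            return "skip: GetCallingSkill found no skill for the caller";
        if (card is null)
            return "skip: attachment did not deserialize to an OAuthCard";
        if (card.TokenExchangeResource is null)
            return "skip: OAuthCard carries no TokenExchangeResource";
        if (config is null)
            return "skip: no tokenExchangeConfig, so ITokenExchangeConfig was never registered";
        if (string.IsNullOrWhiteSpace(config.Provider))
            return "skip: tokenExchangeConfig.provider is blank";
        // The excerpt compares with ==, so the match is exact and case-sensitive.
        if (config.Provider != card.TokenExchangeResource.ProviderId)
            return $"skip: provider '{config.Provider}' != card ProviderId '{card.TokenExchangeResource.ProviderId}'";
        return "pass: condition satisfied, the VA goes on to use the config";
    }
}

static class Program
{
    static void Main()
    {
        // Constructed OAuthCard as a skill might send it (placeholder values).
        var card = new OAuthCard("skill-connection",
            new TokenExchangeResource("example-provider-id", "api://placeholder"));

        // Blank values, as in the appconfig.json shown in the question.
        Console.WriteLine(SsoGate.Explain(true, card, new TokenExchangeConfig("", "")));
        // Same provider with different casing: still fails the exact comparison.
        Console.WriteLine(SsoGate.Explain(true, card, new TokenExchangeConfig("va-connection", "Example-Provider-Id")));
        // Provider equal to the card's ProviderId.
        Console.WriteLine(SsoGate.Explain(true, card, new TokenExchangeConfig("va-connection", "example-provider-id")));
        // Card without a TokenExchangeResource.
        Console.WriteLine(SsoGate.Explain(true, new OAuthCard("skill-connection", null),
            new TokenExchangeConfig("va-connection", "example-provider-id")));
    }
}
```

Logging the equivalent of this result next to the real check in the VA shows which field is stopping the OAuthCard from being intercepted.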