Ghojzilla

Reputation: 313

MS Teams - Messaging Extension SSO - Claims

I am trying to implement SSO for a messaging extension inside Teams. The issue I'm running into has to do with missing consent for User.Read.

I'm using the Teams SDK to generate an ID token using the microsoftTeams.authentication.getAuthToken function in the messaging extension, which I will exchange server side, but this does not include the User.Read claim (so the user cannot consent to it), which I need for later Graph calls. I have tried adding this to the "claims" property in the AuthTokenRequest, but it doesn't seem to do anything.

    microsoftTeams.authentication.getAuthToken({
      claims: ["https://graph.microsoft.com/user.read"],
      successCallback: (token: string) => {
        setToken(token);
      },
      failureCallback: (message: string) => console.log("Failed:", message)
    });

I am confident that SSO is set up correctly as it works using a bot message if I follow the app-sso sample found here: https://github.com/OfficeDev/Microsoft-Teams-Samples/tree/main/samples/app-sso/nodejs

Asking the user to log in before opening the messaging extension also correctly requests consent to User.Read. I am using Node.js for the server, which made this document harder to understand: https://learn.microsoft.com/en-us/microsoftteams/platform/messaging-extensions/how-to/enable-sso-auth-me

Any help would be greatly appreciated on how to get the User.Read claim when performing SSO in messaging extensions.

Cheers

Upvotes: 0

Views: 302

Answers (1)

Ghojzilla

Reputation: 313

The only way to get the additional scope I required (User.Read) was to have the server return a certain error on invalid grants.

When the client gets this error, it calls the microsoftTeams.authentication.authenticate function to open another page in a pop-out window.

On this page, I used the MSAL npm package to have the user consent to the User.Read permission.

// There is more than just this call, but the documentation is pretty good
import { RedirectRequest } from "@azure/msal-browser";

// Ask only for the Graph scope that was missing from the SSO token
const request: RedirectRequest = {
    scopes: [`https://graph.microsoft.com/User.Read`],
    loginHint
};
msalClient.loginRedirect(request);

To make this silent, I got the loginHint from the teams context and passed that to the request

microsoftTeams.getContext(context => {
    start(context.loginHint ?? "");
});

Upvotes: 1
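The flow the answer describes, written out as an added example (this is not code from the original post). The Teams SDK calls, the MSAL client and the server call are passed in as `deps` so the decision logic runs outside a Teams host. The server contract is an assumption: the exchange endpoint is taken to answer HTTP 401 with a JSON body whose `error` field is `invalid_grant` (or `interaction_required`) when the on-behalf-of exchange needs user consent, and the pop-out page is assumed to run `msalClient.loginRedirect(buildConsentRequest(...))` and then call `microsoftTeams.authentication.notifySuccess()`. The `makeFakeDeps` helper is a constructed stand-in for Teams and the server so the example runs offline.

```javascript
// Added example: SSO first, interactive consent only when the server says it is missing.
// Assumed server contract: 401 + { error: "invalid_grant" } means "consent required".
const CONSENT_ERRORS = new Set(["invalid_grant", "interaction_required"]);
const GRAPH_USER_READ = "https://graph.microsoft.com/User.Read";

// Decide whether a failed exchange is the "consent missing" case or a genuine failure.
// Anything other than an auth failure with a recognised error code is treated as fatal.
function needsInteractiveConsent(status, body) {
  if (status !== 401 && status !== 403) return false;
  return body !== null && typeof body === "object" && CONSENT_ERRORS.has(body.error);
}

// Build the MSAL RedirectRequest used on the pop-out page. The loginHint comes from the
// Teams context so MSAL can skip the account picker; consent becomes the only prompt.
function buildConsentRequest(teamsContext) {
  const request = { scopes: [GRAPH_USER_READ] };
  const hint = teamsContext && teamsContext.loginHint;
  if (typeof hint === "string" && hint.length > 0) {
    request.loginHint = hint;
  }
  return request;
}

// Build the pop-out URL. Only the login hint travels in the query string; it is percent
// encoded by URLSearchParams so a crafted hint cannot inject extra parameters.
function buildConsentUrl(baseUrl, teamsContext) {
  const url = new URL(baseUrl);
  const hint = teamsContext && teamsContext.loginHint;
  if (typeof hint === "string" && hint.length > 0) {
    url.searchParams.set("loginHint", hint);
  }
  return url.toString();
}

async function acquireGraphToken(deps) {
  // deps.getAuthToken(): Promise<string>   wraps microsoftTeams.authentication.getAuthToken
  // deps.getContext(): Promise<object>     wraps microsoftTeams.getContext
  // deps.exchangeToken(idToken): Promise<{status, body}>  POST to the server exchange endpoint
  // deps.authenticate(url): Promise<void>  wraps microsoftTeams.authentication.authenticate
  // deps.consentPageUrl: string            the page that hosts the MSAL consent flow
  let exchange = await deps.exchangeToken(await deps.getAuthToken());
  if (exchange.status === 200) {
    return { consentPrompted: false, accessToken: exchange.body.access_token };
  }
  if (!needsInteractiveConsent(exchange.status, exchange.body)) {
    throw new Error(`token exchange failed with HTTP ${exchange.status}`);
  }
  const context = await deps.getContext();
  await deps.authenticate(buildConsentUrl(deps.consentPageUrl, context));
  // Consent is now recorded for the user, so the silent SSO path should succeed on retry.
  exchange = await deps.exchangeToken(await deps.getAuthToken());
  if (exchange.status !== 200) {
    throw new Error(`token exchange still failing after consent: HTTP ${exchange.status}`);
  }
  return { consentPrompted: true, accessToken: exchange.body.access_token };
}

// Constructed stand-in for Teams and the server (not a real client). Consent is granted
// only after authenticate() has been called, mirroring the behaviour the answer describes.
function makeFakeDeps(initiallyConsented) {
  let consented = initiallyConsented;
  const calls = [];
  return {
    calls,
    consentPageUrl: "https://example.com/consent",
    getAuthToken: async () => { calls.push("getAuthToken"); return "id-token"; },
    getContext: async () => { calls.push("getContext"); return { loginHint: "user@example.com" }; },
    exchangeToken: async (idToken) => {
      calls.push("exchangeToken");
      return consented && idToken === "id-token"
        ? { status: 200, body: { access_token: "graph-access-token" } }
        : { status: 401, body: { error: "invalid_grant" } };
    },
    authenticate: async (url) => { calls.push("authenticate:" + url); consented = true; },
  };
}
```

In a real extension the `deps` object wraps the Teams SDK callbacks in promises and `exchangeToken` is a `fetch` to your Node server; the server maps MSAL's on-behalf-of consent error to the 401 body shown here. Keeping the consent decision server-driven means the client never has to guess from the ID token whether Graph access will work.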
