Silent authentication for own website inside tab of custom Teams app

Question

After two months of experimenting with Teams Authentication via adal.js and msal.js and failure, I’m close to giving up. So I really need your help.

Basically I need to “silently” authenticate the logged in Teams User for my own website (tab) inside my app that I created with App Studio. The reason for that is, so that I can use the data of the authentication token for the login of my own website.

So far I was only able to get this working with msal.js and a popup, which according to Teams developer I’ve asked is not the way to go. Understandable, since I cannot use the popup method on the Teams Client because it gets blocked.

I’ve tried this silent login method (https://github.com/OfficeDev/microsoft-teams-sample-complete-node/blob/master/src/views/tab-auth/silent.hbs) that was recommend to me. Sadly it didn’t work. All I get is a “Renewal failed: Token renewal operation failed due to timeout” error.

Since the msal.js popup variant (Node.js Azure Quick Start Example) I used before worked in a web browser, I don’t think that the configuration of Azure App is wrong.

This is my code so far:

// onLoad="prepareForm()"

<!--- Import package for authentication information in Teams/Azure---> 
<script src="https://secure.aadcdn.microsoftonline-p.com/lib/1.0.15/js/adal.min.js" integrity="sha384-lIk8T3uMxKqXQVVfFbiw0K/Nq+kt1P3NtGt/pNexiDby2rKU6xnDY8p16gIwKqgI" crossorigin="anonymous"></script> 
<script src="https://statics.teams.microsoft.com/sdk/v1.4.2/js/MicrosoftTeams.min.js" crossorigin="anonymous"></script>

<script language="JavaScript">

let config = {
    clientId: "1402f497-d6e8-6740-9412-e12def41c451", // I've changed it for this stackoverflow post
    redirectUri: "https://myredirect.com", // I've changed it for this stackoverflow post
    cacheLocation: "localStorage",
    navigateToLoginRequestUrl: false, 
};

microsoftTeams.initialize()

/// START Functions for Teams

function getTeamsContext() {
    microsoftTeams.getContext(function(context) {
        startAuthentication(context);
    });         
}

function startAuthentication(teamsContext) {
    if (teamsContext.loginHint) {
        config.extraQueryParameters = "scope=openid+profile&login_hint=" + encodeURIComponent(teamsContext.loginHint);
    } else {
        config.extraQueryParameters = "scope=openid+profile";
    }

    let authContext = new AuthenticationContext(config);

    user = authContext.getCachedUser();
    if (user) {
        if (user.profile.oid !== teamsContext.userObjectId) {
        authContext.clearCache();
        }
    }

    let token = authContext.getCachedToken(config.clientId);

    if (token) {
        console.log(token)
        // Get content of token
    } else {
        // No token, or token is expired
        authContext._renewIdToken(function (err, idToken) {
            if (err) {
                console.log("Renewal failed: " + err);
                // Some way of logging in via Popup or similiar
            } else {
                console.log(idToken)
                // Get content of token
            }
        });
    }         
}

/// END Functions for Teams

// initialized on page load! 
function prepareForm() {
    getTeamsContext();
    document.InputForm.password.focus() 
}

<script/>

Those are my questions:

What causes this error?
How do I authenticate the token on manipulation and is it Teams or Azure? (Does adal.js any functions for this?)
How do I login if the silent authentication fails and popups are blocked? Is there a website for authentication provided by Teams that returns a token?
Are there any working examples of the silent authentication that are not from the official Microsoft website? (I don't understand them.)

Could you please take a look at [Refreshing token with adal.js](https://shweta612.wordpress.com/2017/06/14/adal-js-token-renewal-operation-failed-due-to-timeout/) to fix Token Renewal failed issue. — Trinetra-MSFT, Jan 16 '20 at 05:49
@Trinetra-MSFT Hi. Thanks for the response. Now I get my token. How do I validate the token on manipulation? In the official documentation they state that you are suppose to use the Microsoft Graph API. Is this correct or do I misunderstand this? — , Jan 20 '20 at 07:47
Sorry for the delay in response. Yes You can use adal.js or you can also authenticate with Graph API. here is the sample for [Authentication with Graph](https://github.com/microsoft/BotBuilder-Samples/tree/master/samples/csharp_dotnetcore/24.bot-authentication-msgraph). Let me know if this doesn't help you. — Trinetra-MSFT, Jan 20 '20 at 07:52
@Trinetra-MSFT Thanks, this helped me. But now I have another problem. When I try to run the login() function of adal.js in the Teams Client (Desktop) I get an "Refused to display 'login.microsoftonline...' in a frame because it set 'X-Frame-Options' to deny" error. This only happens when I'm not in developer preview. This issue is not present in Chrome. Do you know what causes this issue? — , Jan 20 '20 at 09:15
Did you added you website url & "*token.botframework.com" in validDomain list of manifest? — Trinetra-MSFT, Jan 20 '20 at 12:48
@Trinetra-MSFT Do I need "*token.botframework.com" if I'm not using a bot? Or is a bot required? — , Jan 20 '20 at 13:35
Yes, you need to add "*token.botframework.com" in your valid Domain list, Where you are authenticating, Is it tab or Bot? Please take a look at [TeamsAuthSampleCode](https://github.com/microsoft/BotBuilder-Samples/tree/master/samples/csharp_dotnetcore/46.teams-auth) — Trinetra-MSFT, Jan 21 '20 at 08:58
@Trinetra-MSFT I authenticate in my tab. But what do you mean by valid Domains? Do you mean valid Domains in my app in Teams or in the manifest of the Azure app in Azure? I've already tried adding "*token.botframework.com" to my valid Domains in my Teams app with the same error. But I should mention that a removed the star in the beginning of the link, else I couldn't add the domain. — , Jan 21 '20 at 09:11
@Trinetra-MSFT Ah, ok. I've tried exporting the app from app studio, changing the manifest.json file, reuploading and installing it. Still the same result. — , Jan 21 '20 at 09:37
Could you please share your app manifest so we can check it at our end? — Trinetra-MSFT, Jan 21 '20 at 11:10
@Trinetra-MSFT I had to change some information since I do this for work: https://cdn.discordapp.com/attachments/652517618082906142/669168936948072448/manifest.json — , Jan 21 '20 at 13:18
Refused to display 'login.microsoftonline...' in a frame because it set 'X-Frame-Options' to deny" error shows you are trying to load an external website with in iframe login flow will not allow this. Please take a look at this working [sample code](https://github.com/microsoft/BotBuilder-Samples/blob/master/samples/javascript_nodejs/46.teams-auth/dialogs/mainDialog.js) — Trinetra-MSFT, Jan 23 '20 at 11:09

Silent authentication for own website inside tab of custom Teams app

0 Answers0