2

In the Single Sign-On for Teams, I have the call `microsoftTeams.authentication.getAuthToken(authTokenRequest);` working; that is, it successfully returns a token resolving to my Azure Active Directory (AAD) successfully. All good. Surprisingly easy. JWT returns with correct audience and scopes (as I have set in my tenant's AAD).

However, what I get back when I decode the JWT seems to just be an Authentication Token, not an Access Token.

Looking at the sample at Task Meow/teams.auth.service.js, it does not seem to show how to swap the Auth for the Access Token.

I assume the code will look something like the method getToken() ... but since I have already spent 10+ working days on auth (old ADAL OH MY GOODNESS WAS THIS HORRIBLE) ...

Question:

I was wondering if there are any other good samples of MicrosoftTeams.js Authenticate / Auth Token / MSAL Access token out there?

NickHodge
  • this is only Auth token? https://www.c-sharpcorner.com/article/jwt-json-web-token-authentication-in-asp-net-core/ – pix Jan 28 '20 at 10:46
  • Here is a [Code sample for Authentication in Node](https://github.com/OfficeDev/microsoft-teams-sample-complete-node) You can also have a look into [Microsoft Teams authentication flow for tabs](https://learn.microsoft.com/en-us/microsoftteams/platform/tabs/how-to/authentication/auth-flow-tab#samples) – Subhasish Jan 30 '20 at 05:49
  • I know this is a bit late but I encountered the same question and opened an issue in the Teams SDKs Github-Repo. It turns out the token actually is an ID token containing the required scope and thus can be used as an access token. This is very confusing when comparing to the regular auth-flow but it's relieving to know it serves both purposes. (The issue: https://github.com/OfficeDev/microsoft-teams-library-js/issues/446) – Beltway Dec 16 '20 at 08:29
  • I gave up. It got too hard (for our circumstances) – NickHodge Dec 17 '20 at 09:31

2 Answers

3

Anyway, I did solve my problem by the following

  1. Follow TaskMeow example through the abstractions of auth.service.js > sso.auth.service.js > teams.auth.service.js
  2. As I wanted additional AAD scopes (Files.ReadWrite.All to access the SharePoint Online files in Teams and Groups.ReadWrite.All - to add Tabs) my getToken() method in teams.auth.service.js is something like the following:

```javascript
getToken() {
  // Cache the promise so concurrent callers share a single token request
  if (!this.getTokenPromise) {
    this.getTokenPromise = new Promise((resolve, reject) => {
      this.ensureLoginHint()
        .then(() => {
          // Ask adal.js for a token whose resource is Microsoft Graph
          this.authContext.acquireToken(
            'https://graph.microsoft.com',
            (reason, token, error) => {
              if (!error) {
                resolve(token);
              } else {
                reject({ error, reason });
              }
            }
          );
        })
        // Without this, a failure in ensureLoginHint() leaves the promise pending forever
        .catch(reject);
    });
  }
  return this.getTokenPromise;
}
```

Editorial Comment:

  1. Authentication in Microsoft Teams is too difficult
  2. There seem to be many "approaches" in the documentation
  3. The present "SSO" flow still has flaws, and is in "Developer Preview"

If you are an SPA developer it is just too difficult. I am (obviously) not an expert on Authentication -- so current "recipes" are imperative.

This is especially the case if you want more than the default "scopes" as described in Single Sign-on ... and most of the "good stuff" in Microsoft Graph is outside of these default scopes.

NickHodge
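A quick way to see what a token returned by `getAuthToken` or `acquireToken` can be used for is to decode its payload and compare `aud`, `scp` and `exp` with what the target API expects. This is an added example, not part of the original posts or the TaskMeow sample; `inspectToken`, `makeSample`, both sample tokens and the `api://tab.example.invalid/...` audience are constructed for illustration, and the code decodes without verifying the signature.

```javascript
// Decode-only inspection of a JWT's claims. The signature is NOT verified here,
// so this is a client-side diagnostic, not a substitute for server-side validation.
function decodeSegment(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/'); // base64url -> base64
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

function inspectToken(jwt, { audiences, requiredScopes, now = Date.now() }) {
  const parts = String(jwt).split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  const claims = decodeSegment(parts[1]);
  // "aud" may be a string or an array; ignore a trailing slash when comparing
  const aud = [].concat(claims.aud || []).map(a => String(a).replace(/\/$/, ''));
  // Delegated AAD tokens carry scopes as one space-separated "scp" string
  const granted = new Set(String(claims.scp || '').split(' ').filter(Boolean));
  const audienceOk = aud.some(a => audiences.includes(a));
  const missingScopes = requiredScopes.filter(s => !granted.has(s));
  const expired = typeof claims.exp !== 'number' || claims.exp * 1000 <= now;
  return { audienceOk, missingScopes, expired,
           usable: audienceOk && missingScopes.length === 0 && !expired };
}

// --- Constructed sample data (not real tokens; the signature segment is a dummy) ---
const NOW = Date.UTC(2020, 0, 28, 10, 0, 0);
function makeSample(claims) {
  const enc = obj => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(claims)}.constructed`;
}
// Token whose audience is the tab's own app (assumed shape, for illustration)
const SAMPLE_SSO_TOKEN = makeSample({
  aud: 'api://tab.example.invalid/00000000-0000-0000-0000-000000000000',
  scp: 'access_as_user', exp: NOW / 1000 + 3600 });
// Token issued for the Graph resource with one of the scopes named in the answer
const SAMPLE_GRAPH_TOKEN = makeSample({
  aud: 'https://graph.microsoft.com',
  scp: 'Files.ReadWrite.All User.Read', exp: NOW / 1000 + 3600 });

// What a call to Microsoft Graph needs: Graph as audience (URL or app ID form)
const GRAPH_CHECK = {
  audiences: ['https://graph.microsoft.com', '00000003-0000-0000-c000-000000000046'],
  requiredScopes: ['Files.ReadWrite.All'],
  now: NOW };

console.log('SSO token vs Graph:  ', inspectToken(SAMPLE_SSO_TOKEN, GRAPH_CHECK));
console.log('Graph token vs Graph:', inspectToken(SAMPLE_GRAPH_TOKEN, GRAPH_CHECK));
```
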
0

Also, this snippet may help.

If you follow the recommended Taskmeow in your Microsoft Teams app, you will get a quick appearance of the Redirect URI (aka /tab/silent-start).

To solve this, adal.js caches the user and access token.

So you can add a check in login():

```javascript
login() {
  if (!this.loginPromise) {
    this.loginPromise = new Promise((resolve, reject) => {
      this.ensureLoginHint()
        .then(() => {
          // adal.js caches the user and the ID token; reuse them when present
          const cachedUser = this.authContext.getCachedUser();
          const currentIdToken = this.authContext.getCachedToken(this.applicationConfig.clientId);

          if (cachedUser && currentIdToken) {
            // Already signed in: skip the popup, so the redirect page never flashes
            resolve(this.getUser());
          } else {
            // Start the login flow
            microsoftTeams.authentication.authenticate({
              url: `${window.location.origin}/silent-start.html`,
              width: 600,
              height: 535,
              successCallback: () => {
                resolve(this.getUser());
              },
              failureCallback: reason => {
                reject(reason);
              }
            });
          }
        })
        // Surface ensureLoginHint() failures instead of leaving the promise pending
        .catch(reject);
    });
  }
  return this.loginPromise;
}
```
NickHodge