
I'm trying to make a Teams tab app with ASP.NET and set up SSO by following this tutorial, and it worked.
https://learn.microsoft.com/en-us/microsoftteams/platform/tabs/how-to/authentication/auth-aad-sso

Now I have an authentication token, so that I can retrieve some user info from it, that's good.

What I want to know is, how do I make a secure web API call to save some data, like an edited schedule item or such, with this token? Is it OK (or the right approach) to post this token to a web API, decode it on the server side, and then check the contents of the token, like the Issuer or Audience property, to make sure it's a valid web access?

Yoo Matsuo
  • Yes, you can post the token to the server side and decode it; however, standard security practices must be followed for developing the API. You can refer to any Graph API call, see the security measures taken, and implement the same in your API. – Manish-MSFT Oct 19 '20 at 09:46
  • @Manish-MSFT I'm not talking about using Graph API on the server side here. What I want to know is how you call a web API securely from the client side to save some data after obtaining an auth token with SSO, so could you please describe in more details what is "standard security practices" and how I can apply it in this scenario? I thought checking an auth token which is posted on the server side along with saving data might be enough. – Yoo Matsuo Oct 21 '20 at 00:29
  • To call a web API securely from the client side you need to provide authentication and authorization for the API. Please see [here](https://learn.microsoft.com/en-us/aspnet/web-api/overview/security/) for more such scenarios. – Manish-MSFT Oct 21 '20 at 05:20
  • Thanks, however the link you provided explains different stuff, since it's not using the token already obtained by SSO. Anyway, I'll go with posting the token to the server and checking whether it's valid or not. – Yoo Matsuo Oct 21 '20 at 05:54
  • I'm trying to learn more about this myself, but from what I'm understanding so far: the SSO token is an -ID- token, not an Auth token, so it's not meant to be used for authorization inside a web service. In addition, it's a Graph token, and so it's not meant to be validated on your side. Essentially, and again, this is to my knowledge right now, you should actually be requesting your own tokens, via your own sign-in, and using those to authenticate and authorise in your API. – Hilton Giesenow Nov 23 '20 at 18:38
  • @HiltonGiesenow Thank you for your comment. According to your idea "requesting your own tokens, via your own sign-in, and using those to authenticate and authorise in your API", well, what's the point of using SSO then? I don't find any reason to use SSO in the first place if I need to show a login prompt to users for saving data on the server side. – Yoo Matsuo Nov 24 '20 at 00:55
  • So that's partly what I'm trying to understand - see my question here for example: https://stackoverflow.com/questions/64946041/validating-a-microsoft-graph-jwt-token/64979400#64979400 . In short, I think we need to remember this is "Single Sign-On" - the point is to eliminate the need for the user to "Sign On" (i.e. authenticate) - its goal is not to -authorize- per se (e.g. against a backend API) – Hilton Giesenow Nov 24 '20 at 05:35
  • [SSO for bots](https://learn.microsoft.com/en-us/microsoftteams/platform/bots/how-to/authentication/auth-aad-sso-bots) is available now, you can try this – Trinetra-MSFT Nov 27 '20 at 09:48
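Editor's note (added example, not part of the question, the comments, or the linked tutorial): the token returned by the Teams tab SSO flow in the tutorial above is an Azure AD access token issued for the tab app's own API, the one the tutorial's "Expose an API" step registers with the `access_as_user` scope. Validating it on the server therefore means more than reading `iss` and `aud` out of a decoded payload: the signature must be checked against the tenant's published signing keys, the lifetime enforced, and the scope confirmed. The ASP.NET Core 6+ `Program.cs` below does that with the standard `Microsoft.AspNetCore.Authentication.JwtBearer` middleware and then uses the validated `oid` claim, never anything in the request body, to decide whose schedule item is being saved. The tenant ID, client ID, App ID URI and the `/api/schedule` route are placeholders for illustration; the in-memory dictionary stands in for a database.

```csharp
// Program.cs - ASP.NET Core 6+ minimal API (editor's example, not the tutorial's code).
// NuGet: Microsoft.AspNetCore.Authentication.JwtBearer
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

// Placeholders: substitute the values from your own app registration.
const string TenantId = "00000000-0000-0000-0000-000000000000"; // assumption: single-tenant app
const string ClientId = "11111111-1111-1111-1111-111111111111"; // the tab app's client ID
const string AppIdUri = "api://your-tab-domain.example/" + ClientId; // "Expose an API" App ID URI

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // Authority makes the middleware fetch the tenant's OpenID Connect metadata and
        // signing keys (JWKS), so the token signature is verified, not just decoded.
        options.Authority = $"https://login.microsoftonline.com/{TenantId}/v2.0";
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidIssuer = $"https://login.microsoftonline.com/{TenantId}/v2.0",
            ValidateAudience = true,
            // The SSO token is issued for your own API; Azure AD may express the audience
            // either as the App ID URI or as the bare client ID, so accept both.
            ValidAudiences = new[] { AppIdUri, ClientId },
            ValidateLifetime = true,
            ValidateIssuerSigningKey = true,
            ClockSkew = TimeSpan.FromMinutes(2),
        };
    });

builder.Services.AddAuthorization(options =>
{
    // Require the delegated scope the tutorial exposes, so a valid token minted for some
    // other resource or scope is still rejected.
    options.AddPolicy("AccessAsUser", policy =>
        policy.RequireAssertion(ctx =>
            (ctx.User.FindFirst("scp")?.Value ?? string.Empty)
                .Split(' ', StringSplitOptions.RemoveEmptyEntries)
                .Contains("access_as_user")));
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// In-memory store standing in for a database, keyed by the caller's object ID.
var store = new Dictionary<string, List<ScheduleItem>>();

app.MapPost("/api/schedule", (ScheduleItem item, ClaimsPrincipal user) =>
{
    // The user's identity comes from the validated token only. The default handler maps
    // "oid" to the long claim type; fall back to the raw name in case mapping is disabled.
    var oid = user.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier")?.Value
              ?? user.FindFirst("oid")?.Value;
    if (oid is null) return Results.Forbid();

    if (!store.TryGetValue(oid, out var items))
        store[oid] = items = new List<ScheduleItem>();

    items.RemoveAll(i => i.Id == item.Id); // upsert by item ID within the caller's own list
    items.Add(item);
    return Results.Ok(item);
}).RequireAuthorization("AccessAsUser");

app.Run();

// Type declarations must follow the top-level statements.
record ScheduleItem(string Id, string Title, DateTime Start);
```

On the client side, the tab obtains the token with `microsoftTeams.authentication.getAuthToken(...)` exactly as in the tutorial and sends it in an `Authorization: Bearer <token>` header on the POST; no second login prompt is needed, because the middleware above validates the same token Teams already issued for the app. If the API ever needs to call Microsoft Graph on the user's behalf, that is a separate on-behalf-of exchange performed server-side and is not covered by this example.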

0 Answers