AzureAD / microsoft-authentication-library-for-js

Microsoft Authentication Library (MSAL) for JS
http://aka.ms/aadv2
MIT License

Cannot convert Teams user token to ACS token #6990

Open redakker opened 6 months ago

redakker commented 6 months ago

Core Library

MSAL.js (@azure/msal-browser)

Wrapper Library

MSAL Angular (@azure/msal-angular)

Public or Confidential Client?

Public

Documentation Location

https://learn.microsoft.com/en-us/azure/communication-services/quickstarts/manage-teams-identity?pivots=programming-language-javascript

Description

I want to convert my Teams User token to an ACS token. I successfully got my Teams User token with the tool: Angular 16 - MSAL Angular v3 Sample, but when I want to convert it into an ACS token this code drops an error:

```ts
const communicationAccessToken: CommunicationAccessToken = await client.getTokenForTeamsUser({
  teamsUserAadToken: teamsToken,
  clientId: this.aadAppId,
  userObjectId: this.aadTenant,
});
```

Error:

```
core.mjs:10614 ERROR Error: Uncaught (in promise): RestError: Provided access token is not valid. RestError: Provided access token is not
```

That token is used which is coming back from the response's payload:

```ts
let teamsToken = (this.eventPayload as AuthenticationResult)?.accessToken;
```

My Teams permissions seem okay.

cotufaloschiflones commented 3 months ago

Hello, any progress here? I'm getting the same error, a 401 error with:

RestError: {"error":{"code":"InvalidAccessToken","message":"Provided access token is not valid."}}

@redakker Have you figured out something about it?

cotufaloschiflones commented 3 months ago

@redakker Hello, to me, the logic tells me that you should be able here to use `authentication.getToken` from the Teams SDK to use that token (because you are an authenticated user), but doing it like this doesn't work. It doesn't work either if you use MSAL with the proper scopes (Teams.ManageCalls, Teams.ManageChat) and get the token after re-logging in the user again, which is weird...

But at the end, for me the only way to acquire a valid teams token to exchange by another token from ACS was using InteractiveBrowserCredential like follows:

First create a tokenCredential based on the method InteractiveBrowserCredential from @azure/identity. This will re-login the user again (you'll see a popup instantly):

```js
import { InteractiveBrowserCredential } from "@azure/identity";

const tokenCredential = new InteractiveBrowserCredential({ clientId, tenantId });
```

Then you can ask that tokenCredential for a token with the desired scopes:

```js
const { token: teamsUserAadToken } = await tokenCredential.getToken([
  "https://auth.msft.communication.azure.com/Teams.ManageCalls",
  "https://auth.msft.communication.azure.com/Teams.ManageChats",
]);
```

Then, you can use this generated token as follows:

```js
import { CommunicationIdentityClient } from "@azure/communication-identity";

const identityClient = new CommunicationIdentityClient(connectionString);
const { token } = await identityClient.getTokenForTeamsUser({ teamsUserAadToken, clientId, userObjectId });
```

Hope it helps!
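
A pre-flight check that can be run on the Microsoft Entra ID access token before it is passed to `getTokenForTeamsUser`, as an added example that is not code from this thread or from the MSAL or Azure SDK projects. It runs in Node; `decodeJwtPayload`, `preflightTeamsToken`, `makeSampleJwt` and the GUIDs are hypothetical, and it assumes the token carries the standard `scp`, `oid`, `azp`/`appid` and `exp` claims with `scp` holding the short scope names.

```javascript
// Added example: diagnostic only. The payload is decoded WITHOUT verifying the
// signature, so the result must never be used for an authorization decision.
const REQUIRED_SCOPES = ["Teams.ManageCalls", "Teams.ManageChats"]; // scopes named in the thread

function decodeJwtPayload(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT (expected 3 segments)");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Compares the token's claims with the values that will be sent alongside it.
// Returns a list of problems; an empty list means the inputs are consistent.
function preflightTeamsToken(jwt, { clientId, userObjectId }, nowSec = Math.floor(Date.now() / 1000)) {
  const claims = decodeJwtPayload(jwt);
  const problems = [];
  const granted = new Set((claims.scp || "").split(" ").filter(Boolean));
  for (const scope of REQUIRED_SCOPES) {
    if (!granted.has(scope)) problems.push(`missing scope ${scope}`);
  }
  const tokenClient = claims.azp || claims.appid; // v2 tokens carry azp, v1 tokens appid
  if (tokenClient !== clientId) problems.push("clientId does not match azp/appid claim");
  if (claims.oid !== userObjectId) problems.push("userObjectId does not match oid claim");
  if (typeof claims.exp !== "number" || claims.exp <= nowSec) {
    problems.push("token expired or has no exp claim");
  }
  return problems;
}

// Constructed, unsigned sample tokens with placeholder GUIDs so this runs offline.
function makeSampleJwt(claims) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
  return `${enc({ alg: "none", typ: "JWT" })}.${enc(claims)}.sig`;
}
const SAMPLE = {
  clientId: "11111111-1111-1111-1111-111111111111",
  userObjectId: "22222222-2222-2222-2222-222222222222",
  tenantId: "33333333-3333-3333-3333-333333333333",
};
const base = { azp: SAMPLE.clientId, oid: SAMPLE.userObjectId, tid: SAMPLE.tenantId, exp: 2000000000 };
const teamsScopedJwt = makeSampleJwt({ ...base, scp: "Teams.ManageCalls Teams.ManageChats" });
const otherScopedJwt = makeSampleJwt({ ...base, scp: "User.Read" });

console.log(preflightTeamsToken(teamsScopedJwt, SAMPLE, 1700000000));
console.log(preflightTeamsToken(otherScopedJwt, SAMPLE, 1700000000));
```

In a browser, replace the `Buffer` calls with a base64url-aware `atob` decode.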