DuendeSoftware / Support

Support for Duende Software products

Teams app authentication with BFF #1259

Closed chandraarora closed 3 months ago

chandraarora commented 3 months ago

Hi

We are running Duende IdentityServer and it runs perfectly. We are about to publish our software in Teams apps as well. A Teams app has its own library to call the OAuth server for authentication and to get the access token.

Would it be possible to use the BFF in a Teams app? If you have an example, it would be a great help to us.

Thanks Chandra

chandraarora commented 3 months ago

Hi

I have drawn a picture. It is working until successful authentication, but I would need help with the redirection.

(image attached)

Thanks

RolandGuijt commented 3 months ago

When you say Teams app do you mean Microsoft Teams or is it an app you created? I'm guessing the latter since it runs on localhost in your image. If that's the case: is it a Single Page Application (SPA)?

chandraarora commented 3 months ago

Hi

Thank you for your reply

It is Microsoft Teams app which will be published after development is complete.

It is a SPA and I would like to use the BFF so that authentication is done on the server side. I can get the redirect to my API, which works fine. I am not able to redirect from the API to the Teams app, which is running on localhost:53000; eventually it will be MS Teams.

How do I get back to localhost from the BFF or from the IdP?


RolandGuijt commented 3 months ago

I'm confused. When you say API you mean the BFF server application perhaps? I don't see an API in your diagram.

chandraarora commented 3 months ago

Yes, by API I mean the BFF server.


RolandGuijt commented 3 months ago

The main reason the BFF pattern is used is to move the complexity around authentication from SPA to BFF. When using a BFF the SPA itself doesn't need OAuth support. The BFF will get the identity and access tokens on behalf of the SPA. In addition the access token will not be sent to the SPA but instead it is kept on the BFF.

So the only thing the SPA has to do really is trigger the login process by calling an endpoint on the BFF (bff/login e.g.). The BFF will then set an identity cookie after verifying and reading the identity token and as mentioned, store the access token. After that it redirects to the SPA which is reloaded. That is the no. 4 on your diagram. The cookie is encrypted and only the BFF has the key, so the SPA has to request the user's claims via an endpoint on the BFF (bff/user is the default in Duende BFF).

The flow for your Teams app shouldn't be any different than any other JavaScript application. If you're unsure how this works in code my suggestion is to check out our examples (https://github.com/DuendeSoftware/BFF/tree/main/samples) that use vanilla JavaScript.

chandraarora commented 3 months ago

I have an issue with the redirection in "After that it redirects to the SPA which is reloaded".

In the redirection, if I set the redirect URL to the BFF then it works, but when I set the redirect URL of the SPA, in this case localhost:53000/auth-end, then I get an error.


chandraarora commented 3 months ago

Or I am not giving the correct setting in the BFF to redirect to the SPA.

When I redirect to the BFF, what settings should I give in the BFF so that it goes to the SPA?


RolandGuijt commented 3 months ago

By default Duende BFF will redirect to "/" when login completes, but you can also use another URL. Please look here (https://docs.duendesoftware.com/identityserver/v6/bff/session/management/login/) for an example.
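The two BFF comments above (the login/cookie/user-endpoint flow, and the default "/" return URL that can be overridden) describe the whole SPA side of the pattern. The following is an added example of that SPA side, written for this page; it is not code from the thread, from the Duende samples, or from the Duende BFF library. It assumes the Duende BFF defaults for the management endpoints (`/bff/login` with its `returnUrl` query parameter, `/bff/user`, and the `X-CSRF: 1` anti-forgery header) and that the SPA is served from the same origin as the BFF, which is what makes the session cookie usable at all. The `/bff/user` response embedded at the bottom is a constructed sample, not a captured one.

```javascript
// Added example, not code from the thread or from Duende BFF itself.
// Assumptions: Duende BFF default endpoint paths and anti-forgery header;
// the sample /bff/user response below is constructed for this example.

const BFF_LOGIN = "/bff/login";
const BFF_USER = "/bff/user";

// Duende BFF's login endpoint only accepts an application-local returnUrl (a path on
// the BFF's own origin); an absolute URL such as http://localhost:53000/auth-end is
// rejected. This check mirrors that rule on the client so the mistake surfaces
// before the redirect instead of as an error page from the BFF.
function isLocalUrl(url) {
  if (typeof url !== "string" || url.length === 0) return false;
  if (url[0] !== "/") return false; // must be a path, not an absolute URL
  // "//evil.example/x" and "/\evil.example/x" are protocol-relative, not local
  if (url.length > 1 && (url[1] === "/" || url[1] === "\\")) return false;
  return true;
}

// Builds the URL the SPA navigates to in order to start login. Leaving returnUrl
// out reproduces the BFF default of returning to "/".
function buildLoginUrl(returnUrl = "/") {
  if (!isLocalUrl(returnUrl)) {
    throw new Error(`returnUrl must be application local, got: ${returnUrl}`);
  }
  return `${BFF_LOGIN}?returnUrl=${encodeURIComponent(returnUrl)}`;
}

// Step 1: trigger login with a top-level navigation, not fetch/XHR. The BFF redirects
// to the IdP, handles the callback, sets the encrypted session cookie, and then
// redirects the browser to returnUrl, which reloads the SPA. Browser only.
function login(returnUrl = "/") {
  window.location.assign(buildLoginUrl(returnUrl));
}

// /bff/user returns a JSON array of {type, value} claims plus management claims
// (bff:logout_url, bff:session_expires_in). Fold it into one session object;
// repeated claim types (e.g. role) become arrays.
function claimsToSession(claims) {
  const session = { authenticated: true, claims: {} };
  for (const { type, value } of claims) {
    if (type === "bff:logout_url") { session.logoutUrl = value; continue; }
    if (type === "bff:session_expires_in") { session.expiresInSeconds = Number(value); continue; }
    const existing = session.claims[type];
    if (existing === undefined) session.claims[type] = value;
    else if (Array.isArray(existing)) existing.push(value);
    else session.claims[type] = [existing, value];
  }
  return session;
}

// Step 2 (after the reload): ask the BFF who the user is. The cookie travels
// automatically because the SPA shares the BFF's origin; the X-CSRF header is what
// the BFF uses to reject cross-site requests to its endpoints. 401 means anonymous.
async function fetchSession() {
  const res = await fetch(BFF_USER, { headers: { "X-CSRF": "1" } });
  if (res.status === 401) return { authenticated: false };
  if (!res.ok) throw new Error(`${BFF_USER} failed with status ${res.status}`);
  return claimsToSession(await res.json());
}

// Constructed sample of a /bff/user response for a signed-in user.
const SAMPLE_USER_RESPONSE = [
  { type: "sub", value: "818727" },
  { type: "name", value: "Alice" },
  { type: "role", value: "admin" },
  { type: "role", value: "user" },
  { type: "bff:logout_url", value: "/bff/logout?sid=abc123" },
  { type: "bff:session_expires_in", value: "3600" },
];

// Typical SPA start-up: if anonymous, send the user through the BFF login and come
// back to a local route of the SPA (the SPA's own "/auth-end", not another host).
async function ensureSignedIn() {
  const session = await fetchSession();
  if (!session.authenticated) login("/auth-end");
  return session;
}
```

Nothing in this flow talks to the IdP from JavaScript, and the access token never reaches the browser; the SPA only ever sees the cookie-backed session through `/bff/user`. The reason the `localhost:53000/auth-end` return URL fails is visible in `buildLoginUrl`: the BFF will only redirect back to a path on its own origin, so the SPA (or the tab that hosts it) has to be served from the same site as the BFF for the session cookie to be of any use.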

chandraarora commented 3 months ago

Hi Roland

I have created one more diagram to explain the situation. From the Teams app we open a popup in a new window, and the cookie and token exchange happens in the second window. How do we get the cookie to window 1?

Thanks Chandra


chandraarora commented 3 months ago

Hi

Please see the docs for the MS Teams app

https://learn.microsoft.com/en-us/microsoftteams/platform/tabs/how-to/authentication/auth-oauth-provider

When it sends the request to the IdP, it adds state parameters to the redirect URI, and when it gets the response it calls back to Teams with these parameters.

Thanks Chandra


RolandGuijt commented 3 months ago

The link from the docs is assuming you are requesting tokens from the IdP directly. You're not using that with a BFF since that handles all complexities around authentication for the SPA. Please refer to my posts above.

We have reached the end of what we can do to help you with your issue on this issue tracker since the challenges you still have are not directly related to our BFF product. Therefore I'm closing this issue. If you want further help we could help out using our remote consulting offering. Please get in touch for more information about that.