MicrosoftDocs / msteams-docs

Source for the Microsoft Teams developer platform documentation.
https://aka.ms/teamsdev
Creative Commons Attribution 4.0 International

[Bug] Log in Page (called by typescript SDK's authentication.authenticate()) Is Blocked Under Teams Native App on Windows #11395

Open johnmiroki opened 3 months ago

johnmiroki commented 3 months ago

Steps to reproduce

We've built a Teams app (SAP SuccessFactors), in which there's a tab. When the user clicks on the Login button, under the hood we call the SDK's authenticate method. Code snippet:

    import { app, authentication, dialog } from "@microsoft/teams-js";

    authentication
      .authenticate({
        url: loginUrl,
        isExternal: false,
        width: 600,
        height: 800
      })
      .then(() => {
        window.location.reload();
      })
      .catch((reason: any) => {
        window.location.reload();
        console.log(reason);
        setBusy(false);
      });

We are an enterprise app, and some of our customers log in automatically with their certificate without having to input username and password.

Expected behavior

A popup shows up loading the login page passed in authenticate(). It should work in the Teams native app on Windows, macOS or supported browsers like Chrome.

Actual behavior

On macOS or browsers, things work as expected. But with the native Teams app on Windows, the login popup does not load at all. It feels like it's totally blocked by some OS mechanism. Unfortunately, this happens not on our application level, but rather on Windows (OS) or the interaction between the Microsoft Teams native app and the OS (Windows), so no logging or any other details can be provided.


We also observe this may not happen (but not always) on the older non-new Teams app. But it's not stable. The behavior isn't consistent. Please help us help our customers. Thanks!

Error details

No response

ChetanSharma-msft commented 3 months ago

Hello @johnmiroki - Thanks for raising your query. Could you please confirm if you are facing the same issue in the browser as well?

If yes, could you please check and share the console error logs from browser devTools?

Also, what authentication have you implemented? Is it Azure Active Directory authentication?

We have a couple of Tab SSO samples that you can refer to: https://github.com/OfficeDev/Microsoft-Teams-Samples/tree/main/samples/tab-sso

johnmiroki commented 3 months ago

@ChetanSharma-msft This is specific to the Windows native MS Teams app. We can't reproduce it in the browser or on macOS. So I'm afraid no logs are available to us. But Microsoft experts may have more insights. The authentication is via our own IAS, not Azure related.

Take this with a grain of salt, but we think it's to do with client certificate authentication and mTLS. On the browser version of Teams, before the login popup loads the page, a certificate selector would appear (see screenshot), but on the native Teams app, this selector doesn't show. And it feels like this certificate selector UI is somehow blocked by the Teams app on Windows.

johnmiroki commented 3 months ago

The issue may only exist in the New Teams App, whereas in the legacy Teams App, we don't meet the problem (or not as often at least). So it could be due to the foundation change from Electron to WebView2? This could also explain why this issue is non-existent on macOS: WebView2 isn't available on macOS, so I assume Electron is used on macOS. Just a wild guess, don't let me mislead you.

johnmiroki commented 2 months ago

@Meghana-MSFT Hi Meghana, any finding or updates? Thanks!

Meghana-MSFT commented 2 months ago

@johnmiroki - Apologies for the delay, we are checking this. We will get back to you.

johnmiroki commented 2 months ago

@Meghana-MSFT Hi Meghana, is there any update? Much appreciated!

Meghana-MSFT commented 2 months ago

@johnmiroki - Apologies for the delayed response. We are not able to repro this, it says "Service connection between SAP SuccessFactors and Microsoft 365 hasn’t been established. Please first reach out to your administrator for configurations on both sides".

We are raising a bug for this. Could you please share a repro video for this issue so that the engineering team can have more insights? Please share the above details at microsoftteamsdev@microsoft.com.

johnmiroki commented 1 month ago

@Meghana-MSFT We got this internal ID from our Microsoft partner: 3956235. Could you please look it up in your internal system? Much appreciated!

Meghana-MSFT commented 1 month ago

@johnmiroki - We have raised a bug for this, we will keep you posted on the updates. Thank you.

Meghana-MSFT commented 1 month ago

@johnmiroki - Engineering team has looked into this, they are also not able to reproduce this issue because there is some kind of configuration needed for the SAP SuccessFactors app:


Could you please share Teams Client logs + network traces (ideally Fiddler w/ SSL tracing enabled)? Also, it would be great if we could get a minimal repro app that can be used to recreate the issue.

Teams does enforce that the auth URL being opened by the app must match the validDomains defined in the app's manifest. This enforcement only happens in the Teams Desktop Client since in our Web Client, the popup is directly opened by the App SDK via window.open call in the iframe. The most likely explanation for this issue is that the app is trying to pass a URL to the authentication.authenticate API that doesn't match any of their validDomains.
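
Added example (not part of the thread and not Teams client code): a pre-flight check an app could run on the URL it is about to pass to `authentication.authenticate()`, comparing its host with the manifest's `validDomains`. The function names, the sample hostnames and the matching rule (a `*` label matches exactly one host label) are assumptions made for this illustration.

```typescript
// Added example: pre-flight check of a login URL against manifest validDomains.
// Assumption: a "*" label in a validDomains entry matches exactly one host label.
// Hostnames below are constructed sample values.

type DomainCheck = { ok: boolean; reason: string };

function hostMatchesPattern(host: string, pattern: string): boolean {
  const hostLabels = host.toLowerCase().split(".");
  const patternLabels = pattern.toLowerCase().split(".");
  if (hostLabels.length !== patternLabels.length) return false;
  return patternLabels.every((label, i) => label === "*" || label === hostLabels[i]);
}

function checkAuthUrl(loginUrl: string, validDomains: string[]): DomainCheck {
  let parsed: URL;
  try {
    // Parse instead of substring-matching so userinfo ("user@host") and paths
    // cannot make a foreign host look like a listed one.
    parsed = new URL(loginUrl);
  } catch {
    return { ok: false, reason: "not an absolute URL" };
  }
  const host = parsed.hostname;
  const hit = validDomains.find((entry) => hostMatchesPattern(host, entry));
  return hit
    ? { ok: true, reason: `host ${host} matches "${hit}"` }
    : { ok: false, reason: `host ${host} matches no validDomains entry` };
}

// Constructed manifest entries and candidate login URLs.
const sampleValidDomains = ["*.tenant.example", "app.vendor.example"];
for (const url of [
  "https://ias.tenant.example/saml/login",
  "https://a.b.tenant.example/login",
  "https://ias.tenant.example@other.example/login",
  "/login",
]) {
  console.log(url, "->", checkAuthUrl(url, sampleValidDomains));
}
```

Logging the result before the `authenticate()` call gives the app a record of its own when the desktop client shows a blank popup and the web client does not.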

johnmiroki commented 1 month ago

@Meghana-MSFT Hi Meghana, the thing is, it requires a Windows system with an enterprise certificate installed to reproduce it. We can't provide remote access, unfortunately. Will a live demo session be helpful? If so, we can set one up. Let me know. Thanks!

johnmiroki commented 1 month ago

@Meghana-MSFT Can you specify how to acquire Teams logs? Thanks!

johnmiroki commented 4 weeks ago

We made an app for you to install in Windows + new Teams native app to reproduce the problem. Upon installing, go to the app, and click on Open. In normal (e.g. macOS client), there will be a certificate selector pop-up. In Windows, the pop-up is blank and blocking. cert-test.zip

Meghana-MSFT commented 3 weeks ago

@johnmiroki - Thank you for the app package, we will share this with engineering team.

Meghana-MSFT commented 3 weeks ago

@johnmiroki - We have the below observations from engineering team -

I tried using the app provided by the developer but I see the auth popup fails to load because the https://kgtestcert.azurewebsites.net/hello endpoint that is being loaded in the popup returns a 403 error.

If I navigate the auth popup to the https://kgteststart.azurewebsites.net/ instead, it works without any issues.

The app developer needs to make sure that the URL they are loading in the auth popup is accessible to the user.

johnmiroki commented 3 weeks ago

@Meghana-MSFT It seems like there's no SSL cert installed in the testing environment of your engineers. So I'm going to provide one for them to install (by double-clicking) before the test. After installation of the certificate, please first try on Edge with teams.microsoft.com for the happy path. A certificate selection pop-up should be shown upon clicking "Open". Then, try the same with the native Teams app (new). Please log out of the Teams app once before the test so that all cache and sessions are cleared up.

Is there any way to set up a live session so that we can speed up the process? Our mutual customer has really been anxious to see this resolved. Thank you!

Here's the cert file (unzip before use): sap_cert_test.pfx.zip

Meghana-MSFT commented 2 weeks ago

@johnmiroki - We are not able to install the test cert since it seems to be password protected.

johnmiroki commented 2 weeks ago

@Meghana-MSFT The file isn't password protected. Just click on Next or similar button to skip it. Thanks!