MicrosoftDocs / msteams-docs

Source for the Microsoft Teams developer platform documentation.
https://aka.ms/teamsdev
Creative Commons Attribution 4.0 International

Get error when sending invoke request to get sso token #9559

Open KennethBWSong opened 11 months ago

KennethBWSong commented 11 months ago

Code:

...
return ActivityHandler.createInvokeResponse({
          statusCode: 401,
          type: "application/vnd.microsoft.activity.loginRequest",
          value: {
            text: 'SignIn Text',
            connectionName: "",
            tokenExchangeResource: {
              id: uuid.v1(),
              uri: null,
              providerId: null
            },
            buttons: [{
              type: 'openUrl',
              title: 'Please sign in',
              value: `${process.env.INITIATE_LOGIN_ENDPOINT}?scope=User.Read&clientId=${process.env.M365_CLIENT_ID}&tenantId=${process.env.M365_TENANT_ID}&loginHint=test@kenbwsong.onmicrosoft.com`,
            }],
          }
});

Get error: Unexpected response type for Status Code: 401 Expected responseTypes: application/vnd.microsoft.activity.loginRequest or application/vnd.microsoft.error.invalidAuthCode



Nivedipa-MSFT commented 11 months ago

@KennethBWSong - Thanks for reporting your issue. The error message indicates that the response type for the status code 401 is unexpected. The expected response types are application/vnd.microsoft.activity.loginRequest or application/vnd.microsoft.error.invalidAuthCode.

In your code, you are setting the response type as application/vnd.microsoft.activity.loginRequest, which is correct. However, the error might be due to the incorrect values you are setting for connectionName, uri, and providerId in the tokenExchangeResource object. These values should not be empty or null.

Here is a corrected version of your code:

return ActivityHandler.createInvokeResponse({
  statusCode: 401,
  type: "application/vnd.microsoft.activity.loginRequest",
  value: {
    text: 'SignIn Text',
    connectionName: "<Your Connection Name>",
    tokenExchangeResource: {
      id: uuid.v1(),
      uri: "<Your Resource URI>",
      providerId: "<Your Provider ID>"
    },
    buttons: [{
      type: 'openUrl',
      title: 'Please sign in',
      value: `${process.env.INITIATE_LOGIN_ENDPOINT}?scope=User.Read&clientId=${process.env.M365_CLIENT_ID}&tenantId=${process.env.M365_TENANT_ID}&loginHint=test@kenbwsong.onmicrosoft.com`,
    }],
  }
});

KennethBWSong commented 11 months ago

@Nivedipa-MSFT Thank you for your reply! We propose to handle SSO token on our own, and thus we are sending an empty connection name. For the rest (uri / provider id in tokenExchangeResource), we are following the sample here. Actually in this sample, response with type "application/vnd.microsoft.card.loginRequest" is sent. Would you please help to clarify what is the correct way to get SSO token without using tokenStore?

Nivedipa-MSFT commented 10 months ago

@KennethBWSong - If you prefer to manage the SSO token independently and avoid using the tokenStore, you have the flexibility to do so. It's essential to ensure that you correctly implement the OAuth flow and manage the token exchange process.

The 'connectionName' field in the OAuth card allows you to specify the name of the OAuth connection to use. If you're handling the SSO token on your own, you can simply leave this field empty.

In the OAuth card, the 'tokenExchangeResource' field serves to define the resource for which the token is requested. This should represent the URI of the resource you intend to access using the token.

Here is an example demonstrating how you can modify the OAuth card to manage the SSO token independently:

{
  "statusCode": 401,
  "type": "application/vnd.microsoft.activity.loginRequest",
  "value": {
    "text": "Please sign-in",
    "connectionName": "",
    "tokenExchangeResource": {
      "id": "<unique-identifier>",
      "uri": "<application-or-resource-identifier>",
      "providerId": "<optional-provider-identifier>"
    },
    "buttons": [
      {
        "title": "Sign-In",
        "text": "Sign-In",
        "type": "signin",
        "value": "<sign-in-URL>"
      }
    ]
  }
}

Upon receiving this OAuth card, the Teams client will make an attempt to acquire an on-behalf-of token from Azure AD, utilizing the 'tokenExchangeResource' value and the Teams client token. If the token exchange is successful, the Teams client will forward the token to your bot.

In the event of a token exchange failure for any reason, the Teams client will initiate the standard sign-in or OAuth flow. Hence, it's advisable to provide a sign-in URL in the OAuth card.

You can refer to the document below for more details:

  1. https://learn.microsoft.com/en-us/microsoftteams/platform/bots/how-to/authentication/bot-sso-overview

Please let us know if you have any further queries here.
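
A pre-flight check for the 401 invoke response discussed in this thread, as an added example that is not part of the original comments or of any Microsoft SDK. `checkLoginRequest` and the sample payloads are hypothetical, the expected types are copied from the quoted error message, and the https check is an added hardening assumption.

```javascript
// Expected 401 response types, copied from the error message quoted in the issue.
const EXPECTED_TYPES = [
  "application/vnd.microsoft.activity.loginRequest",
  "application/vnd.microsoft.error.invalidAuthCode",
];

// Hypothetical helper (not a botbuilder API): lint an invoke response before sending.
function checkLoginRequest(response) {
  const errors = [];
  const warnings = [];
  const value = response.value || {};
  const resource = value.tokenExchangeResource || {};

  if (response.statusCode === 401 && !EXPECTED_TYPES.includes(response.type)) {
    errors.push(`type "${response.type}" is not an expected 401 response type`);
  }
  // Every payload in the thread carries a unique id for the exchange request.
  if (!resource.id) warnings.push("tokenExchangeResource.id is missing");
  // The replies describe uri as the resource the token is requested for.
  if (!resource.uri) warnings.push("tokenExchangeResource.uri is empty");
  // Fallback sign-in: a button must carry a URL in case the exchange fails.
  const buttons = Array.isArray(value.buttons) ? value.buttons : [];
  const signIn = buttons.find((b) => typeof b.value === "string" && b.value !== "");
  if (!signIn) {
    warnings.push("no button carries a sign-in URL for the fallback flow");
  } else if (!signIn.value.startsWith("https://")) {
    // Added hardening assumption: the URL may carry client and tenant ids.
    warnings.push("sign-in URL is not https");
  }
  return { errors, warnings };
}

// Constructed payloads mirroring the shapes posted in the thread.
const activityType = {
  statusCode: 401,
  type: "application/vnd.microsoft.activity.loginRequest",
  value: {
    text: "Please sign in",
    connectionName: "",
    tokenExchangeResource: { id: "constructed-id-1", uri: null, providerId: null },
    buttons: [{ title: "Sign In", type: "signin", value: "https://bot.example/auth-start" }],
  },
};
const cardType = { ...activityType, type: "application/vnd.microsoft.card.loginRequest" };

console.log(checkLoginRequest(activityType)); // one warning: empty uri
console.log(checkLoginRequest(cardType)); // one error: unexpected type
```

A payload that passes this check can still be rejected by the client, as the thread shows; the check only catches a type outside the expected set and a missing fallback URL before the response is sent.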

KennethBWSong commented 10 months ago

@Nivedipa-MSFT Thank you for your reply! Actually, the OAuth card you provided seems to be the same as the one I provided in the issue. We are getting the error "Unexpected response type for Status Code: 401 Expected responseTypes: application/vnd.microsoft.activity.loginRequest or application/vnd.microsoft.error.invalidAuthCode" for this card. Do you have any idea why the error occurs?

Nivedipa-MSFT commented 10 months ago

@KennethBWSong - The error message "Unexpected response type for Status Code: 401 Expected responseTypes: application/vnd.microsoft.activity.loginRequest or application/vnd.microsoft.error.invalidAuthCode" typically occurs when the server is expecting a different type of response than it received.

Here are a few possible reasons for this error:

Please verify the above checkpoints and test this again.

KennethBWSong commented 10 months ago

@Nivedipa-MSFT We are using ActivityHandler.createInvokeResponse to send the OAuth card, the same as this sample, and I don't think we need to handle the token/body issue.

KennethBWSong commented 10 months ago

@Nivedipa-MSFT Some more updates here. I am sending the same adaptive card to get the SSO token as here, keeping the type as "Action.Submit", and sending the following invoke response when initialSso:

return ActivityHandler.createInvokeResponse({
      statusCode: 401,
      type: "application/vnd.microsoft.activity.loginRequest",
      value: {
        text: "Please sign in",
        connectionName: "",
        tokenExchangeResource: {
          id: uuid.v1(),
          uri: null,
          providerId: null
        },
        buttons: [
          {
            title: "Sign In",
            text: "Sign In",
            type: "signin",
            value: signInLink,
          }
        ]
      }
    });

Then I successfully send the invoke response as follows: [image]

However, after this event there is no response, and it does not ask the user to log in. When I change the value of type to "Action.Execute", I get the following error for the invoke response: [image]

Can you give me some instructions on how to pop up the login dialog?

ChetanSharma-msft commented 9 months ago

Hello @KennethBWSong - Sorry for the delay in response. We are looking into your issue and will let you know the updates.

Naina-G commented 9 months ago

Hi, we are following the same sample as mentioned in the comments above, and when we send a login request using the code below, we get the same error: Unexpected response type for Status Code: 401 Expected responseTypes: application/vnd.microsoft.activity.loginRequest or application/vnd.microsoft.error.invalidAuthCode

Are the values passed for uri and provider Id correct? Did this work for anyone?

       return ActivityHandler.createInvokeResponse( {
            statusCode: 401,
            type: "application/vnd.microsoft.card.loginRequest",
            value: {
                text: "Please sign in",
                connectionName: "",
                tokenExchangeResource: {
                  id: uuid.v1(),
                  uri: "<App Id of Bot from Azure>",
                  providerId: null
                },
                buttons: [
                  {
                    title: "Sign In",
                    text: "Sign In",
                    type: "signin",
                    value: signInLink,
                  }
                ]
              }
        })

KennethBWSong commented 7 months ago

@ChetanSharma-msft Any update on this?

ChetanSharma-msft commented 7 months ago

Hello @KennethBWSong - Sorry for the delay in response. We are looking into it and will let you know the updates.