OfficeDev / Microsoft-Teams-Samples

Welcome to the Microsoft Teams samples repository. Here you will find task-focused samples in C#, JavaScript and TypeScript to help you get started with the Microsoft Teams App!
MIT License
1.01k stars 771 forks source link

SSO samples don't work due to 'X-Frame-Options' set to 'deny' #1306

Open abenadar opened 4 months ago

abenadar commented 4 months ago

I set up the TabGraphToolkit sample accoridng to its guidelines. However, the tab did not load in the desktop Client. Trying the web clients in different browsers yielded similar results. While the error messages in FireFox and Edge where less useful, Chrome logged the following:

Refused to display 'https://login.microsoftonline.com/'in a frame because it set 'X-Frame-Options' to 'deny'.

If tabs require calling the log-in in an i-frame but MS refuses this, how would that even work? Am I missing something?

Meghana-MSFT commented 4 months ago

Thank you for reporting this, we will setup the sample (https://github.com/OfficeDev/Microsoft-Teams-Samples/tree/main/samples/tab-graph-toolkit) and get back to you.

Meghana-MSFT commented 4 months ago

@abenadar - We checked this at our end by setting up the tab-graph-toolkit csharp sample. It is working fine at our end. Login was successful. Could you please let us know if you are facing this issue with nodejs sample?

image

abenadar commented 4 months ago

@Meghana-MSFT Thanks for looking into this. In the meantime I've been setting up the TAB-SSO sample as well only to hit the same issue. However, since this sample works outside of Teams I could prompt a log-in to recevie the following message:

AADSTS50194: Application '*****'(Teams (SSO)) is not configured as a multi-tenant application. Usage of the /common endpoint is not supported for such applications created after '10/15/2018'. Use a tenant-specific endpoint or configure the application to be multi-tenant.

I couldn't find an explicit call to the common endpoint but perhaps the issues are related. Not that I'm specifically trying to set up a single tenant app.

I used the C# template in both cases. The manifest template couldn't be used due to neither Teams nor the Developer Portal understanding the old schema, but I don't think that's the issue.

Does the nodejs implementation not operate on I-frames or why do you suspect different results here?

Meghana-MSFT commented 4 months ago

There is no difference in nodeJS & C#. Since C# sample was working fine, we just wanted to confirm there is no code issue in nodeJs.

Regarding the above error in Tab-SSO sample, could you please change "TenantId"(https://github.com/OfficeDev/Microsoft-Teams-Samples/blob/ba3848040cb598920e0f2baa2b52d8ed482b2e16/samples/tab-sso/csharp/TeamsTabSSO/appsettings.json#L4C3-L4C17) from common to your tenant id and check once?

abenadar commented 4 months ago

@Meghana-MSFT

I had the parameter changed from the very start:


  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "TenantId": "27331141-*******************************",
    "ClientId": "4ece35fe-******************************",
    "AppSecret": "e3ad88a6-*******************************",
    "ApplicationIdURI": "api://*************.euw.devtunnels.ms/4ece35fe-*******************************/access_as_user",
    "AuthUrl": "/oauth2/v2.0/token",
    "ValidIssuers": "https://login.microsoftonline.com/27331141-**********************************/v2.0,https://sts.windows.net/27331141-********************************************/"
  },

I have no idea why the promt suggests otherwis, also couldn't find another call in the source code. Perhaps an issue with the Azure configuration but I double-cecked it being aligned with the guidelines.

abenadar commented 4 months ago

@Meghana-MSFT Update: I set up the sample using node mentioned above from a different tenant. I receive the same error mentioning multi-tenancy, but I can reproduce this in Teams now too. Setting up the app as multi-tenant may be worth a shot. However, I can't figure out what exactly the MPN ID is nor do I see it in the PArtner Center. Do I need to set up a Azure AI Cloud Partnership for this?

Meghana-MSFT commented 4 months ago

MPN ID is used to identify the organization, however it is optional. https://learn.microsoft.com/en-us/microsoftteams/platform/resources/schema/manifest-schema#:~:text=terms%20of%20use.-,mpnId,-10%20characters

abenadar commented 4 months ago

@Meghana-MSFT It's not optional for setting up multi-tenant sign-in the Azure registration.

I set up an Azure AI Cloud Partner partnership and tried the asscoiated IDs but apparently those are not the right ones. Currently I don't know what else to troubleshoot.

Wajeed-msft commented 4 months ago

MPN Id is associated with https://partner.microsoft.com/en-US/ account. You can find your Partner ID by navigating to: Settings > Account settings > Identifiers image

image

abenadar commented 4 months ago

MPN Id is associated with https://partner.microsoft.com/en-US/ account. You can find your Partner ID by navigating to: Settings > Account settings > Identifiers image

image

The only identifiers mentioned there were:

> Windows publisher ID
> Windows phone publisher ID
> Symantec ID

I registered with the Azure Ai Cloud Partner program as suggested by the most helpful answer given here and found the correct ID. However, registering it does not work yet due to lacking permissions (the app is registered with a different account than the MPN ID). Haven't found the exact cause yet.

Be mindful that multi-tenant log-in is not even what I want to achive. I'm doing all this just to trouble-shoot the issue from above.