OfficeDev / microsoft-teams-library-js

JavaScript library for use by Microsoft Teams apps
https://docs.microsoft.com/microsoftteams/platform/

microsoftTeams.authentication.getAuthToken() not executing in SharePoint #1407

Open twgolds opened 2 years ago

twgolds commented 2 years ago

I have integrated Teams with SSO into a SAAS application.

When signing in via Teams (desktop or web) everything works as expected.

I have also enabled the SharePoint integration features within the app manifest and added the App package to SharePoint Online:

When opening the "app" within SharePoint following code is executed:

```javascript
microsoftTeams.app.initialize().then(() => {
  microsoftTeams.app.notifySuccess();
  microsoftTeams.authentication.getAuthToken()
    .catch((e) => {
      alert(e);
    })
    .then((token) => {
      // ... do some stuff ...
    });
});
```

The call to microsoftTeams.authentication.getAuthToken() does not return (an error, or the token). The call to initialize then times out after 5 seconds.

I am unsure whether I am missing any additional configuration to ensure getAuthToken works.

Could you confirm that getAuthToken is expected to work in sharepoint.com? And if so, could you point me in the direction of the configuration required to get it to work?

If it is not supported within sharepoint.com, what is the proposed Microsoft approach to SSO into a Teams-App-Hosted-In-SharePoint?

Thanks

ghost commented 2 years ago

Hi twgolds! Thank you for bringing this issue to our attention. We will investigate and if we require further information we will reach out in one business day. Please use this link to escalate if you don't get replies.

Best regards, Teams Platform

ChetanSharma-msft commented 2 years ago

Hello @twgolds - Hope you are doing well!! Could you please share the repro steps or the doc that you are following for SAAS Integration. Also, could you please share a short video of your issue?

twgolds commented 2 years ago

The documentation for Teams SSO that I followed is :

https://learn.microsoft.com/en-us/microsoftteams/platform/tabs/how-to/authentication/tab-sso-overview

As I say, it works absolutely fine when running with Teams as the host. It's when it's within SharePoint that it fails.

Can you send me your email so that I can send you a video?

twgolds commented 2 years ago

I had almost the same issue within Office.Com ( except Office.Com returns an error message ). The solution to that problem was simply to add the GUIDs for Office.Com ( web & desktop ) to the app registrations list of authorized client applications.

There are no GUIDs for SharePoint listed. Do I need to add something to the App Reg to authorize SPO in the same way that we add GUIDs to authorize teams.com & office.com?

AE-MS commented 2 years ago

Unfortunately, the answer here will not be as satisfying as the answer to the office.com issue you were having. ☹️ SSO/getAuthToken() is not supported when running as a Teams app inside of SharePoint.

I will use this issue to track:

  1. Looking to make the error from getAuthToken() clearer in this scenario
  2. Highlighting/creating documentation on this and more generally what is and is not supported when running a Teams app inside SharePoint.

Thank you for reporting this!
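The failure mode reported in this thread is a promise that never settles, so neither `.then` nor `.catch` runs. As an added example (not code from the thread or from the library), one way to bound the wait and fall back to the pop-up flow mentioned later in the thread. `authentication` is assumed to be `microsoftTeams.authentication` from teams-js v2; `timeoutMs`, `fallbackUrl`, the window size, and whether the pop-up flow is available in a given host are assumptions.

```javascript
// Added example. Pass microsoftTeams.authentication as `authentication`.
class SsoTimeoutError extends Error {
  constructor(ms) {
    super(`getAuthToken() did not settle within ${ms} ms`);
    this.name = "SsoTimeoutError";
  }
}

// Race a promise against a timer, and always clear the timer afterwards
// so a settled call leaves nothing pending.
function withTimeout(promise, ms) {
  let timer;
  const timeout = new Promise((_, reject) => {
    timer = setTimeout(() => reject(new SsoTimeoutError(ms)), ms);
  });
  return Promise.race([promise, timeout]).finally(() => clearTimeout(timer));
}

// Try silent SSO first. Only a timeout (host never answers) triggers the
// fallback; a real rejection is rethrown so misconfiguration stays visible.
async function acquireToken(authentication, { timeoutMs = 4000, fallbackUrl } = {}) {
  try {
    const token = await withTimeout(authentication.getAuthToken(), timeoutMs);
    return { source: "sso", token };
  } catch (err) {
    if (!(err instanceof SsoTimeoutError) || !fallbackUrl) throw err;
    // Pop-up flow: resolves with whatever the app's own auth page reports.
    const result = await authentication.authenticate({
      url: fallbackUrl, // hypothetical auth start page hosted by the app
      width: 600,
      height: 535,
    });
    return { source: "popup", result };
  }
}
```

Whichever path produced it, the backend should validate the token before using it in an on-behalf-of exchange.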

twgolds commented 2 years ago

Thanks for the response.

What's the timeline for supporting getAuthToken() in SharePoint? And if it's not going to be supported in the near term what's the solution to providing SSO when hosting a Teams app within SPO?

The issue this raises is that our Teams App is going into the store shortly and it's supposed to support SPO as well. If users cannot sign in, we'll get a lot of support tickets!

lucabandMSFT commented 2 years ago

Hey @twgolds, Luca here from the SharePoint development platform team. Unfortunately that's not... as simple as it sounds. SharePoint as a container is a little bit more complicated than Teams or, let's say, Office.com, because you can run 3rd party code at the container level itself (meaning: you can create a custom web part running in SharePoint, as an example).

That makes it tricky to securely expose an API like getAuthToken that the code can call because, in theory, 3rd party code could call that API, send it off box, and use that in malicious code to call your service and perform OBO token exchange.

We are exploring some options to see how we can do that securely but, for now, I unfortunately don't have a timeline I can share with you.

Out of curiosity: why do you need to use the Teams line of business model instead of using SharePoint Framework to build your solution for Teams and SharePoint?

Thank you for reporting this and for spending the time to provide additional details.

twgolds commented 2 years ago

Hi @lucabandMSFT

Thanks for the response. I appreciate it is difficult to implement all the API calls that the Teams SDK provides, however, I do feel that if a certain call is not supported then the API should return some sort of message indicating that it is not supported and the non-supported calls should be documented somewhere!

There are a few reasons why we have used the Teams App model instead of SPFX.

Our situation is that we have a multi-tenant SAAS application and are able to surface our SAAS as a Teams App ( as it's "just an iframe" ) and that works really well. With our current Teams App, we can also show our application within SPO as a "Full-page application", it also works well. We also have an old-style SharePoint Add-In ( "It's just an iframe") that has been in the SharePoint store since 2016 and has been an effective solution too, but getting long in the tooth.

We're currently upgrading the Teams App to use the getAuthToken call rather than the previous version of authentication, which opened a pop-up window for the user to authenticate.

The great advantage of this is that it gets rid of the two main issues that we encounter with the older authentication approach. That is, sometimes pop-ups are blocked and sometimes third-party cookies are blocked ( I'm looking at you Safari ).

I did look at implementing an SPFX web part a long time ago ( back before Trump! ) as I took part in a three-day SPFX session in Seattle prior to its public release. However, not all the right pieces of SPFX were in place at the time and we had a whole load of work to do on our SAAS app.

Once we get the new Teams app out of the door, we'll be taking a more detailed look at the SPFX Isolated Web Parts as they look like they will be applicable to our situation.



lucabandMSFT commented 2 years ago

@twgolds, thanks for your feedback. That's a totally fair request: let me track that internally and try to figure out when we can make that happen.

SPFx has evolved quite a bit in the past years and it should now (if that's not the case I would LOVE to get your feedback) provide the same capabilities in Teams as any other LoB / Provider hosted app without the need to host your app elsewhere, as you can include all the JavaScript files in the package and still leverage calls to APIs protected by AAD. Now, there are still some areas (primarily on the end user acquisition from store flow) where the Teams LoB apps model has a clear advantage but... we are getting there.

Thanks again!

divishav commented 6 months ago

Hi @lucabandMSFT, is there any update on this issue? We are also trying to use the Teams SDK in SharePoint and facing the same issue where microsoftTeams.authentication.getAuthToken() is not returning anything. What is the way forward to use MS Graph APIs using the Teams SDK in SharePoint? Would appreciate any help on this.

Thanks, Divisha divishav@opentext.com

lucabandMSFT commented 6 months ago

Hi @divishav, I unfortunately do not have an update for you on how to support a Teams application that uses getAuthToken from the SDK in SharePoint. Right now the only way to get Graph usage is by using the SharePoint Framework SDK which, I understand, is not what you are looking for.

I will leave this issue open and will provide an update as soon as I have one.

Thanks, Luca Bandinelli