microsoft / BotBuilder-Samples

Welcome to the Bot Framework samples repository. Here you will find task-focused samples in C#, JavaScript/TypeScript, and Python to help you get started with the Bot Framework SDK!
https://github.com/Microsoft/botframework
MIT License

Teams auth bot sample not working in teams #3744

Closed soamini-msft closed 2 years ago

soamini-msft commented 2 years ago

Github issues for C# /JS / Java/ Python should be used for bugs and feature requests. Use Stack Overflow for general "how-to" questions.

Sample information

  1. Sample type: [\samples]
  2. Sample language: dotnetcore
  3. Sample name: Teams Auth Bot
  4. https://github.com/microsoft/BotBuilder-Samples/tree/main/samples/csharp_dotnetcore/46.teams-auth

Describe the bug

After following along with the steps in the Teams Auth Bot, the authentication doesn't work in MS Teams.

To Reproduce

Steps to reproduce the behavior:

  1. Follow steps in Teams Auth Bot readme
  2. Deploy bot to Azure, following the documentation's steps for creating and deploying bots
  3. Upload bot manifest.zip to Teams
  4. Try to sign in via the Bot on Teams

Expected behavior

The bot should sign user in without error messages.

Screenshots

When clicking "Sign In" button for first time, this error appears:

image

When clicking "Sign In" for a second time, this pop up appears:

image

Finally, if I try to interact with the bot again, the bot will respond:

image

Additional context

This issue is occurring with the sample code. Not using Single Sign On. I have tried creating the Bot resources in Azure with Managed Identity and multi-tenant, neither work and both give the same error in Teams.

breakingram commented 2 years ago

investigating.

anishprasad01 commented 2 years ago

Hi @soamini-msft,

As per the instructions in the README for sample 46. Teams Auth, you must set UseSingleSignOn to true and upload a manifest containing webApplicationInfo to the Teams client.

Furthermore, the documentation specifies that the supported app types are single and multi tenant, so managed identities would not work.

Please double-check the README and the documentation on SSO in Teams and confirm you have correctly configured each step.

breakingram commented 2 years ago

Hey @soamini-msft

Thank you @anishprasad01 for verifying. We are not able to reproduce the issue using .NET Microsoft.Bot.Builder 4.16.0.


Here are the steps I took to run the team-auth sample:

  1. Clone the repo https://github.com/Microsoft/botbuilder-samples.git
  2. Navigate to samples/csharp_dotnetcore/46.teams-auth folder and open TeamsAuth.csproj
  3. Follow Register your app through the Azure AD portal documentation. (steps 1 - 21)
  4. Update the Azure portal with the OAuth connection

breakingram commented 2 years ago

Hi @soamini-msft, any updates?

breakingram commented 2 years ago

Closing due to inactivity. @soamini-msft, please feel free to re-open if still facing issues. Thanks.

soamini-msft commented 2 years ago

Unfortunately, I am still not able to get the authentication working in Teams. I've followed the documentation steps for setting up Single Sign On and am using a Multitenant AAD app registration. Again, I'm getting this issue not while testing locally but after deploying the bot in Azure and trying to test it in Teams. It is working in the "Test in Web Chat" panel in the bot resource in Azure. Very unclear as to why it isn't also working in Teams, just a grey box pops up towards the bottom of the chat without any text.

image

Some other notes: the documentation should be updated to reflect that a bot using Managed Identity will not work with Authentication in Teams, that is not clear. It is also not clear that you have to use SSO to use authentication in Teams with a Bot, the writing makes it seem like SSO is an option, not a requirement. The example repo I've opened this issue for has two manifest files, but because only SSO works, only the SSO manifest file works and the other manifest should be removed to reduce confusion.

breakingram commented 2 years ago

Hey @soamini-msft

Have you tried uninstalling the app in Teams and uploading the same zipped manifest?

Also, if it's working in Azure Bot Service Web Chat, and not Teams, then I'm guessing there could be something wrong with the manifest.json file? Which manifest did you upload to Teams?

soamini-msft commented 2 years ago

Yup, I uninstall the app in teams and upload the zipped manifest every time I make a change.

I'm using the sso_manifest from the example, renamed it to manifest and deleted the other manifest as there can only be one. The zipped manifest is named manifest. Here is my manifest.json

{
  "$schema": "https://developer.microsoft.com/en-us/json-schemas/teams/v1.5/MicrosoftTeams.schema.json",
  "manifestVersion": "1.5",
  "version": "1.0.0",
  "id": "1c8e62fb-f574-4726-8173-4577eac509d8",
  "packageName": "com.microsoft.teams.samples",
  "developer": {
    "name": "Microsoft",
    "websiteUrl": "https://example.azurewebsites.net",
    "privacyUrl": "https://example.azurewebsites.net/privacy",
    "termsOfUseUrl": "https://example.azurewebsites.net/termsofuse"
  },
  "icons": {
    "color": "icon-color.png",
    "outline": "icon-outline.png"
  },
  "name": {
    "short": "Teams SSO Auth",
    "full": "Teams Single Sign On Sample"
  },
  "description": {
    "short": "Test Teams SSO Auth",
    "full": "This is a bot for testing Single Sign on for Teams"
  },
  "accentColor": "#FFFFFF",
  "bots": [
    {
      "botId": "1c8e62fb-f574-4726-8173-4577eac509d8",
      "scopes": [
        "personal"
      ],
      "supportsFiles": false,
      "isNotificationOnly": false
    }
  ],
  "webApplicationInfo": {
    "id": "dedf8af6-e544-4d5a-9576-a701fc385aa2",
    "resource": "api://botid-dedf8af6-e544-4d5a-9576-a701fc385aa2"
  },
  "permissions": [
    "identity",
    "messageTeamMembers"
  ],
  "validDomains": [
    "token.botframework.com",
    "ngrok.io"
  ]
}

breakingram commented 2 years ago

Hey @soamini-msft

Have you tried using a tunneling service (ex: ngrok) between your local instance and your Azure Bot Service to check for request logs while interacting with the app in Teams?


Example:

  1. Run the sample in VS - this will start local web service on port 3978
  2. In terminal, run ngrok http -host-header=localhost 3978
  3. Copy the https://..... forwarding session and paste to Messaging endpoint field in your Azure Bot Configuration

soamini-msft commented 2 years ago

Yes, I use ngrok to test it locally. Getting the same issue with the blank grey box at the bottom of the chat with no text in it when running in Teams. While running locally, I can see the logs indicate the sign in process is working, but the bot doesn't continue with any conversation logic afterwards. It should be showing user profile information once logged in, this works in the Web Chat panel but not in Teams (locally or deployed).

I'm confused on what the potential issue is here. Is the sample working for you in Teams, as in you actually ran it in Teams and it is working?

breakingram commented 2 years ago

Hi @soamini-msft

In your manifest.json, could you please change the ids (dedf...) in webApplicationInfo to be the same as your bot id (1c8...)?

Example:

  "webApplicationInfo": {
    "id": "1c8e62fb-f574-4726-8173-4577eac509d8",
    "resource": "api://botid-1c8e62fb-f574-4726-8173-4577eac509d8"
  }


Is the sample working for you in Teams, as in you actually ran it in Teams and it is working?

Just checked, the sample is working from my end:

soamini-msft commented 2 years ago

I changed the values in webApplicationInfo but I am still getting the same exact error in Teams.

I'm confused, what are those values supposed to be for it to work? What does your manifest look like? In the docs, it indicates that the values for webApplicationInfo should be the Client Id of the AAD app registration of the bot's auth. Under "Configuration" --> "OAuth Connection Settings", the AAD app registration that was created for the bot's OAuth connection is there as:

image

I've tested this connection and it works, also works in Web Chat panel. Only doesn't work in Teams. Changing the values in webApplicationInfo doesn't make any sense to me, is it not supposed to point to the OAuth connection?

breakingram commented 2 years ago

Hi @soamini-msft

According to the Use SSO authentication doc:

enter the Application ID URI as api://botid-{YourBotId}. Here YourBotId is your Azure AD application ID.


From your above manifest.json, your bot id is: 1c8e62fb-f574-4726-8173-4577eac509d8

so in this case, your Application ID URI should be something like: api://botid-1c8e62fb-f574-4726-8173-4577eac509d8


Example: sharing my Azure Bot Service OAuth connection settings: image

  1. Token Exchange URL = api://botid-<<Microsoft-App-ID>>
  2. Client id = Azure Bot "Microsoft App ID"
  3. Client Secret = {AAD-APP-SECRET-VALUE}


Sharing my manifest.json:

{
  "$schema": "https://developer.microsoft.com/en-us/json-schemas/teams/v1.5/MicrosoftTeams.schema.json",
  "manifestVersion": "1.5",
  "version": "1.0.0",
  "id": "65db2773-ee97-4614-873a-86fdbcf30ad8",
  "packageName": "com.microsoft.teams.samples",
  "developer": {
    "name": "Microsoft",
    "websiteUrl": "https://example.azurewebsites.net",
    "privacyUrl": "https://example.azurewebsites.net/privacy",
    "termsOfUseUrl": "https://example.azurewebsites.net/termsofuse"
  },
  "icons": {
    "color": "icon-color.png",
    "outline": "icon-outline.png"
  },
  "name": {
    "short": "Team Auth Module",
    "full": "Simple Team Auth Module"
  },
  "description": {
    "short": "Test Team Auth Module Scenario",
    "full": "Simple Team Auth Module Scenario Test"
  },
  "accentColor": "#FFFFFF",
  "bots": [
    {
      "botId": "65db2773-ee97-4614-873a-86fdbcf30ad8",
      "scopes": [
        "personal"
      ],
      "supportsFiles": false,
      "isNotificationOnly": false
    }
  ],
  "webApplicationInfo": {
    "id": "65db2773-ee97-4614-873a-86fdbcf30ad8",
    "resource": "api://botid-65db2773-ee97-4614-873a-86fdbcf30ad8"
  },
  "permissions": [
    "identity",
    "messageTeamMembers"
  ],
  "validDomains": [
    "token.botframework.com",
    "*.ngrok.io"
  ]
}

I hope this helps, please let me know if you have further questions. Thanks.

soamini-msft commented 2 years ago

Thank you for all the help @ramfattah! I eventually got it working, with the following combination:

  "webApplicationInfo": {
    "id": "dedf8af6-e544-4d5a-9576-a701fc385aa2",
    "resource": "api://botid-1c8e62fb-f574-4726-8173-4577eac509d8"
  }

I created a second AAD App Registration specifically for the Bot's Authentication flow, as is suggested in the documentation. I tried having both values above as the bot's regular AAD app registration client id, but it would throw an error any time I tried to upload the manifest to Teams. This is the only combo I got to work, using the two different app registration id's, having the bot's authentication app registration client id for id and the bot's regular AAD app registration client id for resource.

It seems you only used one app registration for everything, and that worked for you. I'm using two different app registrations, and that's how I got it working. Leaving this here in case anyone else has similar issues.

The documentation really needs to be updated, as it is quite misleading, making it seem like you need to create a second app registration for the bot to use for authentication. Thank you for all of your help! Much appreciated.
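
The manifests posted in this thread can be compared mechanically. The check below is an added example, not code from the thread or the sample repository; its function names are hypothetical, and the rule it applies (the GUID in webApplicationInfo.resource must match a botId, while webApplicationInfo.id may be a separate app registration) is inferred from the two manifests reported as working above, not taken from the Teams schema.

```python
import json
import re

GUID = r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}"
RESOURCE_RE = re.compile(rf"^api://botid-({GUID})$")


def lint_sso_manifest(manifest: dict) -> list:
    """Return findings for the SSO-related fields of a Teams app manifest."""
    findings = []
    bot_ids = {b.get("botId", "").lower() for b in manifest.get("bots", [])}
    web_app = manifest.get("webApplicationInfo")
    if web_app is None:
        return ["webApplicationInfo is missing (the SSO manifest needs it)"]
    # id may be the bot's app ID or a second app registration; only its shape is checked.
    if not re.fullmatch(GUID, web_app.get("id", "")):
        findings.append("webApplicationInfo.id is not a GUID")
    match = RESOURCE_RE.match(web_app.get("resource", ""))
    if match is None:
        findings.append("webApplicationInfo.resource is not api://botid-<GUID>")
    elif match.group(1).lower() not in bot_ids:
        findings.append(
            f"webApplicationInfo.resource names app {match.group(1)}, "
            "which is not a botId in this manifest"
        )
    if "token.botframework.com" not in manifest.get("validDomains", []):
        findings.append("validDomains lacks token.botframework.com")
    return findings


def manifest_for(bot_id: str, sso_app_id: str, resource_app_id: str) -> dict:
    """Build a minimal manifest holding only the fields this check reads."""
    return {
        "bots": [{"botId": bot_id, "scopes": ["personal"]}],
        "webApplicationInfo": {
            "id": sso_app_id,
            "resource": f"api://botid-{resource_app_id}",
        },
        "validDomains": ["token.botframework.com", "*.ngrok.io"],
    }


BOT = "1c8e62fb-f574-4726-8173-4577eac509d8"   # bot app ID quoted in the thread
AUTH = "dedf8af6-e544-4d5a-9576-a701fc385aa2"  # second app registration quoted in the thread

if __name__ == "__main__":
    for label, m in [("first attempt", manifest_for(BOT, AUTH, AUTH)),
                     ("final working", manifest_for(BOT, AUTH, BOT))]:
        print(label, json.dumps(lint_sso_manifest(m), indent=2))
```

The first manifest posted in the thread yields one finding (resource points at the auth app rather than the bot); the final combination and the single-registration manifest both pass.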