Token Service Gives a 500 Service Error When Exchanging Token

Github issues should be used for bugs and feature requests. Use Stack Overflow for general "how-to" questions.

Version

4.22.2 DotNet C#

Describe the bug

I'm trying to set up SSO for my bot and a website.

The website is an Azure Web App that already has its own AAD Auth Set up.
The bot is hosted on Azure and also uses AAD. Auth is already working with the OAuthCard and Sign In button.

The idea is to keep users from having to authenticate 2 times, one for the website and another for the embedded bot. From what I've read with SSO I can pass the auth token that I received from the website to the bot and the bot will exchange this token for one of its own. Everything on behalf of the user.

This is what I've done so far:

Bot's App Registration

I have "Exposed an API" and created a scope: _MY_BOTSAPI/customScope
I have added the Web App Id to the list of Authorized Clients.

Bot Service

On the Configuration section I set up an OAuth 2 Connection with:
- ClientId: <Bot's Entra App Registration App Id>
- ClientSecret: <Bot's Entra App Registration App Secret>
- Authorization URL:
- Token URL:
- Refresh URL:
- Token Exchange URL: _MY_BOTS_API/CUSTOMSCOPE
- Scope: My Bot App's Scopes (openId, etc.)
Tested Connection from the portal and it works, I get a token.

Web App

I authenticate against my Web App's AAD endpoint using MSAL with SCOPE = ''_MY_BOTS_API/CUSTOMSCOPE" and get an AccessToken1. I can see that the aud claim matches the one I set on my Connection's Token Exchange URL
Using the react web chat I intercept the OAuth Card TokenExchangeResource
Reply with an Invoke TokenExchangeRequest and pass in the AccessToken1

Using the C# debugger, I can see that my bot does receive the request, however the exchange fails with a 500 error. Specifically, the error occurs at the ExchangeTokenAsync(turnContext, settings.ConnectionName, turnContext.Activity.From.Id, tokenExchangeRequest, cancellationToken) call.

Looking deeper I can see that the actual error occurs on the following REST API call: REQUEST

METHOD: POST
URI: https://api.botframework.com/api/usertoken/exchange?userId=123456&connectionName=OutlookDataGenAIBotAuthProxy&channelId=emulator
HEADERS: Authorization "Bearer "

BODY:

{
"token": <THE_ACCESS_TOKEN_FROM_MY_WEB_APP>
"uri":""
}

Which returns the following error: RESPONSE

{
  "error": {
    "code": "ServiceError",
    "message": "Unexpected error occurred during Token Exchange"
  }
}

What can be going on?

To Reproduce

Reproducing the exact thing might be tricky as it's tied to my own configuration. But following the explanation above with two other app registrations might work.

Expected behavior

I expect the TokenExchangeRequest to work, meaning the bot's OAuthCard is skipped as the user will be already authenticated.

Hi @pelanzag,

This issue could be related to a misconfiguration with SSO between the Bot and the website (WebChat). We have encountered a similar issue, when sending the token from WebChat to the Bot caused an "invalid token" error. Thus, here are the structure we used that helped us solve it and exchange the token successfully.

We used an Azure Bot, a local hosted website with WebChat, and two app registrations, one for the Azure Bot, and another one with the SSO configuration. Both Azure Bot and Website will request the token against the same SSO app registration, this allows to request the token from the Website and send it to the Bot to exchange it correctly.

Moreover, to connect the Azure Bot against the SSO app registration must be through the oAuth connection setting, filling up the SSO app registration information. Additionally, the SSO app registration must have the "Web" platform with the "token redirect".

Let us know if you have any questions.

Thanks, Joel

microsoft / botbuilder-dotnet