How to configure OAuth auth with a multi-tenant regional bot service to make the user consent flow work?
Code snippets
```typescript
// Values from https://learn.microsoft.com/en-us/azure/bot-service/bot-builder-authentication?view=azure-bot-service-4.0&tabs=userassigned%2Caadv2%2Ccsharp#prepare-the-bot-code and https://github.com/microsoft/botbuilder-js/issues/4418
import {
    ConfigurationBotFrameworkAuthenticationOptions,
    ConfigurationServiceClientCredentialFactory
} from "botbuilder";
import { TeamsAdapter } from "@microsoft/teams-ai";

// Explicit Bot Framework auth settings for the regional (Europe) bot service
let botFrameworkAuthConfig: ConfigurationBotFrameworkAuthenticationOptions = {
    BotOpenIdMetadata: "https://login.botframework.com/v1/.well-known/openidconfiguration",
    ValidateAuthority: true,
    // Regional token service endpoints
    OAuthApiEndpoint: "https://europe.api.botframework.com",
    OAuthUrl: "https://europe.api.botframework.com",
    ToChannelFromBotOAuthScope: "https://api.botframework.com",
    ToBotFromChannelOpenIdMetadataUrl: "https://login.botframework.com/v1/.well-known/openidconfiguration",
    ToBotFromEmulatorOpenIdMetadataUrl: "https://login.microsoftonline.com/botframework.com/v2.0/.well-known/openid-configuration",
    ToBotFromChannelTokenIssuer: "https://api.botframework.com",
    ToChannelFromBotLoginUrl: "https://login.microsoftonline.com/botframework.com",
    CallerId: "urn:botframework:azure"
};

// Multi-tenant app credentials are read from the environment
const adapter = new TeamsAdapter(
    botFrameworkAuthConfig,
    new ConfigurationServiceClientCredentialFactory({
        MicrosoftAppId: process.env.BOT_ID,
        MicrosoftAppPassword: process.env.BOT_PASSWORD,
        MicrosoftAppType: 'MultiTenant'
    })
);
```
Reproduction steps
- Start from the JS b.oauth-bot sample in the 1.6.1 release.
- In the azurebot.bicep file, replace the three 'global' values with 'westeurope'
- In the index.ts file, replace the TeamsAdapter instantiation code with the code above
- Run the app in local environment (registering the app in Entra ID, deploying the regional Bot Service in Azure and running the code locally).
- In Teams, send a message to the bot
- Wait for the consent banner to appear and click on "Continue"
Expected result
The consent dialog should open to allow the user to grant consent to the requested permission (User.Read)
Result
The consent banner disappears but the consent window never appears.
Additional notes
If admin consent has already been granted for this tenant before, the authentication flow works fine with the above config (user consent flow not needed).
Please note that the user consent flow in Teams works well when running the sample with no modification (global configuration of the bot service and with an empty object passed in the TeamsAdapter constructor for the botFrameworkAuthConfig property).