microsoft / teams-ai

SDK focused on building AI based applications and extensions for Microsoft Teams and other Bot Framework channels
MIT License
402 stars, 173 forks

[Bug]: User authentication - user sign in flow is stuck in a perpetual "pending" state #914

Open singhk97 opened 10 months ago

singhk97 commented 10 months ago

Describe the bug

Which user authentication flow? Bot Authentication Flow

When the bot sends a sign-in card to Teams with SSO enabled, it expects the Teams client to send a signin/tokenExchange; until then, the signUserIn method here (line 631) will always return pending and the turn will end.


Issue: If SSO is not properly configured in Azure or in the sign-in card, then it's possible that the Teams client won't even prompt the user to sign in. And this isn't communicated back to the bot.

Potential Fix: If the pending state is returned more than 3 times, then the sign-in flow should be cancelled.
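
One way to implement the "cancel after more than 3 pending results" idea from the post above, as an added example that is not teams-ai code and not from either commenter. `PendingSignInGuard`, `observe`, `replay` and the status and decision names are hypothetical, and the five-minute age limit goes beyond the post: it is an assumption added so that an attempt abandoned after one or two turns also expires.

```typescript
// Added example: not teams-ai code. Every name here is hypothetical.
type SignInStatus = "pending" | "complete" | "error";
type GuardDecision = "wait" | "cancel" | "reset";

interface PendingRecord {
  count: number;       // consecutive "pending" results for this attempt
  firstSeenMs: number; // time of the first "pending" result
}

class PendingSignInGuard {
  private readonly records = new Map<string, PendingRecord>();
  private readonly maxPending: number;
  private readonly maxAgeMs: number;

  // maxPending = 3 follows the post; maxAgeMs is an assumed extra limit.
  constructor(maxPending: number = 3, maxAgeMs: number = 5 * 60 * 1000) {
    this.maxPending = maxPending;
    this.maxAgeMs = maxAgeMs;
  }

  // key identifies one sign-in attempt, e.g. `${conversationId}:${userId}`.
  // Call once per turn with the status the sign-in step returned.
  observe(key: string, status: SignInStatus, nowMs: number = Date.now()): GuardDecision {
    if (status !== "pending") {
      this.records.delete(key); // finished or failed: forget the attempt
      return "reset";
    }
    const rec = this.records.get(key) ?? { count: 0, firstSeenMs: nowMs };
    rec.count += 1;
    const expired = nowMs - rec.firstSeenMs > this.maxAgeMs;
    if (rec.count > this.maxPending || expired) {
      // Stuck: drop the state so the next message starts a fresh attempt.
      // The caller should end the flow and tell the user sign-in never started.
      this.records.delete(key);
      return "cancel";
    }
    this.records.set(key, rec);
    return "wait";
  }
}

// Replays a constructed sequence of per-turn statuses, stepMs apart.
function replay(statuses: SignInStatus[], stepMs: number = 1000): GuardDecision[] {
  const guard = new PendingSignInGuard();
  return statuses.map((s, i) => guard.observe("conv-1:user-1", s, i * stepMs));
}
```

In a bot the record would live in per-conversation storage rather than an in-memory map, so the count survives restarts and multiple instances.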

ryanbliss commented 5 months ago

I'm hitting this issue myself. Details below.

The description says that this can happen if SSO is misconfigured in Azure. However, if I use the "Test connection" button in the Azure portal it works fine. In fact, it works fine if I use the api://botid-{BOT_ID} URI redirect, but not if I change it to use the api://{fully-qualified-domain-name}/botid-{BOT_ID} syntax that is recommended if I follow the instructions here: Configure your app in Microsoft Entra ID - Teams | Microsoft Learn

This is what I have in my AAD registration: [image]

I've triple checked that the same value is used in the Azure Bot OAuth connection and my environment variable passed to the Teams AI auth settings via:

```typescript
const app = new ApplicationBuilder<ApplicationTurnState>()
  .withStorage(storage)
  .withAuthentication(adapter, {
    autoSignIn: (context: TurnContext) => {
      // Disable auto sign in for message activities
      if (context.activity.type == ActivityTypes.Message) {
        return Promise.resolve(false);
      }
      return Promise.resolve(true);
    },
    settings: {
      graph: {
        connectionName: process.env.OAUTH_CONNECTION_NAME ?? "",
        title: "Sign in",
        text: "Please sign in to use the bot.",
        endOnInvalidMessage: true,
        tokenExchangeUri: process.env.TOKEN_EXCHANGE_URI ?? "", // this is required for SSO
        enableSso: true,
      },
    },
  })
  .build();
```

Any clue what could be going on?