[Dev support]: Issue implementing SSO for teams-ai bot #2183

Open
c-nielson opened this issue Nov 13, 2024 · 8 comments
Labels
dev support Dev support tracking

Comments

@c-nielson

Hello, I'm having an issue implementing SSO authentication using Azure for my Teams AI bot.

I've set up both the bot and the app registration on Azure following documentation, and have set the Application ID URI to "api://botid-{appid}", and used this URI as the Token Exchange URL for my OAuth Connection in the bot configuration.
When I click "Test Connection" for the OAuth Connection it succeeds and I receive my token. However, when I run my bot locally and attempt to authenticate, I receive a 501 response in ngrok with the exact details in microsoft/botbuilder-dotnet#6824:

{
    "name": "signin/failure",
    "type": "invoke",
    "value": {
        "code": "resourcematchfailed",
        "message": "Resource match failed"
    }
}

Any suggestions or information on further troubleshooting would be appreciated.

@c-nielson c-nielson added the dev support Dev support tracking label Nov 13, 2024
@Nivedipa-MSFT

@c-nielson - Thank you for your inquiry about your Teams app development issue!
The "Resource match failed" error usually means there's a mismatch between the resource you're trying to access and your Azure app registration or bot settings. Here are some things to check:

  1. Make sure the Application ID URI in your Azure app registration matches exactly with the one used in your bot's OAuth connection. It should be in the format api://botid-{appid}.
  2. Verify that the Token Exchange URL in your OAuth connection settings is set to https://token.botframework.com/.auth/web/redirect.
  3. Ensure your Teams app manifest file includes the correct webApplicationInfo section. This section should have the id set to your Azure AD app ID and the resource set to your Application ID URI.
  4. Check that the necessary permissions and scopes are granted in your Azure app registration. This includes permissions for Microsoft Graph and any other APIs your bot needs to access.
  5. Ensure the redirect URI is correctly configured in your Azure app registration. For bots, this typically includes the URL where your bot is hosted, such as https://<your_ngrok_domain>/api/messages.
  6. Verify that ngrok is running correctly and forwarding requests to your local bot. Ensure the ngrok URL is correctly set in your bot's configuration.

Let me know if you need more help.

@asith-w

asith-w commented Nov 14, 2024

Based on my experience, it doesn't always work consistently, even with the correct configuration—some tenants encounter issues. Occasionally, it works with both configurations, such as api://{appid} (without the botid- prefix).

So..
After consent is granted, it seems any format like api://botid-{appid} or api://{appid} is accepted.
However, once the /signout command is executed, this behavior changes. In my case, after signing out, it stopped working across all tenants, resulting in a "signin/failure" error and causing the authentication popup button to stop appearing.

@c-nielson
Author

c-nielson commented Nov 14, 2024

Thanks for the response @Nivedipa-MSFT ! I followed these steps:

  1. App ID URI matches Token Exchange URL in OAuth Connection Setting (api://botid-{app_id})
  2. When Token Exchange URL is set to https://token.botframework.com/.auth/web/redirect the Test Connection fails, saying the redirect requested doesn't match what is configured.
  3. Added webApplicationInfo with "id": "{app_id}" and "resource": "api://{bot_domain}/{app_id}"
  4. Permissions set up correctly; currently just using openid scope, with client IDs for Teams and web added (5e3ce6c0-2b1f-4285-8d4b-75ee78787346 and 1fec8e78-bce4-4aaf-ab1b-5451cc387264)
  5. Web Redirect URI in app reg set to https://token.botframework.com/.auth/web/redirect
  6. ngrok running correctly; can send messages to bot and receive responses.

With these updated settings I still receive the same 501 response. If I change the manifest in step 3 to have a resource of the App ID URI (api://botid-{app_id}) I instead receive no response.

Do any of these settings stand out as incorrect?
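The thread keeps comparing the same three places (Azure app registration, the OAuth connection's Token Exchange URL, and the manifest's webApplicationInfo). The following is an added example, not teams-ai or Bot Framework code: it cross-checks those values for the mismatches that surface as "resourcematchfailed". The `api://{fqdn}/botid-{appid}` shape and the placeholder GUID are assumptions; the two Teams client IDs are the ones quoted in the reply above.

```python
import re

# Added example, not teams-ai or Bot Framework code: cross-checks the three places
# the thread compares (Azure app registration, OAuth connection, Teams manifest).
GUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
# Accepted Application ID URI shapes for a Teams bot: api://botid-{appid} or
# api://{fqdn}/botid-{appid}; the second form is an assumption, not from the thread.
APP_ID_URI = re.compile(rf"^api://(?:[a-z0-9.-]+/)?botid-(?P<appid>{GUID})$", re.I)
# Teams client application IDs quoted in the thread (must be pre-authorized).
TEAMS_CLIENT_IDS = {
    "5e3ce6c0-2b1f-4285-8d4b-75ee78787346",
    "1fec8e78-bce4-4aaf-ab1b-5451cc387264",
}

def check_sso_config(app_id, app_id_uri, token_exchange_url, manifest, authorized_clients):
    """Return a list of mismatches likely to surface as 'resourcematchfailed'."""
    findings = []
    if not re.fullmatch(GUID, app_id, re.I):
        findings.append("app_id is not a GUID")
    m = APP_ID_URI.match(app_id_uri)
    if m is None:
        findings.append(f"Application ID URI {app_id_uri!r} is not api://botid-{{appid}}")
    elif m.group("appid").lower() != app_id.lower():
        findings.append("GUID inside Application ID URI differs from app_id")
    if token_exchange_url != app_id_uri:
        findings.append("OAuth connection Token Exchange URL != Application ID URI")
    wai = manifest.get("webApplicationInfo", {})
    if wai.get("id", "").lower() != app_id.lower():
        findings.append("manifest webApplicationInfo.id != app_id")
    if wai.get("resource") != app_id_uri:
        findings.append(f"manifest webApplicationInfo.resource {wai.get('resource')!r} != Application ID URI")
    missing = TEAMS_CLIENT_IDS - {c.lower() for c in authorized_clients}
    if missing:
        findings.append(f"Teams client(s) not pre-authorized: {sorted(missing)}")
    return findings

# Constructed sample mirroring the thread: the manifest resource uses
# api://{domain}/{appid} while the URI and exchange URL use api://botid-{appid}.
APP_ID = "00000000-0000-0000-0000-000000000001"  # placeholder GUID, not a real app
URI = f"api://botid-{APP_ID}"

def sample_mismatched():
    return check_sso_config(APP_ID, URI, URI,
        {"webApplicationInfo": {"id": APP_ID, "resource": f"api://bot.example.com/{APP_ID}"}},
        TEAMS_CLIENT_IDS)

def sample_consistent():
    return check_sso_config(APP_ID, URI, URI,
        {"webApplicationInfo": {"id": APP_ID, "resource": URI}}, TEAMS_CLIENT_IDS)

if __name__ == "__main__":
    for f in sample_mismatched():
        print("MISMATCH:", f)
```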

@Nivedipa-MSFT

@c-nielson - Could you please refer to the Microsoft documentation on enabling SSO for Teams bots for detailed steps and troubleshooting tips.

@jamiesun
Contributor

jamiesun commented Nov 20, 2024

> Based on my experience, it doesn't always work consistently, even with the correct configuration—some tenants encounter issues. Occasionally, it works with both configurations, such as api://{appid} (without the botid- prefix).
>
> So.. After consent is granted, it seems any format like api://botid-{appid} or api://{appid} is accepted. However, once the /signout command is executed, this behavior changes. In my case, after signing out, it stopped working across all tenants, resulting in a "signin/failure" error and causing the authentication popup button to stop appearing.

I had the exact same problem.

This issue has been stuck for more than 3 months, and my app still can't enable SSO. I want to get attention.

@jamiesun
Contributor

2024-11-20 16:15:13,978 - msrest.universal_http - DEBUG - Configuring redirects: allow=True, max=30
2024-11-20 16:15:13,978 - msrest.universal_http - DEBUG - Configuring request: timeout=100, verify=True, cert=None
2024-11-20 16:15:13,978 - msrest.universal_http - DEBUG - Configuring proxies: ''
2024-11-20 16:15:13,978 - msrest.universal_http - DEBUG - Evaluate proxies against ENV settings: True
2024-11-20 16:15:13,985 - urllib3.util.retry - DEBUG - Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
2024-11-20 16:15:13,985 - msal.authority - DEBUG - Initializing with Entra authority: https://login.microsoftonline.com/botframework.com
2024-11-20 16:15:13,996 - urllib3.connectionpool - DEBUG - Starting new HTTPS connection (1): api.botframework.com:443
2024-11-20 16:15:13,997 - urllib3.connectionpool - DEBUG - Starting new HTTPS connection (1): login.microsoftonline.com:443
2024-11-20 16:15:14,713 - urllib3.connectionpool - DEBUG - https://api.botframework.com:443 "GET /api/usertoken/GetToken?userId=29%3A1ijhDKMQAr8J9fBeWlIzYbfZxRr3****************72Y50mUVipYBZEPD7B482EbuA&connectionName=graph-connection&channelId=msteams&code=&api-version=token HTTP/11" 404 0
2024-11-20 16:15:14,898 - urllib3.connectionpool - DEBUG - https://login.microsoftonline.com:443 "GET /botframework.com/v2.0/.well-known/openid-configuration HTTP/11" 200 1753
2024-11-20 16:15:14,900 - msal.authority - DEBUG - openid_config("https://login.microsoftonline.com/botframework.com/v2.0/.well-known/openid-configuration") = {'token_endpoint': 'https://login.microsoftonline.com/d6d49420-f39b-4df7-a***************/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com/d6d49420-f39b-4df7-a***************/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/d6d49420-f39b-4df7-a***************/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/d6d49420-f39b-4df7-a***************/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/d6d49420-f39b-4df7-a***************/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/d6d49420-f39b-4df7-a***************/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/d6d49420-f39b-4df7-a***************/kerberos', 'tenant_region_scope': 'NA', 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
2024-11-20 16:15:14,900 - msal.application - DEBUG - Broker enabled? None
2024-11-20 16:15:14,900 - msal.telemetry - DEBUG - Generate or reuse correlation_id: e37e56d5-d1ba-477e-a8e2-1d14c32e15bb
2024-11-20 16:15:15,153 - urllib3.connectionpool - DEBUG - https://login.microsoftonline.com:443 "POST /d6d49420-f39b-4df7-a***************/oauth2/v2.0/token HTTP/11" 200 1269
2024-11-20 16:15:15,155 - msal.token_cache - DEBUG - event={
    "client_id": "5e3cca66-7607-4d18-b214-78bc1da2b003",
    "data": {
        "claims": null,
        "scope": [
            "https://api.botframework.com/.default"
        ]
    },
    "environment": "login.microsoftonline.com",
    "grant_type": "client_credentials",
    "params": null,
    "response": {
        "access_token": "********",
        "expires_in": 86399,
        "ext_expires_in": 86399,
        "refresh_in": 43199,
        "token_type": "Bearer"
    },
    "scope": [
        "https://api.botframework.com/.default"
    ],
    "token_endpoint": "https://login.microsoftonline.com/d6d49420-f39b-4df7-a***************/oauth2/v2.0/token"
}
2024-11-20 16:15:15,155 - msrest.universal_http - DEBUG - Configuring redirects: allow=True, max=30
2024-11-20 16:15:15,155 - msrest.universal_http - DEBUG - Configuring request: timeout=100, verify=True, cert=None
2024-11-20 16:15:15,156 - msrest.universal_http - DEBUG - Configuring proxies: ''
2024-11-20 16:15:15,156 - msrest.universal_http - DEBUG - Evaluate proxies against ENV settings: True
2024-11-20 16:15:15,160 - msal.application - DEBUG - Cache hit an AT
2024-11-20 16:15:15,160 - msal.telemetry - DEBUG - Generate or reuse correlation_id: 08b43f81-33e1-42f7-b254-87fa52b56fca
2024-11-20 16:15:15,160 - msrest.universal_http - DEBUG - Configuring redirects: allow=True, max=30
2024-11-20 16:15:15,160 - msrest.universal_http - DEBUG - Configuring request: timeout=100, verify=True, cert=None
2024-11-20 16:15:15,160 - msrest.universal_http - DEBUG - Configuring proxies: ''
2024-11-20 16:15:15,160 - msrest.universal_http - DEBUG - Evaluate proxies against ENV settings: True
2024-11-20 16:15:15,166 - urllib3.connectionpool - DEBUG - Starting new HTTPS connection (1): smba.trafficmanager.net:443
2024-11-20 16:15:15,634 - urllib3.connectionpool - DEBUG - https://smba.trafficmanager.net:443 "POST /amer/c8635901-451b-47b9-b1fc-731a8d37dc23/v3/conversations/a%3A1Aw8eyus_gH83HejtV79-AEO_HBlTu0s_AjIhdc2xPJx7l4Ti-n2p61Vl1n8SOW2X3-NIwsq-yCD2sjdP45drOjmrt7XK7***********************/activities/f%3A6b458909-27a0-5e9f-75c1-52c7672ffd4c HTTP/11" 201 22
2024-11-20 16:15:15,636 - msal.application - DEBUG - Cache hit an AT
2024-11-20 16:15:15,636 - msal.telemetry - DEBUG - Generate or reuse correlation_id: 15d78a96-a8e8-4018-b3b0-6a15f114197e
2024-11-20 16:15:15,637 - msrest.universal_http - DEBUG - Configuring redirects: allow=True, max=30
2024-11-20 16:15:15,637 - msrest.universal_http - DEBUG - Configuring request: timeout=100, verify=True, cert=None
2024-11-20 16:15:15,637 - msrest.universal_http - DEBUG - Configuring proxies: ''
2024-11-20 16:15:15,637 - msrest.universal_http - DEBUG - Evaluate proxies against ENV settings: True
2024-11-20 16:15:15,916 - urllib3.connectionpool - DEBUG - https://api.botframework.com:443 "GET /api/usertoken/GetToken?userId=29%3A1ijhDKMQAr8J9fBeWlIzYbfZxRr3HyJURB8suuBf6TuC77Jpdt4Q4c7ZUlXwIm72Y50m**************&connectionName=graph-connection&channelId=msteams&code=&api-version=token HTTP/11" 404 0
2024-11-20 16:15:15,923 - aiohttp.access - INFO - 127.0.0.1 [20/Nov/2024:16:15:10 +0800] "POST /api/messages HTTP/1.1" 501 207 "-" "Microsoft-SkypeBotApi (Microsoft-BotFramework/3.0)"
2024-11-20 16:15:15,938 - urllib3.connectionpool - DEBUG - https://smba.trafficmanager.net:443 "POST /amer/c8635901-451b-47b9-b1fc-731a8d37dc23/v3/conversations/a%3A1Aw8eyus_gH83HejtV79-AEO_HBlTu0s_AjIhdc2xPJx7l4Ti-n2p61Vl1n8SOW2X3-NIwsq-yCD2sjdP45drOjmrt7XK7***********************/activities/f%3A4918b220-a1f6-71b0-9196-af667f442dcc HTTP/11" 201 22
2024-11-20 16:15:15,941 - msal.application - DEBUG - Cache hit an AT
2024-11-20 16:15:15,942 - msal.telemetry - DEBUG - Generate or reuse correlation_id: 88b2f32f-8022-4f3f-b4c5-b4d371c434a6
2024-11-20 16:15:15,942 - msrest.universal_http - DEBUG - Configuring redirects: allow=True, max=30
2024-11-20 16:15:15,942 - msrest.universal_http - DEBUG - Configuring request: timeout=100, verify=True, cert=None
2024-11-20 16:15:15,942 - msrest.universal_http - DEBUG - Configuring proxies: ''
2024-11-20 16:15:15,942 - msrest.universal_http - DEBUG - Evaluate proxies against ENV settings: True
2024-11-20 16:15:16,237 - urllib3.connectionpool - DEBUG - https://api.botframework.com:443 "GET /api/usertoken/GetToken?userId=29%3A1ijhDKMQAr8J9fBeWlIzYbfZxRr3HyJURB8suuBf6TuC77Jpdt4Q4c7ZUlXwIm72Y50m**************&connectionName=graph-connection&channelId=msteams&code=&api-version=token HTTP/11" 404 0
2024-11-20 16:15:16,244 - aiohttp.access - INFO - 127.0.0.1 [20/Nov/2024:16:15:11 +0800] "POST /api/messages HTTP/1.1" 501 207 "-" "Microsoft-SkypeBotApi (Microsoft-BotFramework/3.0)"

Here's the log I've observed; /api/usertoken/GetToken is always 404.

Is "Cache hit an AT" related?

I'm sure my configuration is no problem, with VS Code Teams Toolkit auto-provisioning.

@jamiesun
Contributor

2024-11-21 00:55:06,977 - urllib3.connectionpool - DEBUG - Starting new HTTPS connection (1): api.botframework.com:443
2024-11-21 00:55:07,821 - urllib3.connectionpool - DEBUG - https://api.botframework.com:443 "GET /api/usertoken/GetToken?userId=29%3A1ijhDKMQAr8J9fBeWlIzYbfZxRr3HyJURB8suuBf6TuC77Jp*********EPD7B482EbuA&connectionName=graph-connection&channelId=msteams&code=&api-version=token HTTP/11" 404 0
2024-11-21 00:55:07,828 - msal.application - DEBUG - Cache hit an AT
2024-11-21 00:55:07,829 - msal.telemetry - DEBUG - Generate or reuse correlation_id: 2dd1b5bb-bd3d-407e-b550-20a2a64dc424
2024-11-21 00:55:07,829 - msrest.universal_http - DEBUG - Configuring redirects: allow=True, max=30
2024-11-21 00:55:07,830 - msrest.universal_http - DEBUG - Configuring request: timeout=100, verify=True, cert=None
2024-11-21 00:55:07,830 - msrest.universal_http - DEBUG - Configuring proxies: ''
2024-11-21 00:55:07,830 - msrest.universal_http - DEBUG - Evaluate proxies against ENV settings: True
2024-11-21 00:55:08,838 - urllib3.connectionpool - DEBUG - https://api.botframework.com:443 "POST /api/usertoken/exchange?userId=29%3A1ijhDKMQAr8J9fBeWlIzYbfZxRr3HyJURB8suuBf6TuC77Jpdt4Q*********D7B482EbuA&connectionName=graph-connection&channelId=msteams HTTP/11" 200 2122

After a lot of testing I found that I had overlooked an important issue: all of my failed cases were cross-tenant and successful when single-tenant, but my app setup made it clear that it was using multi-tenancy support, so what was missing?
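The two logs above (the failing one ending in a 501 on /api/messages, and the working one where /api/usertoken/exchange returns 200) differ only in whether the exchange call happens. The following is an added example, not code from the thread's bot: it extracts the HTTP calls from such urllib3/aiohttp debug lines and reports where the SSO flow stops. The excerpts are shortened copies of the posted lines with user IDs elided; the 404 on GetToken is read as "no token cached yet", which the working log supports.

```python
import re
from collections import Counter

# Added example, not code from the thread's bot: triages the urllib3/aiohttp debug
# lines posted above to locate where the Teams SSO flow stops.
HTTP_RE = re.compile(r'"(?P<method>GET|POST) (?P<path>/[^ ?"]+)[^"]*" (?P<status>\d{3})')

def parse_http_calls(log_text):
    """Yield (method, path, status) for every HTTP call logged by urllib3 or aiohttp."""
    for line in log_text.splitlines():
        m = HTTP_RE.search(line)
        if m:
            yield m["method"], m["path"], int(m["status"])

def triage_sso(log_text):
    """Classify the sign-in flow from token-service and /api/messages status codes."""
    calls = list(parse_http_calls(log_text))
    counts = Counter((p, s) for _, p, s in calls)
    exchange = [s for _, p, s in calls if p == "/api/usertoken/exchange"]
    messages = [s for _, p, s in calls if p == "/api/messages"]
    # 404 from GetToken only means no token is cached yet for this user/connection,
    # so it is expected before the first sign-in; the exchange call is what matters.
    if exchange and exchange[-1] == 200:
        verdict = "token exchange succeeded"
    elif 501 in messages:
        verdict = "signin/failure returned to Teams; exchange never called"
    else:
        verdict = "no sign-in attempt observed"
    return {"gettoken_404": counts[("/api/usertoken/GetToken", 404)],
            "exchange_status": exchange[-1] if exchange else None,
            "verdict": verdict}

# Constructed excerpts shortened from the two logs in the thread (user IDs elided).
FAILING_LOG = """\
2024-11-20 16:15:14,713 - urllib3.connectionpool - DEBUG - https://api.botframework.com:443 "GET /api/usertoken/GetToken?userId=29%3Aelided&connectionName=graph-connection&channelId=msteams&code=&api-version=token HTTP/11" 404 0
2024-11-20 16:15:15,923 - aiohttp.access - INFO - 127.0.0.1 [20/Nov/2024:16:15:10 +0800] "POST /api/messages HTTP/1.1" 501 207 "-" "Microsoft-SkypeBotApi (Microsoft-BotFramework/3.0)"
"""
WORKING_LOG = """\
2024-11-21 00:55:07,821 - urllib3.connectionpool - DEBUG - https://api.botframework.com:443 "GET /api/usertoken/GetToken?userId=29%3Aelided&connectionName=graph-connection&channelId=msteams&code=&api-version=token HTTP/11" 404 0
2024-11-21 00:55:08,838 - urllib3.connectionpool - DEBUG - https://api.botframework.com:443 "POST /api/usertoken/exchange?userId=29%3Aelided&connectionName=graph-connection&channelId=msteams HTTP/11" 200 2122
"""

if __name__ == "__main__":
    print(triage_sso(FAILING_LOG))
    print(triage_sso(WORKING_LOG))
```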

@Nivedipa-MSFT

@c-nielson - Sample team is investigating it. We will let you know once we get any updates on it.
