Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

404 Not found when trying to use Teams SSO to get the user token #6625

Open
Aspyryan opened this issue Dec 4, 2023 · 10 comments
Open

404 Not found when trying to use Teams SSO to get the user token #6625

Aspyryan opened this issue Dec 4, 2023 · 10 comments
Labels
Area: Teams The issue is related to Teams support bug Indicates an unexpected problem or an unintended behavior. needs-triage The issue has just been created and it has not been reviewed by the team.

Comments

@Aspyryan
Copy link

Aspyryan commented Dec 4, 2023

Version

SDK Platform: C#
SDK Version: Bot Builder 4.21.0
Active Channels: Teams
Deployment Environment: Azure Bot Service

Describe the bug

404 NOT FOUND when trying to GET the user token from teams with this request:
https://api.botframework.com/api/usertoken/GetToken?userId={user-id}&connectionName=BotOAuth&channelId=msteams
When using my own id I can get a token, but my colleagues cannot, when I send them a link to "test connection" from the Azure Bot page, they can get their token perfectly fine.

Expected behavior

It should return 200 with a token, just what happens with my user-id or return a prompt to allow access?

Additional

I am using the AdapterWithErrorHandler : CloudAdapter with base.Use(new TeamsSSOTokenExchangeMiddleware(storage, configuration["ConnectionName"])); and the main code can be found below. The tokenResponse is null due to the internal request getting a 404 NOT FOUND response.

protected override async Task OnMessageActivityAsync(ITurnContext<IMessageActivity> turnContext, CancellationToken cancellationToken)
{
	var userTokenClient = turnContext.TurnState.Get<UserTokenClient>();
	var tokenResponse = await userTokenClient.GetUserTokenAsync(turnContext.Activity.From.Id, _connectionName, turnContext.Activity.ChannelId, null, cancellationToken).ConfigureAwait(false);

	if (tokenResponse == null)
	{
                // Tried this, but this should be needed when using sso?
		var oauth = new OAuthCard(text: "test", connectionName: _connectionName, new List<CardAction>()
		{
			new CardAction(type: ActionTypes.Signin, title: "test")
		});
				
		await turnContext.SendActivityAsync(MessageFactory.Attachment(oauth.ToAttachment()));
                return;
	}
        // Other code here that needs the tokenResponse
}

Azure config:
image

@Aspyryan Aspyryan added bug Indicates an unexpected problem or an unintended behavior. needs-triage The issue has just been created and it has not been reviewed by the team. labels Dec 4, 2023
@atmoraes1
Copy link

I'm having the same problem when using the Emulator, the sample codes are not working because the GetToken endpoint is returning Not Found, so it is asking for authentication on every turn.

@sandeepvootoori
Copy link

We are seeing the same issue, any pointers on what can be done to mitigate this?

@Aspyryan
Copy link
Author

@sandeepvootoori I got it fixed by asking the users to use the bot for the first time via the new teams client. The old client was the culprit

@brnowakowski
Copy link

We are having the same problem. Got any progress update?

@Aspyryan
Copy link
Author

Aspyryan commented Mar 12, 2024

@brnowakowski not had any more information from Microsoft, they said they were 'tracking' it but yea I guess nothing will happen. You need to make sure people are logged out and use the new teams client to do the authentication first.

@tracyboehrer tracyboehrer added the Area: Teams The issue is related to Teams support label Mar 19, 2024
@tomaszoida
Copy link

We seem to have the same problem.
We have based an app on this sample: Microsoft-Teams-Samples/samples/msgext-search-sso-config/csharp at main · OfficeDev/Microsoft-Teams-Samples · GitHub. In bot messages web api we are trying to get an access token based on a connection defined in Azure Bot resource. And there we have the problem, because bot framework api does not always return the token. We have two environments staging: integration and test. In integration environment the app works only for some users. On testing environment we did not manage to make it work at all.

We use the following code to get access token and the tokenResponse is sometimes null:
image

We have noticed that the code above calls the following endpoint: https://api.botframework.com/api/usertoken/GetToken?userId=29%........&connectionName=OAuthBotSettings&channelId=msteams&code=
And that endpoint either returns token with http status 200 or more often returns http status 404, which results in tokenResoponse being null. The problem occurs for some users in integration environment. The strangest thing is that even for user that gets token successfully, when we change connection name to different value, the user gets 404 response, even though the connections are literally the same with only difference in just name.

There is clearly problem with that endpoint, which never returns any specific response with 404 status code explaining what specifically was not found: user/conversation, connection or something else.

Logging in new teams client (web) does not solve the problem in my case.

@atmoraes1
Copy link

atmoraes1 commented Apr 3, 2024

@Aspyryan see if this comment by me solves your issue, some IdP deny the request if the client is marked as confidential (aka should use client secrets).

The problem is Azure Portal requires you to type in a secret, but it is not sent in the request.

In other words, IdP expects client secret but the Token Service doesn't send it. The solution is to DISABLE confidential clients when using Bot Framework OAuth2.

IMHO this library has not been receiving the attention it deserves. A lot of issues are ignored.

@Aspyryan
Copy link
Author

Aspyryan commented Sep 6, 2024

@atmoraes1 How would I Disable the confidential clients? It stopped working again :/

@screwdrivercx
Copy link

I've been struggling with this same issue for weeks on Nodejs SDK. Does anyone have any update or possible solution?

@atmoraes1 I tried to enable Allow public client flows on the app registration and still not able to get some users' tokens. Could you please provide the steps to disable confidential clients?

@nilzlzh
Copy link

nilzlzh commented Dec 18, 2024

i got the the same error,dose anyone have some solution?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Area: Teams The issue is related to Teams support bug Indicates an unexpected problem or an unintended behavior. needs-triage The issue has just been created and it has not been reviewed by the team.
Projects
None yet
Development

No branches or pull requests

8 participants