Initial OIDC call fails for SSO MS Teams Bot app #1528

Open
cbelsole opened this issue Jan 15, 2025 · 12 comments

@cbelsole

I am using MS teams to hook up SSO to Frontegg. The initial OIDC request fails with the response:

{
  "id": "67872f4a3926f95b946143b6",
  "type": "oidc_token.exchange.failed",
  "payload": {
    "reasons": [
      "Client ID and ClientSecret are missing"
    ],
    "type": "authorization_code"
  },
  "actor": {
    "type": "anonymous"
  },
  "timestamp": "2025-01-15T03:45:14.520Z",
  "vendorId": "3f0131df-cfc5-4d89-87c8-641a05ec740c",
  "traceId": "54016bfc67cea5bc29499272695147bc",
  "summary": {
    "action": "OIDC token exchange failed",
    "description": "OIDC token exchange failed"
  },
  "status": "error",
  "httpContext": {
    "url": "http://localhost:4000",
    "ip": "20.42.0.65"
  }
}

App ID: f84031e8-31e4-4935-8af3-bba93dcb3d61

I am using the Oauth 2 Generic Provider to create the connection.

After the initial failure, the app tries to get a refresh token and fails with the response:

{
    "error": "invalid_resource",
    "error_description": "AADSTS500011: The resource principal named api://botid-f84031e8-31e4-4935-8af3-bba93dcb3d61 was not found in the tenant named Trunk Tools. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant. Trace ID: 744ac688-2013-4c81-bdde-94884370ff00 Correlation ID: 064595b0-d09c-4225-aa82-fd7157ef9077 Timestamp: 2025-01-14 17:53:37Z",
    "error_codes": [
        500011
    ],
    "timestamp": "2025-01-14 17:53:37Z",
    "trace_id": "744ac688-2013-4c81-bdde-94884370ff00",
    "correlation_id": "064595b0-d09c-4225-aa82-fd7157ef9077",
    "error_uri": "https://login.microsoftonline.com/error?code=500011"
}

I was able to recreate the issue with this sample.

@sayali-MSFT
Collaborator

@cbelsole, Thank you for your inquiry about your Teams app development issue!

We are checking the issue. We will get back to you shortly.

@sayali-MSFT
Collaborator

Hello @cbelsole, Could you kindly verify whether the application with the ID botid-f84031e8-31e4-4935-8af3-bba93dcb3d61 is properly registered in the tenant?
Additionally, could you confirm that the identifier api://botid-f84031e8-31e4-4935-8af3-bba93dcb3d61 has been correctly set in the application manifest, as shown below?


"webApplicationInfo": {
  "id": "${{AAD_APP_CLIENT_ID}}",
  "resource": "api://botid-${{AAD_APP_CLIENT_ID}}"
}

Furthermore, if you are using a third-party app, please ensure that the Client ID and Client Secret for the third-party app are correctly configured. Could you confirm this as well?

@cbelsole
Author

@sayali-MSFT What do you mean by "properly registered in the tenant"?

The webApplicationInfo is correct. If I change it, it raises a resource error, and when I put it back the error is resolved.

I confirmed that the client id and secret are correctly configured.

Can you share the raw requests you are sending to the OIDC endpoint?

@cbelsole
Author

I set up Ngrok connections for the connection parameters on the Azure bot connection page so I could inspect the requests, and the test connection workflow worked. When I sent a message to the Teams application in the web app, it didn't look like it was firing off the OAuth calls. This makes sense because the tokenExchange action does not seem to be firing correctly.

Image

@cbelsole
Author

What part of teams fires off the signin/tokenExchange action?

@cbelsole
Author

I have gotten past my original error. I needed to pass the client secret and id on the token URL. Now the OAuth flow is triggering, but it is never completing. I tracked this down to the continueDialogue function in the dialogueContext which only continues if there is an active dialogue. This value is always undefined. Any advice for holding onto dialogue state?

@sayali-MSFT
Collaborator

What part of teams fires off the signin/tokenExchange action?

The Teams client is responsible for firing off the signin/tokenExchange action during the SSO (Single Sign-On) process for Adaptive Cards Universal Actions in a bot. The Teams client processes the tokenExchangeResource value and uses the Teams client token to obtain an on-behalf-of token or exchangeable token from Microsoft Entra ID.

Reference document: https://learn.microsoft.com/en-us/microsoftteams/platform/task-modules-and-cards/cards/Universal-actions-for-adaptive-cards/sso-adaptive-cards-universal-action#add-code-to-handle-an-access-token

I have gotten past my original error. I needed to pass the client secret and id on the token URL. Now the OAuth flow is triggering, but it is never completing. I tracked this down to the continueDialogue function in the dialogueContext which only continues if there is an active dialogue. This value is always undefined. Any advice for holding onto dialogue state?

We will check this with internal team and let you know the update.

@cbelsole
Author

@sayali-MSFT Any update on this?

@sayali-MSFT
Collaborator

@cbelsole - Just wanted to inform you that the internal team is working on this issue, and we are tracking it closely.
Once we get any update on it, we will inform you accordingly.

@cbelsole
Author

@sayali-MSFT I think I resolved my issue so I can start the token exchange flow. There was a key called identifierUris in the app manifest I had to add the prefix botid- to. Now I am facing another issue when we get the token exchange action the user token client gives us an error message saying authorization url template should point to https://login.microsoftonline.com. Our authorization is hosted by Frontegg at https://xxx.us.frontegg.com/oauth/authorize. Is there a way to override this config?

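The two configuration invariants that surfaced in this thread (webApplicationInfo.resource in the Teams manifest in the form api://botid-<app id>, and the same botid- prefixed identifier URI present on the Entra app registration's identifierUris) can be cross-checked mechanically before a deployment. The following is an added example, not code from this issue or from Microsoft's Teams samples: the manifest and registration objects are constructed, the client id is a placeholder, and the registration field names (appId, identifierUris) are assumed to follow the Graph "application" object.

```javascript
// Added example (not code from this issue or from Microsoft's Teams samples): cross-check
// the SSO wiring between a Teams app manifest and the Entra app registration it points at.
// Every object below is constructed; the client id is a placeholder, and the registration
// fields (appId, identifierUris) are assumed to follow the Graph "application" object.

const PLACEHOLDER_CLIENT_ID = "00000000-0000-0000-0000-000000000000";

// Expected resource identifier for a Teams bot SSO app (form shown in the thread).
function expectedBotResource(clientId) {
  return `api://botid-${clientId}`;
}

// Returns a list of human-readable problems; an empty list means the wiring is consistent.
function checkSsoConfig(manifest, registration) {
  const problems = [];
  const info = manifest && manifest.webApplicationInfo;
  if (!info || typeof info.id !== "string" || typeof info.resource !== "string") {
    problems.push("manifest is missing webApplicationInfo.id / webApplicationInfo.resource");
    return problems;
  }
  const want = expectedBotResource(info.id);

  if (info.id !== registration.appId) {
    problems.push(`webApplicationInfo.id ${info.id} does not match app registration appId ${registration.appId}`);
  }
  if (info.resource !== want) {
    problems.push(`webApplicationInfo.resource is ${info.resource}, expected ${want}`);
  }
  const uris = Array.isArray(registration.identifierUris) ? registration.identifierUris : [];
  if (!uris.includes(want)) {
    // This is the mismatch reported in the thread: without the botid- prefixed identifier
    // URI on the registration, the tenant has no matching resource principal to hand back.
    problems.push(`identifierUris ${JSON.stringify(uris)} does not include ${want}`);
  }
  return problems;
}

// Same check over the raw JSON documents, so it can be run against exported files.
function checkSsoConfigJson(manifestJson, registrationJson) {
  return checkSsoConfig(JSON.parse(manifestJson), JSON.parse(registrationJson));
}

// Constructed inputs: a correct pair, and a registration missing the botid- prefix.
const sampleManifest = {
  webApplicationInfo: {
    id: PLACEHOLDER_CLIENT_ID,
    resource: expectedBotResource(PLACEHOLDER_CLIENT_ID),
  },
};
const sampleRegistrationOk = {
  appId: PLACEHOLDER_CLIENT_ID,
  identifierUris: [expectedBotResource(PLACEHOLDER_CLIENT_ID)],
};
const sampleRegistrationNoPrefix = {
  appId: PLACEHOLDER_CLIENT_ID,
  identifierUris: [`api://${PLACEHOLDER_CLIENT_ID}`],
};

console.log("consistent pair:", checkSsoConfig(sampleManifest, sampleRegistrationOk));
console.log("missing botid- prefix:", checkSsoConfig(sampleManifest, sampleRegistrationNoPrefix));
```

Run it against the exported manifest.json and the app registration as returned by Graph (or the Entra portal's manifest view) to catch the id, resource and identifierUris mismatches in one pass rather than by trial and error against AADSTS500011 responses.
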
@mattpardee

@sayali-MSFT to add to Chris' last comment, it seems like every part of the process that happens between Microsoft and Frontegg works correctly because:

  1. There are no errors between the user authenticating with Frontegg and the handoff between Frontegg and going back to Teams
  2. The signin/tokenExchange message is sent to our servers after [1]

Per [2], our understanding based on this document is that this tokenExchange message is meant to swap Microsoft's initial token with another one that is retained on our servers for further interactions with the user, such as sending a message from our servers back to the Teams user interacting with our bot.

  1. Is this correct?
  2. Why does there need to be a swap at all?

The problem we're experiencing is that after this whole process of auth'ing with Frontegg, receiving the signin/tokenExchange message which the TeamsSSOTokenExchangeMiddleware handles, another sign in request is still sent back to the user.

Image

The error that Chris identified above from the official middleware is a smell that something is off here, as we're dubious that Teams isn't properly handling this 3rd party OAuth scenario. But we have quintuple checked our configurations, spun up new configurations based on official documentation, followed the sample code provided, and the "Test Connection" functionality in the Azure OAuth config panel properly returns a token as you observed during our call.

We're really at a loss here. Can you investigate our configurations again to see if something is off from the official documentation or provide any further guidance with known working 3rd-party OAuth Teams sample code? Appreciate the help here.

@sayali-MSFT
Collaborator

Hello @mattpardee, Thank you for sharing the detailed information. We will review this with our internal team and provide you with an update shortly.
