-
Notifications
You must be signed in to change notification settings - Fork 195
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Upgrade from v1 to V2 sdk - getAuthToken problem #2445
Comments
Hi @dmcweeney. Thanks for providing such detailed information and code in your question! I'd like to understand a little more about the auth flow you are using in your app. If you are calling authentication.getAuthToken(), you should receive a token back directly in practically all cases (assuming the app's Microsoft Entra app registration is configured appropriately and the user has consented). There shouldn't be any need to call any of the authentication.notifySuccess() or authentication.notifyFailure() methods -- those are only used in conjunction with authentication.authenticate() when the app needs to authenticate with a 3rd party identity provider (or show a consent dialog). Can you tell me more about how the code you shared (which uses Thanks! |
Hi @AE-MS , As you say above the code kicks in when the app needs to be consented. The consent check code is:
isConsented is called by this piece of code:
The following auth-start code is called from :
And the auth-end code is listed above. The following is some of logs printed out: PC-CONFIG][ERROR][AuthService]: isConsented - getAuthToken returned error: NOTE even if I put in some delays after the authentication.authenticate returns successfully and before I call isConsented again the resourceRequiresConsent error is thrown by getAuthToken. |
Thank you for the extra detail, that helps provide more info on how your call to Just to check a few easy things first:
|
Hi @AE-MS,
I am only testing in Teams - both desktop and web and for the web both teams.microsoft.com and teams.cloud.microsoft.
Yes I'm even more confused now that I was before I started this morning. I tried earlier using my own work account in our own tenant to test this in the Teams desktop app - removed the consent permissions and waited a while etc - and it worked - getAuthToken returned a token, it went through the consent flow and when returned getAuthToken returned a token and api calls to the backend could be made. Using my own work account I tried the exact same steps through the web app - teams.microsoft.com - removed the consent permissions and waited a while etc - added the app and the consent flow worked, Using a demo account I tried the exact same steps through the web app - teams.microsoft.com - and the behavior is as documented above - getAuthToken throws a resourceRequiresConsent error before and after the consent flow! SO why would getAuthToken throw a resourceRequiresConsent error when the app is not consented for a demo tenant user but yet return a token for my work account (even though the app has not been consented). Totally confused now! |
I agree that is a confusing experience! It has me confused! 😅 Since it seems like it is specific to Teams, I've added the tags for the Teams dev support team to take a look at this. You should be hearing from them on this thread soon. FYI @Wajeed-msft |
@dmcweeney -Thanks for reporting your issue. |
Hi @sayali-MSFT, any updates or progress? |
@dmcweeney -Sorry for the delay. We are working on this from our end but are encountering some issues. We will check with the engineering team and provide you with an update |
@dmcweeney -We got the reply from engineering team, In the sample code provided by the above, you are passing |
Hi @sayali-MSFT, Thanks from passing on the response from the engineering team. I'm slightly confused though.
Agreed but this is not what we are seeing.
By resource I presume they are referring to the AAD appId specified in the webApplicationInfo.id property of the Teams app manifest? I've treble checked this and this is the app id I use for the consent flow. It also does not explain the behaviour I highlighted in the initial issue description.
So why would logging out and logging back in again result in getAuthToken() working? Also why the different behaviours when consenting with my own tenant account versus consenting with a cdx demo account? I'm more than happy to show ye folks in a demo on a Teams call if needs be. Thanks Donal |
@dmcweeney -We will discuss this internally with the team and let you know the update. |
Hi @sayali-MSFT, Thanks for the update. For the sake of completeness I tried changing the getAuthToken silent param from true to false and yes indeed Teams kicks in and asks for consent as follows: Teams asks for consent via redirect - however it only asks to consent email, profile, offline_access, and OpenId as documented here. In addition to the above permissions, our app also needs User.Read and User.ReadBasic.All permissions, so when the user tries to readd the tab app, our consent flow is started in a popup dialog. So there is definitely something relevant going on in the reload of the Teams app after the initial consent of the basic permissions. Thanks, Donal |
Hi @sayali-MSFT , wondering is there an update from engineering on this? |
Hi,
We are currently trying to upgrade as existing Teams tab app from the Teams 1.9 SDK to the 2.25 SDK.
As part of the exercise we have updated all the deprecated api calls to the new structure.
In the updated code the auth/consent flow works as before, however after the auth/consent flow completes the Teams
getAuthToken()
still returns theresourceRequiresConsent
error. I can keep repeating this loop andgetAuthToken()
will keep returningresourceRequiresConsent
.If at this point I sign out of Teams and log back in and try and readd the tab app,
getAuthToken()
will work and return the correct token for calling the backend api.The app registration has not changed - it is registered as a web application with the correct scopes, api permissions, permissions etc.
The app itself is a web app with a corresponding backend api that it uses.
Question - what or how does Teams kick into the auth flow when
authentication.notifySuccess
is called - is it relying on MSALPublicClientApplication.handleRedirectPromise
? I tried to change the code to use this in the auth start/end flow as per the samples however this is only supported in an AAD app registered as an SPA.Original auth end code that worked with 1.9 sdk:
Current code:
I also turned on Teams SDK debug logging and the
notifySuccess()
result is passed back to the Teams parent window but there are no errors or warnings logged that might shed some light on why the auth is not getting picked up.Note I have tried calling
notifySuccess()
with and without the tokens but it didn’t make any difference.I know I am missing something obvious and simple - any ideas greatly appreciated.
The text was updated successfully, but these errors were encountered: