From 46ac3ed393e5884b10b591080dc37be8c04f89a4 Mon Sep 17 00:00:00 2001 From: rentu <5545529+SLdragon@users.noreply.github.com> Date: Mon, 13 Mar 2023 08:17:01 +0000 Subject: [PATCH] docs: add note for auth code flow limitations on mobile (#721) Co-authored-by: turenlong --- graph-toolkit-contact-exporter/README.md | 6 ++++++ hello-world-tab/README.md | 7 +++++++ 2 files changed, 13 insertions(+) diff --git a/graph-toolkit-contact-exporter/README.md b/graph-toolkit-contact-exporter/README.md index e232ebde..892d572b 100644 --- a/graph-toolkit-contact-exporter/README.md +++ b/graph-toolkit-contact-exporter/README.md 
@@ -13,6 +13,12 @@ Contact Exporter sample APP provides an easy way to export your teams contact in - A Microsoft 365 account. If you do not have Microsoft 365 account, apply one from [Microsoft 365 developer program](https://developer.microsoft.com/en-us/microsoft-365/dev-program) - Latest [Teams Toolkit Visual Studio Code Extension](https://aka.ms/teams-toolkit) +## Note +- This template has adopted [Authorization Code Flow](https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow) to implement SSO. There's a known limitation with mobile platforms such as iOS and a few Android versions where users have to sign in again as the state was not stored due to [third party cookie being blocked by the browser](https://webkit.org/blog/10218/full-third-party-cookie-blocking-and-more). + +- Due to system webview limitations, users in the tenant with conditional access policies applied cannot consent permissions when conduct an OAuth flow within the Teams mobile clients, it would show error: "xxx requires you to secure this device...". + +To achieve full SSO experience, we will recommend you to implement OBO flow to pass your token to a server. See more [here](https://learn.microsoft.com/en-us/microsoftteams/platform/tabs/how-to/authentication/tab-sso-code#pass-the-access-token-to-server-side-code). ## What you will learn in this sample: - How to use TeamsFx to build frontend hosting on Azure for your tab app. diff --git a/hello-world-tab/README.md b/hello-world-tab/README.md index 04a5fa1f..0a53b756 100644 --- a/hello-world-tab/README.md +++ b/hello-world-tab/README.md 
@@ -17,6 +17,13 @@ Hello World Tab shows you how to build a tab app and how to get user login infor - A Microsoft 365 account. If you do not have Microsoft 365 account, apply one from [Microsoft 365 developer program](https://developer.microsoft.com/en-us/microsoft-365/dev-program) - [Teams Toolkit Visual Studio Code Extension](https://aka.ms/teams-toolkit) or [TeamsFx CLI](https://aka.ms/teamsfx-cli) +## Note +- This template has adopted [Authorization Code Flow](https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow) to implement SSO. There's a known limitation with mobile platforms such as iOS and a few Android versions where users have to sign in again as the state was not stored due to [third party cookie being blocked by the browser](https://webkit.org/blog/10218/full-third-party-cookie-blocking-and-more). + +- Due to system webview limitations, users in the tenant with conditional access policies applied cannot consent permissions when conduct an OAuth flow within the Teams mobile clients, it would show error: "xxx requires you to secure this device...". + +To achieve full SSO experience, we will recommend you to implement OBO flow to pass your token to a server. See more [here](https://learn.microsoft.com/en-us/microsoftteams/platform/tabs/how-to/authentication/tab-sso-code#pass-the-access-token-to-server-side-code). + ## What you will learn in this sample: - How to use TeamsFx to build frontend hosting on Azure for your tab app.
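Review bot: In the graph-toolkit-contact-exporter/README.md hunk, the last added paragraph ("To achieve full SSO experience, ...") is followed directly by the existing "## What you will learn in this sample:" heading with no added blank line. The diffstat shows 6 insertions for this file against 7 for hello-world-tab/README.md, where that blank line is present. Add an empty "+" line after the paragraph so the two READMEs match and the heading does not depend on how a Markdown renderer treats a heading that immediately follows a paragraph. While touching this note, the second bullet would read better as "cannot consent to permissions when conducting an OAuth flow within the Teams mobile clients; the client shows the error ...", and the "xxx" in the quoted error should be identified as a placeholder for the app or resource name.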
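Review bot: In the hello-world-tab/README.md hunk, the closing sentence "we will recommend you to implement OBO flow to pass your token to a server" uses "OBO" without expanding it and does not say which of the two limitations listed above it is meant to resolve (the repeated sign-in caused by third-party cookie blocking, the conditional access consent error, or both). Spell out "On-Behalf-Of (OBO) flow" on first use and state which limitation it addresses, so readers in tenants with conditional access policies know whether the recommendation applies to them. Two smaller points in the same hunk: the Authorization Code Flow link uses docs.microsoft.com while the tab SSO link uses learn.microsoft.com, so pick one host for consistency, and replace the link text "here" with a descriptive label such as the title of the linked section. The same wording is duplicated in the other README, so any fix should be applied to both.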