
I am building a Teams app which is using a non-AAD based service to authenticate. I would like to get the Teams icon in my configurable tab. What are the options I have? I cannot register an app, as the Teams app is going to be deployed on different tenants. Can I use microsoftTeams.authentication.getAuthToken for the Graph API (/teams/${teamsid}/photo/$value) without registering an app but on behalf of the user? Or is there any easier way to get the Teams icon?

```typescript
import * as microsoftTeams from "@microsoft/teams-js";
import axios from "axios";

// apiConfig.endpoint and functionName are the app's own settings (not shown in the question)
declare const apiConfig: { endpoint: string };
declare const functionName: string;

const authTokenRequest: microsoftTeams.authentication.AuthTokenRequest = {
  // successCallback must be async because it awaits the axios call
  successCallback: async function (token: string) {
    //const decoded: { [key: string]: any; } = jwt.decode(token);
    //localStorage.setItem("name", decoded.name);
    localStorage.setItem("token", token);
    // Send the Teams SSO token to the backend. The original header value
    // "Bearer " + accessToken?.token || "" always evaluated to "Bearer undefined".
    const response = await axios.get(apiConfig.endpoint + "/api/" + functionName, {
      headers: {
        authorization: "Bearer " + token,
      },
    });
    return response.data;
  },
  failureCallback: function (error: any) {
    console.log("Failure on getAuthToken: " + error);
  }
};
microsoftTeams.initialize(() => {
  microsoftTeams.getContext((r) => {
    microsoftTeams.authentication.getAuthToken(authTokenRequest);
  });
});
```

Through this I get the below error: Attempting to handle auth response: error:invalid_resource|AADSTS500011: The resource principal named api://xxxxx/botid-xxxx was not found in the tenant named xxxx. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant., resource:api://xxxxx/botid-xxxx, error mapped to action:resourceDisabled

user25879
  • Could you please confirm if the below answer solved your query? – Meghana-MSFT Nov 30 '21 at 12:16
  • @Meghana-MSFT, NO, I already have an Identity Provider. Registering an app on AD and asking the user for the credentials again is not ideal. Is there any silent authentication which takes the current user authentication after giving the admin consent? I uploaded my package on the Teams App Catalog and it is granted admin consent also. But I get the above error. – user25879 Dec 01 '21 at 15:50
  • Admin consent should be granted to calling the Graph API to get the icon. From what it looks like, you are not even requesting Graph API access (in your application registration). You CANNOT call the Graph API with the token you get from Teams. You need to trade this token for another access token using the on-behalf-of flow. Check the link below. – Nikolay Dec 01 '21 at 23:28
  • Yeah, I am first trying to get the access token. As soon as my code hits getAuthToken, I see a screen pop up for consent and when I click continue I see the above error. I got some idea where possibly I can improve my solution. I will try it out and will update here. – user25879 Dec 02 '21 at 08:20
  • For this to work, you need your app registered. In azure AD. There is no other way AFAIK. – Nikolay Dec 02 '21 at 09:40

1 Answer

You must have your app registered to be able to use graph API. It is absolutely no problem that the app will be installed on a different tenant, you just need to select "multitenant" option when registering the app to enable this scenario.

As far as I understand, logo pictures / icons are considered company data, so you need user consent to get it. For this reason, the app needs to be registered, and the user (or user admin) must agree to give the app access to the team info when adding your app.

Nikolay
  • I already have authentication through a different Identity Provider. Is there any way through which I don't need to ask the user to log in again to get an access token for Graph? I added code to my question, but that gives me an error. See the original post. – user25879 Dec 01 '21 at 15:41
  • It is perfectly possible using single-sign-on in teams (SSO). You must have your application registered, even if it is admin who is giving the consent. And when registering, you need to state that your app wants teams profile (icon). Then, when admin consents, he will consent to this and not to sign-in. Read more about SSO: https://learn.microsoft.com/en-us/microsoftteams/platform/tabs/how-to/authentication/auth-aad-sso. The second step is to implement on-behalf-of flow. Please check the article in the above link. But it all works 100% without user having to log in explicitly. – Nikolay Dec 01 '21 at 23:22
  • I read this document, but it says at the end: **Non-AAD authentication The above-described authentication solution only works for apps and services that support AAD as an identity provider. Apps that want to authenticate using non-AAD based services must continue using the pop-up-based web authentication flow.** – user25879 Dec 02 '21 at 08:07
  • Yes, this is correct. In your case (if using this schema) the user will be authenticated twice - the first time using your custom authentication in your application, and the second time using single-sign-on in teams and azure ad. But since the second time the authentication is silent, he should not notice it. In general, if you are developing app for teams, it does not make much sense to have custom authentication, since all users are already authenticated by teams. – Nikolay Dec 02 '21 at 09:11
  • So if I understand correctly, I need to call authentication twice in this case: ``` function HandleLogin(){ //Non AAD microsoftTeams.authentication.authenticate({ url: window.location.origin + `/auth-start.html?loginUrl=${auth.getLoginUrl()}&ClientId=${auth.clientId}&RedURi=${auth.redirectUri}`, successCallback: function (result) { .... }, failureCallback: function (reason) { } }); //Here goes the Silent authentication for AD microsoftTeams.authentication.authenticate({..............}) } ``` – user25879 Dec 02 '21 at 09:29
  • In the scenario I'm talking about (single-sign-on) you don't need to call anything client side. You just use the token given you by teams. I mean, you don't need any login page. Your user is already authenticated by teams. – Nikolay Dec 02 '21 at 09:31
  • I am checking all settings at my Teams app - app registration settings. I see some localhost entries over there. I don't see that error anymore. I guess the localhost entries were the ones causing issues. I will further try to get the Teams icon. Thank you so much guys for all your help. – user25879 Dec 02 '21 at 10:29
  • I don't see that option. – user25879 Dec 13 '21 at 15:42
  • @user25879 - Please check this thread - https://meta.stackexchange.com/questions/5234/how-does-accepting-an-answer-work – Meghana-MSFT Dec 14 '21 at 09:15
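The flow Nikolay outlines above (Teams SSO token on the client, on-behalf-of exchange on the server, then Graph), as an added server-side example that is not part of the question or the answer: the SSO token's audience and tenant are checked before it is exchanged, the OBO request is built against the token's own tenant so one multitenant registration works unchanged, and the team photo is fetched with the resulting Graph token. FetchLike, AppConfig, sampleSsoToken and the choice of the Team.ReadBasic.All scope are assumptions; fetch is injected so the exchange can be exercised offline.

```typescript
// Added example, not the post's code: server side of Teams SSO + on-behalf-of exchange.
type FetchInit = { method?: string; headers?: Record<string, string>; body?: string };
type FetchLike = (url: string, init?: FetchInit) =>
  Promise<{ ok: boolean; status: number; json(): Promise<any>; arrayBuffer(): Promise<ArrayBuffer> }>;
interface AppConfig { clientId: string; clientSecret: string; appIdUri: string }
// Decode a JWT payload WITHOUT checking the signature. Verify the signature against the
// tenant's signing keys (e.g. with a JOSE library) before trusting these claims.
export function decodePayload(jwt: string): Record<string, any> {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a JWT");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}
// Teams mints the SSO token for this app (aud is the client id or the App ID URI,
// depending on the registration) in the user's home tenant (tid); refuse anything else.
export function checkSsoToken(token: string, cfg: AppConfig): { ok: boolean; tid: string } {
  const p = decodePayload(token);
  const audOk = p.aud === cfg.clientId || p.aud === cfg.appIdUri;
  const tid = typeof p.tid === "string" ? p.tid : "";
  return { ok: audOk && tid !== "", tid };
}
// v2.0 on-behalf-of request: the SSO token is the assertion, and the tenant comes from
// the token itself so one multitenant registration serves every tenant.
export function buildOboRequest(cfg: AppConfig, ssoToken: string, tid: string, scope: string) {
  const body = new URLSearchParams({
    grant_type: "urn:ietf:params:oauth:grant-type:jwt-bearer", client_id: cfg.clientId,
    client_secret: cfg.clientSecret, assertion: ssoToken, scope, requested_token_use: "on_behalf_of",
  });
  return { url: `https://login.microsoftonline.com/${tid}/oauth2/v2.0/token`, body: body.toString() };
}
// Exchange the SSO token for a Graph token, then GET /teams/{id}/photo/$value with it.
export async function fetchTeamPhoto(fetchFn: FetchLike, cfg: AppConfig, ssoToken: string, teamId: string) {
  const { ok, tid } = checkSsoToken(ssoToken, cfg);
  if (!ok) throw new Error("SSO token was not issued to this app");
  const req = buildOboRequest(cfg, ssoToken, tid, "https://graph.microsoft.com/Team.ReadBasic.All");
  const tok = await fetchFn(req.url, { method: "POST", body: req.body,
    headers: { "Content-Type": "application/x-www-form-urlencoded" } });
  if (!tok.ok) throw new Error(`OBO exchange failed: ${tok.status}`); // e.g. consent not granted
  const { access_token } = await tok.json();
  const url = `https://graph.microsoft.com/v1.0/teams/${encodeURIComponent(teamId)}/photo/$value`;
  const photo = await fetchFn(url, { headers: { Authorization: `Bearer ${access_token}` } });
  if (!photo.ok) throw new Error(`Graph photo request failed: ${photo.status}`);
  return photo.arrayBuffer();
}
// Constructed, unsigned sample token for offline demonstration only (alg "none", empty signature).
export function sampleSsoToken(claims: Record<string, any>): string {
  const enc = (o: any) => Buffer.from(JSON.stringify(o)).toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "none", typ: "JWT" })}.${enc(claims)}.`;
}
```

The token endpoint replies with AADSTS errors of the kind quoted in the question when the registration or consent is missing, so the failed exchange surfaces server-side rather than as a client pop-up.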