Teams Bot Auth + MS Graph in Java

Benoit Dupont 61 Reputation points
2022-09-21T18:53:23.737+00:00

Hello,

You have a perfectly working sample of what I'm trying to do at this link: https://github.com/microsoft/BotBuilder-Samples/tree/main/samples/java_springboot/46.teams-auth

I'm trying to migrate the microsoft-graph 2.9.0 version to the latest 5.35.0.

The old code was like this to pass the token to the MS Graph but it's not working anymore with the new version.

// Imports added for completeness (microsoft-graph 2.x packages); the post showed only the method.
import com.microsoft.graph.logger.DefaultLogger;
import com.microsoft.graph.logger.LoggerLevel;
import com.microsoft.graph.models.extensions.IGraphServiceClient;
import com.microsoft.graph.requests.extensions.GraphServiceClient;

private IGraphServiceClient getAuthenticatedClient() {
    // Create default logger to only log errors
    DefaultLogger logger = new DefaultLogger();
    logger.setLoggingLevel(LoggerLevel.ERROR);

    // Build a Graph client; the 2.x authentication provider is a callback
    // that stamps the already-acquired user token onto every request
    return GraphServiceClient.builder()
        .authenticationProvider(request -> {
            // Add the access token in the Authorization header
            request.addHeader("Authorization", "Bearer " + SimpleGraphClient.this.token);
        })
        .logger(logger)
        .buildClient();
}

On this document we can read about the Auth upgrade : https://github.com/microsoftgraph/msgraph-sdk-java/blob/dev/docs/upgrade-to-v3-auth.md

I can't figure out what type of credentials I have to instantiate? My guess is to use the On-behalf provider => https://learn.microsoft.com/en-us/graph/sdks/choose-authentication-providers?tabs=Java#on-behalf-of-provider

When I try to implement it I have the following error.

com.azure.identity.OnBehalfOfCredential : Azure Identity => ERROR in getToken() call for scopes [openid, profile, User.Read]: AADSTS50013: Assertion failed signature validation. [Reason - Key was found, but use of the key to verify the signature failed., Thumbprint of key used by client: 'D994292775296E30185D819A5C4265F255744CE2', Found key 'Start=05/22/2022 20:02:49, End=05/22/2027 20:02:49'].Trace ID: d32ad5ac-e692-4312-bbb0-84025e380100Correlation ID: 554fdf0a-e84c-4fec-bd5e-2c51e51d0fb7Timestamp: 2022-09-21 18:40:45Z
  

3 answers

  1. Sayali-MSFT 2,266 Reputation points Microsoft Vendor
    2022-09-22T09:40:42.143+00:00

    These types of errors are usually caused by a wrong OBO implementation.

    Please ensure that:

    1. You're getting an access token from the middle-tier API for your user.
    2. You're using the retrieved access token as assertion for the OBO call between the middle-tier and downstream Api (target resource).
    3. If using client credentials, you're properly creating the client_assertion using a registered X.509 cert for each Api.


  2. Benoit Dupont 61 Reputation points
    2022-09-22T10:50:56.937+00:00

    Thanks for your answer.

    I have the following code.
    I tried with the clientId/clientSecret of my Bot and I tried with those of my AAD connection.
    this.token is the token received by the Bot after the LoginDialog flow.

    // Imports added for completeness (azure-identity); the post showed only the builder call.
    import com.azure.identity.OnBehalfOfCredential;
    import com.azure.identity.OnBehalfOfCredentialBuilder;

    // The poster redacted the actual values; the strings below are placeholders.
    OnBehalfOfCredential onBehalfOfCredential = new OnBehalfOfCredentialBuilder()
            .clientId("<client-id>")
            .tenantId("common")
            .clientSecret("<client-secret>")
            .userAssertion(this.token)
            .build();
    

    This is my Bot configuration in Azure.

    (screenshot attachment: 243786-image.png)


  3. Benoit Dupont 61 Reputation points
    2022-09-24T19:07:02.61+00:00

    So I found a way to do it.

    The thing is I don't need the OBO code because I have the token already.
    We only need to pass the token to the GraphServiceClient like this.

    // Imports added for completeness (microsoft-graph 5.x and OkHttp); the post showed only the method.
    // CustomHeadersInterceptor is the poster's own OkHttp Interceptor; its package is not shown in the thread.
    import com.microsoft.graph.logger.DefaultLogger;
    import com.microsoft.graph.logger.LoggerLevel;
    import com.microsoft.graph.requests.GraphServiceClient;
    import okhttp3.OkHttpClient;

    private GraphServiceClient<?> getAuthenticatedClient() {
        // Create default logger at DEBUG level (verbose, used here for troubleshooting)
        DefaultLogger logger = new DefaultLogger();
        logger.setLoggingLevel(LoggerLevel.DEBUG);

        // OkHttp client whose interceptor adds the existing user token to every request
        OkHttpClient client = new OkHttpClient.Builder()
                .addInterceptor(new CustomHeadersInterceptor("Authorization", "Bearer " + this.token))
                .build();

        // Build a Graph client on top of that HTTP client
        return GraphServiceClient.builder()
                .httpClient(client)
                .logger(logger)
                .buildClient();
    }
    
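The accepted approach above bypasses the SDK's authentication hook and attaches the bearer token to every request the OkHttp client sends. As an added example (not code from this thread, the BotBuilder sample, or the Graph SDK itself), the class below hands the token the bot already received from the LoginDialog flow to microsoft-graph 5.x through its own IAuthenticationProvider interface instead, and only releases it for HTTPS requests to a Microsoft Graph host, so a redirect or a mis-built URL cannot carry the user's token elsewhere. Assumptions: the class name PreIssuedTokenAuthProvider and the helper names are hypothetical; the code assumes microsoft-graph-core 2.x, where IAuthenticationProvider declares getAuthorizationTokenAsync(URL), and Java 11 or later for Set.of and CompletableFuture.failedFuture.

```java
import java.net.URL;
import java.util.Locale;
import java.util.Set;
import java.util.concurrent.CompletableFuture;

import com.microsoft.graph.authentication.IAuthenticationProvider;
import com.microsoft.graph.logger.DefaultLogger;
import com.microsoft.graph.logger.LoggerLevel;
import com.microsoft.graph.models.User;
import com.microsoft.graph.requests.GraphServiceClient;

/**
 * Hypothetical provider (written for this thread, not part of the SDK) that
 * supplies a token the bot already holds. No OBO exchange is performed: the
 * token from the Teams OAuth connection is already scoped for Graph
 * (e.g. User.Read), so Graph calls run with exactly that user's permissions.
 */
public final class PreIssuedTokenAuthProvider implements IAuthenticationProvider {

    // Only these hosts ever receive the bearer token (global, US Gov, China clouds).
    private static final Set<String> GRAPH_HOSTS = Set.of(
            "graph.microsoft.com",
            "graph.microsoft.us",
            "microsoftgraph.chinacloudapi.cn");

    private final String accessToken;

    public PreIssuedTokenAuthProvider(String accessToken) {
        if (accessToken == null || accessToken.isBlank()) {
            throw new IllegalArgumentException("access token must not be empty");
        }
        this.accessToken = accessToken;
    }

    /** True only for https:// URLs whose host is a known Graph endpoint. */
    static boolean isGraphRequest(URL url) {
        String host = url.getHost() == null ? "" : url.getHost().toLowerCase(Locale.ROOT);
        return "https".equalsIgnoreCase(url.getProtocol()) && GRAPH_HOSTS.contains(host);
    }

    @Override
    public CompletableFuture<String> getAuthorizationTokenAsync(URL requestUrl) {
        if (!isGraphRequest(requestUrl)) {
            // Fail the request rather than send the user's token to an unexpected host.
            return CompletableFuture.failedFuture(new IllegalStateException(
                    "refusing to attach Graph token to request for " + requestUrl.getHost()));
        }
        return CompletableFuture.completedFuture(accessToken);
    }

    /** Builds the 5.x client with the SDK's default middleware (retry, redirect) intact. */
    public static GraphServiceClient<?> buildClient(String accessToken) {
        DefaultLogger logger = new DefaultLogger();
        // ERROR in normal operation; raise to DEBUG only while troubleshooting.
        logger.setLoggingLevel(LoggerLevel.ERROR);
        return GraphServiceClient.builder()
                .authenticationProvider(new PreIssuedTokenAuthProvider(accessToken))
                .logger(logger)
                .buildClient();
    }

    /** Sample call: the display name of the signed-in Teams user (needs User.Read). */
    public static String callerDisplayName(String accessToken) {
        User me = buildClient(accessToken).me().buildRequest().get();
        return me.displayName;
    }
}
```

Because the SDK's own AuthenticationHandler asks the provider for a token per request, the host check runs on the final URL of each call, which is the property the raw OkHttp interceptor in the answer above does not give you. If the token handed over by the bot is not itself a Graph token (a different audience), this provider will not help and the OBO exchange that the first answer describes is the route to take.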