Using delegated access on Azure Application which contains a messaging extension

Silvia Mokranova 0 Reputation points
2023-02-22T15:38:14.8766667+00:00

I am developing an application. The user flow is that a user logged in to MS Teams selects a message and clicks on my messaging extension. This sends information to my app. The headers contain an Authorization header with a Bearer token, and I am trying to use this token to get delegated permissions for the Microsoft Graph API. The error I get is:

    ERROR .identity.OnBehalfOfCredential - Azure Identity => ERROR in getToken() call for scopes [api://.../default] Assertion failed signature validation. [Reason - The key was not found. <...>]

and my code is:

    import java.util.Arrays;
    import java.util.List;

    import com.azure.identity.OnBehalfOfCredential;
    import com.azure.identity.OnBehalfOfCredentialBuilder;
    import com.microsoft.graph.authentication.TokenCredentialAuthProvider;
    import com.microsoft.graph.models.User;
    import com.microsoft.graph.requests.GraphServiceClient;

    // Pull the caller's bearer token out of the incoming Authorization header
    String accessToken = exchange.getIn().getHeader("Authorization", String.class);
    if (accessToken != null && accessToken.startsWith("Bearer ")) {
        accessToken = accessToken.split(" ")[1];
    }

    List<String> scopes = Arrays.asList("api://" + clientId + "/default");
    // On-behalf-of credential: exchange the caller's token for one issued to this app
    final OnBehalfOfCredential onBehalfOfCredential = new OnBehalfOfCredentialBuilder()
            .clientId(clientId)
            .clientSecret(clientSecret)
            .userAssertion(accessToken)
            .tenantId(tenantId)
            .build();

    final TokenCredentialAuthProvider tokenCredentialAuthProvider = new TokenCredentialAuthProvider(scopes, onBehalfOfCredential);
    final GraphServiceClient graphClient = GraphServiceClient.builder().authenticationProvider(tokenCredentialAuthProvider).buildClient();
    final User me = graphClient.me().buildRequest().get();

I am unsure what the problem could be, as the token I get comes directly from MS Teams. I am not sure what my code is missing, as it was taken directly from the documentation.


1 answer

  1. CarlZhao-MSFT 46,371 Reputation points
    2023-02-23T03:23:58.24+00:00

    Hi @Silvia Mokranova

    You should put the scope of the Graph API in your collection, because the access token of your middle-tier web API has already been called, and then you only need to use the access token of the middle-tier web API as a parameter to get the Graph API access token.

    List<String> scopes = Arrays.asList("https://graph.microsoft.com/.default");

    Hope this helps.

    If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.
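The on-behalf-of exchange with the Graph scope the answer recommends, as an added example that is neither the question's nor the answer's code; the client id, secret and tenant id are placeholders, the Authorization header is assumed to be passed in by the caller, and the helper names are hypothetical:

```java
import java.util.List;

import com.azure.identity.OnBehalfOfCredential;
import com.azure.identity.OnBehalfOfCredentialBuilder;
import com.microsoft.graph.authentication.TokenCredentialAuthProvider;
import com.microsoft.graph.models.User;
import com.microsoft.graph.requests.GraphServiceClient;
import okhttp3.Request;

public class GraphOnBehalfOf {
    // Placeholder app registration values for the middle-tier API (assumed; fill from your tenant).
    private static final String CLIENT_ID = "<middle-tier-api-client-id>";
    private static final String CLIENT_SECRET = "<middle-tier-api-client-secret>";
    private static final String TENANT_ID = "<tenant-id>";

    // The OBO exchange requests a Graph scope, not the middle-tier API's own scope:
    // the incoming assertion already proves the user's access to this API.
    private static final List<String> GRAPH_SCOPES =
            List.of("https://graph.microsoft.com/.default");

    /** Strips the "Bearer " prefix; returns null when the header is absent or malformed. */
    static String extractBearerToken(String authorizationHeader) {
        if (authorizationHeader == null) return null;
        String[] parts = authorizationHeader.trim().split("\\s+");
        if (parts.length != 2 || !parts[0].equalsIgnoreCase("Bearer")) return null;
        return parts[1];
    }

    /** Exchanges the caller's token for a Graph token and reads the signed-in user's profile. */
    static User getCallerProfile(String authorizationHeader) {
        String userAssertion = extractBearerToken(authorizationHeader);
        if (userAssertion == null) {
            throw new IllegalArgumentException("Missing or malformed Authorization header");
        }
        // The assertion must have been issued with this API as its audience (aud claim);
        // Azure AD rejects an assertion issued for a different application.
        OnBehalfOfCredential credential = new OnBehalfOfCredentialBuilder()
                .clientId(CLIENT_ID)
                .clientSecret(CLIENT_SECRET)
                .tenantId(TENANT_ID)
                .userAssertion(userAssertion)
                .build();

        TokenCredentialAuthProvider authProvider =
                new TokenCredentialAuthProvider(GRAPH_SCOPES, credential);
        GraphServiceClient<Request> graphClient = GraphServiceClient.builder()
                .authenticationProvider(authProvider)
                .buildClient();
        return graphClient.me().buildRequest().get();
    }
}
```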

