Unable to get ADO user_impersonation scope access token using Azure Bot's OauthConnection to AAD
Hi,
I am trying to develop a Teams message extension app that can unfurl Azure DevOps (ADO) URLs into Adaptive Cards (AC). For this, I referred to the doc "Add authentication to your Teams bot".
For this, I have a bot registered and have set up an OAuthConnection to connect to an AAD app. This AAD app has permissions to the ADO user_impersonation API.
I have added relevant screenshots which depict the same.
I added Azure DevOps user_impersonation permissions in the API Permissions pane of the AAD registration and added an OAuth connection in the Bot Service pointing to this AAD registration.
But when I test the connection using Test Connection, it always fails to generate the access token.
Instead of looking for that scope in ADO's registration, it always looks for that scope in Microsoft Graph app.
Following is the error:
{
  "error": {
    "code": "ServiceError",
    "message": "Missing required query string parameter: code. Url = https://token.botframework.com/.auth/web/redirect?error=invalid_client&error_description=AADSTS650053%3a+The+application+%27bot-teams-authentication-aad%27+asked+for+scope+%27user_impersonation%27+that+doesn%27t+exist+on+the+resource+%2700000003-0000-0000-c000-000000000000%27.+Contact+the+app+vendor.%0d%0aTrace+ID%3a+7cae0886-06d9-4685-a21b-03d28a080200%0d%0aCorrelation+ID%3a+974d834f-1216-48bd-b72a-f278cb284da7%0d%0aTimestamp%3a+2023-08-29+09%3a31%3a03Z&state=518c5d86f0574d48a8df99e9c02d02f4"
  }
}
Excerpt from the full error above:
The+application+%27bot-teams-authentication-aad%27+asked+for+scope+%27user_impersonation%27+that+doesn%27t+exist+on+the+resource+%2700000003-0000-0000-c000-000000000000%27.
It should be looking for the user_impersonation scope in the ADO app (499b84ac-1321-427f-aa17-267ca6975798), but it is looking in the MS Graph app (00000003-0000-0000-c000-000000000000).
Following is the requiredResourceAccess content from my test AAD app registration manifest:
"requiredResourceAccess": [
  {
    "resourceAppId": "499b84ac-1321-427f-aa17-267ca6975798",
    "resourceAccess": [
      {
        "id": "ee69721e-6c3a-468f-a9ec-302d16a4c599",
        "type": "Scope"
      }
    ]
  }
],
Following are the images of the setup:
Can you please help with why it is not working?
What can be done to get an access token with the ADO app audience and the user_impersonation scope?
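Added diagnostic helper (my own code, not from the question or any Microsoft SDK): it parses the token-service redirect error quoted above and checks which resource the requested scope was resolved against. A scope name given without a resource prefix is resolved by the v2 endpoint against Microsoft Graph, which is what the AADSTS650053 text shows; the helper assumes the OAuth connection's Scopes field holds a bare `user_impersonation` and builds the resource-qualified form instead.

```python
import re
from urllib.parse import urlparse, parse_qs

# Resource app IDs quoted in the question (first-party, tenant-independent).
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"
ADO_APP_ID = "499b84ac-1321-427f-aa17-267ca6975798"
KNOWN_RESOURCES = {GRAPH_APP_ID: "Microsoft Graph", ADO_APP_ID: "Azure DevOps"}

# Shape of the AADSTS650053 message once the URL encoding is undone.
_SCOPE_RE = re.compile(
    r"(?P<code>AADSTS\d+): The application '(?P<app>[^']+)' asked for scope "
    r"'(?P<scope>[^']+)' that doesn't exist on the resource '(?P<resource>[^']+)'"
)

# Redirect URL from the error in the question, trace/correlation IDs trimmed.
SAMPLE_REDIRECT = (
    "https://token.botframework.com/.auth/web/redirect?error=invalid_client"
    "&error_description=AADSTS650053%3a+The+application+%27bot-teams-authentication-aad%27"
    "+asked+for+scope+%27user_impersonation%27+that+doesn%27t+exist+on+the+resource"
    "+%2700000003-0000-0000-c000-000000000000%27.+Contact+the+app+vendor."
    "&state=518c5d86f0574d48a8df99e9c02d02f4"
)

def parse_redirect_error(redirect_url: str) -> dict:
    """Extract AADSTS code, client app, requested scope and resource app ID
    from the error_description on the token-service redirect URL."""
    qs = parse_qs(urlparse(redirect_url).query)  # also decodes %27 and '+'
    m = _SCOPE_RE.search(qs.get("error_description", [""])[0])
    if not m:
        raise ValueError("error_description is not an AADSTS650053 message")
    info = m.groupdict()
    info["resource_name"] = KNOWN_RESOURCES.get(info["resource"], "unknown")
    return info

def qualified_scope(scope: str, resource_app_id: str) -> str:
    """Scope value for the connection's Scopes field. A bare scope name is
    resolved by the v2 endpoint against Microsoft Graph, so prefix it with
    the app ID (or identifier URI) of the resource the token is really for."""
    return scope if "/" in scope else f"{resource_app_id}/{scope}"

def diagnose(redirect_url: str, intended_resource_app_id: str) -> dict:
    """Flag a scope resolved against the wrong resource and suggest the qualified form."""
    info = parse_redirect_error(redirect_url)
    info["wrong_resource"] = info["resource"] != intended_resource_app_id
    info["suggested_scope"] = qualified_scope(info["scope"], intended_resource_app_id)
    return info

if __name__ == "__main__":
    for k, v in diagnose(SAMPLE_REDIRECT, ADO_APP_ID).items():
        print(f"{k}: {v}")
```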