Cannot get SSO to work in bot framework

Eugene De Villiers 25 Reputation points
2024-05-16T02:05:51.3333333+00:00

I'm adding SSO for a multi-purpose bot.

I followed the SSO example from Microsoft to set up an initial POC.

In my development environment I managed to make all SSO work and get the user token like this:

```csharp
var userTokenClient = turnContext.TurnState.Get<UserTokenClient>();

var tokenResponse = await userTokenClient.GetUserTokenAsync(
    turnContext.Activity.From.Id,
    connectionName,
    turnContext.Activity.ChannelId,
    String.Empty,
    cancellationToken).ConfigureAwait(false);
```

I'm now trying to recreate the whole setup for a production version of the bot, but with the exact same setup the tokenResponse is always null.

It is clear in the console that it calls out and gets a 404.

```
info: System.Net.Http.HttpClient.Default.ClientHandler[100]
      Sending HTTP request GET https://api.botframework.com/api/usertoken/GetToken?userId=29%3A1g6HMpO9Sgow-U9vMjSS7LYVD4PhRUSbiysOXVvXukY8ndpWWE6rHMM7a3l3e8MHN0k1NLG-Yu3x6AJXIJuyHvQ&connectionName=bot-oauth-stage&channelId=msteams&code=
info: System.Net.Http.HttpClient.Default.ClientHandler[101]
      Received HTTP response headers after 270.8012ms - 404
```

I am able to switch back and forth between my 2 setups with one working and the other not.

I have checked and re-checked the setup with 2 other engineers and we do not seem to have missed anything. I have retried to make a new version several times and always get the same 404 result.

What else could be wrong?


Accepted answer
  1. Akshay-MSFT 16,916 Reputation points Microsoft Employee
    2024-05-24T06:43:40.4+00:00

    @Eugene De Villiers

    I'm glad that you were able to resolve your issue, and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to "Accept" the answer.

    Issue: SSO is not working in Teams bot and responding with Received HTTP response headers after 270.8012ms - 404

    Cause: The developer bot was working up to a point because there was a token cached for it, but not in the production environment.

    Solution:

    I was able to test this in my lab but found no issues. Later on I tried approaching the service engineering team but have not heard of any such emerging/known issues, and it was suggested that I collect and inspect HTTPS traffic by using a proxying tool like Fiddler.

    Based upon your research I was able to find the following info:

    If there's a cached token, the bot uses the same token. If there's no token available, the Adaptive Card sends an invoke response to the bot service, which sends an OAuth card with the following values that includes a tokenExchangeResource to designate an SSO operation

    The SSO fails when the Teams client ignores the tokenExchangeResource value for any reason, including invalid values, errors retrieving exchangeable tokens, or if Microsoft Entra ID doesn't support the value. Then the Teams client triggers the nominal sign-in or OAuth flow.

    Suggestion: It's recommended that you provide a sign-in URL.

    If you have any other questions or are still running into more issues, please let me know. Thank you again for your time and patience throughout this issue.

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

    Thanks,

    Akshay Kaushik
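
The flow described in the answer above, as an added example that is not part of the original question or answer: treat a null result from `GetUserTokenAsync` as "no cached token" and send an OAuth card carrying both the `tokenExchangeResource` and a sign-in URL as fallback. The helper class, method name and prompt strings are hypothetical; the SDK calls are from the Bot Framework SDK v4 for .NET.

```csharp
using System.Collections.Generic;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Bot.Builder;
using Microsoft.Bot.Connector.Authentication;
using Microsoft.Bot.Schema;

public static class SsoTokenHelper // hypothetical helper, not part of the SDK
{
    // Returns the cached user token, or null after sending an OAuth card to the user.
    public static async Task<TokenResponse> GetTokenOrPromptAsync(
        ITurnContext turnContext, string connectionName, CancellationToken cancellationToken)
    {
        var userTokenClient = turnContext.TurnState.Get<UserTokenClient>();

        // Same call as in the question. The question reports a null result when the
        // token service answers 404, i.e. nothing is cached for this user and connection.
        var tokenResponse = await userTokenClient.GetUserTokenAsync(
            turnContext.Activity.From.Id, connectionName, turnContext.Activity.ChannelId,
            string.Empty, cancellationToken).ConfigureAwait(false);
        if (!string.IsNullOrEmpty(tokenResponse?.Token))
        {
            return tokenResponse;
        }

        // No cached token: fetch the sign-in resource for this OAuth connection.
        var signInResource = await userTokenClient.GetSignInResourceAsync(
            connectionName, turnContext.Activity, null, cancellationToken).ConfigureAwait(false);

        var card = new OAuthCard
        {
            Text = "Please sign in", // constructed prompt text
            ConnectionName = connectionName,
            // Lets the Teams client attempt the silent SSO token exchange.
            TokenExchangeResource = signInResource.TokenExchangeResource,
            // Sign-in URL used when the client ignores tokenExchangeResource.
            Buttons = new List<CardAction>
            {
                new CardAction { Type = ActionTypes.Signin, Title = "Sign in", Value = signInResource.SignInLink },
            },
        };
        var attachment = new Attachment { ContentType = OAuthCard.ContentType, Content = card };
        await turnContext.SendActivityAsync(MessageFactory.Attachment(attachment), cancellationToken)
            .ConfigureAwait(false);
        return null; // the token becomes available on a later turn, once exchange or sign-in completes
    }
}
```

A caller that receives null should end the turn and retry the token lookup after the sign-in or token-exchange activity arrives.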
