Teams Bot authorization in GCCH using Python

Evans, Dean1 (GE Aerospace) 5 Reputation points
2025-01-21T09:14:26.8133333+00:00

Trying to get a proactive messaging bot working on GCCH. A previous version of this worked seamlessly for many months, but on commercial cloud.

Currently the bot only has delegated openid, profile and user.readbasic.all permissions in Graph. I have deleted and recreated the bot and app since I have read that this can be an edge case.

  • The bot is set as a SingleTenant
  • The bot web redirect URI is set to: https://tokengcch.botframework.azure.us/.auth/web/redirect
  • The Teams manifest has been added to Teams but when a user is added there is no message received and the following is logged from the token inspection middleware:
2025-01-21T07:58:42.120445574Z: [INFO] [2025-01-21 07:58:42,119] [custom_middleware:INFO] Item: serviceurl, Value: https://smba.infra.gov.teams.microsoft.us/gcch/
2025-01-21T07:58:42.144561251Z: [INFO] [2025-01-21 07:58:42,119] [custom_middleware:INFO] Item: nbf, Value: 1737446321
2025-01-21T07:58:42.144580753Z: [INFO] [2025-01-21 07:58:42,119] [custom_middleware:INFO] Item: exp, Value: 1737449921
2025-01-21T07:58:42.144585953Z: [INFO] [2025-01-21 07:58:42,120] [custom_middleware:INFO] Item: iss, Value: https://api.botframework.us
2025-01-21T07:58:42.144590953Z: [INFO] [2025-01-21 07:58:42,120] [custom_middleware:INFO] Item: aud, Value: <MY-APP-ID>
2025-01-21T07:58:42.144595654Z: [INFO] [2025-01-21 07:58:42,120] [__main__:INFO] New message received from http://app-teams-auth.azurewebsites.us/api/messages
2025-01-21T07:58:42.144604654Z: [INFO] [2025-01-21 07:58:42,136] [aiohttp.access:INFO] 169.254.130.1 [21/Jan/2025:07:58:42 +0000] "POST /api/messages HTTP/1.1" 401 180 "-" "Microsoft-SkypeBotApi (Microsoft-BotFramework/3.0)"

When checking the browser logs there are these messages:

[Image: browser log messages]

Auth method

The config file has the bot credentials as below:

import os


class BotCredentials:
    # Secrets and identifiers come from the environment, not from source.
    APP_ID = os.getenv('APP_ID')
    APP_PASSWORD = os.getenv('APP_PASSWORD')
    APP_TENANTID = os.getenv('APP_TENANTID')
    APP_TYPE = 'SingleTenant'
    # Government cloud endpoints, as posted.
    CHANNEL_SERVICE = 'https://botframework.azure.us'
    OAUTH_URL = 'https://tokengcch.botframework.azure.us/.auth/web/redirect'
    TO_CHANNEL_FROM_BOT_LOGIN_URL = 'https://login.microsoftonline.us/MicrosoftServices.onmicrosoft.us'
    TO_CHANNEL_FROM_BOT_OAUTH_SCOPE = 'https://api.botframework.azure.us'
    TO_BOT_FROM_CHANNEL_TOKEN_ISSUER = 'https://api.botframework.azure.us'
    TO_BOT_FROM_CHANNEL_OPENID_METADATA_URL = 'https://login.botframework.azure.us/v1/.well-known/openidconfiguration'
    TO_BOT_FROM_EMULATOR_OPENID_METADATA_URL = 'https://login.microsoftonline.us/cab8a31a-1906-4287-a0d8-4eef66b95f6e/v2.0/.well-known/openid-configuration'
    VALIDATE_AUTHORITY = True

Code instantiating the adapter:

from botbuilder.integration.aiohttp import CloudAdapter, ConfigurationBotFrameworkAuthentication

auth = ConfigurationBotFrameworkAuthentication(CONFIG.BotCredentials)
ADAPTER = CloudAdapter(auth)

Thanks for any help since this has been driving me crazy

Microsoft Teams Development

1 answer

  1. Evans, Dean1 (GE Aerospace) 5 Reputation points
    2025-01-22T13:31:05.9466667+00:00

    Finally solved!!

    2 issues:

    [2025-01-22 12:48:54] [__main__:INFO] Item: aud, Value: https://ic3.gov.teams.microsoft.us
    [2025-01-22 12:48:54] [__main__:INFO] Item: iss, Value: https://sts.windows.net/TENANT-ID/
    
    "accessTokenAcceptedVersion": null,
    # TO
    "accessTokenAcceptedVersion": 2,
    
    
    1 person found this answer helpful.
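
Added example (not from the original post or from the Bot Framework SDK): a diagnostic helper in the spirit of the token inspection middleware mentioned in the question. It decodes an incoming token's claims without verifying them and lists where `iss`, `aud`, `nbf` and `exp` differ from what the bot is configured to expect. The function names and the unsigned sample token are constructed for illustration; the claim values are the ones shown in the question's log and config.

```python
import base64
import json
import time


def _b64url(obj: dict) -> str:
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def unverified_claims(authorization: str) -> dict:
    """Decode a JWT payload WITHOUT checking the signature (diagnostics only)."""
    token = (authorization.split() or [""])[-1]      # tolerate a leading "Bearer "
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def claim_mismatches(claims, expected_iss, expected_aud, now=None):
    """Return readable reasons the claims differ from what the bot expects."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != expected_iss:
        problems.append(f"iss {claims.get('iss')!r} != configured {expected_iss!r}")
    aud = claims.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        problems.append(f"aud {aud!r} != configured {expected_aud!r}")
    if "nbf" in claims and now < claims["nbf"]:
        problems.append("token not yet valid (nbf)")
    if "exp" in claims and now >= claims["exp"]:
        problems.append("token expired (exp)")
    return problems


# Constructed sample: unsigned token carrying the claims from the question's log.
SAMPLE_CLAIMS = {"serviceurl": "https://smba.infra.gov.teams.microsoft.us/gcch/",
                 "nbf": 1737446321, "exp": 1737449921,
                 "iss": "https://api.botframework.us", "aud": "<MY-APP-ID>"}
SAMPLE_HEADER = "Bearer " + ".".join(
    [_b64url({"alg": "none", "typ": "JWT"}), _b64url(SAMPLE_CLAIMS), "sig"])

if __name__ == "__main__":
    # Expected values taken from the BotCredentials config in the question.
    for line in claim_mismatches(unverified_claims(SAMPLE_HEADER),
                                 "https://api.botframework.azure.us",
                                 "<MY-APP-ID>", now=1737446322):
        print(line)
```

Claims decoded this way are unauthenticated, so use them only to explain a 401 in logs; acceptance of the token stays with the adapter's signature-checked validation.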
