Authentication for embedded app in Teams Tab

Question

Authentication for embedded app in Teams Tab

Gianluca Candiotti 21

Hello, I'm struggling a bit coming up with a clear approach for managing authentication for our embedded MS Teams application.

Our users are segregated into different companies, and each company may handle provisioning and authentication methods in a different way according to configuration.

When embedding our app in MS Teams, it's not really clear how to show them tailored content or have them be authenticated into our app from within the iframe.

I've checked the auth documentation and videos for MS Teams, but most of it either describes how to get access to Graph data or use SSO with AAD or Microsoft oauth2 to get the users authenticated in the embedded application. But is there a way to let users login to our app with any of our current methods and then redirect back to the tab?

Will the SDK methods allow for such flow, or can anyone point me in the right direction.

Thanks in advance!

Sharon Zhao-MSFT 25,756 Reputation points Microsoft External Staff

2021-07-01T23:53:11.07+00:00

@Gianluca Candiotti ,
As we are mainly responsible for general question of Microsoft Teams, your question related to development is not supported by us. I will add office-teams-app-dev tag. Hope you get better response.
Nilesh 1 Reputation point

2021-09-23T06:01:42.703+00:00
Hi @Gianluca Candiotti ,

I am having the same flow as you have implemented. I am new to this and I am expecting a guidance from you.

Since we have a SAAS app and we support DB authentication, external identity providers using SAML and OAuth.
Problem we are facing : When ever user clicks on our tab after switching from other tabs it redirects to our login page. And at present we open our login page within an iframe.

We are trying to overcome this issue with token based mechanism.

Following are challenges and some queries :

Do we open our login page on user click and initiates authentication via Microsoft provided JavaScript code.
And if I return a JWT token on successful authentication in any of the cases (Db/External provider)
does it make sense ?

How to store token in MS team app , so that it can be further used..

How to pass this token from MS team to our app , so that we can validate user and allow them in app ?

Since custom app is being opened in an iframe....

It will be very nice of you, if you can guide me on urgent basis...

2 answers

Your answer

Sharon Zhao-MSFT 25,756 Reputation points Microsoft External Staff

2021-07-01T23:53:11.07+00:00

@Gianluca Candiotti ,
As we are mainly responsible for general question of Microsoft Teams, your question related to development is not supported by us. I will add office-teams-app-dev tag. Hope you get better response.
Nilesh 1 Reputation point

2021-09-23T06:01:42.703+00:00

Hi @Gianluca Candiotti ,

I am having the same flow as you have implemented. I am new to this and I am expecting a guidance from you.

Since we have a SAAS app and we support DB authentication, external identity providers using SAML and OAuth.
Problem we are facing : When ever user clicks on our tab after switching from other tabs it redirects to our login page. And at present we open our login page within an iframe.

We are trying to overcome this issue with token based mechanism.

Following are challenges and some queries :

Do we open our login page on user click and initiates authentication via Microsoft provided JavaScript code.
And if I return a JWT token on successful authentication in any of the cases (Db/External provider)
does it make sense ?

How to store token in MS team app , so that it can be further used..

How to pass this token from MS team to our app , so that we can validate user and allow them in app ?

Since custom app is being opened in an iframe....

It will be very nice of you, if you can guide me on urgent basis...

Answer 1

Wajeed-MSFT 311 Microsoft Employee Moderator

Hi @Gianluca Candiotti - The flow mentioned in Microsoft Teams authentication flow for tabs is applicable for custom login providers as well.

Here are the steps:

Provider Login button to the user. Call microsoftTeams.authentication.authenticate() with list of providers to choose from.

microsoftTeams.authentication.authenticate({  
    url: window.location.origin + "/tab-auth/choose-provider",  
    width: 600,  
    height: 535,  
    successCallback: function (result) {  
        getUserProfile(result.accessToken);  
    },  
    failureCallback: function (reason) {  
        handleAuthError(reason);  
    }  
});

Provide option for user to choose from different authentication methods. See this image - authentication pop-up
On click of selction of provider you can redirects user to respective identity provider where user can complete the login.
Make sure to set redirect URL which is on same domain as your '/tab-auth/choose-provider' page.
Once you are redirected after successful login you can call microsoftTeams.authentication.notifySuccess() with parameters like session id/ auth token.
microsoftTeams.authentication.notifySuccess() will close the pop-up and now you can redirect authenticated user to page of your choice.

Please let me know if you need any further help.

Gianluca Candiotti 21 Reputation points

2021-07-08T12:14:14.173+00:00

Hi @Wajeed-MSFT , thanks a lot for providing steps and the additional screenshot!

Gonna give it a try in a few days, got myself busy with something right now. But will definitely get back to you 🙌
Gianluca Candiotti 21 Reputation points

2021-08-05T09:48:09.63+00:00
Hi @Wajeed-MSFT ! I started working on this again, and I still have some questions around it, would appreciate it a lot if you can guide me.

First, after I get an auth token, I would need that value to be set as a cookie inside the iframe since we use that to authorize requests. Is there a recommended way of doing that? I could post a message to the iframe, but I'm not sure if there is another approach.

I tried setting and reading cookies from within the iframe, it works well in web and desktop, but in mobile (iOS), it doesn't read them, so I'm not sure if it's supported or if I have to do something special to make it work. localStorage seems to work well.

In general is localStorage a good way to persist some information? Since customers are segregated in our application in different companies, we need for them to input the company first in order to login. I could ask them that and persist it in localStorage. The problem is that they would need to do this every time they re-open the app. You could also have a configuration page but apparently the settings' interface only supports a specific set of values, and it says it's recommended to use it after the user authenticates so it's a bit confusing how would it work.

Hope the questions make sense and I'm not too far from figuring things out. Thanks a lot for your guidance!

Answer 2

Prasad-MSFT 8,981 Microsoft External Staff Moderator

The issue with reading cookies might be due to SameSite prevention. Please refer this docs for more details https://learn.microsoft.com/en-us/microsoftteams/platform/resources/samesite-cookie-update
You can refer this blog as well
Using localStorage is a good practice. Have first page with company selection, store company value in local storage and have SSO auth flow

Gianluca Candiotti 21 Reputation points

2021-08-19T10:48:27.177+00:00

Hey @Prasad-MSFT , thanks for the reply!

Most of my issues are resolved at this point. I've managed to authenticate users in web, desktop and android platforms, but iOS specifically is not working because of the cookies and I'm not sure how to overcome this limitation. I don't think it's about reading cookies cross domain because it doesn't even work if I set a testing cookie in the Microsoft Teams Tab app itself and try to read it. I'm gonna test the methods described in the blog post you linked but I'm not sure if it will help.

Cookies seems like a very basic capability, I don't wanna switch the whole authentication strategy at this point just because of this constraint in iOS.

If someone could give me a definitive answer about cookies in the iOS application it would help me move on, so I avoid wasting time in something that has a dead end.

Thank you

Share via

Authentication for embedded app in Teams Tab

2 answers

Your answer