Add code to enable SSO

Before you add code to enable SSO, ensure that you've registered your app with Azure AD.

You need to configure your tab app's client-side code to obtain an access token from Azure AD. The access token is issued on behalf of the tab app. If your tab app requires additional Microsoft Graph permissions, you'll need to pass the access token to the server-side, and exchange it for Microsoft Graph token.

configure code for handling access token

This section covers:

Add client-side code

To obtain app access for the current app user, your client-side code must make a call to Teams for getting an access token. You need to update client-side code for using getAuthToken() to initiate the validation process.


Learn more about getAuthToken()
`getAuthToken()` is a method in Microsoft Teams JavaScript SDK. It requests an Azure AD access token to be issued on behalf of app. The token is acquired from the cache, if it is not expired. If it's expired, a request is sent to Azure AD to obtain a new access token.

For more information, see getAuthToken.

When to call getAuthToken

Use getAuthToken() at the time when you need access token for the current app user:

If access token is needed... Call getAuthToken()...
When app user accesses the app From inside microsoftTeams.initialize().
To use a particular functionality of the app When the app user takes an action that requires signing in.

Add code for getAuthToken

Add JavaScript code snippet to the tab app to:

  • Call getAuthToken().
  • Parse the access token or pass it to the server-side code.

The following code snippet shows an example of calling getAuthToken().

microsoftTeams.initialize();
var authTokenRequest = {
  successCallback: function(result) { console.log("Success: " + result); },
  failureCallback: function(error) { console.log("Error getting token: " + error); }
};
microsoftTeams.authentication.getAuthToken(authTokenRequest);

You can add calls of getAuthToken() to all functions and handlers that initiate an action where the token is needed.


Here's an example of the client-side code:

Configure client code

When Teams receives the access token, it's cached and reused as needed. This token can be used whenever getAuthToken() is called, until it expires, without making another call to Azure AD.

Important

As a best practice for security of access token:

  • Always call getAuthToken() only when you need an access token.
  • Teams will cache the access token for you. Don't cache or store it in your app's code.

When you call getAuthToken() and app user's consent is required for user-level permissions, an Azure AD dialog is shown to the app user who is currently signed in.

Tab single sign-on dialog prompt

The consent dialog that appears is for open-id scopes defined in Azure AD. The app user must give consent only once. After consenting, the app user can access and use your tab app for the granted permissions and scopes.

Important

Scenarios where consent dialogs are not needed:

  • If the tenant administrator has granted consent on behalf of the tenant, app users don't need to be prompted for consent at all. This means that the app users don't see the consent dialogs, and can access the app seamlessly.
  • If your Azure AD app is registered in the same tenant from which you're requesting an authentication in Teams, the app user can't be asked to consent, and is granted an access token right away. App users consent to these permissions only if the Azure AD app is registered in a different tenant.

If you encounter any errors, see Troubleshooting SSO authentication in Teams.

Use the access token as an identity token

The token returned to the tab app is both an access token and an ID token. The tab app can use the token as an access token to make authenticated HTTPS requests to APIs on the server-side.

The access token returned from getAuthToken() can be used to establish the app user's identity using the following claims in the token:

  • name: The app user's display name.
  • preferred_username: The app user's email address.
  • oid: A GUID representing the ID of the app user.
  • tid: A GUID representing the tenant that the app user is signing in to.

Teams can cache this information associated with the app user's identity, such as the user's preferences.

Note

If you need to construct a unique ID to represent the app user in your system, see Using claims to reliably identify a user.

Pass the access token to server-side code

If you need to access web APIs on your server, you'll need to pass the access token to your server-side code. The web APIs must decode access token to view claims for that token.

Note

If you don't receive User Principal Name (UPN) in the returned access token, add it as an optional claim in Azure AD. For more information, see Access tokens.

The access token received in success callback of getAuthToken() provides access (for the authenticated app user) to your web APIs. The server-side code can also parse the token for identity information, if needed.

If you need to pass the access token to get Microsoft Graph data, see Extend tab app with Microsoft Graph permissions.

Code for passing access token to server-side

The following code shows an example of passing the access token to the server-side. The token is passed in an Authorization header when sending a request to a server-side web API. This example sends JSON data, so it uses the POST method. The GET is sufficient to send the access token when you're not writing to the server.

$.ajax({
    type: "POST",
    url: "/api/DoSomething",
    headers: {
        "Authorization": "Bearer " + accessToken
    },
    data: { /* some JSON payload */ },
    contentType: "application/json; charset=utf-8"
}).done(function (data) {
    // Handle success
}).fail(function (error) {
    // Handle error
}).always(function () {
    // Cleanup
});

Validate the access token

Web APIs on your server must decode the access token, and verify if it's sent from the client. The token is a JSON Web Token (JWT), which means that validation works just like token validation in most standard OAuth flows. The web APIs must decode access token. Optionally, you can copy and paste access token manually into a tool, such as jwt.ms.

There are a number of libraries available that can handle JWT validation. Basic validation includes:

  • Checking that the token is well-formed
  • Checking that the token was issued by the intended authority
  • Checking that the token is targeted to the web API

Keep in mind the following guidelines when validating the token:

  • Valid SSO tokens are issued by Azure AD. The iss claim in the token should start with this value.
  • The token's aud1 parameter will be set to the app ID generated during Azure AD app registration.
  • The token's scp parameter will be set to access_as_user.

Example access token

The following is a typical decoded payload of an access token.

{
    aud: "2c3caa80-93f9-425e-8b85-0745f50c0d24",
    iss: "https://login.microsoftonline.com/fec4f964-8bc9-4fac-b972-1c1da35adbcd/v2.0",
    iat: 1521143967,
    nbf: 1521143967,
    exp: 1521147867,
    aio: "ATQAy/8GAAAA0agfnU4DTJUlEqGLisMtBk5q6z+6DB+sgiRjB/Ni73q83y0B86yBHU/WFJnlMQJ8",
    azp: "e4590ed6-62b3-5102-beff-bad2292ab01c",
    azpacr: "0",
    e_exp: 262800,
    name: "Mila Nikolova",
    oid: "6467882c-fdfd-4354-a1ed-4e13f064be25",
    preferred_username: "milan@contoso.com",
    scp: "access_as_user",
    sub: "XkjgWjdmaZ-_xDmhgN1BMP2vL2YOfeVxfPT_o8GRWaw",
    tid: "fec4f964-8bc9-4fac-b972-1c1da35adbcd",
    uti: "MICAQyhrH02ov54bCtIDAA",
    ver: "2.0"
}

Code samples

Sample name Description C#/.NET Node.js
Tab SSO Microsoft Teams sample app for tabs Azure AD SSO View View,
Teams Toolkit
Tab, Bot and Message Extension (ME) SSO This sample shows SSO for Tab, Bot and ME - search, action, linkunfurl. View View

Next step

See also