[MS Teams] - Single-tenant bots don't work in new Teams client #11153

Open
pavelperkin opened this issue Jun 25, 2024 · 7 comments
Labels: needs-author-feedback (Needs more info from the customer.), teams-developer-support (Question related to extensibility (Bot, ME, Tab) would be marked under this label)

Comments

@pavelperkin

Steps to reproduce

I have a multi-tenant bot that I'd like to convert into single-tenant.
This bot uses REST API and delegated permissions - built from scratch without using any frameworks.
I was able to get an access token using https://login.microsoftonline.com/TENANT-ID/oauth2/v2.0/token endpoint
But I can't post even a simple "Hello World" message using this token to perform requests to https://smba.trafficmanager.net/teams/v3/conversations/CONVERSATION-ID/activities

The response I get is 401 Unauthorized

{ "message": "Authorization has been denied for this request." }

Expected behavior

Single-tenant bots work exactly like multi-tenant bots

Actual behavior

Single-tenant bots don't support basic functionality

Error details

No response

Contributor

Hi pavelperkin! Thank you for bringing this issue to our attention. We will investigate and if we require further information we will reach out in one business day. Please use this link to escalate if you don't get replies.

Best regards, Teams Platform

@Prasad-MSFT Prasad-MSFT self-assigned this Jun 26, 2024
@Prasad-MSFT Prasad-MSFT added teams-developer-support Question related to extensibility (Bot, ME, Tab) would be marked under this label and removed needs-triage 🔍 labels Jun 26, 2024
@Prasad-MSFT
Collaborator

The 401 Unauthorized error indicates that the access token you are using does not have the necessary permissions to perform the action you are trying to execute. Since you are using delegated permissions, you need to ensure that the token you acquire has the required scopes to post messages to a conversation.

You should decode the access token you obtained from the OAuth 2.0 token endpoint using a tool like jwt.ms to verify the scopes included in the token. Make sure it includes the necessary permissions to post messages to conversations.

@pavelperkin
Author

Thank you @Prasad-MSFT
Here is my decoded token, and unlike a Graph API token, I don't see any permissions in this REST API token:

{
  "typ": "JWT",
  "alg": "RS256",
  "x5t": "qXXXs",
  "kid": "qXXXs"
}.{
  "aud": "https://api.botframework.com",
  "iss": "https://sts.windows.net/7XXX0/",
  "iat": 17......92,
  "nbf": 17......92,
  "exp": 17......92,
  "aio": "EXXXAA=",
  "appid": "2XXX8",
  "appidacr": "1",
  "idp": "https://sts.windows.net/7XXX0/",
  "idtyp": "app",
  "oid": "3XXX5",
  "rh": "0.AXXXry7AAA.",
  "sub": "30XXXb5",
  "tid": "7XXX0",
  "uti": "AXXX3AA",
  "ver": "1.0",
  "xms_idrel": "7 12"
}

Which value are you referring to?

To obtain this token, I am sending a POST request to https://login.microsoftonline.com/TENANT-ID/oauth2/v2.0/token with

{
  "grant_type": "client_credentials",
  "client_secret": "XXX",
  "client_id": "YYY",
  "scope": "https://api.botframework.com/.default"
}

And the response comes:

{
	"token_type": "Bearer",
	"expires_in": 3599,
	"ext_expires_in": 3599,
	"access_token": "eyXXX1w"
}
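
Added example, not part of the thread or the project's code: decoding the token locally and summarising the claims discussed above. A token obtained with `grant_type` `client_credentials` is app-only, so it carries no `scp` claim; application permissions, when granted, appear under `roles`. The sample token, its placeholder values and the function names are constructed for illustration.

```python
import base64
import json

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_claims(token: str) -> dict:
    """Return the JWT payload. No signature check: for inspection only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated JWT segments")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))

def review_claims(claims: dict, expected_aud: str, expected_tid: str) -> dict:
    """Summarise the claims that say who the token is for and what it grants."""
    scopes = claims.get("scp", "").split()  # delegated permissions, space-separated
    roles = claims.get("roles", [])         # application permissions, a list
    if claims.get("idtyp") == "app":
        kind = "app-only"
    elif scopes:
        kind = "delegated"
    else:
        kind = "unknown"
    findings = []
    if claims.get("aud") != expected_aud:
        findings.append(f"aud is {claims.get('aud')!r}, expected {expected_aud!r}")
    if claims.get("tid") != expected_tid:
        findings.append(f"tid is {claims.get('tid')!r}, expected {expected_tid!r}")
    if expected_tid not in claims.get("iss", ""):
        findings.append("iss does not reference the expected tenant")
    return {"kind": kind, "scopes": scopes, "roles": roles, "findings": findings}

# Constructed sample: claim names as in the token above, placeholder values.
SAMPLE_CLAIMS = {
    "aud": "https://api.botframework.com",
    "iss": "https://sts.windows.net/TENANT-ID/",
    "tid": "TENANT-ID",
    "appid": "CLIENT-ID",
    "idtyp": "app",
    "ver": "1.0",
}
SAMPLE_TOKEN = ".".join([
    _b64url(json.dumps({"typ": "JWT", "alg": "RS256"}).encode()),
    _b64url(json.dumps(SAMPLE_CLAIMS).encode()),
    "c2lnbmF0dXJl",  # placeholder, not a real signature
])

if __name__ == "__main__":
    report = review_claims(decode_claims(SAMPLE_TOKEN),
                           "https://api.botframework.com", "TENANT-ID")
    print(json.dumps(report, indent=2))
```
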

@Prasad-MSFT
Collaborator

Could you please try getting the token by sending a POST request to https://login.microsoftonline.com/botframework.com/oauth2/v2.0/token with the keys and values shown in the attached image?

image

Then, add your bot to Teams and run the REST API as below:
image

@pavelperkin
Author

Sure. Because my app is a single-tenant application, I get a 400 Bad Request response

Body:

{
	"error": "unauthorized_client",
	"error_description": "AADSTS700016: Application with identifier '297XXX58' was not found in the directory 'Bot Framework'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant. Trace ID: 17745ef6-897e-4b7d-b3a2-6dc478ce2501 Correlation ID: 2e290edf-431b-4ee4-8d69-d88ba20d7a91 Timestamp: 2024-06-28 14:51:40Z",
	"error_codes": [
		700016
	],
	"timestamp": "2024-06-28 14:51:40Z",
	"trace_id": "17745ef6-897e-4b7d-b3a2-6dc478ce2501",
	"correlation_id": "2e290edf-431b-4ee4-8d69-d88ba20d7a91",
	"error_uri": "https://login.microsoftonline.com/error?code=700016"
}


@pavelperkin
Author

@Prasad-MSFT can you please comment on my response? Thank you in advance.

@Prasad-MSFT
Collaborator

Prasad-MSFT commented Jul 4, 2024

@pavelperkin - Could you please confirm whether or not you have added your bot to Teams before running the REST API to POST messages?

@Prasad-MSFT Prasad-MSFT added the needs-author-feedback Needs more info from the customer. label Jul 8, 2024