Microsoft Teams : Config Tab SSO First Time Consent Challenge
On SSO
In this post I'll walk you through a challenge I've faced which might break your Microsoft Teams app acquisition flow, especially if you are building an AppSource multi-tenant application. Microsoft Teams offers a basic SSO which is easy to configure if you follow the guideline and steps explained in the article below:
https://docs.microsoft.com/en-us/microsoftteams/platform/tabs/how-to/authentication/auth-aad-sso
So where is the problem? I can name a few, but I will focus on one specific use case: when you add the tab for the first time, the Azure AD app needs to capture user or admin consent, so Teams will:
1. Prompt that you need to trust the app
2. When you click continue, a consent dialog pops up and you can consent or cancel
3. Refresh the entire Teams tab; after that, authenticating the current user works as expected
I know I haven't listed any problems so far. The corner case is when your tab configuration screen itself requires some sort of SSO, to retrieve information from your protected APIs and save the tab settings before the tab is rendered.
In this case, step 3 forces your Microsoft Teams tab to refresh, and you need to start adding the tab all over again. The second time it works perfectly. See the screen capture below to get a clear idea of the experience:
Not a big issue to be honest, but if you are building a multi-tenant app, people might think there is something wrong with the app. If you dig deeper you can see that authentication is handled by the parent window, which is the Microsoft Teams app itself.
So in short, we don't have much control over how the parent handles the authentication. My first thought was to ditch the whole ms-teams.js library and do the authentication on my own, which is not recommended! I noticed that there is a silent parameter in the AuthRequest: if I pass it, getAuthToken fails and won't prompt the user to consent.
The solution I ended up using is to implement the consent flow on my own, so the built-in authentication mechanism won't refresh the whole tab and won't break the acquisition journey. If the silent authentication succeeds, that means the user/admin has already consented to the required permissions.
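Here is the flow described above, as an added example that is not code from the original post: a silent getAuthToken call first, and only on failure the app's own consent popup through authentication.authenticate, so the parent Teams window never reloads the config tab. It assumes the Teams JS SDK v1 callback API (passed in as `auth`, i.e. microsoftTeams.authentication) and a hypothetical `consentUrl` page in your app that runs the Azure AD consent flow and ends with notifySuccess(); the fake SDK object is constructed so the flow can be exercised outside Teams.

```javascript
// Added example (not the original post's code). `auth` is assumed to be
// microsoftTeams.authentication (Teams JS SDK v1, callback style); `consentUrl` is
// assumed to be a page in your own app that performs Azure AD consent and calls
// microsoftTeams.authentication.notifySuccess() / notifyFailure() when done.
function acquireTokenWithConsent(auth, consentUrl) {
  const silentToken = () => new Promise((resolve, reject) =>
    auth.getAuthToken({ silent: true, successCallback: resolve, failureCallback: reject }));
  const openConsentPopup = () => new Promise((resolve, reject) =>
    auth.authenticate({ url: consentUrl, width: 600, height: 535,
                        successCallback: resolve, failureCallback: reject }));

  return silentToken()
    .then((token) => ({ token, prompted: false })) // consent already granted, no UI
    .catch(async () => {
      // A silent failure is treated as "consent missing" (assumption: the SDK does
      // not tell us the cause), so run our own consent flow instead of letting the
      // parent window prompt and refresh the whole tab.
      await openConsentPopup();          // rejects if the user cancels the popup
      const token = await silentToken(); // must succeed now that consent exists
      return { token, prompted: true };
    });
}

// Constructed stand-in for microsoftTeams.authentication so the flow can be run
// outside Teams. `consented` models whether the tenant already granted the
// app's permissions; `popups` counts how often our own consent page was opened.
function makeFakeTeamsAuth(consented) {
  const state = { consented, popups: 0 };
  return {
    state,
    getAuthToken({ silent, successCallback, failureCallback }) {
      if (state.consented) successCallback('fake.token.' + state.popups);
      else if (silent) failureCallback('consent_required'); // constructed reason
      else successCallback('fake.token.after-teams-prompt'); // the tab-refreshing path
    },
    authenticate({ successCallback }) {
      state.popups += 1;
      state.consented = true; // user accepted consent in our own popup
      successCallback();
    },
  };
}
```

In a real config tab, call `acquireTokenWithConsent(microsoftTeams.authentication, '/auth/consent')` before saving the tab settings and use the returned token against your protected API.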