Is it possible to receive the access token specified for tenantId by MS Teams bot (message extension)?

2
votes

In my case I need to receive and save the access token specified for tenantId inside my MS Teams bot (message extension) in order to get access to Graph API in further. There are a lot of information about adding the on-behalf-of-user authentication flow to the bot (https://docs.microsoft.com/en-us/microsoftteams/platform/bots/how-to/authentication/add-authentication?tabs=dotnet%2Cdotnet-sample). In this case we need to register the additional app (identity provider) on Azure portal and connect it to the bot (OAuth Connection Settings)... But, for my case, I need to implement the client credentials authenticaion flow and receive an access token using credentials (AppId and secret) of the bot app, registered on Azure portal. In order to achive this goal, I can use msal4j library, for example:

public static String getAppAccessToken(String[] scopes) {
        ConfidentialClientApplication cca;
        try {
            cca = ConfidentialClientApplication.builder(applicationId, ClientCredentialFactory.createFromSecret(applicationSecret))
                    .authority("https://login.microsoftonline.com/<<tenantId>>/")
                    .build();
        } catch (MalformedURLException e) {
            return null;
        }

        Set<String> scopeSet = Set.of(scopes);

        ClientCredentialParameters clientCredentialParam = ClientCredentialParameters.builder(
                scopeSet)
                .build();

        CompletableFuture<IAuthenticationResult> future = cca.acquireToken(clientCredentialParam);
        return future.join().accessToken();
    }

using this approach I receive the token which has expired after a while. Questions:

  1. is it possible to receive the access token (for specific tenantId) which hasn't expired, using the client credentials authenticaion flow inside MS Teams Bot?
  2. should I use Bot Framework SDK or msal4j library for implementing the client credentials authenticaion flow?
  3. the additional identity provider app (apart from Bot app) on Azure portal is required forthe client credentials authenticaion flow?
1
azure-active-directorybotframeworkmicrosoft-teamsmicrosoft-graph-teamsmsal.js
I used MSAL and it worked for me with client credentials flow. Also you may want to see any other alternate methods available from Teams BOT specific as well.Dev
@Dev, Did you receive the not expired token using MSAL and the client credentials flow?Semen L

1 Answers

0
votes

Q1 : Is it possible to receive the access token (for specific tenantId) which hasn't expired, using the client credentials authentication flow inside MS Teams Bot?

=>Access tokens are prone to expire after sometime due to security mechanism, since OAuth 2.0 client credentials grant flow provides access token instead of impersonating a user this is must have for security reasons. To generate new access tokens you would require refresh token which isn't available when you use client credentials flow but its available when used auth code grant.

Q2: Should I use Bot Framework SDK or msal4j library for implementing the client credentials authentication flow?

=>There shouldn't be an issue, You can generate token using bot authentication if required permissions are given to bot app.

Q3: The additional identity provider app (apart from Bot app) on Azure portal is required for the client credentials authentication flow?

=>If you have an existing app id associated with bot, you don't need to create one. I see docs doesn't mention this, but you don't require to create a new app in portal. You can just go and use your app(bot) in Azure Active Directory, and give required permission => generate token => Send token to graph API and get the result.