eynarain
Aug 19, 2019 (Brass Contributor)
Teams Bot Graph API
I'm developing a very simple Teams bot that needs to make use of graph api in the backend. Since bots don't support silent authentication, I'm forced to authenticate my user inside the bot and acquir...
Pingulea
Dec 16, 2020 (Former Employee)
The OAuth protocol is an Authorization protocol, not Authentication. The authentication is an extension to it. And we do have 2 separate applications - Teams and the bot - even though these two apps "talk" to each other transparently to the user.
Just because the user authenticated to Teams, it does not mean that your bot is allowed to do stuff in the name of the user (impersonate the user) by accessing resources with Graph API.
When the user is asked to "authenticate" to the bot, we should actually read "the bot needs the user's authorization in order to perform operations in the name of the user". Only upon the user's authorization can the bot make Graph API calls in the name of the user.
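As an added illustration of the distinction drawn above (example code, not from the thread and not from the Bot Framework or Graph SDKs), this is a check a bot backend can run before calling Graph: a delegated Graph token names Graph as its audience and carries the scopes the user consented to, while the token the bot holds from the Teams sign-in alone does not. The token shapes, app id and scope names below are constructed sample data.

```python
import base64
import json

# Audience values the Microsoft identity platform uses for Microsoft Graph tokens.
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT without verifying its signature.

    Diagnostic read only: Graph is the party that validates the token. The bot
    just needs to know what kind of token it is holding before it calls Graph.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def authorized_for_graph(token: str, required_scopes: set) -> bool:
    """True only if the token is a delegated Graph token carrying every required scope.

    A token whose audience is the bot's own app id (no scp claim), or one with
    fewer scopes than the bot needs, means the user has not yet authorized the
    bot to act on their behalf against Graph, so the OAuth prompt is still needed.
    """
    claims = decode_claims(token)
    if claims.get("aud") not in GRAPH_AUDIENCES:
        return False
    granted = set(claims.get("scp", "").split())
    return required_scopes <= granted


def _make_token(payload: dict) -> str:
    """Build an unsigned sample JWT (constructed test data, not a real token)."""
    header = base64.urlsafe_b64encode(b'{"typ":"JWT","alg":"RS256"}').rstrip(b"=").decode()
    body = base64.urlsafe_b64encode(json.dumps(payload).encode()).rstrip(b"=").decode()
    return f"{header}.{body}.placeholder-signature"


# Constructed samples: what the bot holds after Teams sign-in vs. after user consent.
TEAMS_ONLY_TOKEN = _make_token({"aud": "11111111-aaaa-bbbb-cccc-222222222222", "name": "user"})
GRAPH_DELEGATED_TOKEN = _make_token({"aud": "https://graph.microsoft.com",
                                     "scp": "User.Read Mail.Read"})
```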