Forum Discussion
Access session (UniversalBot.loadSession) and its userData from tab
Every request to your services includes the id and aadObjectId, which are guaranteed to be of the authenticated Teams user. They can be used as keys to look up credentials or any cached state in your service. In addition, each request contains the Azure Active Directory tenant ID of the user, which can be used to identify the user’s organization.
You can take a look at the link below for more details.
https://docs.microsoft.com/en-us/microsoftteams/platform/messaging-extensions/how-to/add-authentication#authentication
- dhoelzl, Jan 27, 2020, Copper Contributor
Thank you for your reply!
I have configured a configurable tab like this:
"configurableTabs": [
  {
    "configurationUrl": "https://XXXXXXXX.ngrok.io/tab/configure",
    "canUpdateConfiguration": true,
    "scopes": [ "team" ]
  }
]
I am using Node/express:
app.get("/tab/configure", (req, res) => { res.render("configure") });
And I get called via GET-Request:
req.url: "/tab/configure"
req.method: "GET"
req.rawHeaders: "["Host","XXXXXXXX.ngrok.io", "Accept","text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8", "Accept-Encoding","gzip, deflate, br", "Referer","https://teams.microsoft.com/iframe-container.html", "Upgrade-Insecure-Requests","1", "User-Agent","Mozilla/5.0" (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Teams/1.3.00.362 Chrome/66.0.3359.181 Electron/3.1.13 Safari/537.36", "X-Forwarded-Proto","https","X-Forwarded-For","XXX.XXX.XXX.XXX"]"
Where can I access the id and aadObjectId? Am I missing something? I cannot see any header or URL-argument containing authentication information.
When I dump the result of microsoftTeams.getContext on my configuration page, there is also no id or aadObjectId, and as stated in the docs this information must not be used for user authentication anyway.
Thank you and regards,
Dominik
- subhasish-MSFT, Jan 27, 2020, Former Employee
You can refer to this: https://github.com/microsoft/BotBuilder-Samples/blob/0bc30ed8ecdd8c82f2e20c48cc72426dd2100bc0/samples/javascript_nodejs/52.teams-messaging-extensions-search-auth-config/bots/teamsMessagingExtensionsSearchAuthConfigBot.js#L36
Here is a link to the complete solution:
https://github.com/microsoft/BotBuilder-Samples/tree/0bc30ed8ecdd8c82f2e20c48cc72426dd2100bc0/samples/javascript_nodejs/52.teams-messaging-extensions-search-auth-config
Hope it helps
- dhoelzl, Jan 28, 2020, Copper Contributor
Thank you!
So with this I can access the session before Teams retrieves a URL to the configuration page, so that I can attach an OAuth access token (or the id/aadObjectId) as a URL parameter which later can be accessed when handling the GET-Request of the configuration page itself? Might this be insecure?
Where is the documentation about that? I can see that the C#-equivalent is OnTeamsMessagingExtensionConfigurationQuerySettingUrlAsync (found at https://github.com/microsoft/botbuilder-dotnet/blob/master/libraries/Microsoft.Bot.Builder/Teams/TeamsActivityHandler.cs), but I cannot find any reference documentation for this. How does this interfere with the configured configurationUrl in the manifest?
I will try and play around with this.
Regards,
Dominik
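
Added example, not part of the thread or of the linked Microsoft sample: one way to carry the user's identity to the configuration page without placing an OAuth access token in the URL is a short-lived, HMAC-signed state value that the GET handler verifies before trusting it. The function names, the `state` parameter, the key handling and the five-minute lifetime are assumptions made for illustration.

```javascript
const crypto = require("crypto");

// Assumption: a server-side secret; load it from a secret store in a real service.
const STATE_KEY = crypto.randomBytes(32);
const MAX_AGE_MS = 5 * 60 * 1000; // assumed lifetime of a state value

const b64url = (data) => Buffer.from(data).toString("base64url");
const sign = (payload) =>
  crypto.createHmac("sha256", STATE_KEY).update(payload).digest();

// Bot side: aadObjectId and tenantId come from the authenticated request.
function issueState(aadObjectId, tenantId, now = Date.now()) {
  const payload = b64url(JSON.stringify({ oid: aadObjectId, tid: tenantId, iat: now }));
  return `${payload}.${b64url(sign(payload))}`;
}

// Builds the configuration page URL with the signed state attached.
function configUrl(baseUrl, aadObjectId, tenantId, now = Date.now()) {
  const url = new URL(baseUrl);
  url.searchParams.set("state", issueState(aadObjectId, tenantId, now));
  return url.toString();
}

// Tab side (GET handler): returns the identity, or null if the value is
// missing, malformed, modified or older than MAX_AGE_MS.
function verifyState(state, now = Date.now()) {
  if (typeof state !== "string") return null;
  const [payload, mac, extra] = state.split(".");
  if (!payload || !mac || extra !== undefined) return null;
  const expected = sign(payload);
  const given = Buffer.from(mac, "base64url");
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  if (given.length !== expected.length) return null;
  if (!crypto.timingSafeEqual(given, expected)) return null;
  let claims;
  try {
    claims = JSON.parse(Buffer.from(payload, "base64url").toString("utf8"));
  } catch {
    return null;
  }
  if (!claims || typeof claims.iat !== "number") return null;
  if (now < claims.iat || now - claims.iat > MAX_AGE_MS) return null;
  return { aadObjectId: claims.oid, tenantId: claims.tid };
}
```

The URL can still end up in proxy logs, browser history and Referer headers, which is why this value holds only identifiers and expires quickly; the credentials themselves stay server-side, keyed by aadObjectId.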