Forum Discussion
custom tab-app authentication
Hello,
I have one general point and request clarification on this thread.
As we know there are 2 ways to perform authentication in custom tab in teams.
1. we invoke ms-teams java-script microsoftTeams.authentication.authenticate() which will open the popup window and accomplish the full OAuth flow
2. Another way of authenticating the custom-tab is obtaining the on-behalf-of token from
ms-teams client using microsoftTeams.authentication.getAuthToken()
This would NOT involve any account-selection-popup, meaning ms-teams client will only broker and obtain the token for the account that has signed into ms-teams.
If my custom-app wants to get token for different account and not the one used to sign-into ms-teams, I can NOT accomplish it in this flow which is also called "Use Single Sign-on authentication"
Am I correct in my understanding with respect to this flow?
Thanks.
4 Replies
Yes single sign on uses the account with which you have signed in to teams. You cannot have a user use a different account to sign in to a tab that uses SSO. If you want to allow users to sign in to a tab using other account (other than the once signed in to teams) you will need to implement Simple Authentication
Thanks Varaprasad-MSFT for your clarification. Appreciate your perfect answer.
As a follow up I have one point to clarify between 2 types of custom-tabs i.e., static tab and configuration tab-authentication .
As long as we are talking about the static-tabs I am totally onboard with the diagram at https://docs.microsoft.com/en-us/microsoftteams/platform/tabs/how-to/authentication/auth-flow-tab
My understanding is the same diagram flow can be triggered and accomplished by the "configurable tab"
So, if I put it hands-on way,let's say there are 3 members on one channel where this configurable tab-app is installed.
All 3 members will go through this authentication-flow, consent all the scopes required by the tab on their MS-teams client.
Now, this tab will have OAuth token for all 3 members.
So if the job of this tab-app was to show the latest 5 emails then would the output-UI on the tab screen would be different for all the 3 members ??
That is not matching with my understanding because as far as I know, the "configurable tab" should provide information that is common and helpful to an entire team.
There is no member specific information. So what was the use of delegated-OAuth token ?Should not configurable tab be dealing with only Client-credential authentication flow and get the app-level token using its own client-id/client-secret ?
If it was static-tab, I would totally understand the importance of sign-in.
Appreciate your help.
Thanks.
- Channel tabs will have same behavior for all the users in channel .When you add a tab as channel tab it will be common to all members.
We should add such tabs as channel tabs.
