Forum Discussion
Forms embedded in SharePoint doesn't display in custom Teams app
Hi Petter Skodvin-Hvammen - Thanks for raising the query. The issue with embedding Microsoft Forms in SharePoint and displaying them in a custom Teams app is due to CORS restrictions when acquiring on-behalf-of tokens, leading to HTTP 500 errors. To resolve this, follow these steps:
- Backend Token Acquisition:
- Set up a backend server to handle token acquisition.
- Use the server to make the 'OnBehalfOf' token call for the Microsoft Forms API.
- Store client credentials securely on the server.
- Frontend Code:
- Update the frontend to only use
microsoftTeams.authentication.getAuthToken()for authentication. - Remove direct calls to the AcquireOBOToken API from the frontend.
- App Manifest:
- Ensure your Teams app manifest includes permissions for the Microsoft Forms API.
- Verify allowed domains in the manifest for accessing the Forms API. By handling token acquisition on the backend, you can avoid CORS issues and successfully embed Microsoft Forms in SharePoint and display them in Teams.
Example (Node.js Backend Token Acquisition):
const msal = require('@azure/msal-node');
const config = {
auth: {
clientId: 'YOUR_CLIENT_ID',
authority: 'https://login.microsoftonline.com/YOUR_TENANT_ID',
clientSecret: 'YOUR_CLIENT_SECRET'
}
};
const cca = new msal.ConfidentialClientApplication(config);
async function acquireTokenOnBehalfOf() {
const authResult = await cca.acquireTokenOnBehalfOf({
scopes: ['https://forms.office.com/.default'],
oboAssertion: 'ACCESS_TOKEN_OF_THE_USER'
});
return authResult.accessToken;
}Refer to the Microsoft Teams platform documentation for more details on https://learn.microsoft.com/en-us/microsoftteams/platform/concepts/authentication/authentication and token acquisition.
Dinesh-MSFT Thank you for your explanation and research, but requiring server side components for embedding SharePoint in Teams is not a good solution. This stopped working some time this winter, and I assume it's caused by security hardening in Teams.
SharePoint is the man in the middle here and should be allowed to request obo tokens when embedded in Teams.
All parties involved here are Microsoft first party apps; Teams, SharePoint and Forms. There's no third party code involved in this custom Viva Connections setup, just the teams app manifest/json.
Is it correct that it's SharePoint that enforces the CORS restrictions on the OBO API endpoint?
Hi Petter Skodvin-Hvammen,
As discussed internally, embedding Microsoft Forms in a custom Teams app is not a standard practice and may lead to authentication issues due to the different handling of third-party apps in Teams. To confirm this, we suggest testing the same SharePoint page within the SharePoint tab app in Teams, which is a standard feature, to see if the form is displayed correctly.- I think you guys are missing the OPs point.
if he uses Viva Connections then it's working fine.
if he makes his own Teams app then certain webparts [MS Forms .. Viva Engage] will break b/c of the token.
I am also having similar issue with Viva Engage web part on my intranet homepage. If using Viva connections app then it all loads fine. If I build a separate Teams app then the token for yammer is blocked.
Hi Petter Skodvin-Hvammen,
We are checking this issue internally with engineering team. we will look into it and let you know the update.
