custom tab-app authentication


Hello,

I have one general point and would like clarification in this thread.

As we know, there are 2 ways to perform authentication in a custom tab in Teams.

1. We invoke the MS Teams JavaScript microsoftTeams.authentication.authenticate(), which will open the popup window and accomplish the full OAuth flow.

2. Another way of authenticating the custom tab is obtaining the on-behalf-of token from the MS Teams client using microsoftTeams.authentication.getAuthToken().

This would NOT involve any account-selection popup, meaning the MS Teams client will only broker and obtain the token for the account that has signed in to MS Teams.

If my custom app wants to get a token for a different account and not the one used to sign in to MS Teams, I can NOT accomplish it in this flow, which is also called "Use Single Sign-on authentication".
Am I correct in my understanding with respect to this flow?

Thanks.


Yes, single sign-on uses the account with which you have signed in to Teams. You cannot have a user use a different account to sign in to a tab that uses SSO. If you want to allow users to sign in to a tab using another account (other than the one signed in to Teams), you will need to implement Simple Authentication.
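The two flows from the question and the reply above, sketched as an added example that is not part of the thread: a tab helper that uses silent SSO for the Teams account and the popup flow when another account is wanted or SSO fails. It assumes the promise-based TeamsJS v2 `microsoftTeams.authentication` API and Microsoft Entra v2.0 claim names; `AUTH_START_URL`, `readClaims`, `signIn`, `stubTeamsAuth` and the token are hypothetical or constructed for the example.

```javascript
// Added example, not code from the thread. `teamsAuth` stands for
// microsoftTeams.authentication (TeamsJS v2, promise-based API).
// AUTH_START_URL is a hypothetical tab page that starts the OAuth flow.
const AUTH_START_URL = "https://tab.example.com/auth-start.html";

// Decode (NOT verify) the JWT payload so the tab can show the account.
// The tab's backend must still validate signature, aud, iss and exp.
function readClaims(jwt) {
  const payload = String(jwt).split(".")[1];
  if (!payload) throw new Error("not a JWT");
  const b64 = payload.replace(/-/g, "+").replace(/_/g, "/");
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder().decode(bytes));
}

// useTeamsAccount=true: silent SSO, token is for the Teams signed-in account.
// useTeamsAccount=false: popup flow, the sign-in page can offer other accounts.
async function signIn(teamsAuth, { useTeamsAccount = true } = {}) {
  if (useTeamsAccount) {
    try {
      const token = await teamsAuth.getAuthToken();
      const { preferred_username, oid, tid } = readClaims(token);
      return { flow: "sso", account: preferred_username, oid, tid, token };
    } catch (err) {
      // SSO failed (for example consent is missing): fall back to the popup.
    }
  }
  const url = AUTH_START_URL;
  const result = await teamsAuth.authenticate({ url, width: 600, height: 535 });
  return { flow: "popup", result };
}

// Constructed stand-in for the SDK and a constructed, unsigned token.
const enc = (o) =>
  btoa(JSON.stringify(o)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const CONSTRUCTED_TOKEN = [
  enc({ alg: "none" }),
  enc({ preferred_username: "teams.user@contoso.example", oid: "oid-1", tid: "tid-1" }),
  "sig",
].join(".");
function stubTeamsAuth({ ssoFails = false } = {}) {
  return {
    getAuthToken: () =>
      ssoFails ? Promise.reject(new Error("consent_required")) : Promise.resolve(CONSTRUCTED_TOKEN),
    authenticate: ({ url }) => Promise.resolve(`popup completed via ${url}`),
  };
}
```

Inside Teams, pass `microsoftTeams.authentication` instead of the stub, and send the SSO token to the tab's backend for validation rather than trusting the decoded claims in the browser.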

Thanks @Varaprasad-MSFT for your clarification. Appreciate your perfect answer.

As a follow-up, I have one point to clarify between 2 types of custom tabs, i.e., static tab and configuration tab-authentication.

As long as we are talking about the static tabs, I am totally on board with the diagram at tab-authentication.

My understanding is that the same diagram flow can be triggered and accomplished by the "configurable tab".
So, if I put it in a hands-on way,

let's say there are 3 members on one channel where this configurable tab app is installed.
All 3 members will go through this authentication flow and consent to all the scopes required by the tab on their MS Teams client.
Now, this tab will have an OAuth token for all 3 members.
So if the job of this tab app was to show the latest 5 emails, then would the output UI on the tab screen be different for all the 3 members?
That is not matching with my understanding because, as far as I know, the "configurable tab" should provide information that is common and helpful to an entire team.
There is no member-specific information. So what was the use of the delegated OAuth token?

Should not the configurable tab be dealing with only the client-credential authentication flow and get the app-level token using its own client-id/client-secret?

If it was a static tab, I would totally understand the importance of sign-in.

Appreciate your help.

Thanks.

Channel tabs will have the same behavior for all the users in the channel. When you add a tab as a channel tab, it will be common to all members.
We should add such tabs as channel tabs.

@Varaprasad-MSFT 

I totally agree with you that a channel tab is common for all members.

And that's why I do not understand why a channel tab would want the delegated OAuth token of the user.

Shouldn't they focus only on the app-level token?

Thanks.