custom tab-app authentication


Hello,

I have one general point and request clarification on this thread.

As we know, there are 2 ways to perform authentication in a custom tab in Teams.

1. We invoke the ms-teams JavaScript microsoftTeams.authentication.authenticate(), which will open the popup window and accomplish the full OAuth flow.

2. Another way of authenticating the custom tab is obtaining the on-behalf-of token from the ms-teams client using microsoftTeams.authentication.getAuthToken().

This would NOT involve any account-selection popup, meaning the ms-teams client will only broker and obtain the token for the account that has signed in to ms-teams.

If my custom app wants to get a token for a different account and not the one used to sign in to ms-teams, I can NOT accomplish it in this flow, which is also called "Use Single Sign-on authentication".
Am I correct in my understanding with respect to this flow?

Thanks.

4 Replies

Yes, single sign-on uses the account with which you have signed in to Teams. You cannot have a user use a different account to sign in to a tab that uses SSO. If you want to allow users to sign in to a tab using another account (other than the one signed in to Teams), you will need to implement Simple Authentication.
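The choice between the two flows discussed above, as an added example that is not part of the original thread or Microsoft's code. It assumes the v1 callback-style Teams SDK object is passed in as `teams`, that the auth-end page hands a token to the pop-up's success callback, and that the token carries a `preferred_username` claim; `AUTH_START_URL` and the stub SDK are constructed so it runs offline under Node.

```javascript
// Added example (not from the thread). `teams` stands for the Teams JS SDK
// object (microsoftTeams, v1 callback style); the URL is a placeholder.
const AUTH_START_URL = "https://tab.example.invalid/auth-start";

// Flow 2 in the post: silent SSO, no account picker.
function ssoSignIn(teams) {
  return new Promise((resolve, reject) =>
    teams.authentication.getAuthToken({
      successCallback: (token) => resolve({ flow: "sso", token }),
      failureCallback: (reason) => reject(new Error(reason)),
    }));
}

// Flow 1 in the post: pop-up that runs the full OAuth flow.
function popupSignIn(teams) {
  return new Promise((resolve, reject) =>
    teams.authentication.authenticate({
      url: AUTH_START_URL, width: 600, height: 535,
      // Assumption: the auth-end page passes the token to notifySuccess().
      successCallback: (token) => resolve({ flow: "popup", token }),
      failureCallback: (reason) => reject(new Error(reason)),
    }));
}

// SSO can only ever return the Teams account, so a request for another
// account has to go through the pop-up.
function signIn(teams, { differentAccount = false } = {}) {
  return differentAccount ? popupSignIn(teams) : ssoSignIn(teams);
}

// Read the account from a token WITHOUT verifying it (display only; the
// backend must validate signature, issuer and audience). The claim name is
// an assumption. Node's Buffer is used here; in the browser use atob().
function accountOf(jwt) {
  const b64 = jwt.split(".")[1].replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8")).preferred_username;
}

// Constructed stand-in for the SDK and its tokens so the example runs offline.
const fakeJwt = (user) => "e30." +
  Buffer.from(JSON.stringify({ preferred_username: user })).toString("base64") + ".sig";
function stubTeams(teamsUser, pickedUser) {
  return { authentication: {
    getAuthToken: (o) => o.successCallback(fakeJwt(teamsUser)),
    authenticate: (o) => o.successCallback(fakeJwt(pickedUser)),
  } };
}
```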

Thanks @Varaprasad-MSFT for your clarification. Appreciate your perfect answer.

As a follow-up, I have one point to clarify between 2 types of custom tabs, i.e., static tab and configuration tab-authentication.

As long as we are talking about the static tabs, I am totally on board with the diagram at tab-authentication.

My understanding is that the same diagram flow can be triggered and accomplished by the "configurable tab".
So, if I put it in a hands-on way,

let's say there are 3 members on one channel where this configurable tab-app is installed.
All 3 members will go through this authentication flow and consent to all the scopes required by the tab on their MS-teams client.
Now, this tab will have an OAuth token for all 3 members.
So if the job of this tab-app was to show the latest 5 emails, then would the output UI on the tab screen be different for all 3 members?
That does not match my understanding because, as far as I know, the "configurable tab" should provide information that is common and helpful to an entire team.
There is no member-specific information. So what was the use of the delegated OAuth token?

Should the configurable tab not be dealing with only the client-credential authentication flow and get the app-level token using its own client-id/client-secret?

If it was a static tab, I would totally understand the importance of sign-in.

Appreciate your help.

Thanks.

Channel tabs will have the same behavior for all the users in the channel. When you add a tab as a channel tab, it will be common to all members.
We should add such tabs as channel tabs.

@Varaprasad-MSFT 

I totally agree with you that channel tab is common for all members.

And that's why I do not understand: why would a channel tab want the delegated OAuth token of the user?

Shouldn't they focus only on the app-level token?


Thanks.