How to get access token for Graph API in Teams bot-based message extension?

Question

I'm developing a Teams bot-based message extension application using the Teams Toolkit in TypeScript. I need to retrieve all the replies for a message in the current channel. According to the documentation, I need to use the Graph API to get the replies. However, to use the Graph API, I need an access token.

My questions are:

How can I implement OAuth to get the token in a bot-based message extension?
Are there any specific permissions or configurations needed in the Azure portal to enable this?
Is there an alternative way to get the access token or retrieve the replies without using the Graph API?

dinesh-msft · Answer

Hi&nbsp;XDeveloper29&nbsp;- Thanks for raising the query.We will look into it and let you know the updates.Update: Your questions about implementing OAuth and accessing the Graph API in your Teams bot-based message extension. To address your queries:

Implementing OAuth: You can implement OAuth in a bot-based message extension by sending an OAuth Card to the Teams client, which is used to get the access token from Microsoft Entra ID using&nbsp;tokenExchangeResource. Upon the user's consent, the Teams client sends the token received from Microsoft Entra ID to the bot app using token exchange.

Permissions and Configurations: Specific permissions are required in the Azure portal to enable access to the Graph API. You must register your app and ask for specific permission scopes to obtain the access tokens upon the app user's consent.

Alternative Methods: If you're looking for an alternative way to retrieve the replies without using the Graph API, currently, the Graph API is the primary method provided by Microsoft to interact with Teams data programmatically.

For a detailed guide on implementing authentication and obtaining access tokens, please refer to the official Microsoft documentation:

Enable SSO with Microsoft Entra ID - Teams | Microsoft Learn&nbsp;
Microsoft Graph Permissions for App - Teams | Microsoft Learn&nbsp;

If you need any further assistance or have additional questions, please feel free to ask.

xdeveloper29 · Answer

We have created an app using Teams Toolkit and registered a bot on dev.botframework.com. Can we implement OAuth with this setup, or do we need Azure Bot Service for OAuth?

dinesh-msft · Answer

Hi XDeveloper29, you can implement OAuth with your current setup using Teams Toolkit and a bot registered on dev.botframework.com. While Azure Bot Service provides built-in support for OAuth and simplifies the process, it is not strictly necessary for OAuth implementation. You will need to handle the OAuth flow manually, which involves registering your app with an identity provider, setting up the necessary OAuth 2.0 endpoints, and managing tokens within your application.

xdeveloper29 · Answer

Dinesh-MSFT&nbsp;, Can you please share the steps for current setup?

sayali-msft · Answer

XDeveloper29&nbsp;-
If you're using the Teams Toolkit and have your bot registered on dev.botframework.com, you can still implement OAuth without relying entirely on Azure Bot Service's built-in support. Here’s a step-by-step guide to handling OAuth manually in this setup:
1. Register Your Application with an Identity Provider
You need to register your bot application with an identity provider like Azure AD. This will give you the necessary credentials (client ID, client secret) and endpoints for OAuth 2.0.

Azure AD Registration:

Go to the Azure Portal.
Navigate to "Azure Active Directory" &gt; "App registrations" and register a new application.
Note down the Application (client) ID and Directory (tenant) ID.
Under "Certificates &amp; secrets," generate a new client secret.

Configure Redirect URIs:

Under "Authentication" for your registered app, add a redirect URI that matches your bot’s OAuth endpoint (e.g., https://yourdomain.com/oauth2/callback).

API Permissions:

Go to "API permissions" and add the necessary Microsoft Graph API permissions such as ChannelMessage.Read.All or ChannelMessage.ReadWrite.All.

2. Implement OAuth Flow Manually
Since Azure Bot Service simplifies OAuth, you'll handle the OAuth flow manually in your application. Here’s a detailed approach:
a. Create an Authorization URL:
You need to redirect the user to the Microsoft authorization endpoint where they can log in and grant permissions.
&nbsp;

typescriptconst authorizationUrl = `https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?response_type=code&amp;client_id={client-id}&amp;redirect_uri={redirect-uri}&amp;response_mode=query&amp;scope=https%3A%2F%2Fgraph.microsoft.com%2F.default&amp;state={state}`;
&nbsp;

Replace {tenant} with your tenant ID.
Replace {client-id} with your application (client) ID.
Replace {redirect-uri} with your redirect URI.
Replace {state} with a random string to prevent CSRF attacks.

b. Handle Authorization Code Callback:
After the user grants permissions, they will be redirected back to your application with an authorization code.
&nbsp;

import express from 'express'; import axios from 'axios'; const app = express(); app.get('/oauth2/callback', async (req, res) =&gt; { const code = req.query.code as string; if (code) { const response = await axios.post('https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token', null, { params: { client_id: 'your-client-id', scope: 'https://graph.microsoft.com/.default', code: code, redirect_uri: 'your-redirect-uri', grant_type: 'authorization_code', client_secret: 'your-client-secret' } }); const accessToken = response.data.access_token; res.send(`Access token: ${accessToken}`); } else { res.send('Authorization code not found'); } }); app.listen(3000, () =&gt; console.log('Server listening on port 3000'));​
Replace {tenant}, {client-id}, {redirect-uri}, and {client-secret} with your actual values.

c. Use Access Token to Call Microsoft Graph API:
With the access token, you can make authenticated requests to Microsoft Graph API to retrieve messages and replies.
&nbsp;

Registering your app with Azure AD.
Implementing the OAuth authorization flow.
Using the access token to make Graph API requests.

Forum Discussion

How to get access token for Graph API in Teams bot-based message extension?

Share

Resources