Forum Discussion

chisr's avatar
chisr
Copper Contributor
Jul 27, 2022

MS Teams bot - how to download file that was uploaded in teams

I'm using teams bot api. We want to support images - a user will upload images in teams bot conversation, and the image will be sent to our server and converted to base64. The request that my serve...
developer
chisr's avatar
chisr
Copper Contributor
Aug 01, 2022
What permissions do I need? (From Docs it looks like the link should be pre-auth), I use REST API and not the BotBuilder. I also tried with Bearer authorization header - with the token generated by bot credentials:
const params = {
"grant_type": "client_credentials",
"client_id": botId,
"client_secret": secret,
"scope": 'what should be here?'
}
Sayali-MSFT's avatar
Sayali-MSFT
Icon for Microsoft rankMicrosoft
Aug 01, 2022

chisr -Prerequisites for uploading file-
Upload file in Teams using bot - Teams | Microsoft Docs

For Bearer Token Call:

 

 

POST https://login.microsoftonline.com/your_tenant.onmicrosoft.com/oauth2/v2.0/token

 

 

Body: (in form-data or x-www-form-urlencoded format):

  1. client_id: Application ID copied earlier
  2. scope: profile-search (May vary based on the scopes exposed in the resource API)
  3. client_assertion_type: urn:ietf:params:oauth:client-assertion-type:jwt-bearer (Must be same)
  4. client_assertion: Read about certificate credentials to learn how to register your certificate and Signed assertions for encoded assertion to be used here.
  5. grant_type: client_credentials (to acquire token in application context where no human interaction is needed)

Notice that there are no user credentials specified in the request. The token will be acquired in the Application/servicePrincipal context.
OAuth 2.0 client credentials flow on the Microsoft identity platform - Microsoft Entra | Microsoft Docs

.

  • Sayali-MSFT's avatar
    Sayali-MSFT
    Icon for Microsoft rankMicrosoft
    Aug 04, 2022
    chisr-Glad to hear that your issue is resolved.
  • chisr's avatar
    chisr
    Copper Contributor
    Aug 04, 2022

    I found the problem!!!

    The DownloadUrl really has to be public, the problem is that our nodejs code use sanitazion on each input for security -

    expressSanitized.middleware({encoder: 'XSSEncode'})

    The sanitazion added "&amd;" to the downloadUrl - 

    https://***.sharepoint.com/personal/****/_layouts/15/download.aspx?UniqueId=5c****c344&Translate=false&tempauth=eyJ0e........AwMDAwMDAv

     

    That's why I got 403....

    I added unescape function to remove the & and now it works.

    Thanks!

  • chisr's avatar
    chisr
    Copper Contributor
    Aug 02, 2022

    So it is not as written in the Docs. The downloadUrl should be public - pre-authenticated and valid for a few minutes. Else, what is the tempAuth parameter (and it's value..) that exists in the downloadUrl? (maybe only the contentUrl requires an access token)

     

    In another doc there is an explaination about the 'pre-authenticated downloadUrl' :

    "Pre-authenticated download URLs are only valid for a short period of time (a few minutes) and do not require an Authorization header to download"

     

    Maybe I missed some steps to make it public for a few minutes ? (we created the bot here: https://dev.botframework.com/bots/new)

    The bot has to access the files that users upload in the conversation (users can be from many tenants, not from the tenant where the bot was created), without the need to ask and save the user's credentials to sharepoint (maybe bot credentials can also be good, but not user's ones)...

     

    Thanks in advance!