Dec 01 2023 04:55 AM
I'm creating a multi-tenant Teams app on .NET, using this sample for now (https://github.com/OfficeDev/Microsoft-Teams-Samples/tree/main/samples/tab-sso/csharp).
The OBO (On-Behalf-Of) flow seems to be recommended in this case. I'm trying to make a Graph call to get an access token with custom claims mapped.
1. Added certificate to the Azure Web App and App registration.
2. Modified the app to use the Microsoft.Identity.Web library. Updated it to generate a JWT signed with the cert, use that as the client assertion, and added it to the auth header as well.
3. When I had the acceptMappedClaims value set to true, the app worked for multiple tenants and was able to return custom claims.
I'm trying to configure the signing key in Azure AD using the Graph API call mentioned here: https://learn.microsoft.com/en-us/entra/identity-platform/jwt-claims-customization#configure-a-custo...
//var body = $"assertion={idToken}&requested_token_use=on_behalf_of&grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&client_id={configuration[ClientIdConfigurationSettingsKey]}@{configuration[TenantIdConfigurationSettingsKey]}&client_secret={configuration[AppsecretConfigurationSettingsKey]}&scope=https://graph.microsoft.com/User.Read";
var body = $"assertion={idToken}&client_assertion={token}&client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&requested_token_use=on_behalf_of&grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&client_id={configuration[ClientIdConfigurationSettingsKey]}@{configuration[TenantIdConfigurationSettingsKey]}&scope=https://graph.microsoft.com/User.Read";
The OBO flow sample passes the id token as the assertion along with the client secret. For a certificate, it is mentioned to use client_assertion. So I modified the line in SSOAuthHelper.cs and added a client assertion. The comment has the unmodified line.
1. Does the idToken need to be removed from the body?
2. I also tried custom signing through the Graph call mentioned in the article. Does this need to be run against the app registration in the tenant in which the app is hosted, or should it be the M365 tenant?
I'd really appreciate any help on this; please let me know if you need more details.
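Added example (an editor's illustration, not code from the tab-sso sample or from the poster's SSOAuthHelper.cs): a certificate-based OBO exchange in C# that makes explicit which parameter carries what. The token the app received from Teams stays in the assertion parameter; client_assertion plus client_assertion_type take the place of client_secret. The certificate that signs the client assertion is the app's client credential (the one uploaded to the app registration), which is a separate thing from the token-signing key that the claims-customization article's addKey call registers on the service principal. Tenant ID, client ID, scope and the certificate load are placeholders; the form is sent URL-encoded instead of string-concatenated; and client_id is passed as the plain application ID (an assumption here, the sample's id@tenant form is not reproduced). Needs the System.IdentityModel.Tokens.Jwt package.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Net.Http;
using System.Security.Claims;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Tokens;

// Added example, not part of the Teams sample. All identifiers and paths are placeholders.
public static class OboWithCertificate
{
    // Client assertion: a short-lived JWT signed with the app's certificate (its client credential).
    // iss and sub are the application (client) ID; aud is the token endpoint of the tenant
    // the request is sent to. JwtSecurityTokenHandler adds the x5t header from the X509 key,
    // which is how Entra ID matches the signature to the certificate on the app registration.
    public static string BuildClientAssertion(string tenantId, string clientId, X509Certificate2 cert)
    {
        var now = DateTime.UtcNow;
        var credentials = new X509SigningCredentials(cert, SecurityAlgorithms.RsaSha256);
        var jwt = new JwtSecurityToken(
            issuer: clientId,
            audience: $"https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token",
            claims: new[]
            {
                new Claim(JwtRegisteredClaimNames.Sub, clientId),
                new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString()),
            },
            notBefore: now,
            expires: now.AddMinutes(10),   // keep it short; a fresh one is built per request
            signingCredentials: credentials);
        return new JwtSecurityTokenHandler().WriteToken(jwt);
    }

    // The OBO form. The incoming user token is still the "assertion"; the certificate-based
    // credential replaces client_secret with client_assertion + client_assertion_type.
    public static Dictionary<string, string> BuildOboForm(
        string clientId, string incomingUserToken, string clientAssertion, string scope)
    {
        return new Dictionary<string, string>
        {
            ["grant_type"] = "urn:ietf:params:oauth:grant-type:jwt-bearer",
            ["client_id"] = clientId,
            ["client_assertion_type"] = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
            ["client_assertion"] = clientAssertion,
            ["assertion"] = incomingUserToken,
            ["requested_token_use"] = "on_behalf_of",
            ["scope"] = scope,
        };
    }

    // Posts the exchange and returns the raw JSON body. On failure the body carries the
    // AADSTS error code (e.g. a signing-key or credential problem) instead of a token.
    public static async Task<string> ExchangeAsync(
        HttpClient http, string tenantId, string clientId, X509Certificate2 cert,
        string incomingUserToken, string scope)
    {
        var clientAssertion = BuildClientAssertion(tenantId, clientId, cert);
        var form = BuildOboForm(clientId, incomingUserToken, clientAssertion, scope);
        using var content = new FormUrlEncodedContent(form);   // URL-encoded, never string-concatenated
        using var response = await http.PostAsync(
            $"https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token", content);
        var body = await response.Content.ReadAsStringAsync();
        if (!response.IsSuccessStatusCode)
            throw new InvalidOperationException($"OBO exchange failed: {body}");
        return body;
    }

    // Placeholder usage: tenant, client ID, PFX path/password and the Teams token are assumptions.
    public static Task<string> ExampleAsync(HttpClient http, string teamsToken)
    {
        var cert = new X509Certificate2("app-credential.pfx", "pfx-password");
        return ExchangeAsync(http, "00000000-0000-0000-0000-000000000000",
            "11111111-1111-1111-1111-111111111111", cert, teamsToken,
            "https://graph.microsoft.com/User.Read");
    }
}
```

The tenantId used for the audience and the endpoint must be the same tenant the request is posted to; in a multi-tenant app that is the tenant of the signed-in user, not necessarily the tenant that hosts the registration.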
Dec 01 2023 06:04 AM
@Srihari_333 - Thanks for reporting your issue. We will check this and update you soon.
Dec 04 2023 12:45 AM
Dec 05 2023 11:59 PM
I have removed the assertion and am getting this error now:
"AADSTS50146: This application is required to be configured with an application-specific signing key. It is either not configured with one, or the key has expired or is not yet valid." Below are the steps I followed for signing (https://learn.microsoft.com/en-us/entra/identity-platform/jwt-claims-customization#configure-a-custo...):
1. Created a cert and uploaded it to the web app.
2. Made the Graph call as mentioned in the article with the service principal set to the app registration in the Teams/M365 tenant ID. This was successful.
3. Made the Graph call as mentioned in the article with the service principal set to the app registration in the host tenant ID, and got a bad request.
Is the 3rd step necessary? Are there any other steps I'm missing?
I have attached the SSOAuthHelper.cs file with the changes I made.
Dec 08 2023 02:33 AM
Dec 08 2023 02:46 AM
Hello @Srihari_333 - Your issue is more related to Identity than to the Teams platform.
Please raise it on Microsoft Q&A so that Identity experts can help resolve it: