marcuswelby
Sep 21, 2023 - Copper Contributor
Teams Personal Tab app sending cookies
I have a personal tab app that's a legacy app we want to use in Teams while we create a more "Teams Friendly" version. It's a Java application that uses HTTP Session to store user data. The server se...
Prasad_Das-MSFT
Microsoft
Sep 22, 2023
marcuswelby - The preferred approach for building Teams apps is to use single-page applications (SPAs) and the Teams JavaScript client library. SPAs provide a more seamless user experience within Teams and allow you to leverage the full capabilities of the Teams platform.
By using token-based authentication, you can ensure that the authentication workflow works in Teams without relying on cookies. The token is sent in the request header and can be validated on the server-side. Token-based authentication involves generating and validating tokens instead of relying on cookies for authentication.
Here's an example of how you can implement token-based authentication in your Java application:
- Modify your server code to generate and return a token instead of setting a cookie. You can use a library like JSON Web Tokens (JWT) to generate and sign the tokens.
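```java
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
...
// "secretKey" is a placeholder: load the real signing key from
// configuration instead of hard-coding it. This signWith overload
// expects the key as a Base64-encoded string.
String token = Jwts.builder()
        .setSubject("user123")                             // user the token is issued for
        .signWith(SignatureAlgorithm.HS256, "secretKey")
        .compact();
// Return the signed token to the client instead of setting a cookie.
response.addHeader("Authorization", "Bearer " + token);
```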
- In your Teams personal tab app, make requests to your server with the token included in the Authorization header.
```javascript
// `token` is the value the server returned in the previous step.
fetch('https://mysite.com/testapp/page1', {
  headers: {
    'Authorization': 'Bearer ' + token
  }
})
  .then(response => response.json())
  .then(data => {
    // Handle the response data
  })
  .catch(error => {
    // Handle any errors
  });
```
Thanks,
Prasad Das
marcuswelby
Sep 22, 2023 - Copper Contributor
If you read what I posted above I'm trying to leverage some legacy app in a Teams tab and can't convert it to an SPA (which is what you are suggesting). The application sends back complete HTML pages and uses a cookie to track user information. This is about using a cookie - it has nothing to do with authentication. Can you point to documentation that states that Microsoft Teams does not support sending cookies back to the servers for a Personal Tab App? The ability for a server to return a cookie on the response and have it sent on subsequent requests is basic functionality.
- Prasad_Das-MSFT
Microsoft
Sep 25, 2023
marcuswelby - Got it. We will check this with the engineering team internally and will update you accordingly. Thanks!
- marcuswelby
Sep 28, 2023 - Copper Contributor
Using samesite=none;secure on the cookies seems to work in Teams/Edge but not in Firefox. I think this is related to the fact that the tab app is in an iframe and any cookies are considered 3rd party, since the iframe's domain is different from the parent's.
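
The cookie attributes from the last reply, as an added example that is not part of the thread or the poster's application: a small Java helper that rewrites a `Set-Cookie` value so it carries exactly one `Secure` and one `SameSite=None`, replacing any conflicting value already present. The class and method names are hypothetical, and the sample headers (including the `JSESSIONID` value) are constructed.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;

// Added example: prepares a Set-Cookie value for use inside a cross-site
// iframe. Class and method names are hypothetical.
public class SameSiteCookieRewriter {

    // Returns the header value with exactly one "Secure" and one
    // "SameSite=None" attribute, keeping every other attribute as sent.
    static String forCrossSiteIframe(String setCookieValue) {
        String[] parts = setCookieValue.split(";");
        List<String> out = new ArrayList<>();
        out.add(parts[0].trim()); // the name=value pair always comes first
        for (int i = 1; i < parts.length; i++) {
            String attr = parts[i].trim();
            String lower = attr.toLowerCase(Locale.ROOT);
            // Drop existing Secure/SameSite attributes (names are
            // case-insensitive); they are re-added once below so the
            // result never has duplicate or conflicting values.
            boolean replaced = lower.equals("secure")
                    || lower.equals("samesite")
                    || lower.startsWith("samesite=");
            if (attr.isEmpty() || replaced) {
                continue;
            }
            out.add(attr);
        }
        out.add("Secure");        // current browsers reject SameSite=None without Secure
        out.add("SameSite=None"); // allow the cookie on cross-site (iframe) requests
        return String.join("; ", out);
    }

    public static void main(String[] args) {
        // Constructed sample headers, not captured from a real server.
        String[] samples = {
            "JSESSIONID=abc123; Path=/testapp; HttpOnly",
            "JSESSIONID=abc123; Path=/testapp; SameSite=Lax",
            "JSESSIONID=abc123; Path=/testapp; secure; samesite=strict; HttpOnly",
        };
        for (String s : samples) {
            System.out.println(forCrossSiteIframe(s));
        }
    }
}
```

Because `Secure` is always added, the rewritten cookie is only sent over HTTPS, so the tab content has to be served over HTTPS as well.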