SOLVED

Teams Personal Tab app sending cookies

Copper Contributor

I have a personal tab app that's a legacy app we want to use in Teams while we create a more "Teams Friendly" version. It's a Java application that uses HTTP Session to store user data. The server sends a cookie named JSESSIONID back to the browser and expects the browser to resend that cookie on subsequent interactions. It works fine standalone and in an iframe on another website, but on Teams the cookie isn't sent.

 

Steps to recreate:

1) Create an app with a personal app with a tab that goes to https://mysite.com/testapp/home

2) In the server handler for the above URL check for a cookie named "JSESSIONID". If it doesn't exist send back a cookie with attributes of 

```
"JSESSIONID": {
  "path": "/testapp",
  "samesite": "None",
  "secure": true,
  "value": "TESTME123"
}
```

The page returned should have a hyperlink to https://mysite.com/testapp/page1

3) Click on the link. Outside of Teams the server would get the cookie named JSESSIONID in the server code handling the request for "page1".

 

->In the desktop or web client for Teams the cookie is not present on the request sent TO the server from the Tab App in Teams.

 

I know this type of page flow isn't the preferred way to do a Teams app as the single page application is the style of all the examples. Is there any reason you can't have a link back to the server and expect it will send cookies? Are there other response headers or cookie options I should be using so the cookies will be accepted and replayed on subsequent server requests?

 

 

5 Replies

@marcuswelby - Thanks for raising this issue. We will check this internally and will get back to you with updates.

@marcuswelby - The preferred approach for building Teams apps is to use single-page applications (SPAs) and the Teams JavaScript client library. SPAs provide a more seamless user experience within Teams and allow you to leverage the full capabilities of the Teams platform.

By using token-based authentication, you can ensure that the authentication workflow works in Teams without relying on cookies. The token is sent in the request header and can be validated on the server-side.  Token-based authentication involves generating and validating tokens instead of relying on cookies for authentication.

Here's an example of how you can implement token-based authentication in your Java application:

  1. Modify your server code to generate and return a token instead of setting a cookie. You can use a library like JSON Web Tokens (JWT) to generate and sign the tokens.

```java
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;

// ...

// Build a signed JWT identifying the user.
// "secretKey" is a placeholder; load the real signing key from configuration.
String token = Jwts.builder()
  .setSubject("user123")
  .signWith(SignatureAlgorithm.HS256, "secretKey")
  .compact();

// Return the token to the client in a response header.
response.addHeader("Authorization", "Bearer " + token);
```

  2. In your Teams personal tab app, make requests to your server with the token included in the Authorization header.

```javascript
// `token` is the value previously returned by the server.
fetch('https://mysite.com/testapp/page1', {
  headers: {
    'Authorization': 'Bearer ' + token
  }
})
  .then(response => response.json())
  .then(data => {
    // Handle the response data
  })
  .catch(error => {
    // Handle any errors
  });
```
 

Thanks, 

Prasad Das


If you read what I posted above I'm trying to leverage some legacy app in a Teams tab and can't convert it to SPA (which is what you are suggesting). The application sends back complete HTML pages and uses a cookie to track user information. This is about using a cookie - it has nothing to do with authentication. Can you point to documentation that states that Microsoft Teams does not support sending cookies back to the servers for a Personal Tab App? The ability for a server to return a cookie on the response and have it sent on subsequent requests is basic functionality.

@marcuswelby - Got it. We will check this with engineering team internally and will update you accordingly. Thanks!

best response confirmed by marcuswelby (Copper Contributor)
Solution
Using samesite=none;secure on the cookies seems to work in Teams/Edge but not in Firefox. I think it is related to the fact that the tab app is in an iframe and any cookies are considered 3rd party, since the domain of the iframe is different from the parent's.
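
The cookie rules behind this solution, as an added example that is not part of the original thread: a simplified model of when a browser attaches a cookie to a request made from a cross-site iframe such as a Teams tab. The function names and the `blocksThirdPartyCookies` option are hypothetical, the sample headers are constructed from the values in the question, and an unset SameSite is assumed to be treated as Lax.

```javascript
// Added illustration: checks a browser applies before attaching a cookie to a
// request from a cross-site iframe. Host matching and expiry are not modelled.

function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim()).filter(Boolean);
  const eq = pair.indexOf('=');
  // Simplification: Path defaults to "/" instead of the request's directory.
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), path: '/', secure: false, sameSite: null };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=').map(s => s.trim());
    const key = k.toLowerCase();
    if (key === 'path' && v.startsWith('/')) cookie.path = v;
    else if (key === 'secure') cookie.secure = true;
    else if (key === 'samesite') cookie.sameSite = v.toLowerCase();
  }
  return cookie;
}

// RFC 6265 path-match: "/testapp" covers "/testapp/page1" but not "/testapp2".
function pathMatches(cookiePath, requestPath) {
  if (requestPath === cookiePath) return true;
  return requestPath.startsWith(cookiePath) &&
    (cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/');
}

function crossSiteIframeVerdict(setCookie, requestUrl, opts = {}) {
  const c = parseSetCookie(setCookie);
  const url = new URL(requestUrl);
  if (c.sameSite === 'none' && !c.secure) return 'rejected: SameSite=None requires Secure';
  if (c.sameSite !== 'none') return `withheld: SameSite=${c.sameSite || 'unset (treated as Lax)'}`;
  if (url.protocol !== 'https:') return 'withheld: Secure cookie on non-HTTPS request';
  if (!pathMatches(c.path, url.pathname)) return `withheld: path ${c.path} does not match`;
  // Assumption: models a browser policy that refuses cookies in third-party frames.
  if (opts.blocksThirdPartyCookies) return 'withheld: browser blocks third-party cookies';
  return 'sent';
}

// Constructed sample headers based on the cookie described in the question.
const PAGE_COOKIE = 'JSESSIONID=TESTME123; Path=/testapp; Secure; SameSite=None';
const LEGACY_DEFAULT = 'JSESSIONID=TESTME123; Path=/testapp; HttpOnly';

console.log(crossSiteIframeVerdict(PAGE_COOKIE, 'https://mysite.com/testapp/page1'));
console.log(crossSiteIframeVerdict(LEGACY_DEFAULT, 'https://mysite.com/testapp/page1'));
```

Comparing the verdict with the `Set-Cookie` header actually seen in the browser's network tools shows whether the server is dropping an attribute or the browser's third-party cookie policy is withholding the cookie.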