Teams tab: Authentication to call Graph API


Hi,
I have a Teams app with a bot (node js) and tabs (personal & channel, html/js).

 

I have read that an OAuth2 authorization process is required to call Graph API (for instance, to get all Teams users), with a +- complex mechanism including a popup window for the user to enter credentials.


But I found a way to call Graph API without using user credentials, but using the app credentials (appId & appPassword) I have in my bot code:

 

1. Ask for a Token (POST request): https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token
Header: 'Content-Type': 'application/x-www-form-urlencoded'
Body: 'client_id={appId}&client_secret={appPassword}&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default&grant_type=client_credentials'


2. Use this token to call Graph API (GET request): https://graph.microsoft.com/v1.0/users
Header: 'Authorization': {TOKEN}

 

With that I have all the users (or other data from Graph API) without the credentials step, since {tenantId}, {appId} and {appPassword} are values I already know.

 

Is this correct? Must I implement the OAuth2 process?

 

Thanks,
Diego Doñate

4 Replies

@diegoSpace 

1. If you want to fetch the list of users in a team, you can directly use the bot context for that; you do not need to make a Graph API call.

2. Yes, you could use this method when your app has application permissions. Getting an access token without a user requires the admin of your tenant to give a one-time consent to your application. Your application can then make the Graph API calls it is permitted to, without the user.
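
The two steps from the question, written for the bot's Node.js backend (an added example, not code from the thread or from Microsoft). The function names and the token caching are assumptions; `tenantId`, `appId` and `appPassword` are the thread's placeholders, and the client secret is only ever used server-side, never in the tab's HTML/JS.

```javascript
// Added example: app-only (client credentials) Graph access from the bot backend.
// tenantId / appId / appPassword are the thread's placeholders, not real values.
const GRAPH_SCOPE = 'https://graph.microsoft.com/.default';

// Step 1 of the post: the token request. URLSearchParams does the form encoding.
function buildTokenRequest({ tenantId, appId, appPassword }) {
  return {
    url: `https://login.microsoftonline.com/${encodeURIComponent(tenantId)}/oauth2/v2.0/token`,
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: new URLSearchParams({
      client_id: appId,
      client_secret: appPassword,
      scope: GRAPH_SCOPE,
      grant_type: 'client_credentials',
    }).toString(),
  };
}

// Returns a getToken() that caches the app-only token and refreshes it
// one minute before expires_in runs out. fetchImpl and now are injectable.
function createTokenProvider(creds, fetchImpl = fetch, now = Date.now) {
  let cached = null; // { token, expiresAt }
  return async function getToken() {
    if (cached && now() < cached.expiresAt - 60_000) return cached.token;
    const { url, ...init } = buildTokenRequest(creds);
    const res = await fetchImpl(url, init);
    if (!res.ok) throw new Error(`token request failed: HTTP ${res.status}`);
    const json = await res.json();
    cached = { token: json.access_token, expiresAt: now() + json.expires_in * 1000 };
    return cached.token;
  };
}

// Step 2 of the post: GET /v1.0/users with a Bearer token, following
// @odata.nextLink so that large tenants are listed completely.
async function listUsers(getToken, fetchImpl = fetch) {
  const users = [];
  let url = 'https://graph.microsoft.com/v1.0/users?$select=id,displayName';
  while (url) {
    const headers = { Authorization: `Bearer ${await getToken()}` };
    const res = await fetchImpl(url, { headers });
    if (!res.ok) throw new Error(`Graph request failed: HTTP ${res.status}`);
    const page = await res.json();
    users.push(...page.value);
    url = page['@odata.nextLink'];
  }
  return users;
}
```

The tab then asks the bot backend for the list, as described in the follow-up post, and receives only the selected fields rather than the token.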

@Gousia_Begum 

Thanks for your response. I changed from 'ActivityHandler' to 'TeamsActivityHandler' and I get the members of the chat where I receive a message.

But it is possible in the bot using TeamsInfo with the context of the incoming message, isn't it? Can I get all the users of Teams client from the bot without this received message? I need to list all Teams users in my tab page. Now I get the list calling the Graph API from bot code, when I receive a custom request from tab code.

Where can I find TeamsInfo docu?

 

And another doubt, can I get the Teams userId and the chat Id in tab context? About the userId, I can only see the 'userObjectId', which is the Azure user id. About the chatId, there is a value in tab context but it is empty...

 

I would need to know these values in my tab page, to call my bot code and do things with them... In my bot I manage users with the Teams userId, and I need it for instance to create a new one2one chat ('connectorClient.conversations.createConversation(...)').

 

Thanks,
Diego

@diegoSpace In order to get the list of users in a team inside a tab, you will need to make a Graph API call from the tab. Tab context does not allow you to fetch the details of all the members in a team. Please refer to this document to see the different values that tab context has.