404 Not found when trying to use Teams SSO to get the user token #6625

Open
Aspyryan opened this issue Dec 4, 2023 · 9 comments
Labels
Area: Teams (The issue is related to Teams support); bug (Indicates an unexpected problem or an unintended behavior.); needs-triage (The issue has just been created and it has not been reviewed by the team.)

Comments

@Aspyryan

Aspyryan commented Dec 4, 2023

Version

SDK Platform: C#
SDK Version: Bot Builder 4.21.0
Active Channels: Teams
Deployment Environment: Azure Bot Service

Describe the bug

404 NOT FOUND when trying to GET the user token from Teams with this request:
https://api.botframework.com/api/usertoken/GetToken?userId={user-id}&connectionName=BotOAuth&channelId=msteams
When using my own id I can get a token, but my colleagues cannot. When I send them a link to "test connection" from the Azure Bot page, they can get their token perfectly fine.

Expected behavior

It should return 200 with a token, just as happens with my user-id, or return a prompt to allow access?

Additional

I am using the AdapterWithErrorHandler : CloudAdapter with base.Use(new TeamsSSOTokenExchangeMiddleware(storage, configuration["ConnectionName"])); and the main code can be found below. The tokenResponse is null due to the internal request getting a 404 NOT FOUND response.

protected override async Task OnMessageActivityAsync(ITurnContext<IMessageActivity> turnContext, CancellationToken cancellationToken)
{
    var userTokenClient = turnContext.TurnState.Get<UserTokenClient>();
    var tokenResponse = await userTokenClient.GetUserTokenAsync(turnContext.Activity.From.Id, _connectionName, turnContext.Activity.ChannelId, null, cancellationToken).ConfigureAwait(false);

    if (tokenResponse == null)
    {
        // Tried this, but this should be needed when using sso?
        var oauth = new OAuthCard(text: "test", connectionName: _connectionName, new List<CardAction>()
        {
            new CardAction(type: ActionTypes.Signin, title: "test")
        });

        await turnContext.SendActivityAsync(MessageFactory.Attachment(oauth.ToAttachment()));
        return;
    }
    // Other code here that needs the tokenResponse
}

Azure config: [image]

Aspyryan added the bug and needs-triage labels Dec 4, 2023
@atmoraes1

I'm having the same problem when using the Emulator. The sample code is not working because the GetToken endpoint is returning Not Found, so it is asking for authentication on every turn.

@sandeepvootoori

We are seeing the same issue. Any pointers on what can be done to mitigate this?

@Aspyryan
Author

@sandeepvootoori I got it fixed by asking the users to use the bot for the first time via the new Teams client. The old client was the culprit.

@brnowakowski

We are having the same problem. Got any progress update?

@Aspyryan
Author

Aspyryan commented Mar 12, 2024

@brnowakowski I have not had any more information from Microsoft. They said they were 'tracking' it, but yeah, I guess nothing will happen. You need to make sure people are logged out and use the new Teams client to do the authentication first.

tracyboehrer added the Area: Teams label Mar 19, 2024
@tomaszoida

We seem to have the same problem.
We have based an app on this sample: Microsoft-Teams-Samples/samples/msgext-search-sso-config/csharp at main · OfficeDev/Microsoft-Teams-Samples · GitHub. In the bot messages web API we are trying to get an access token based on a connection defined in the Azure Bot resource. And there we have the problem, because the Bot Framework API does not always return the token. We have two staging environments: integration and test. In the integration environment the app works only for some users. In the test environment we did not manage to make it work at all.

We use the following code to get the access token, and the tokenResponse is sometimes null: [image]

We have noticed that the code above calls the following endpoint: https://api.botframework.com/api/usertoken/GetToken?userId=29%........&connectionName=OAuthBotSettings&channelId=msteams&code=
That endpoint either returns a token with HTTP status 200 or, more often, returns HTTP status 404, which results in tokenResponse being null. The problem occurs for some users in the integration environment. The strangest thing is that even for a user that gets a token successfully, when we change the connection name to a different value, the user gets a 404 response, even though the connections are literally the same, with the only difference being the name.

There is clearly a problem with that endpoint, which never returns any specific response with the 404 status code explaining what specifically was not found: user/conversation, connection or something else.

Logging in to the new Teams client (web) does not solve the problem in my case.

@atmoraes1

atmoraes1 commented Apr 3, 2024

@Aspyryan see if this comment by me solves your issue. Some IdPs deny the request if the client is marked as confidential (aka should use client secrets).

The problem is that the Azure Portal requires you to type in a secret, but it is not sent in the request.

In other words, the IdP expects a client secret but the Token Service doesn't send it. The solution is to DISABLE confidential clients when using Bot Framework OAuth2.

IMHO this library has not been receiving the attention it deserves. A lot of issues are ignored.

@Aspyryan
Author

Aspyryan commented Sep 6, 2024

@atmoraes1 How would I disable the confidential clients? It stopped working again :/

@screwdrivercx

I've been struggling with this same issue for weeks on the Node.js SDK. Does anyone have any update or possible solution?

@atmoraes1 I tried to enable Allow public client flows on the app registration and am still not able to get some users' tokens. Could you please provide the steps to disable confidential clients?

7 participants