| page_type | products | languages | title | description | extensions | ||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
sample |
|
|
Microsoft Teams NodeJS Helloworld - Tabs Azure AD SSO Sample |
Microsoft Teams hello world sample app for tabs Azure AD SSO in Node.js |
|
This sample is built on top of the Hello World Node.js sample to show you how to implement Azure AD single sign-on support for tabs. In addition, this sample also shows you how to request additional Graph API permissions from the user (even though most apps will find the single sign-on flow sufficient to authenticate a user).
- Setup an Ngrok account. This will allow you to test locally.
- You will also need to sign up for a reserved subdomain since you will need a permanent address to use as your app's URL in Azure AD.
- Make sure you've downloaded and installed Ngrok on your local machine.
- Create an AAD application in Azure. You can do this by visiting the "Azure AD app registration" portal in Azure.
- Set your application URI to the same URI you've created in Ngrok.
- Ex:
api://contoso.ngrok.io
- Ex:
- Setup your redirect URIs. This will allow Azure AD to return authentication results to the correct URI.
- Visit
Manage > Authentication. - Create a redirect URI in the format of:
https://contoso.ngrok.io/auth/auth-end. - Enable Implicit Grant by selecting
Access TokensandID Tokens.
- Visit
- Setup a client secret. You will need this when you exchange the token for more API permissions from your backend.
- Visit
Manage > Certificates & secrets - Create a new client secret.
- Visit
- Setup your API permissions. This is what your application is allowed to request permission to access.
- Visit
Manage > API Permissions - Make sure you have the following Graph permissions enabled:
email,offline_access,openid,User.Readandprofile. - Our SSO flow will give you access to the first 4 permissions, and we will have to exchange the token server-side to get an elevated token for the
profilepermission (for example, if we want access to the user's profile photo).
- Visit
- Expose an API that will give the Teams desktop, web and mobile clients access to the permissions above
- Visit
Manage > Expose an API - Add a scope and give it a scope name of
access_as_user. Your API url should look like this:api://contoso.ngrok.io/{appID}/access_as_user. In the "who can consent" step, enable it for "Admins and users". Make sure the state is set to "enabled". - Next, add two client applications. This is for the Teams desktop/mobile clients and the web client.
- 5e3ce6c0-2b1f-4285-8d4b-75ee78787346
- 1fec8e78-bce4-4aaf-ab1b-5451cc387264
- Visit
- Set your application URI to the same URI you've created in Ngrok.
- Update your
manifest.jsonfile- Replace
{ngrokSubdomain}with the subdomain you've assigned to your Ngrok account in step #1 above. - Update your
webApplicationInfosection with your Azure AD application ID that you were assigned in step #2 above.
- Replace
- Update your
config/default.jsonfile- Replace the
tab.idproperty with you Azure AD application ID - Replace the
tab.passwordproperty with the "client secret" you were assigned in step #2
- Replace the
- Run Ngrok to expose your local web server via a public URL. Make sure to point it to your Ngrok URI
- Win:
./ngrok http 3333 -host-header=localhost:3333 -subdomain="contoso" - Mac:
/ngrok http 3333 -host-header=localhost:3333 -subdomain="contoso"
- Win:
- Install the neccessary NPM packages and start the app
npm installnpm start- Your app should be running on port 3333
- Package your manifest
gulp package-manifest- This will create a zip file in the manifest folder
- Install in Teams
- Open Teams and visit the app store. Depending on the version of Teams, you may see an "App Store" button in the bottom left of Teams or you can find the app store by visiting
Apps > More Appsin the left-hand app rail. - Install the app by clicking on the
Upload a custom applink in the bottom left-hand side of the app store. - Upload the manifest zip file created in step #1
- Open Teams and visit the app store. Depending on the version of Teams, you may see an "App Store" button in the bottom left of Teams or you can find the app store by visiting
- Once you've installed the app, it should automatically open for you. Visit the
Auth Tabto begin testing out the authentication flow. - Follow the onscreen prompts. The authentication flow will print the output to your screen.
- First you will see a dialog in Teams letting you know you need to grant permission to use the app.
- Then an AAD consent dialog will appear in a seperate window.
- Once you've consented to the permissions, your app will have enough information to authenticate you. This should be enough for most apps.
- The app will then try and access an API server-side for which you have not yet granted permission but fail in doing so. You will then see the "Grant further permissions" button enabled. You can click this to trigger another consent dialog for the additional permissions.
- Once you've granted all the permissions, you can revisit this tab and you will notice that you will automatically be logged in.
Compared to the Hello World sample, this app has four additional routes:
/authrenders the authenticaiton page.- This is the tab called
Auth Tabin personal app inside Teams. The purpose of this page is primarily to execute theauth.jsfile that handles initiates the authentication flow.
- This is the tab called
/auth/tokendoes not render anything but instead is the server-side route for initiating the on-behalf-of flow.- It takes the token it receives from the
/authpage and attemps to exchange it for a new token that has elevated permissions to access theprofileGraph API (which is usually used to retrieve the users profile photo). - If it fails (because the user hasn't granted permission to access the
profileAPI), it returns an error to the/authpage. This error is used to enable the "Grant further permissions" button which opens the/auth/startpage in a seperate window.
- It takes the token it receives from the
/auth/startand/auth/endroutes are used if the user needs to grant further permissions. This experience happens in a seperate window.- The
/auth/startpage merely creates a valid AAD authorization endpoint and redirects to that AAD consent page. - Once the user has consented to the permissions, AAD redirects the user back to
/auth/end. This page is responsible for returning the results back to the/authpage by calling thenotifySuccessAPI. - This workflow is only neccessary if you want authorization to use additional Graph APIs. Most apps will find this flow unnesseccary if all they want to do is authenticate the user.
- This workflow is the same as our standard web-based authentication flow that we've always had in Teams before we had single sign-on support. It just so happens that it's a great way to request additional permissions from the user, so it's left in this sample as an illustration of what that flow looks like.
- The
This Javascript file is served from the /auth page and handles most of the client-side authentication workflow. This file is broken into three main functions:
- getAuthToken
- This function asks Teams for an authentication token from AAD.
- Teams will show a dialog to the user letting them know they need to consent to this app logging them in.
- Once the user has consented to the AAD dialog, this function sends the token to the backend.
- sendTokenToBackend
- Once the user has consented to this app logging them in (authentication), we would like to have access to further API permissions not intially granted in the consent flow (authorization).
- This function sends the token to the backend to exchange for elevated permissions using AAD's on-behalf-of flow. In this case, it sends the token to the
/auth/tokenroute.
- initializeConsentButton
- If this is the first time the user is interacting with the app, chances are they haven't granted the app permission to access their avatar picture (ie:
ProfileGraph API). Therefor we need to enable the "Grant furhter permissions" button. - When clicked, this button opens another dialog (
/auth/start) to ask the user to grant further permissions.
- If this is the first time the user is interacting with the app, chances are they haven't granted the app permission to access their avatar picture (ie:
More information on the Hellow World sample - and for how to get started with Microsoft Teams development in general - is found in Get started on the Microsoft Teams platform with Node.js and App Studio.
For further information on Single Sign-On and how it works, visit our Single Sign-On documentation
This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.microsoft.com.
When you submit a pull request, a CLA-bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., label, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.
This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.