Merged
Changes from 21 commits
27 commits
61449e8
wip, migrated new apiclient
rido-min Apr 16, 2026
ee1941a
fixing the build
rido-min Apr 16, 2026
e5fcb8d
refactor ApiClients
rido-min Apr 17, 2026
09f2240
integrate all clients
rido-min Apr 17, 2026
72a3289
Restart APIClients
rido-min Apr 17, 2026
11214d5
Restart APIClient port
rido-min Apr 17, 2026
8ab5b1e
upd docs
rido-min Apr 17, 2026
20df8b7
wire up usertokenclient
rido-min Apr 20, 2026
46a76f9
add design doc for sso
rido-min Apr 20, 2026
e685f8a
SSO with OAuth Flows
rido-min Apr 21, 2026
8d51e00
doc breaking changes
rido-min Apr 21, 2026
7a4502e
Add Teams SSO signin/failure invoke support to OAuthFlow
rido-min Apr 21, 2026
d43e441
Improve OAuth thread safety and nullability handling
rido-min Apr 21, 2026
2ffd576
add another sample
rido-min Apr 21, 2026
1c50358
remove autodiscovery
rido-min Apr 22, 2026
8fc9dbe
Add sequence diagrams and trace summary for SsoBot Silent SSO flows
rido-min Apr 22, 2026
71f20f7
fix slnx
rido-min Apr 22, 2026
0357962
Merge next/core into next/core-restartApiClients
rido-min Apr 22, 2026
ef15a17
Merge branch 'next/core' into next/core-restartApiClients
rido-min Apr 22, 2026
da7da9a
Merge branch 'next/core-restartApiClients' into next/core-apiclients-sso
rido-min Apr 22, 2026
8e8c632
Merge next/core into next/core-apiclients-sso, resolving conflicts
rido-min Apr 22, 2026
a3f0ae7
Update status message, cleanup OAuth, remove SSO middleware
rido-min Apr 22, 2026
5697929
Add DI-based OAuth flow registration for TeamsBotApp
rido-min Apr 23, 2026
06df798
Track pending sign-ins per user in OAuthFlow
rido-min Apr 23, 2026
06699af
Update OAuth flow logic, add 'login' command, update deps
rido-min Apr 24, 2026
172b974
Merge branch 'next/core' into next/core-apiclients-sso
rido-min Apr 28, 2026
2208a5f
Refactor csproj: add Compat, update DataProtection scope
rido-min Apr 28, 2026
2 changes: 2 additions & 0 deletions core/core.slnx
Expand Up @@ -18,7 +18,9 @@
<Project Path="samples/CustomHosting/CustomHosting.csproj" Id="de2e42de-3d8f-4a9d-920f-14c7e39fc3c0" />
<Project Path="samples/MeetingsBot/MeetingsBot.csproj" />
<Project Path="samples/MessageExtensionBot/MessageExtensionBot.csproj" />
<Project Path="samples/OAuthFlowBot/OAuthFlowBot.csproj" />
<Project Path="samples/PABot/PABot.csproj" Id="ef8f29ef-fe59-4edf-8a50-6e7ab6699a45" />
<Project Path="samples/SsoBot/SsoBot.csproj"/>
<Project Path="samples/StreamingBot/StreamingBot.csproj" />
<Project Path="samples/TabApp/TabApp.csproj" />
<Project Path="samples/TeamsBot/TeamsBot.csproj" Id="94a35050-6826-446f-9b29-863f2bbc75b7" />
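Review bot: the SsoBot entry is written `<Project Path="samples/SsoBot/SsoBot.csproj"/>` with no space before `/>`, while every other entry in this hunk, including the OAuthFlowBot one, uses ` />`. Match the surrounding formatting so the solution file stays consistent and later diffs of it stay minimal.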
667 changes: 667 additions & 0 deletions core/docs/sso/OAuthFlow-Design.md

Large diffs are not rendered by default.

167 changes: 167 additions & 0 deletions core/docs/sso/oauthflowbot-trace-2026-04-22-sequence-diagrams.md
@@ -0,0 +1,167 @@
# 🔐 OAuthFlowBot — Sequence Diagrams (Popup Fallback)

Trace from 2026-04-22 03:12 UTC. Connection `teamsgraph` (Azure AD v2, no SSO configured).
Sign-in completes via **popup window** + `signin/verifyState` — no silent SSO.

---

## 🔑 Login Flow (Popup Sign-In)

```mermaid
sequenceDiagram
actor User as 👤 Rido
participant Teams as 🟣 Teams
participant Bot as 🤖 Bot
participant MSAL as 🔑 MSAL
participant AAD as 🔵 Azure AD
participant TBS as 🟠 Token Service
participant BFC as 🔷 Bot Framework

User->>Teams: Types "login graph"
Teams->>Bot: 📥 POST /api/messages<br/>type=message, text="login graph"
Note over Bot: 🛡️ JWT validated
Note over Bot: 🔀 Route: message/^login graph$

rect rgb(240, 248, 255)
Note over Bot,TBS: Step 1 — Silent token check (miss)
Bot->>MSAL: AcquireTokenForClient
MSAL->>AAD: POST /oauth2/v2.0/token
AAD-->>MSAL: 🔑 App token
Bot->>TBS: 📤 GET /api/usertoken/GetToken<br/>connectionName=teamsgraph
TBS-->>Bot: ❌ 404 No cached token
end

rect rgb(255, 248, 240)
Note over Bot,TBS: Step 2 — Get sign-in resource
Bot->>MSAL: AcquireTokenForClient
MSAL-->>Bot: 💾 Cached
Bot->>TBS: 📤 GET /api/botsignin/GetSignInResource<br/>state={MsAppId, ConnectionName=teamsgraph}
TBS-->>Bot: ✅ 200 signInLink + tokenPostResource<br/>⚠️ No tokenExchangeResource (no SSO)
end

rect rgb(240, 255, 240)
Note over Bot,BFC: Step 3 — Send OAuthCard (popup only)
Bot->>MSAL: AcquireTokenForClient
MSAL-->>Bot: 💾 Cached
Bot->>BFC: 📤 POST /v3/.../activities<br/>🃏 OAuthCard (no tokenExchangeResource)<br/>buttons: [Sign In → popup link]
BFC-->>Bot: ✅ 200
end

Bot-->>Teams: ✅ 200
Teams->>User: Shows Sign In button

rect rgb(255, 250, 230)
Note over User,AAD: Step 4 — User signs in via popup
User->>Teams: Clicks "Sign In" button
Teams->>AAD: Opens popup → AAD login
AAD-->>Teams: Auth code / consent
Teams->>TBS: Posts token via SasUrl
end

rect rgb(245, 240, 255)
Note over Teams,Bot: Step 5 — Teams sends verifyState invoke
Teams->>Bot: 📥 POST /api/messages<br/>type=invoke, name=signin/verifyState<br/>value={ state: "745254" }
Note over Bot: 🛡️ JWT validated
Note over Bot: 🔀 Route: invoke/signin/verifyState
end

rect rgb(255, 245, 245)
Note over Bot,TBS: Step 6 — Verify state and get token
Bot->>MSAL: AcquireTokenForClient
MSAL-->>Bot: 💾 Cached
Bot->>TBS: 📤 GET /api/usertoken/GetToken<br/>connectionName=teamsgraph&code=745254
TBS-->>Bot: ✅ 200 User token returned
end

rect rgb(240, 255, 240)
Note over Bot,BFC: Step 7 — 🎉 OnSignInComplete
Bot->>MSAL: AcquireTokenForClient
MSAL-->>Bot: 💾 Cached
Bot->>BFC: 📤 POST /v3/.../activities<br/>"Connected to Microsoft Graph (teamsgraph)!"
BFC-->>Bot: ✅ 201
end

Bot-->>Teams: ✅ 200 invoke response
Teams->>User: "Connected to Microsoft Graph!"
```

---

## 👤 "my ad user" Flow (token cached)

```mermaid
sequenceDiagram
actor User as 👤 Rido
participant Teams as 🟣 Teams
participant Bot as 🤖 Bot
participant MSAL as 🔑 MSAL
participant TBS as 🟠 Token Service
participant Graph as 📊 Graph
participant BFC as 🔷 Bot Framework

User->>Teams: Types "my ad user"
Teams->>Bot: 📥 POST /api/messages<br/>type=message, text="my ad user"
Note over Bot: 🔀 Route: message/^my ad user

rect rgb(240, 248, 255)
Note over Bot,TBS: Step 1 — Silent token check (hit)
Bot->>MSAL: AcquireTokenForClient
MSAL-->>Bot: 💾 Cached
Bot->>TBS: 📤 GET /api/usertoken/GetToken<br/>connectionName=teamsgraph
TBS-->>Bot: ✅ 200 Cached user token
end

rect rgb(245, 240, 255)
Note over Bot,Graph: Step 2 — Call Graph API
Bot->>Graph: 📤 GET /v1.0/me<br/>🔑 Bearer {user_token}
Graph-->>Bot: ✅ 200 {displayName:"Rido", mail:"rido@teamssdk..."}
end

rect rgb(240, 255, 240)
Note over Bot,BFC: Step 3 — Send profile to user
Bot->>MSAL: AcquireTokenForClient
MSAL-->>Bot: 💾 Cached
Bot->>BFC: 📤 POST /v3/.../activities<br/>📄 Graph /me JSON
BFC-->>Bot: ✅ 201
end

Bot-->>Teams: ✅ 200
Teams->>User: Shows AD user JSON
```

---

## 🚪 Logout Flow

```mermaid
sequenceDiagram
actor User as 👤 Rido
participant Teams as 🟣 Teams
participant Bot as 🤖 Bot
participant MSAL as 🔑 MSAL
participant TBS as 🟠 Token Service
participant BFC as 🔷 Bot Framework

User->>Teams: Types "logout graph"
Teams->>Bot: 📥 POST /api/messages<br/>type=message, text="logout graph"
Note over Bot: 🔀 Route: message/^logout graph$

rect rgb(255, 240, 240)
Note over Bot,TBS: Step 1 — Revoke user token
Bot->>MSAL: AcquireTokenForClient
MSAL-->>Bot: 💾 Cached
Bot->>TBS: 📤 DELETE /api/usertoken/SignOut<br/>connectionName=teamsgraph
TBS-->>Bot: ✅ 200 Token revoked
end

rect rgb(240, 255, 240)
Note over Bot,BFC: Step 2 — Send confirmation
Bot->>MSAL: AcquireTokenForClient
MSAL-->>Bot: 💾 Cached
Bot->>BFC: 📤 POST /v3/.../activities<br/>"Signed out from Graph."
BFC-->>Bot: ✅ 201
end

Bot-->>Teams: ✅ 200
Teams->>User: "Signed out from Graph."
```
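
Review bot: in the "my ad user" and Logout diagrams the inbound `POST /api/messages` goes straight to the `Route:` note, while both inbound requests in the Login flow show `Note over Bot: 🛡️ JWT validated` first. Add the same note to those two diagrams, or state once near the top that validation runs on every inbound activity, so the document does not read as if those routes skip token validation. Separately, the trace keeps the captured values `state: "745254"` and `code=745254` along with a user name and partial mail address in the Graph response; swapping them for placeholders such as `<magic-code>` would keep one-time codes and user identifiers out of the repository. The `^my ad user` route also lacks the `$` anchor that `^login graph$` and `^logout graph$` have; if prefix matching is intended there, a short remark in the doc would make that clear.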