Teams App Authentication Workflow across multiple devices

Occasional Contributor

 

Hi, 

 

We are developing an app for Teams meeting utilizing the shared meeting stage. As part of this app, we have our own authentication flow using OAuth (https://docs.microsoft.com/en-us/microsoftteams/platform/tabs/how-to/authentication/auth-flow-tab). Now the one requirement we have right now is that in a multi-device scenario users should sign in once to the app on any of the devices for the first time post that the user can use the app without signing in again for other devices as well. For example, I add the Meeting App on desktop Teams, do the authentication using OAuth flow and after successful authentication, I should be able to use the same Meeting App on iPad as well without the need of signing in again. Documentation on this topic is not clear. Can you please point to the right documentation on how this can be achieved?

7 Replies

@muditsaxena - Looks like we can not achieve this kind of authentication flow because if you logged-in to any device it stores the authentication details in a cache or memory on that particular device.
So it will always ask for authentication details at least for first time on different devices.

But you can implement SSO where if you are already logged-in to your Teams client, it will not ask for authentication for your tab or bot again on different device.
Single sign-on support for tabs - Teams | Microsoft Docs

Thanks,
Chetan Sharma
-------------------------------------------------------------------------------------------
If the response is helpful, please click "Mark as Best Response" and like it. You can share your feedback via Microsoft Teams Developer Feedback link. Click here to escalate.

We have our own OAuth flow, so are you suggesting we use SSO flow using AAD?

Second, if you look at already published apps like `Jira Cloud` on Teams, they also have their own OAuth flow despite that they are able to achieve the multi-device flow i.e sign-in once on one device and use on other devices. So, how is that achieved?

@muditsaxena - There are multiple ways to implement Authentication.
How are you implementing the authentication?
Could you please share the steps or doc ?

Below are the reference docs for implementing authentication flow in Bot/Tab:
https://docs.microsoft.com/en-us/microsoftteams/platform/bots/how-to/authentication/auth-flow-bot

https://docs.microsoft.com/en-us/microsoftteams/platform/tabs/how-to/authentication/auth-flow-tab

@ChetanSharma-msft The links you shared works well for using AAD as SSO/IDP provider while we use Okta as IDP 

 

Let me explain in detail what I am trying to achieve here and my authentication flow. 

 

Authentication flow 

  1. We use OKTA as our IDP. So, OKTA issues us access/refresh token
  2. Using the token above we can access our internal services API 

Teams Authentication Flow (Currently implemented) 

 

  1. User installs app onto Mac App
  2. Gets a configuration page to login 
  3. We use web authentication flow (https://docs.microsoft.com/en-us/microsoftteams/platform/concepts/authentication/authentication#web-... to redirect users to our Okta sign-in pop-up page 
  4. Post successful completion of this flow, we get access token and refresh token. 

 

For the current user post the above installation flow, our app is installed on their other devices as well like iPad, mobile, etc. Now if a user wants to use our app on Mobile Teams Client for example, does he have to go through the same sign-in process again? Or Is there any other way to use the app on other devices without re-entering sign-in credentials?

 

@muditsaxena - SSO is supported for customer owned apps within the AAD tenants only.
If you have already logged-in to your Teams client, you no need to sign-in again in your Bot or Tab, if you have implemented AAD SSO.
www.000webhost.com