In my case I need to receive and save the access token specified for a tenantId inside my MS Teams bot (message extension) in order to get access to the Graph API later. There is a lot of information about adding the on-behalf-of-user authentication flow to the bot (https://learn.microsoft.com/en-us/microsoftteams/platform/bots/how-to/authentication/add-authentication?tabs=dotnet%2Cdotnet-sample). In this case we need to register an additional app (identity provider) on the Azure portal and connect it to the bot (OAuth Connection Settings)... But, for my case, I need to implement the client credentials authentication flow and receive an access token using the credentials (AppId and secret) of the bot app registered on the Azure portal. In order to achieve this goal, I can use the msal4j library, for example:
import java.net.MalformedURLException;
import java.util.Set;
import java.util.concurrent.CompletableFuture;

import com.microsoft.aad.msal4j.ClientCredentialFactory;
import com.microsoft.aad.msal4j.ClientCredentialParameters;
import com.microsoft.aad.msal4j.ConfidentialClientApplication;
import com.microsoft.aad.msal4j.IAuthenticationResult;

// applicationId / applicationSecret: the bot app registration's AppId and client secret
public static String getAppAccessToken(String[] scopes) {
    ConfidentialClientApplication cca;
    try {
        // Confidential client = the bot's own app registration, bound to the tenant in the authority URL
        cca = ConfidentialClientApplication.builder(applicationId, ClientCredentialFactory.createFromSecret(applicationSecret))
                .authority("https://login.microsoftonline.com/<<tenantId>>/")
                .build();
    } catch (MalformedURLException e) {
        // Authority URL could not be parsed (e.g. bad tenantId)
        return null;
    }
    Set<String> scopeSet = Set.of(scopes);
    // Client credentials grant: only ".default" scopes are accepted, e.g. https://graph.microsoft.com/.default
    ClientCredentialParameters clientCredentialParam = ClientCredentialParameters.builder(scopeSet)
            .build();
    CompletableFuture<IAuthenticationResult> future = cca.acquireToken(clientCredentialParam);
    return future.join().accessToken();
}
Using this approach I receive a token which expires after a while. Questions:
Q1: Is it possible to receive an access token (for a specific tenantId) which hasn't expired, using the client credentials authentication flow inside an MS Teams bot?
=> Access tokens are designed to expire after some time as a security mechanism; since the OAuth 2.0 client credentials grant flow provides an access token instead of impersonating a user, this is a must for security reasons. To generate new access tokens you would require a refresh token, which isn't available when you use the client credentials flow but is available when you use the auth code grant.
Q2: Should I use the Bot Framework SDK or the msal4j library for implementing the client credentials authentication flow?
=> There shouldn't be an issue; you can generate a token using bot authentication if the required permissions are given to the bot app.
Q3: Is an additional identity provider app (apart from the bot app) on the Azure portal required for the client credentials authentication flow?
=> If you have an existing app id associated with the bot, you don't need to create one. I see the docs don't mention this, but you don't require creating a new app in the portal. You can just go and use your app (bot) in Azure Active Directory, give the required permission => generate a token => send the token to the Graph API and get the result.
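Added example (editor's illustration, not code from the question or the answer above) tying Q1 and Q3 together in working Java against msal4j. The practical answer to Q1 is not to keep a non-expiring token but to stop storing the token at all: keep one ConfidentialClientApplication for the process and call acquireToken right before every Graph request. msal4j holds an in-memory app token cache on that instance, so the call returns the cached token until it is close to expiry and silently requests a new one afterwards. The code in the question builds a fresh ConfidentialClientApplication on every call, which throws that cache away each time. For Q3 the confidential client is the bot's own app registration. Assumptions are marked as such in the comments: the tenant, AppId and secret come from hypothetical environment variables, the Graph call used for the demonstration (GET /users) needs the User.Read.All application permission with admin consent, and the ".default" scope is the only scope form the client credentials grant accepts.

```java
import java.net.MalformedURLException;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.util.Set;
import java.util.concurrent.ExecutionException;

import com.microsoft.aad.msal4j.ClientCredentialFactory;
import com.microsoft.aad.msal4j.ClientCredentialParameters;
import com.microsoft.aad.msal4j.ConfidentialClientApplication;
import com.microsoft.aad.msal4j.IAuthenticationResult;

// Added example: app-only Graph token provider for a Teams bot using the bot's own app registration.
public final class GraphAppTokenProvider {

    // Client credentials grant only accepts the ".default" scope: the token carries every
    // application permission that an admin has consented to for this app.
    private static final Set<String> GRAPH_DEFAULT_SCOPE = Set.of("https://graph.microsoft.com/.default");

    // One instance per process: msal4j keeps its app token cache on this object.
    private final ConfidentialClientApplication cca;

    public GraphAppTokenProvider(String tenantId, String clientId, String clientSecret) {
        try {
            this.cca = ConfidentialClientApplication
                    .builder(clientId, ClientCredentialFactory.createFromSecret(clientSecret))
                    .authority("https://login.microsoftonline.com/" + tenantId + "/")
                    .build();
        } catch (MalformedURLException e) {
            throw new IllegalArgumentException("invalid tenantId for authority URL: " + tenantId, e);
        }
    }

    /** Token that is valid now: served from the msal4j cache, or re-acquired when expired. */
    public IAuthenticationResult acquireGraphToken() {
        ClientCredentialParameters params = ClientCredentialParameters.builder(GRAPH_DEFAULT_SCOPE).build();
        try {
            return cca.acquireToken(params).get();
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            throw new IllegalStateException("interrupted while acquiring token", e);
        } catch (ExecutionException e) {
            // Typical causes: wrong secret, unknown tenant, app not consented in this tenant.
            throw new IllegalStateException("token acquisition failed", e.getCause());
        }
    }

    /** Calls a Graph endpoint with a bearer token obtained immediately before the request. */
    public String callGraph(String relativeUrl) throws Exception {
        IAuthenticationResult token = acquireGraphToken();
        HttpRequest request = HttpRequest.newBuilder(URI.create("https://graph.microsoft.com/v1.0/" + relativeUrl))
                .header("Authorization", "Bearer " + token.accessToken())
                .GET()
                .build();
        HttpResponse<String> response = HttpClient.newHttpClient().send(request, HttpResponse.BodyHandlers.ofString());
        if (response.statusCode() == 401 || response.statusCode() == 403) {
            // 401: token unusable (expired, wrong audience); 403: the app lacks the application
            // permission for this endpoint. Neither is fixed by retrying the same call.
            throw new IllegalStateException("Graph rejected the app token: HTTP " + response.statusCode());
        }
        return response.body();
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical environment variables (assumption); never hard-code the secret in source.
        GraphAppTokenProvider provider = new GraphAppTokenProvider(
                System.getenv("BOT_TENANT_ID"), System.getenv("BOT_APP_ID"), System.getenv("BOT_APP_SECRET"));

        // Two back-to-back calls on the same instance and scope: the second is answered from cache.
        IAuthenticationResult first = provider.acquireGraphToken();
        IAuthenticationResult second = provider.acquireGraphToken();
        System.out.println("cached token reused: " + first.accessToken().equals(second.accessToken())
                + ", expires at " + first.expiresOnDate());

        // Demonstration call; requires the User.Read.All application permission with admin consent.
        System.out.println(provider.callGraph("users?$select=id,displayName&$top=1"));
    }
}
```

Two points a practitioner should take from this: the token's lifetime is visible via expiresOnDate(), but there is no need to schedule a refresh around it because acquireToken on a long-lived ConfidentialClientApplication already does that; and since no user is involved, the token is good for any tenant where the app has been consented, so the tenantId in the authority is what selects whose data the bot reads.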