Auth Credentials Improvement (#25)

* Update README.md

* update telemetry header prefix

* sign client token

* undo client token

* cleanup

* add tenantid to token resolve call

* fix oauth ttk config

* fix connection name

* fmt

Author: aacebo

packages/cli/configs/ttk/oauth/aad.manifest.json

@@ -0,0 +1,90 @@
+{
+  "id": "${{AAD_APP_OBJECT_ID}}",
+  "appId": "${{BOT_ID}}",
+  "displayName": "SsoAuthBot${{APP_NAME_SUFFIX}}",
+  "identifierUris": ["api://botid-${{BOT_ID}}"],
+  "signInAudience": "AzureADMultipleOrgs",
+  "api": {
+    "requestedAccessTokenVersion": 2,
+    "oauth2PermissionScopes": [
+      {
+        "adminConsentDescription": "Allows Teams to call the app's web APIs as the current user.",
+        "adminConsentDisplayName": "Teams can access app's web APIs",
+        "id": "${{AAD_APP_ACCESS_AS_USER_PERMISSION_ID}}",
+        "isEnabled": true,
+        "type": "User",
+        "userConsentDescription": "Enable Teams to call this app's web APIs with the same rights that you have",
+        "userConsentDisplayName": "Teams can access app's web APIs and make requests on your behalf",
+        "value": "access_as_user"
+      }
+    ],
+    "preAuthorizedApplications": [
+      {
+        "appId": "1fec8e78-bce4-4aaf-ab1b-5451cc387264",
+        "delegatedPermissionIds": ["${{AAD_APP_ACCESS_AS_USER_PERMISSION_ID}}"]
+      },
+      {
+        "appId": "5e3ce6c0-2b1f-4285-8d4b-75ee78787346",
+        "delegatedPermissionIds": ["${{AAD_APP_ACCESS_AS_USER_PERMISSION_ID}}"]
+      },
+      {
+        "appId": "d3590ed6-52b3-4102-aeff-aad2292ab01c",
+        "delegatedPermissionIds": ["${{AAD_APP_ACCESS_AS_USER_PERMISSION_ID}}"]
+      },
+      {
+        "appId": "00000002-0000-0ff1-ce00-000000000000",
+        "delegatedPermissionIds": ["${{AAD_APP_ACCESS_AS_USER_PERMISSION_ID}}"]
+      },
+      {
+        "appId": "bc59ab01-8403-45c6-8796-ac3ef710b3e3",
+        "delegatedPermissionIds": ["${{AAD_APP_ACCESS_AS_USER_PERMISSION_ID}}"]
+      },
+      {
+        "appId": "0ec893e0-5785-4de6-99da-4ed124e5296c",
+        "delegatedPermissionIds": ["${{AAD_APP_ACCESS_AS_USER_PERMISSION_ID}}"]
+      },
+      {
+        "appId": "4765445b-32c6-49b0-83e6-1d93765276ca",
+        "delegatedPermissionIds": ["${{AAD_APP_ACCESS_AS_USER_PERMISSION_ID}}"]
+      },
+      {
+        "appId": "4345a7b9-9a63-4910-a426-35363201d503",
+        "delegatedPermissionIds": ["${{AAD_APP_ACCESS_AS_USER_PERMISSION_ID}}"]
+      }
+    ]
+  },
+  "info": {},
+  "optionalClaims": {
+    "idToken": [],
+    "accessToken": [
+      {
+        "name": "idtyp",
+        "source": null,
+        "essential": false,
+        "additionalProperties": []
+      }
+    ],
+    "saml2Token": []
+  },
+  "publicClient": {
+    "redirectUris": []
+  },
+  "requiredResourceAccess": [
+    {
+      "resourceAppId": "Microsoft Graph",
+      "resourceAccess": [
+        {
+          "id": "User.Read",
+          "type": "Scope"
+        }
+      ]
+    }
+  ],
+  "web": {
+    "redirectUris": ["https://token.botframework.com/.auth/web/redirect"],
+    "implicitGrantSettings": {}
+  },
+  "spa": {
+    "redirectUris": []
+  }
+}

packages/cli/configs/ttk/oauth/teamsapp.local.yml

@@ -12,122 +12,107 @@ environmentFolderPath: ./env
 # Defines what the `provision` lifecycle step does with Teams Toolkit.
 # Runs first during Start Debugging (F5) or run manually using `teamsfx provision --env local`.
 provision:
-  # Automates the creation of a Teams app registration and saves the App ID to an environment file.
-  - uses: teamsApp/create
-    with:
-        name: OAthBot${{APP_NAME_SUFFIX}}
-    writeToEnvironmentFile:
-        teamsAppId: TEAMS_APP_ID
+    # Automates the creation of a Teams app registration and saves the App ID to an environment file.
+    - uses: teamsApp/create
+      with:
+          name: SsoAuthBot${{APP_NAME_SUFFIX}}
+      writeToEnvironmentFile:
+          teamsAppId: TEAMS_APP_ID
 
-  # Creates a new Microsoft Entra app to authenticate users if
-  # the environment variable that stores clientId is empty
-  - uses: aadApp/create
-    with:
-        # Note: when you run aadApp/update, the Microsoft Entra app name will be updated
-        # based on the definition in manifest. If you don't want to change the
-        # name, make sure the name in Microsoft Entra manifest is the same with the name
-        # defined here.
-        name: OAuthBot${{APP_NAME_SUFFIX}}
-        # If the value is false, the driver will not generate client secret for you
-        generateClientSecret: true
-        # organization's Microsoft Entra tenant (for example, single tenant).
-        signInAudience: AzureADMultipleOrgs
-    # Write the information of created resources into environment file for the
-    # specified environment variable(s).
-    writeToEnvironmentFile:
-        clientId: BOT_ID
-        # Environment variable that starts with `SECRET_` will be stored to the
-        # .env.{envName}.user environment file
-        clientSecret: SECRET_BOT_PASSWORD
-        objectId: AAD_APP_OBJECT_ID
-        tenantId: AAD_APP_TENANT_ID
-        authority: AAD_APP_OAUTH_AUTHORITY
-        authorityHost: AAD_APP_OAUTH_AUTHORITY_HOST
+    # Creates a new Microsoft Entra app to authenticate users if
+    # the environment variable that stores clientId is empty
+    - uses: aadApp/create
+      with:
+          # Note: when you run aadApp/update, the Microsoft Entra app name will be updated
+          # based on the definition in manifest. If you don't want to change the
+          # name, make sure the name in Microsoft Entra manifest is the same with the name
+          # defined here.
+          name: SsoAuthBot${{APP_NAME_SUFFIX}}
+          # If the value is false, the driver will not generate client secret for you
+          generateClientSecret: true
+          # organization's Microsoft Entra tenant (for example, single tenant).
+          signInAudience: AzureADMultipleOrgs
+      # Write the information of created resources into environment file for the
+      # specified environment variable(s).
+      writeToEnvironmentFile:
+          clientId: BOT_ID
+          # Environment variable that starts with `SECRET_` will be stored to the
+          # .env.{envName}.user environment file
+          clientSecret: SECRET_BOT_PASSWORD
+          objectId: AAD_APP_OBJECT_ID
+          tenantId: AAD_APP_TENANT_ID
+          authority: AAD_APP_OAUTH_AUTHORITY
+          authorityHost: AAD_APP_OAUTH_AUTHORITY_HOST
 
-  # Apply the Microsoft Entra manifest to an existing Microsoft Entra app. Will use the object id in
-  # manifest file to determine which Microsoft Entra app to update.
-  - uses: aadApp/update
-    with:
-        # Relative path to this file. Environment variables in manifest will
-        # be replaced before apply to Microsoft Entra app
-        manifestPath: ./aad.manifest.json
-        outputFilePath: ./build/aad.manifest.${{TEAMSFX_ENV}}.json
+    # Apply the Microsoft Entra manifest to an existing Microsoft Entra app. Will use the object id in
+    # manifest file to determine which Microsoft Entra app to update.
+    - uses: aadApp/update
+      with:
+          # Relative path to this file. Environment variables in manifest will
+          # be replaced before apply to Microsoft Entra app
+          manifestPath: ./aad.manifest.json
+          outputFilePath: ./build/aad.manifest.${{TEAMSFX_ENV}}.json
 
-  - uses: arm/deploy # Deploy given ARM templates parallelly.
-    env:
-        # an arbitrary name for the connection
-        OAUTH_CONNECTION_NAME: graph
-    with:
-        # AZURE_SUBSCRIPTION_ID is a built-in environment variable,
-        # if its value is empty, TeamsFx will prompt you to select a subscription.
-        # Referencing other environment variables with empty values
-        # will skip the subscription selection prompt.
-        subscriptionId: ${{AZURE_SUBSCRIPTION_ID}}
-        # AZURE_RESOURCE_GROUP_NAME is a built-in environment variable,
-        # if its value is empty, TeamsFx will prompt you to select or create one
-        # resource group.
-        # Referencing other environment variables with empty values
-        # will skip the resource group selection prompt.
-        resourceGroupName: ${{AZURE_RESOURCE_GROUP_NAME}}
-        templates:
-            - path: ./infra/azure.local.bicep # Relative path to this file
-              # Relative path to this yaml file.
-              # Placeholders will be replaced with corresponding environment
-              # variable before ARM deployment.
-              parameters: ./infra/azure.parameters.local.json
-              # Required when deploying ARM template
-              deploymentName: create-resources-for-OAuthBot-${{TEAMSFX_ENV}}
-        bicepCliVersion: v0.9.1
+    - uses: arm/deploy # Deploy given ARM templates parallelly.
+      env:
+          # an arbitrary name for the connection
+          OAUTH_CONNECTION_NAME: graph
+      with:
+          # AZURE_SUBSCRIPTION_ID is a built-in environment variable,
+          # if its value is empty, TeamsFx will prompt you to select a subscription.
+          # Referencing other environment variables with empty values
+          # will skip the subscription selection prompt.
+          subscriptionId: ${{AZURE_SUBSCRIPTION_ID}}
+          # AZURE_RESOURCE_GROUP_NAME is a built-in environment variable,
+          # if its value is empty, TeamsFx will prompt you to select or create one
+          # resource group.
+          # Referencing other environment variables with empty values
+          # will skip the resource group selection prompt.
+          resourceGroupName: ${{AZURE_RESOURCE_GROUP_NAME}}
+          templates:
+              - path: ./infra/azure.local.bicep # Relative path to this file
+                # Relative path to this yaml file.
+                # Placeholders will be replaced with corresponding environment
+                # variable before ARM deployment.
+                parameters: ./infra/azure.parameters.local.json
+                # Required when deploying ARM template
+                deploymentName: Create-resources-for-SsoAuthBot-${{TEAMSFX_ENV}}
+          bicepCliVersion: v0.9.1
 
-  # Optional: Automates schema and error checking of the Teams app manifest and outputs the results in the console.
-  - uses: teamsApp/validateManifest
-    with:
-        manifestPath: ./appPackage/manifest.json
+    # Optional: Automates schema and error checking of the Teams app manifest and outputs the results in the console.
+    - uses: teamsApp/validateManifest
+      with:
+          manifestPath: ./appPackage/manifest.json
 
-  # Automates the creation and configuration of a Bot Framework registration which is required for a bot.
-  # This configures the bot to use the Azure AD app registration created in the previous step.
-  # Teams Toolkit automatically creates a local Dev Tunnel URL and updates BOT_ENDPOINT when debugging (F5).
-  - uses: botFramework/create
-    with:
-        botId: ${{BOT_ID}}
-        name: OAuthBot
-        messagingEndpoint: ${{BOT_ENDPOINT}}/api/messages
-        description: ''
-        channels:
-            - name: msteams
+    # Automates the creation of a Teams app package (.zip).
+    - uses: teamsApp/zipAppPackage
+      with:
+          manifestPath: ./appPackage/manifest.json
+          outputZipPath: ./appPackage/build/appPackage.${{TEAMSFX_ENV}}.zip
+          outputJsonPath: ./appPackage/build/manifest.${{TEAMSFX_ENV}}.json
 
-  # Optional: Automates schema and error checking of the Teams app manifest and outputs the results in the console.
-  - uses: teamsApp/validateManifest
-    with:
-        manifestPath: ./appPackage/manifest.json
-
-  # Automates the creation of a Teams app package (.zip).
-  - uses: teamsApp/zipAppPackage
-    with:
-        manifestPath: ./appPackage/manifest.json
-        outputZipPath: ./appPackage/build/appPackage.${{TEAMSFX_ENV}}.zip
-        outputJsonPath: ./appPackage/build/manifest.${{TEAMSFX_ENV}}.json
-
-  # Automates updating the Teams app manifest in Teams Developer Portal using the App ID from the mainfest file.
-  # This action ensures that any manifest changes are reflected when launching the app again in Teams.
-  - uses: teamsApp/update
-    with:
-        # Relative path to this file. This is the path for built zip file.
-        appPackagePath: ./appPackage/build/appPackage.${{TEAMSFX_ENV}}.zip
+    # Automates updating the Teams app manifest in Teams Developer Portal using the App ID from the mainfest file.
+    # This action ensures that any manifest changes are reflected when launching the app again in Teams.
+    - uses: teamsApp/update
+      with:
+          # Relative path to this file. This is the path for built zip file.
+          appPackagePath: ./appPackage/build/appPackage.${{TEAMSFX_ENV}}.zip
 
 # Defines what the `deploy` lifecycle step does with Teams Toolkit.
 # Runs after `provision` during Start Debugging (F5) or run manually using `teamsfx deploy --env local`.
 deploy:
-  # Install any dependencies and build the web app using NPM
-  - uses: cli/runNpmCommand
-    name: install dependencies
-    with:
-        args: install --no-audit --workspaces=false
-  # Provides the Teams Toolkit .env file values to the apps runtime so they can be accessed with `process.env`.
-  - uses: file/createOrUpdateEnvironmentFile
-    with:
-        target: ./.env
-        envs:
-          PORT: 3978
-          CLIENT_ID: ${{BOT_ID}}
-          CLIENT_SECRET: ${{SECRET_BOT_PASSWORD}}
+    # Install any dependencies and build the web app using NPM
+    - uses: cli/runNpmCommand
+      name: install dependencies
+      with:
+          args: install --no-audit --workspaces=false
+    # Provides the Teams Toolkit .env file values to the apps runtime so they can be accessed with `process.env`.
+    - uses: file/createOrUpdateEnvironmentFile
+      with:
+          target: ./.env
+          envs:
+              PORT: 3978
+              CLIENT_ID: ${{BOT_ID}}
+              CLIENT_SECRET: ${{SECRET_BOT_PASSWORD}}
+              # an arbitrary name for the connection
+              OAUTH_CONNECTION_NAME: graph