diff --git a/packages/fx-core/resource/package.nls.json b/packages/fx-core/resource/package.nls.json
index 45021df7916..22bb737ea4a 100644
--- a/packages/fx-core/resource/package.nls.json
+++ b/packages/fx-core/resource/package.nls.json
@@ -1052,7 +1052,8 @@
 "core.addAuthAction.validation.url": "Invalid URL format. Please enter a valid URL.",
 "core.oauthScopeQuestion.validation.scope": "Invalid scope format. Please enter a valid scope. Samle: scope1: description for scope1; scope2: description for scope2",
 "core.authNameQuestion.validation.empty": "Auth name cannot be empty.",
- "driver.oauth.microsoftEntraWarning": "If you are using your own Microsoft Entra app, please: 1. Update the application id uri of your Microsoft Entra app to %s, 2. Add %s to redirect uri of your Microsoft Entra app.",
+ "driver.oauth.microsoftEntraWarning": "Microsoft Entra SSO configuration required for On-Behalf-Of (OBO) token exchange. If you are managing your Microsoft Entra app registration manually, please: 1. Set the Application ID URI to %s only — do not add additional identifier URIs as this breaks the OBO token exchange silently. 2. Add both %s and %s to the web redirect URIs of your app registration. Missing redirect URIs cause error 50011 during SSO. If using the toolkit-managed aad.manifest.json, these settings are configured automatically by the aadApp/update step.",
+ "driver.oauth.microsoftEntraOboInfo": "SSO+OBO flow configured with Application ID URI: %s. For the On-Behalf-Of exchange to succeed, ensure your Microsoft Entra app has: (a) only this Application ID URI set as identifierUri, (b) the access_as_user delegated scope defined, (c) Teams/Office client apps pre-authorized for that scope, and (d) the idtyp optional claim added to access tokens. If the OBO exchange fails silently, check Entra ID sign-in logs for errors such as 50011 (redirect URI mismatch).",
 "core.addKnowledgeQuestion.webContent.title": "Web Content",
 "core.addKnowledgeQuestion.webContent.placeholder": "Enter an absolute URL to a site to be searched for content.",
 "core.addKnowledgeQuestion.invalidWebContent.message": "Invalid web content. Please provide a valid URL.",
diff --git a/packages/fx-core/src/component/driver/oauth/create.ts b/packages/fx-core/src/component/driver/oauth/create.ts
index 7057cd5ba33..77689bee2f9 100644
--- a/packages/fx-core/src/component/driver/oauth/create.ts
+++ b/packages/fx-core/src/component/driver/oauth/create.ts
@@ -24,7 +24,7 @@ import { loadStateFromEnv } from "../util/utils";
 import { OauthNameTooLongError } from "./error/oauthNameTooLong";
 import { CreateOauthArgs } from "./interface/createOauthArgs";
 import { CreateOauthOutputs, OutputKeys } from "./interface/createOauthOutputs";
-import { defaultRedirectUri, logMessageKeys } from "./utility/constants";
+import { additionalRedirectUri, defaultRedirectUri, logMessageKeys } from "./utility/constants";
 import { OauthInfo, getAuthInfo, validateSecret, validateUrl } from "./utility/utility";
 import { OauthIdentityProviderInvalid } from "./error/oauthIdentityProviderInvalid";
@@ -133,14 +133,20 @@ export class CreateOauthDriver implements StepDriver {
 oauthRegistrationRes.resourceIdentifierUri
 );
- void context.ui!.showMessage(
- "warn",
+ const warningMessage = getLocalizedString(
+ logMessageKeys.microsoftEntraWarning,
+ oauthRegistrationRes.resourceIdentifierUri,
+ defaultRedirectUri,
+ additionalRedirectUri
+ );
+ context.logProvider?.warning(warningMessage);
+ void context.ui!.showMessage("warn", warningMessage, false);
+
+ context.logProvider?.info(
 getLocalizedString(
- logMessageKeys.microsoftEntraWarning,
- oauthRegistrationRes.resourceIdentifierUri,
- defaultRedirectUri
- ),
- false
+ logMessageKeys.microsoftEntraOboInfo,
+ oauthRegistrationRes.resourceIdentifierUri
+ )
 );
 }
diff --git a/packages/fx-core/src/component/driver/oauth/utility/constants.ts b/packages/fx-core/src/component/driver/oauth/utility/constants.ts
index b35cdd24c07..d8a752eb8b4 100644
--- a/packages/fx-core/src/component/driver/oauth/utility/constants.ts
+++ b/packages/fx-core/src/component/driver/oauth/utility/constants.ts
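Review bot: The rewritten line `void context.ui!.showMessage("warn", warningMessage, false);` keeps a non-null assertion on `context.ui` while the two new lines beside it optional-chain `context.logProvider?.`; now that the same text is also written to the log, the UI call can be `void context.ui?.showMessage("warn", warningMessage, false);` so a headless run without a UI provider does not throw on a purely advisory message. The `void` also discards a rejected promise from showMessage, so a failure to display the warning is invisible; if the warning matters for misconfigured SSO, chain `.catch()` and log it. The enclosing method starts and ends outside the hunk, so I cannot see whether this branch only runs when the user brings their own Entra app, which the warning text presumes.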
@@ -10,6 +10,7 @@ export const logMessageKeys = {
 skipUpdateOauth: "driver.oauth.log.skipUpdateOauth",
 successUpdateOauth: "driver.oauth.log.successUpdateOauth",
 microsoftEntraWarning: "driver.oauth.microsoftEntraWarning",
+ microsoftEntraOboInfo: "driver.oauth.microsoftEntraOboInfo",
 };
 export const maxSecretLength = 512;
@@ -18,3 +19,6 @@ export const maxDomainPerOauth = 1;
 export const defaultRedirectUri =
 "https://teams.microsoft.com/api/platform/v1.0/oAuthConsentRedirect";
+
+export const additionalRedirectUri =
+ "https://teams.microsoft.com/api/platform/v1.0/oAuthRedirect";
diff --git a/templates/vs/csharp/declarative-agent-with-action-from-scratch-oauth/aad.manifest.json.tpl b/templates/vs/csharp/declarative-agent-with-action-from-scratch-oauth/aad.manifest.json.tpl
index 7ba0f5eea47..760c574a34b 100644
--- a/templates/vs/csharp/declarative-agent-with-action-from-scratch-oauth/aad.manifest.json.tpl
+++ b/templates/vs/csharp/declarative-agent-with-action-from-scratch-oauth/aad.manifest.json.tpl
@@ -4,7 +4,6 @@
 "displayName": "{{appName}}-aad",
 "identifierUris": [
 {{#MicrosoftEntra}}
- "api://${{OPENAPI_SERVER_DOMAIN}}/${{AAD_APP_CLIENT_ID}}",
 "${{AADAUTHCODE_APPLICATION_ID_URI}}"
 {{/MicrosoftEntra}}
 {{^MicrosoftEntra}}
@@ -59,7 +58,8 @@
 "web": {
 "redirectUris": [
 {{#MicrosoftEntra}}
- "https://teams.microsoft.com/api/platform/v1.0/oAuthConsentRedirect"
+ "https://teams.microsoft.com/api/platform/v1.0/oAuthConsentRedirect",
+ "https://teams.microsoft.com/api/platform/v1.0/oAuthRedirect"
 {{/MicrosoftEntra}}
 {{^MicrosoftEntra}}
 "https://teams.microsoft.com/api/platform/v1.0/oAuthRedirect"
diff --git a/templates/vs/csharp/declarative-agent-with-action-from-scratch-oauth/appPackage/apiSpecificationFile/repair.yml.tpl b/templates/vs/csharp/declarative-agent-with-action-from-scratch-oauth/appPackage/apiSpecificationFile/repair.yml.tpl
index 046e5f0ca1e..d3e8b12ee73 100644
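Review bot: `additionalRedirectUri` is exported with no doc comment, and its name does not say how it differs from `defaultRedirectUri`, although both are now substituted into a user-facing message and both must be registered as exact-match redirect URIs on the Entra app. Suggest a TSDoc line on each: `/** Teams consent-flow redirect URI; must be registered on the Entra app. */` above `defaultRedirectUri`, and `/** Teams SSO redirect URI; required alongside defaultRedirectUri or sign-in fails with error 50011 (see driver.oauth.microsoftEntraWarning). */` above `additionalRedirectUri`. Because the two are always used together, exporting them also as one `readonly string[]` next to these constants would give the aad.manifest templates and the warning text a single list to stay in sync with.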
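Review bot: After the `@@ -59,7 +58,8 @@` hunk the `{{#MicrosoftEntra}}` branch of `redirectUris` repeats the `oAuthRedirect` entry that the `{{^MicrosoftEntra}}` branch already carries, so the two branches now differ only by `oAuthConsentRedirect`; hoisting the shared entry out of the conditional — `{{#MicrosoftEntra}}` / `"…/oAuthConsentRedirect",` / `{{/MicrosoftEntra}}` followed by the unconditional `"…/oAuthRedirect"` — leaves one place to keep aligned with `additionalRedirectUri` in constants.ts. Redirect URIs are an exact-match allowlist on the app registration, so a copy that drifts in one branch fails only at sign-in time, which is exactly the 50011 case the new warning text describes. The `{{^MicrosoftEntra}}` branch ends outside the hunk, so the exact hoisted shape needs to be checked against the full file. The vsc/js and vsc/ts copies of aad.manifest.json.tpl have the same layout and the same remark applies there.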
--- a/templates/vs/csharp/declarative-agent-with-action-from-scratch-oauth/appPackage/apiSpecificationFile/repair.yml.tpl
+++ b/templates/vs/csharp/declarative-agent-with-action-from-scratch-oauth/appPackage/apiSpecificationFile/repair.yml.tpl
@@ -17,7 +17,7 @@ components:
 authorizationUrl: https://login.microsoftonline.com/${{AAD_APP_TENANT_ID}}/oauth2/v2.0/authorize
 tokenUrl: https://login.microsoftonline.com/${{AAD_APP_TENANT_ID}}/oauth2/v2.0/token
 scopes:
- api://${{OPENAPI_SERVER_DOMAIN}}/${{AAD_APP_CLIENT_ID}}/repairs_read: Read repair records
+ ${{AADAUTHCODE_APPLICATION_ID_URI}}/repairs_read: Read repair records
 {{/MicrosoftEntra}}
 {{^MicrosoftEntra}}
 oAuth2AuthCode:
@@ -39,7 +39,7 @@ paths:
 security:
 {{#MicrosoftEntra}}
 - aadAuthCode:
- - api://${{OPENAPI_SERVER_DOMAIN}}/${{AAD_APP_CLIENT_ID}}/repairs_read
+ - ${{AADAUTHCODE_APPLICATION_ID_URI}}/repairs_read
 {{/MicrosoftEntra}}
 {{^MicrosoftEntra}}
 - oAuth2AuthCode:
diff --git a/templates/vsc/js/declarative-agent-with-action-from-scratch-oauth/aad.manifest.json.tpl b/templates/vsc/js/declarative-agent-with-action-from-scratch-oauth/aad.manifest.json.tpl
index aeb56cb333b..91dac626ab3 100644
--- a/templates/vsc/js/declarative-agent-with-action-from-scratch-oauth/aad.manifest.json.tpl
+++ b/templates/vsc/js/declarative-agent-with-action-from-scratch-oauth/aad.manifest.json.tpl
@@ -4,7 +4,6 @@
 "displayName": "{{appName}}-aad",
 "identifierUris": [
 {{#MicrosoftEntra}}
- "api://${{OPENAPI_SERVER_DOMAIN}}/${{AAD_APP_CLIENT_ID}}",
 "${{AADAUTHCODE_APPLICATION_ID_URI}}"
 {{/MicrosoftEntra}}
 {{^MicrosoftEntra}}
@@ -59,7 +58,8 @@
 "web": {
 "redirectUris": [
 {{#MicrosoftEntra}}
- "https://teams.microsoft.com/api/platform/v1.0/oAuthConsentRedirect"
+ "https://teams.microsoft.com/api/platform/v1.0/oAuthConsentRedirect",
+ "https://teams.microsoft.com/api/platform/v1.0/oAuthRedirect"
 {{/MicrosoftEntra}}
 {{^MicrosoftEntra}}
 "https://teams.microsoft.com/api/platform/v1.0/oAuthRedirect"
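Review bot: The scope name `${{AADAUTHCODE_APPLICATION_ID_URI}}/repairs_read` is produced by plain concatenation with the environment value, so a value that ends in `/` yields `//repairs_read`, which is unlikely to match the scope as exposed on the Entra app, and the same variable is written verbatim into `identifierUris` in aad.manifest.json.tpl, so the two files are now coupled through a value that neither validates. A YAML comment above `scopes:` — `# Must equal the Application ID URI from aad.manifest.json.tpl followed by "/repairs_read"; no trailing slash` — documents that contract where a template author will see it. The `@@ -39,7 +39,7 @@` hunk below builds the same string for the `security` requirement, and the vsc/js and vsc/ts copies of repair.yml.tpl carry identical hunks.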
diff --git a/templates/vsc/js/declarative-agent-with-action-from-scratch-oauth/appPackage/apiSpecificationFile/repair.yml.tpl b/templates/vsc/js/declarative-agent-with-action-from-scratch-oauth/appPackage/apiSpecificationFile/repair.yml.tpl
index 046e5f0ca1e..d3e8b12ee73 100644
--- a/templates/vsc/js/declarative-agent-with-action-from-scratch-oauth/appPackage/apiSpecificationFile/repair.yml.tpl
+++ b/templates/vsc/js/declarative-agent-with-action-from-scratch-oauth/appPackage/apiSpecificationFile/repair.yml.tpl
@@ -17,7 +17,7 @@ components:
 authorizationUrl: https://login.microsoftonline.com/${{AAD_APP_TENANT_ID}}/oauth2/v2.0/authorize
 tokenUrl: https://login.microsoftonline.com/${{AAD_APP_TENANT_ID}}/oauth2/v2.0/token
 scopes:
- api://${{OPENAPI_SERVER_DOMAIN}}/${{AAD_APP_CLIENT_ID}}/repairs_read: Read repair records
+ ${{AADAUTHCODE_APPLICATION_ID_URI}}/repairs_read: Read repair records
 {{/MicrosoftEntra}}
 {{^MicrosoftEntra}}
 oAuth2AuthCode:
@@ -39,7 +39,7 @@ paths:
 security:
 {{#MicrosoftEntra}}
 - aadAuthCode:
- - api://${{OPENAPI_SERVER_DOMAIN}}/${{AAD_APP_CLIENT_ID}}/repairs_read
+ - ${{AADAUTHCODE_APPLICATION_ID_URI}}/repairs_read
 {{/MicrosoftEntra}}
 {{^MicrosoftEntra}}
 - oAuth2AuthCode:
diff --git a/templates/vsc/ts/declarative-agent-with-action-from-scratch-oauth/aad.manifest.json.tpl b/templates/vsc/ts/declarative-agent-with-action-from-scratch-oauth/aad.manifest.json.tpl
index aeb56cb333b..91dac626ab3 100644
--- a/templates/vsc/ts/declarative-agent-with-action-from-scratch-oauth/aad.manifest.json.tpl
+++ b/templates/vsc/ts/declarative-agent-with-action-from-scratch-oauth/aad.manifest.json.tpl
@@ -4,7 +4,6 @@
 "displayName": "{{appName}}-aad",
 "identifierUris": [
 {{#MicrosoftEntra}}
- "api://${{OPENAPI_SERVER_DOMAIN}}/${{AAD_APP_CLIENT_ID}}",
 "${{AADAUTHCODE_APPLICATION_ID_URI}}"
 {{/MicrosoftEntra}}
 {{^MicrosoftEntra}}
@@ -59,7 +58,8 @@
 "web": {
 "redirectUris": [
 {{#MicrosoftEntra}}
- "https://teams.microsoft.com/api/platform/v1.0/oAuthConsentRedirect"
+ "https://teams.microsoft.com/api/platform/v1.0/oAuthConsentRedirect",
+ "https://teams.microsoft.com/api/platform/v1.0/oAuthRedirect"
 {{/MicrosoftEntra}}
 {{^MicrosoftEntra}}
 "https://teams.microsoft.com/api/platform/v1.0/oAuthRedirect"
diff --git a/templates/vsc/ts/declarative-agent-with-action-from-scratch-oauth/appPackage/apiSpecificationFile/repair.yml.tpl b/templates/vsc/ts/declarative-agent-with-action-from-scratch-oauth/appPackage/apiSpecificationFile/repair.yml.tpl
index 046e5f0ca1e..d3e8b12ee73 100644
--- a/templates/vsc/ts/declarative-agent-with-action-from-scratch-oauth/appPackage/apiSpecificationFile/repair.yml.tpl
+++ b/templates/vsc/ts/declarative-agent-with-action-from-scratch-oauth/appPackage/apiSpecificationFile/repair.yml.tpl
@@ -17,7 +17,7 @@ components:
 authorizationUrl: https://login.microsoftonline.com/${{AAD_APP_TENANT_ID}}/oauth2/v2.0/authorize
 tokenUrl: https://login.microsoftonline.com/${{AAD_APP_TENANT_ID}}/oauth2/v2.0/token
 scopes:
- api://${{OPENAPI_SERVER_DOMAIN}}/${{AAD_APP_CLIENT_ID}}/repairs_read: Read repair records
+ ${{AADAUTHCODE_APPLICATION_ID_URI}}/repairs_read: Read repair records
 {{/MicrosoftEntra}}
 {{^MicrosoftEntra}}
 oAuth2AuthCode:
@@ -39,7 +39,7 @@ paths:
 security:
 {{#MicrosoftEntra}}
 - aadAuthCode:
- - api://${{OPENAPI_SERVER_DOMAIN}}/${{AAD_APP_CLIENT_ID}}/repairs_read
+ - ${{AADAUTHCODE_APPLICATION_ID_URI}}/repairs_read
 {{/MicrosoftEntra}}
 {{^MicrosoftEntra}}
 - oAuth2AuthCode: