3 changes: 2 additions & 1 deletion packages/fx-core/resource/package.nls.json
Expand Up @@ -1052,7 +1052,8 @@
"core.addAuthAction.validation.url": "Invalid URL format. Please enter a valid URL.",
"core.oauthScopeQuestion.validation.scope": "Invalid scope format. Please enter a valid scope. Samle: scope1: description for scope1; scope2: description for scope2",
"core.authNameQuestion.validation.empty": "Auth name cannot be empty.",
"driver.oauth.microsoftEntraWarning": "If you are using your own Microsoft Entra app, please: 1. Update the application id uri of your Microsoft Entra app to %s, 2. Add %s to redirect uri of your Microsoft Entra app.",
"driver.oauth.microsoftEntraWarning": "Microsoft Entra SSO configuration required for On-Behalf-Of (OBO) token exchange. If you are managing your Microsoft Entra app registration manually, please: 1. Set the Application ID URI to %s only — do not add additional identifier URIs as this breaks the OBO token exchange silently. 2. Add both %s and %s to the web redirect URIs of your app registration. Missing redirect URIs cause error 50011 during SSO. If using the toolkit-managed aad.manifest.json, these settings are configured automatically by the aadApp/update step.",
"driver.oauth.microsoftEntraOboInfo": "SSO+OBO flow configured with Application ID URI: %s. For the On-Behalf-Of exchange to succeed, ensure your Microsoft Entra app has: (a) only this Application ID URI set as identifierUri, (b) the access_as_user delegated scope defined, (c) Teams/Office client apps pre-authorized for that scope, and (d) the idtyp optional claim added to access tokens. If the OBO exchange fails silently, check Entra ID sign-in logs for errors such as 50011 (redirect URI mismatch).",
"core.addKnowledgeQuestion.webContent.title": "Web Content",
"core.addKnowledgeQuestion.webContent.placeholder": "Enter an absolute URL to a site to be searched for content.",
"core.addKnowledgeQuestion.invalidWebContent.message": "Invalid web content. Please provide a valid URL.",
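Review bot: The new `driver.oauth.microsoftEntraOboInfo` string tells the user their app needs "the access_as_user delegated scope defined", but the OpenAPI spec templates changed in this same commit request `${{AADAUTHCODE_APPLICATION_ID_URI}}/repairs_read`, not `access_as_user`; unless that scope is defined somewhere not shown here, a user following the message will add a scope the sample never uses while the one it does use goes unmentioned. Either name the scope the spec actually declares or phrase it generically, e.g. `(b) the delegated scope(s) your API spec declares under that Application ID URI defined`. The reworded `microsoftEntraWarning` now has three positional `%s` placeholders (Application ID URI, then two redirect URIs), so the argument order at the call site in create.ts is load-bearing and is worth a comment there, since a JSON resource file cannot carry one.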
22 changes: 14 additions & 8 deletions packages/fx-core/src/component/driver/oauth/create.ts
Expand Up @@ -24,7 +24,7 @@ import { loadStateFromEnv } from "../util/utils";
import { OauthNameTooLongError } from "./error/oauthNameTooLong";
import { CreateOauthArgs } from "./interface/createOauthArgs";
import { CreateOauthOutputs, OutputKeys } from "./interface/createOauthOutputs";
import { defaultRedirectUri, logMessageKeys } from "./utility/constants";
import { additionalRedirectUri, defaultRedirectUri, logMessageKeys } from "./utility/constants";
import { OauthInfo, getAuthInfo, validateSecret, validateUrl } from "./utility/utility";
import { OauthIdentityProviderInvalid } from "./error/oauthIdentityProviderInvalid";

Expand Down Expand Up @@ -133,14 +133,20 @@ export class CreateOauthDriver implements StepDriver {
oauthRegistrationRes.resourceIdentifierUri
);

void context.ui!.showMessage(
"warn",
const warningMessage = getLocalizedString(
logMessageKeys.microsoftEntraWarning,
oauthRegistrationRes.resourceIdentifierUri,
defaultRedirectUri,
additionalRedirectUri
);
context.logProvider?.warning(warningMessage);
void context.ui!.showMessage("warn", warningMessage, false);

context.logProvider?.info(
getLocalizedString(
logMessageKeys.microsoftEntraWarning,
oauthRegistrationRes.resourceIdentifierUri,
defaultRedirectUri
),
false
logMessageKeys.microsoftEntraOboInfo,
oauthRegistrationRes.resourceIdentifierUri
)
);
}

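Review bot: The new `void context.ui!.showMessage("warn", warningMessage, false);` keeps the non-null assertion on `context.ui`, and now that the same text is also written through `context.logProvider?.warning(warningMessage)`, a missing UI (if a headless or CI host can leave it undefined — not visible from this hunk) would throw after the OAuth registration has already succeeded instead of degrading to the log entry; `void context.ui?.showMessage("warn", warningMessage, false);` keeps today's behaviour wherever a UI exists. A smaller point: `getLocalizedString(logMessageKeys.microsoftEntraWarning, ...)` now passes three values whose order must match the `%s` slots of the string in package.nls.json, and nothing documents that; a one-line comment above `const warningMessage`, such as `// argument order must match the %s slots in driver.oauth.microsoftEntraWarning: application ID URI, consent redirect URI, auth redirect URI`, protects the next edit. The enclosing method of CreateOauthDriver starts and ends outside the hunk.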
Expand Up @@ -10,6 +10,7 @@ export const logMessageKeys = {
skipUpdateOauth: "driver.oauth.log.skipUpdateOauth",
successUpdateOauth: "driver.oauth.log.successUpdateOauth",
microsoftEntraWarning: "driver.oauth.microsoftEntraWarning",
microsoftEntraOboInfo: "driver.oauth.microsoftEntraOboInfo",
};

export const maxSecretLength = 512;
Expand All @@ -18,3 +19,6 @@ export const maxDomainPerOauth = 1;

export const defaultRedirectUri =
"https://teams.microsoft.com/api/platform/v1.0/oAuthConsentRedirect";

export const additionalRedirectUri =
"https://teams.microsoft.com/api/platform/v1.0/oAuthRedirect";
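Review bot: `additionalRedirectUri` is exported without any documentation, and the same literal (together with `defaultRedirectUri`) is repeated verbatim in the aad.manifest.json templates changed in this commit, so editing one copy would silently desynchronize the warning shown to users from what the manifest actually registers. A TSDoc comment on each constant making that coupling explicit is cheap, e.g. `/** Teams OAuth redirect URI; must match the corresponding web.redirectUris entry in the aad.manifest.json template. */` above `additionalRedirectUri`, with the equivalent on `defaultRedirectUri`. This section's file header is not shown on the page; the path is inferred from the `./utility/constants` import in create.ts.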
Expand Up @@ -4,7 +4,6 @@
"displayName": "{{appName}}-aad",
"identifierUris": [
{{#MicrosoftEntra}}
"api://${{OPENAPI_SERVER_DOMAIN}}/${{AAD_APP_CLIENT_ID}}",
"${{AADAUTHCODE_APPLICATION_ID_URI}}"
{{/MicrosoftEntra}}
{{^MicrosoftEntra}}
Expand Down Expand Up @@ -59,7 +58,8 @@
"web": {
"redirectUris": [
{{#MicrosoftEntra}}
"https://teams.microsoft.com/api/platform/v1.0/oAuthConsentRedirect"
"https://teams.microsoft.com/api/platform/v1.0/oAuthConsentRedirect",
"https://teams.microsoft.com/api/platform/v1.0/oAuthRedirect"
{{/MicrosoftEntra}}
{{^MicrosoftEntra}}
"https://teams.microsoft.com/api/platform/v1.0/oAuthRedirect"
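Review bot: After removing the `api://${{OPENAPI_SERVER_DOMAIN}}/${{AAD_APP_CLIENT_ID}}` entry, the `{{#MicrosoftEntra}}` branch of `identifierUris` holds only `${{AADAUTHCODE_APPLICATION_ID_URI}}`, so the registered Application ID URI now depends entirely on that variable being populated before the `aadApp/update` step runs; if it is empty, the manifest registers `""` as the identifier URI and nothing in this hunk guards against it. Worth confirming the oauth/create step always writes that output first, or wrapping the entry in a section guard of the kind already used here (`{{#MicrosoftEntra}}`) if the template engine honours it for plain variables — I cannot tell from this hunk. Separately, `"https://teams.microsoft.com/api/platform/v1.0/oAuthRedirect"` now appears in both the `{{#MicrosoftEntra}}` and `{{^MicrosoftEntra}}` branches of `web.redirectUris`; keeping only `{{#MicrosoftEntra}}"https://teams.microsoft.com/api/platform/v1.0/oAuthConsentRedirect",{{/MicrosoftEntra}}` conditional and the `oAuthRedirect` entry unconditional removes the duplicate. The two later manifest template sections on this page have the same shape and the same points apply.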
Expand Up @@ -17,7 +17,7 @@ components:
authorizationUrl: https://login.microsoftonline.com/${{AAD_APP_TENANT_ID}}/oauth2/v2.0/authorize
tokenUrl: https://login.microsoftonline.com/${{AAD_APP_TENANT_ID}}/oauth2/v2.0/token
scopes:
api://${{OPENAPI_SERVER_DOMAIN}}/${{AAD_APP_CLIENT_ID}}/repairs_read: Read repair records
${{AADAUTHCODE_APPLICATION_ID_URI}}/repairs_read: Read repair records
{{/MicrosoftEntra}}
{{^MicrosoftEntra}}
oAuth2AuthCode:
Expand All @@ -39,7 +39,7 @@ paths:
security:
{{#MicrosoftEntra}}
- aadAuthCode:
- api://${{OPENAPI_SERVER_DOMAIN}}/${{AAD_APP_CLIENT_ID}}/repairs_read
- ${{AADAUTHCODE_APPLICATION_ID_URI}}/repairs_read
{{/MicrosoftEntra}}
{{^MicrosoftEntra}}
- oAuth2AuthCode:
Expand Up @@ -4,7 +4,6 @@
"displayName": "{{appName}}-aad",
"identifierUris": [
{{#MicrosoftEntra}}
"api://${{OPENAPI_SERVER_DOMAIN}}/${{AAD_APP_CLIENT_ID}}",
"${{AADAUTHCODE_APPLICATION_ID_URI}}"
{{/MicrosoftEntra}}
{{^MicrosoftEntra}}
Expand Down Expand Up @@ -59,7 +58,8 @@
"web": {
"redirectUris": [
{{#MicrosoftEntra}}
"https://teams.microsoft.com/api/platform/v1.0/oAuthConsentRedirect"
"https://teams.microsoft.com/api/platform/v1.0/oAuthConsentRedirect",
"https://teams.microsoft.com/api/platform/v1.0/oAuthRedirect"
{{/MicrosoftEntra}}
{{^MicrosoftEntra}}
"https://teams.microsoft.com/api/platform/v1.0/oAuthRedirect"
Expand Up @@ -17,7 +17,7 @@ components:
authorizationUrl: https://login.microsoftonline.com/${{AAD_APP_TENANT_ID}}/oauth2/v2.0/authorize
tokenUrl: https://login.microsoftonline.com/${{AAD_APP_TENANT_ID}}/oauth2/v2.0/token
scopes:
api://${{OPENAPI_SERVER_DOMAIN}}/${{AAD_APP_CLIENT_ID}}/repairs_read: Read repair records
${{AADAUTHCODE_APPLICATION_ID_URI}}/repairs_read: Read repair records
{{/MicrosoftEntra}}
{{^MicrosoftEntra}}
oAuth2AuthCode:
Expand All @@ -39,7 +39,7 @@ paths:
security:
{{#MicrosoftEntra}}
- aadAuthCode:
- api://${{OPENAPI_SERVER_DOMAIN}}/${{AAD_APP_CLIENT_ID}}/repairs_read
- ${{AADAUTHCODE_APPLICATION_ID_URI}}/repairs_read
{{/MicrosoftEntra}}
{{^MicrosoftEntra}}
- oAuth2AuthCode:
Expand Up @@ -4,7 +4,6 @@
"displayName": "{{appName}}-aad",
"identifierUris": [
{{#MicrosoftEntra}}
"api://${{OPENAPI_SERVER_DOMAIN}}/${{AAD_APP_CLIENT_ID}}",
"${{AADAUTHCODE_APPLICATION_ID_URI}}"
{{/MicrosoftEntra}}
{{^MicrosoftEntra}}
Expand Down Expand Up @@ -59,7 +58,8 @@
"web": {
"redirectUris": [
{{#MicrosoftEntra}}
"https://teams.microsoft.com/api/platform/v1.0/oAuthConsentRedirect"
"https://teams.microsoft.com/api/platform/v1.0/oAuthConsentRedirect",
"https://teams.microsoft.com/api/platform/v1.0/oAuthRedirect"
{{/MicrosoftEntra}}
{{^MicrosoftEntra}}
"https://teams.microsoft.com/api/platform/v1.0/oAuthRedirect"
Expand Up @@ -17,7 +17,7 @@ components:
authorizationUrl: https://login.microsoftonline.com/${{AAD_APP_TENANT_ID}}/oauth2/v2.0/authorize
tokenUrl: https://login.microsoftonline.com/${{AAD_APP_TENANT_ID}}/oauth2/v2.0/token
scopes:
api://${{OPENAPI_SERVER_DOMAIN}}/${{AAD_APP_CLIENT_ID}}/repairs_read: Read repair records
${{AADAUTHCODE_APPLICATION_ID_URI}}/repairs_read: Read repair records
{{/MicrosoftEntra}}
{{^MicrosoftEntra}}
oAuth2AuthCode:
Expand All @@ -39,7 +39,7 @@ paths:
security:
{{#MicrosoftEntra}}
- aadAuthCode:
- api://${{OPENAPI_SERVER_DOMAIN}}/${{AAD_APP_CLIENT_ID}}/repairs_read
- ${{AADAUTHCODE_APPLICATION_ID_URI}}/repairs_read
{{/MicrosoftEntra}}
{{^MicrosoftEntra}}
- oAuth2AuthCode: