Power Platform Community Forum Thread Details

Problem Context:
I am integrating Copilot Studio with the Microsoft Bot Framework to enable OAuth-based manual authentication using Azure Active Directory v2. The bot prompts the user to authenticate by sending an OAuth card (application/vnd.microsoft.card.oauth)

What I've Done/Attempted:

Verified the bot successfully sends the following OAuth card to the user for authentication:

{ "type": "message", "attachments": [ { "contentType": "application/vnd.microsoft.card.oauth", "content": { "text": "To continue, please login", "connectionName": "CONNECTION_ID", "buttons": [ { "type": "signin", "title": "Login", "value": "https://token.botframework.com/api/oauth/signin?signin=SIGNIN_ID" } ] } } ] }
After the user completes authentication, I attempted to handle the token exchange by sending an event activity with the following payload to Copilot Studio:

{ "type": "event", "name": "signin/tokenExchange", "value": { "token": "USER_AUTH_TOKEN" }, "from": { "id": "USER_ID", "name": "USER_NAME" }, "serviceUrl": "https://directline.botframework.com/" }

Issue Faced:
Despite completing the sign-in process and sending the signin/tokenExchange event, the bot does not seem to process or respond to this event. There is no confirmation that the token exchange has been accepted or that authentication was successful.
The bot sends the OAuth card correctly, and the sign-in URL (https://token.botframework.com/api/oauth/signin?...) works as expected. The issue arises after the user signs in, during the token exchange step. The signin/tokenExchange event does not appear to trigger the expected response in Copilot Studio.

Has anyone successfully implemented manual authentication with Copilot Studio and Azure Active Directory v2 in a custom chanel? Is the structure of the signin/tokenExchange event correct? Are there additional configurations or steps needed for Copilot Studio to process the token exchange?

Categories:

General topics

Integrating Copilot Studio with the Microsoft Bot Framework for manual authentication using Azure Active Directory v2 involves a few critical steps, and the issue you're facing might be due to missing configurations or nuances in the token exchange process. Here are the key steps, possible issues, and resolutions:

Key Steps to Ensure Proper Implementation

1. OAuth Card Configuration

Your OAuth card JSON looks correct, and you’ve already verified that the card is being sent successfully.

Double-check the connectionName in the card. It must match the name of the OAuth Connection configured in the Azure Bot Channel Registration.

2. Sign-In URL

The sign-in URL (e.g., https://token.botframework.com/api/oauth/signin?...) should be correctly generated by the Bot Framework.

Ensure that the signInAudience in your Azure AD app is set correctly:
- For work/school accounts, use "AzureADMyOrg".
- For all users, use "AzureADMultipleOrgs"

3. Token Exchange Event

The signin/tokenExchange event is critical to this process. Verify the following:

Event Type: Ensure the type is set to "event".

Event Name: The name must be exactly "signin/tokenExchange".

Payload: The value field should include the token and any additional information required by your bot. Your structure appears correct:

{
  "type": "event",
  "name": "signin/tokenExchange",
  "value": { "token": "USER_AUTH_TOKEN" },
  "from": { "id": "USER_ID", "name": "USER_NAME" },
  "serviceUrl": "https://directline.botframework.com/"
}

Possible Issues and Resolutions

1. Token Exchange Endpoint Configuration

Problem: If the bot is not handling the signin/tokenExchange event, it might not have the logic implemented to process this event.

Solution: Ensure that your bot is configured to handle the signin/tokenExchange event in the Bot Framework SDK. For example, in a C# bot:

protected override async Task OnEventActivityAsync(ITurnContext<IEventActivity> turnContext, CancellationToken cancellationToken)
{
    if (turnContext.Activity.Name == "signin/tokenExchange")
    {
        var tokenExchangeRequest = turnContext.Activity.Value as TokenExchangeRequest;
        if (tokenExchangeRequest != null)
        {
            // Handle token exchange logic here
            await turnContext.SendActivityAsync("Token exchange successful!");
        }
    }
}

2. Bot Framework Token Service Configuration

Problem: The connectionName in the OAuth card is not linked to a valid OAuth connection in the Azure Bot Channel Registration.

Solution:
- Navigate to your Azure Bot Channel Registration.
- Ensure the OAuth Connection Settings are correctly configured with your Azure AD app details.
- Verify that the connectionName in your bot matches the name in the Azure Bot Service configuration.

3. Copilot Studio Integration Limitations

Problem: Copilot Studio might not fully support the custom handling of signin/tokenExchange events if it relies solely on pre-defined connectors or logic.

Solution:
- Use a custom connector or Azure Function to handle the signin/tokenExchange event and forward the processed authentication state to Copilot Studio.
- Alternatively, modify your bot to store the authentication state and pass the relevant token to Copilot Studio when responding to user queries

4. Direct Line Service URL

Problem: The serviceUrl in the event payload might not match the expected endpoint for your bot in the Direct Line channel.

Solution: Verify that the serviceUrl in the signin/tokenExchange event matches the URL for your bot's Direct Line channel. You can find this in the Azure Bot Channels Configuration.

5. Check Authentication Flow Logs

Enable diagnostic logging in your bot to capture the incoming signin/tokenExchange event and verify whether it's being processed correctly.

Debugging Steps

Verify OAuth Configuration: Double-check the connectionName, Azure AD app settings, and Bot Framework channel configurations.

Enable Bot Framework Emulator: Test the bot locally with the Bot Framework Emulator to ensure that the signin/tokenExchange event is being triggered and handled properly.

Check Logs: Enable and review logs from the Azure Bot Service and Copilot Studio to pinpoint where the process might be failing.

Direct Line Configuration: Ensure that the serviceUrl and Direct Line settings are consistent and correctly configured.

Conclusion

Your configuration seems mostly correct, but the bot needs explicit logic to handle the signin/tokenExchange event. Ensure the bot processes this event correctly, and that all OAuth settings in Azure are aligned with your bot's implementation. If the issue persists, debugging the bot's activity logs and enabling diagnostic settings in Azure can provide more insight