@adilei According to https://learn.microsoft.com/en-us/microsoft-copilot-studio/advanced-end-user-authentication?tabs=web... you should supply User.AccessToken. I'm using the REST API, and it is a bit unclear how to do it. I guess the bearer token in the header is still reserved for the directLineSecret? Should I supply it in a body? If so, what key should I use? Also, is there any documentation for this? I'm making a native iOS app, and most documentation seems to be about web.
@adilei Is it possible to see why this gives 400? Do you know anyone who has access to see what goes on on the server?
Yes I did. I even unchecked the box "Require users to sign in". Still get a 400.
It's not a documented pattern (yet), and the payload structure seems fine. Have you tried removing the app registration details from the copilot? i.e. put "placeholder" instead of client ID and secret. Don't forget to publish after saving.
@adilei 400 is bad request. So could something be wrong with the syntax somewhere? Is there any documentation available that states that the body should be
{ "token": <accesstoken> }
?
It would be great to get a link to that documentation.
And I removed the Token exchange URL, but I still get 400, and no 200. So something is still wrong.
I put the accesstoken here: https://jwt.io/
It gave
"scp": "openid People.Read People.Read.All profile User.Read User.Read.All email"
So openid and profile seem to be part of the accesstoken. If jwt.io is the right place to do it?
1. Your Token exchange URL is wrong. Generally speaking, it should be set to the custom scope that you create for the app registration, but more specifically, the sasUrl pattern doesn't need it, so better to remove it altogether (don't forget to publish).
2. You should be able to obtain a token for "profile" and "openid" using MSAL. I don't know why you're seeing this behavior, but I would advise decoding the access token. There's a chance that MSAL is adding those tokens anyway, but you should verify.
BTW: when using the sasUrl pattern, there's actually no need to connect the copilot with an app registration. You can just put "placeholder" in the client id and secret.
In the Microsoft Entra admin center for the app, the API permissions look like:
1) Yes - see image.
2) profile, openid - see image.
3) Only "user.read":
var scopes: [String]? = ["user.read"]
Is that the problem?
That I should add profile and openid there?
I tested
var scopes: [String]? = ["user.read", "openid", "profile"]
but then I get:
Error Domain=MSALErrorDomain Code=-50000 "(null)" UserInfo={MSALErrorDescriptionKey={(
openid,
profile,
"offline_access"
)} are reserved scopes and may not be specified in the acquire token call., MSALInternalErrorCodeKey=-42000}
I will get back to the 3 questions soon.
I just noted that I get a lot of old sasUrls in the different attachments.
The last one, where the expiry time hasn't gone out yet, gives a 400 instead of a 401.
The last 3 look like this, with the statusCode printed first on each line:
401 sasUrlString = https://token.botframework.com/api/sas/postToken?expiry=1715001358&id=key1&state=7cb8799dca9d450fb576c4191ca52c3b&hmac=PqyO%2b74GkIalB%2fjh68zWy%2bwPcT1Hh0%2fKX11WAcnccrI%3d
401 sasUrlString = https://token.botframework.com/api/sas/postToken?expiry=1715001364&id=key1&state=3d65f236306846a4b03275e8063ef943&hmac=gtKpnBKMYNJpyDWgeJtijj0LNz%2fSIdrBke%2bBIwfIFKU%3d
400 sasUrlString = https://token.botframework.com/api/sas/postToken?expiry=1715001498&id=key1&state=2179a809364d4301b7006e3b3ac1f8d3&hmac=1cAe93zpLsWV6pBFEY1Ld8iSd%2flYrLZk2ta2UZWK%2bOE%3d
So the 401 is an unauthorized, because of the expiry. That is logical.
But the last one, which hadn't expired, gave a 400 - a bad request.
So it is authorized, but gives a bad request.
How come?
The sasUrl should be correct.
Is the body wrong then?
I used
{
"token": accessToken
}
Usually 400 means some kind of syntax error in the request, right?
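Added example, not part of the thread and not Microsoft's code: a local Swift check of the two things the posts above inspect by hand, the scopes inside the access token and whether a sasUrl has expired, without the token leaving the device. The function names, the sample token and the placeholder `state`/`hmac` values are constructed; treating `expiry` as Unix epoch seconds is an assumption based on the values quoted in the thread.

```swift
import Foundation

// Decode the claims (second segment) of a JWT locally. The signature is NOT
// verified; this is for inspecting scp/aud/exp while debugging only.
func jwtClaims(_ jwt: String) -> [String: Any]? {
    let parts = jwt.split(separator: ".", omittingEmptySubsequences: false)
    guard parts.count == 3 else { return nil }
    // JWT segments are base64url without padding; convert to standard base64.
    var b64 = parts[1].replacingOccurrences(of: "-", with: "+")
        .replacingOccurrences(of: "_", with: "/")
    b64 += String(repeating: "=", count: (4 - b64.count % 4) % 4)
    guard let data = Data(base64Encoded: b64) else { return nil }
    return (try? JSONSerialization.jsonObject(with: data)) as? [String: Any]
}

// Seconds until the sasUrl expires (negative once expired).
// Assumption: `expiry` is Unix epoch seconds, as the values in the thread suggest.
func sasSecondsRemaining(_ sasUrl: String, now: Date = Date()) -> TimeInterval? {
    guard let items = URLComponents(string: sasUrl)?.queryItems,
          let raw = items.first(where: { $0.name == "expiry" })?.value,
          let epoch = TimeInterval(raw) else { return nil }
    return epoch - now.timeIntervalSince1970
}

// Helper used only to build the constructed sample token below.
func b64url(_ s: String) -> String {
    Data(s.utf8).base64EncodedString()
        .replacingOccurrences(of: "+", with: "-")
        .replacingOccurrences(of: "/", with: "_")
        .replacingOccurrences(of: "=", with: "")
}

// Constructed sample: dummy header and signature, scp string as quoted in the thread.
let payload = #"{"scp":"openid People.Read People.Read.All profile User.Read User.Read.All email"}"#
let sampleJWT = [b64url(#"{"alg":"none"}"#), b64url(payload), "sig"].joined(separator: ".")

if let claims = jwtClaims(sampleJWT), let scp = claims["scp"] as? String {
    let scopes = Set(scp.split(separator: " ").map(String.init))
    print("scopes:", scopes.sorted())
    print("has openid+profile:", scopes.isSuperset(of: ["openid", "profile"]))
}

// Constructed sasUrl: expiry value from the thread, state/hmac are placeholders.
let sampleSas = "https://token.botframework.com/api/sas/postToken?expiry=1715001498&id=key1&state=STATE_PLACEHOLDER&hmac=HMAC_PLACEHOLDER"
let checkedAt = Date(timeIntervalSince1970: 1715001400) // constructed "now"
if let left = sasSecondsRemaining(sampleSas, now: checkedAt) {
    print(left > 0 ? "sasUrl valid for \(Int(left)) s" : "sasUrl expired \(Int(-left)) s ago")
}
```

Running the expiry check before each POST separates the expired-URL case (the 401s above) from a request that is rejected for another reason.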