End-user authentication

Posted on 1 May 2024 15:12:53 by 35

@adilei According to https://learn.microsoft.com/en-us/microsoft-copilot-studio/advanced-end-user-authentication?tabs=web... you should supply User.AccessToken. I'm using the REST API, and it is a bit unclear how to do it. I guess the bearer token in the header is still reserved for the directLineSecret? Should I supply it in a body? If so, what key should I use? Also, is there any documentation for this? I'm making a native iOS app, and most documentation seems to be about web.

  • JohanT Profile Picture
    35 on 27 May 2024 at 08:52:00
    Re: End-user authentication

    @adilei Is it possible to see why this gives 400? Do you know anyone who has access to see what goes on on the server?

  • JohanT Profile Picture
    35 on 14 May 2024 at 08:32:51
    Re: End-user authentication

    Yes I did. I even unchecked the box "Require users to sign in". Still get a 400.

    Screenshot 2024-05-14 at 10.31.17.png

  • adilei Profile Picture
    on 10 May 2024 at 08:47:52
    Re: End-user authentication

    it's not a documented pattern (yet), and the payload structure seems fine. Have you tried removing the app registration details from the copilot? i.e. put "placeholder" instead of client ID and secret. Don't forget to publish after saving.

  • JohanT Profile Picture
    35 on 09 May 2024 at 09:02:56
    Re: End-user authentication

    @adilei 400 is bad request. So could something be wrong with the syntax somewhere? Is there any documentation available that states that the body should be

    { "token": <accesstoken> }

    ?

    It would be great to get a link to that documentation.

  • JohanT Profile Picture
    35 on 07 May 2024 at 11:30:59
    Re: End-user authentication

    And I removed the Token exchange URL, but I still get 400, and no 200. So something is still wrong.

  • JohanT Profile Picture
    35 on 07 May 2024 at 11:28:01
    Re: End-user authentication

    I put the accesstoken here: https://jwt.io/

    It gave

    "scp": "openid People.Read People.Read.All profile User.Read User.Read.All email"

    So openid and profile seem to be part of the access token. If jwt.io is the right place to do it?

  • adilei Profile Picture
    on 06 May 2024 at 19:14:23
    Re: End-user authentication


    1. Your Token exchange URL is wrong. Generally speaking, it should be set to the custom scope that you create for the app registration, but more specifically, the sasUrl pattern doesn't need it, so better to remove it altogether (don't forget to publish).

    2. You should be able to obtain a token for "profile" and "openid" using MSAL. I don't know why you're seeing this behavior, but I would advise decoding the access token. There's a chance that MSAL is adding those tokens anyway, but you should verify


    BTW: when using the sasUrl pattern, there's actually no need to connect the copilot with an app registration. You can just put "placeholder" in the client id and secret. 

  • JohanT Profile Picture
    35 on 06 May 2024 at 14:54:55
    Re: End-user authentication

    In the Microsoft Entra admin center for the app, the API permissions look like:

    Screenshot 2024-05-06 at 16.53.44.png

  • JohanT Profile Picture
    35 on 06 May 2024 at 14:51:27
    Re: End-user authentication

    1) Yes - see image.

    2) profile, openid - see image.

    3) Only "user.read":

    var scopes: [String]? = ["user.read"]

    Is that the problem?

    That I should add profile and openid there?

    I tested 

    var scopes: [String]? = ["user.read", "openid", "profile"]

    but then I get:

    Error Domain=MSALErrorDomain Code=-50000 "(null)" UserInfo={MSALErrorDescriptionKey={(
     openid,
     profile,
     "offline_access"
    )} are reserved scopes and may not be specified in the acquire token call., MSALInternalErrorCodeKey=-42000}


    Screenshot 2024-05-06 at 16.44.37.png

  • JohanT Profile Picture
    35 on 06 May 2024 at 13:41:30
    Re: End-user authentication

    I will get back to the 3 questions soon.

    I just noted that I get a lot of old sasUrls in the different attachments.

    The last one, where the expiry time hasn't passed yet, gives a 400 instead of a 401.

    The last 3 look like this, with the statusCode printed first on each line:

    401 sasUrlString = https://token.botframework.com/api/sas/postToken?expiry=1715001358&id=key1&state=7cb8799dca9d450fb576c4191ca52c3b&hmac=PqyO%2b74GkIalB%2fjh68zWy%2bwPcT1Hh0%2fKX11WAcnccrI%3d
    401 sasUrlString = https://token.botframework.com/api/sas/postToken?expiry=1715001364&id=key1&state=3d65f236306846a4b03275e8063ef943&hmac=gtKpnBKMYNJpyDWgeJtijj0LNz%2fSIdrBke%2bBIwfIFKU%3d
    400 sasUrlString = https://token.botframework.com/api/sas/postToken?expiry=1715001498&id=key1&state=2179a809364d4301b7006e3b3ac1f8d3&hmac=1cAe93zpLsWV6pBFEY1Ld8iSd%2flYrLZk2ta2UZWK%2bOE%3d

    So the 401 is an unauthorized, because of the expiry. That is logical.

    But the last one, which hadn't expired, gave a 400 - a bad request.

    So it is authorized, but gives a bad request.

    How come?

    The sasUrl should be correct.

    Is the body wrong, then?

    I used

    {
    "token": accessToken
    }

    Usually 400 means some kind of syntax error in the request, right?
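As an added example (not code from the thread, Microsoft's documentation or the Bot Framework SDKs), here are the client-side checks a developer could run before posting to the sasUrl: read the expiry from the URL so an expired one is recognised without a 401 round trip, decode the access token's scp claim locally instead of pasting a live token into a third-party site, and shape the { "token": ... } body the thread uses. The JWT and sasUrl below are constructed placeholders, not real credentials.

```python
import base64
import json
import time
from urllib.parse import parse_qs, urlparse

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def sas_url_expiry(sas_url: str) -> int:
    """Read the 'expiry' query parameter (Unix seconds) from a sasUrl."""
    return int(parse_qs(urlparse(sas_url).query)["expiry"][0])

def sas_url_is_expired(sas_url: str, now=None) -> bool:
    """True once the sasUrl's expiry has passed; a stale URL explains a 401."""
    now = int(time.time()) if now is None else now
    return sas_url_expiry(sas_url) <= now

def jwt_claims(token: str) -> dict:
    """Decode a JWT payload locally. This does NOT verify the signature; it only
    lets you read claims such as 'scp' without pasting the token into a website."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))

def missing_scopes(token: str, required: set) -> set:
    """Return the scopes in `required` that the token's 'scp' claim lacks."""
    granted = set(jwt_claims(token).get("scp", "").split())
    return required - granted

def build_post_token_request(sas_url: str, access_token: str) -> dict:
    """Request shape discussed in the thread: POST the user token as JSON."""
    return {"method": "POST", "url": sas_url,
            "headers": {"Content-Type": "application/json"},
            "body": json.dumps({"token": access_token})}

# Constructed sample data (not real credentials): an unsigned JWT and a sasUrl with placeholder values.
SAMPLE_CLAIMS = {"scp": "openid profile User.Read email", "exp": 1700003600}
SAMPLE_TOKEN = ".".join([_b64url(json.dumps({"alg": "none"}).encode()),
                         _b64url(json.dumps(SAMPLE_CLAIMS).encode()), ""])
SAMPLE_SAS_URL = ("https://token.botframework.com/api/sas/postToken"
                  "?expiry=1700000000&id=key1&state=PLACEHOLDER&hmac=PLACEHOLDER")

if __name__ == "__main__":
    print("sasUrl expired:", sas_url_is_expired(SAMPLE_SAS_URL))
    print("missing scopes:", missing_scopes(SAMPLE_TOKEN, {"openid", "profile", "User.Read"}))
```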
