You’re offline. This is a read only version of the page.
35
@adilei According to https://learn.microsoft.com/en-us/microsoft-copilot-studio/advanced-end-user-authentication?tabs=web... you should supply User.AccessToken. I'm using the rest api, and it is a bit unclear how to do it. I guess the bearer token in the header still is reserved for the directLineSecret? Should i supply it in a body? If so what key should I use? Also, is there any documentation for this. I'm making a native iOS app, and most documentations seems to be about web
I put the accesstoken here: https://jwt.io/
It gave
"scp": "openid People.Read People.Read.All profile User.Read User.Read.All email"
So openid and profile seems to be part of the accesstoken. If jwt.io is the right place to do it?
1. Your Token exchange URL is wrong. Generally speaking, It should be set to the custom scope that you create for the app registration, but more specifically, the sasUrl pattern doesn't need it, so better to remove it altogether (don't forget to publish)
2. You should be able to obtain a token for "profile" and "openid" using MSAL. I don't know why you're seeing this behavior, but I would advise decoding the access token. There's a chance that MSAL is adding those tokens anyway, but you should verify
BTW: when using the sasUrl pattern, there's actually no need to connect the copilot with an app registration. You can just put "placeholder" in the client id and secret.
1) Yes - see image.
2) profile, openid - see image.
3) Only "user.read":
Share
Report
All responses (
Answers (
var scopes: [String]? = ["user.read"]Is that the problem?
That I should add profile and openid there?
I tested
var scopes: [String]? = ["user.read", "openid", "profile"]but then I get:
Error Domain=MSALErrorDomain Code=-50000 "(null)" UserInfo={MSALErrorDescriptionKey={(
openid,
profile,
"offline_access"
)} are reserved scopes and may not be specified in the acquire token call., MSALInternalErrorCodeKey=-42000}
I will get back to the 3 questions soon.
I just noted that I get a lot of old sasUrl:s in the different attachments.
The last one, where the expiry time hasn't gone out yet, gives a 400 instead of a 401.
The last 3 looks like this, with the statusCode printed first on each line:
401 sasUrlString = https://token.botframework.com/api/sas/postToken?expiry=1715001358&id=key1&state=7cb8799dca9d450fb576c4191ca52c3b&hmac=PqyO%2b74GkIalB%2fjh68zWy%2bwPcT1Hh0%2fKX11WAcnccrI%3d
401 sasUrlString = https://token.botframework.com/api/sas/postToken?expiry=1715001364&id=key1&state=3d65f236306846a4b03275e8063ef943&hmac=gtKpnBKMYNJpyDWgeJtijj0LNz%2fSIdrBke%2bBIwfIFKU%3d
400 sasUrlString = https://token.botframework.com/api/sas/postToken?expiry=1715001498&id=key1&state=2179a809364d4301b7006e3b3ac1f8d3&hmac=1cAe93zpLsWV6pBFEY1Ld8iSd%2flYrLZk2ta2UZWK%2bOE%3dSo the 401 is an unauthorized, because of the expiry. That is logical.
But the last one which hadn't expired, gave a 400 - a bad request.
So it is authorized, but gives a bad request.
How come?
The sasUrl should be correct.
Is the body wrong then.
I used
{
"token": accessToken
}Usually 400 means some kind of syntax error in the request, right?
#1
Romain The Low-Code...
25
#1
Pablo Roldan
25
#3
stampcoin
10
