Token Service Gives a 500 Service Error When Exchanging Token

[pelanzag]

Github issues should be used for bugs and feature requests. Use Stack Overflow for general "how-to" questions.

Version

4.22.2 DotNet C#

Describe the bug

I'm trying to set up SSO for my bot and a website.

• The website is an Azure Web App that already has its own AAD Auth Set up.

• The bot is hosted on Azure and also uses AAD. Auth is already working with the OAuthCard and Sign In button.

The idea is to keep users from having to authenticate 2 times, one for the website and another for the embedded bot. From what I've read with SSO I can pass the auth token that I received from the website to the bot and the bot will exchange this token for one of its own. Everything on behalf of the user.

This is what I've done so far:

Bot's App Registration

1. I have "Exposed an API" and created a scope: MY_BOTS_API/customScope
2. I have added the Web App Id to the list of Authorized Clients.

Bot Service

1. On the Configuration section I set up an OAuth 2 Connection with:

• ClientId: <Bot's Entra App Registration App Id>
• ClientSecret: <Bot's Entra App Registration App Secret>
• Authorization URL: <MY_AUTH_PROXY_AUTHORIZATION_URL>
• Token URL: <MY_AUTH_PROXY_TOKEN_URL>
• Refresh URL: <MY_AUTH_PROXY_TOKEN_URL>
• Token Exchange URL: MY_BOTS_API/CUSTOM_SCOPE
• Scope: My Bot App's Scopes (openId, etc.)

2. Tested Connection from the portal and it works, I get a token.

Web App

1. I authenticate against my Web App's AAD endpoint using MSAL with SCOPE = ''MY_BOTS_API/CUSTOM_SCOPE" and get an AccessToken1. I can see that the aud claim matches the one I set on my Connection's Token Exchange URL
2. Using the react web chat I intercept the OAuth Card TokenExchangeResource
3. Reply with an Invoke TokenExchangeRequest and pass in the AccessToken1

Using the C# debugger, I can see that my bot does receive the request, however the exchange fails with a 500 error. Specifically, the error occurs at the ExchangeTokenAsync(turnContext, settings.ConnectionName, turnContext.Activity.From.Id, tokenExchangeRequest, cancellationToken) call.

Looking deeper I can see that the actual error occurs on the following REST API call:
REQUEST

• METHOD: POST
• URI: https://api.botframework.com/api/usertoken/exchange?userId=123456&connectionName=OutlookDataGenAIBotAuthProxy&channelId=emulator
• HEADERS: Authorization "Bearer <MY_BOTS_ACCESS_TOKEN>"
• BODY:

{
"token": <THE_ACCESS_TOKEN_FROM_MY_WEB_APP>
"uri":""
} 

Which returns the following error:
RESPONSE

{
  "error": {
    "code": "ServiceError",
    "message": "Unexpected error occurred during Token Exchange"
  }
}

What can be going on?

To Reproduce

Reproducing the exact thing might be tricky as it's tied to my own configuration. But following the explanation above with two other app registrations might work.

Expected behavior

I expect the TokenExchangeRequest to work, meaning the bot's OAuthCard is skipped as the user will be already authenticated.