botbuilder-dotnet

TeamsActivityHandler does not provide handling signin/failure

Open tracyboehrer opened this issue 1 year ago • 7 comments

For example:

Type: invoke Name: signin/failure

Value: {{ "code": "resourcematchfailed", "message": "Resource match failed" }}

tracyboehrer Jul 22 '24 18:07

Hi, I've just run into this exact problem trying to implement SSO auth with teams-ai. When testing connection in Azure portal it's successful, but when running the bot locally through Teams and ngrok I get a 501 Not Implemented response with these exact values. Any information on how to proceed?

c-nielson Nov 13 '24 18:11

@c-nielson If you are using Teams AI, I would reach out on the repo. They handle SSO a bit differently I think. For a Bot Framework bot, one of the main causes of this is the API Key on the OAuth Identity. It must be "api://botid-{appid}"

tracyboehrer Nov 13 '24 18:11

You mean for the OAuth connection? Yes, I have it set up that way for both the OAuth in the bot as well as the App ID URI for the app registration. I'll reach out to Teams AI and see if they have any insight. Thanks!

c-nielson Nov 13 '24 18:11

What worked for me was deleting the Token Exchange URL value in OAuth Connection Settings.

donatas-xyz Jun 04 '25 08:06

@donatas-xyz This results in Teams using the OAuth flow (as opposed to SSO). It's a subtle difference and still results in a token.

It has been a struggle determining the exact causes of this error. When I experienced it recently debugging Python SSO, it was because the Teams manifest IDs didn't match the actual configuration. But there could be other causes.

tracyboehrer Jun 04 '25 12:06
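
Added example, not part of the thread or of botbuilder-dotnet: a Python check that the identifiers discussed above (manifest IDs, App ID URI, Token Exchange URL) agree with one another, using the `api://botid-{appid}` format quoted earlier. The manifest field names `webApplicationInfo.id`, `webApplicationInfo.resource` and `bots[].botId` are taken from the Teams app manifest schema rather than from this thread; the function name is hypothetical and the GUIDs are constructed placeholders.

```python
import json

def check_sso_ids(manifest, app_id, app_id_uri, token_exchange_url):
    """Compare the identifiers an SSO bot needs to agree on; return mismatches."""
    expected_uri = f"api://botid-{app_id}"  # format quoted in the thread
    web_info = manifest.get("webApplicationInfo") or {}
    checks = [
        ("manifest webApplicationInfo.id", web_info.get("id"), app_id),
        ("manifest webApplicationInfo.resource", web_info.get("resource"), expected_uri),
        ("app registration App ID URI", app_id_uri, expected_uri),
        # An empty value is reported: per the thread, removing it makes Teams
        # use the OAuth flow instead of SSO.
        ("OAuth connection Token Exchange URL", token_exchange_url, expected_uri),
    ]
    for i, bot in enumerate(manifest.get("bots") or []):
        checks.append((f"manifest bots[{i}].botId", bot.get("botId"), app_id))

    problems = []
    for label, actual, expected in checks:
        value = actual or ""
        if value == expected:
            continue
        if not value:
            detail = "missing or empty"
        elif value.lower() == expected.lower():
            detail = f"differs only in case: {value!r}"
        else:
            detail = f"got {value!r}"
        problems.append(f"{label}: expected {expected!r}, {detail}")
    return problems

# Constructed sample: placeholder GUIDs, not values from the thread.
APP_ID = "00000000-0000-0000-0000-000000000001"
SAMPLE_MANIFEST = json.loads("""
{
  "bots": [{"botId": "00000000-0000-0000-0000-000000000001"}],
  "webApplicationInfo": {
    "id": "00000000-0000-0000-0000-000000000002",
    "resource": "api://botid-00000000-0000-0000-0000-000000000001"
  }
}
""")

if __name__ == "__main__":
    for line in check_sso_ids(SAMPLE_MANIFEST, APP_ID, f"api://botid-{APP_ID}", ""):
        print("MISMATCH", line)
```

An empty result means only that these values are consistent with each other; as noted above, the error can have other causes.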

Hi. I also have this error. It's quite strange because I'm running two identical web apps with identical bot services and app registrations in Azure. I'm only getting this error on one instance. I double checked every setting and the service principal logins in the enterprise application menu. I am happy to provide any information that may help resolve the issue. But I don't know where to start.

My webapp is using the Python SDK and I implemented SSO with the help of this configuration: https://github.com/OfficeDev/Microsoft-Teams-Samples/blob/main/samples/bot-conversation-sso-quickstart/BotSSOSetup.md

activity: signin/failure, invoke, value={'code': 'resourcematchfailed', 'message': 'Resource match failed'}

maaisde Jun 14 '25 19:06

Hi, it's me again. I've investigated the case a little more closely and discovered a discrepancy between my application-side return and the logs in Application Insights, as well as in the sign-in logs of the service principal. The status in my application-side return is 501 but in the Azure portal logs it is always successful.

My application-side return/event: activity: signin/failure, activity_id: f:c3314505-31de-7019-6263-97b07fcb3773, invoke, value={'code': 'resourcematchfailed', 'message': 'Resource match failed'} --> response.status=501

Application Insights: Image

Service principal logins with connected bot service app registration (via enterprise applications): Image

maaisde Jun 16 '25 12:06