Teams app

.gitignore

@@ -45,6 +45,9 @@ flask_session
 tmp**cwd
 /tmp_images
 nul
+
+# Teams manifest
+application/teams_app/manifest.json
 /.github/plans
 *.xlsx
 /artifacts/tests

application/single_app/app.py

@@ -20,6 +20,7 @@
         sys.stderr = codecs.getwriter('utf-8')(sys.stderr.buffer, 'strict')
 
 import app_settings_cache
+from functions_appinsights import *
 from config import *
 from semantic_kernel import Kernel
 from semantic_kernel_loader import initialize_semantic_kernel
@@ -31,7 +32,6 @@
 from functions_documents import *
 from functions_search import *
 from functions_settings import *
-from functions_appinsights import *
 from functions_activity_logging import *
 
 import threading
@@ -102,6 +102,13 @@
 app.config['VERSION'] = VERSION
 app.config['SECRET_KEY'] = SECRET_KEY
 
+if ENABLE_TEAMS_SSO:
+    app.config.update(
+        SESSION_COOKIE_SECURE=True,        # required if you use SameSite=None
+        SESSION_COOKIE_SAMESITE="None",
+        SESSION_COOKIE_HTTPONLY=True,
+    )
+
 # Ensure filesystem session directory (when used) points to a writable path inside container.
 if SESSION_TYPE == 'filesystem':
     app.config['SESSION_FILE_DIR'] = globals().get('SESSION_FILE_DIR', os.environ.get('SESSION_FILE_DIR', '/app/flask_session'))

application/single_app/config.py

@@ -98,29 +98,6 @@
 
 SECRET_KEY = os.getenv('SECRET_KEY', 'dev-secret-key-change-in-production')
 
-# Security Headers Configuration
-SECURITY_HEADERS = {
-    'X-Content-Type-Options': 'nosniff',
-    'X-Frame-Options': 'DENY',
-    'X-XSS-Protection': '1; mode=block',
-    'Referrer-Policy': 'strict-origin-when-cross-origin',
-    'Content-Security-Policy': (
-        "default-src 'self'; "
-        "script-src 'self' 'unsafe-inline' 'unsafe-eval'; "
-        #"script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.jsdelivr.net https://code.jquery.com https://stackpath.bootstrapcdn.com; "
-        "style-src 'self' 'unsafe-inline'; "
-        #"style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net https://stackpath.bootstrapcdn.com; "
-        "img-src 'self' data: https: blob:; "
-        "font-src 'self'; "
-        #"font-src 'self' https://cdn.jsdelivr.net https://stackpath.bootstrapcdn.com; "
-        "connect-src 'self' https: wss: ws:; "
-        "media-src 'self' blob:; "
-        "object-src 'none'; "
-        "frame-ancestors 'self'; "
-        "base-uri 'self';"
-    )
-}
-
 # Security Configuration
 ENABLE_STRICT_TRANSPORT_SECURITY = os.getenv('ENABLE_HSTS', 'false').lower() == 'true'
 HSTS_MAX_AGE = int(os.getenv('HSTS_MAX_AGE', '31536000'))  # 1 year default
@@ -210,6 +187,7 @@ def get_allowed_extensions(enable_video=False, enable_audio=False):
 MICROSOFT_PROVIDER_AUTHENTICATION_SECRET = os.getenv("MICROSOFT_PROVIDER_AUTHENTICATION_SECRET")
 LOGIN_REDIRECT_URL = os.getenv("LOGIN_REDIRECT_URL")
 HOME_REDIRECT_URL = os.getenv("HOME_REDIRECT_URL")  # Front Door URL for home page
+
 AZURE_ENVIRONMENT = os.getenv("AZURE_ENVIRONMENT", "public") # public, usgovernment, custom
 
 WORD_CHUNK_SIZE = 400
@@ -232,6 +210,12 @@ def get_allowed_extensions(enable_video=False, enable_audio=False):
     AUTHORITY = f"https://login.microsoftonline.com/{TENANT_ID}"
     authority = AzureAuthorityHosts.AZURE_PUBLIC_CLOUD
 
+# Teams SSO Configuration
+ENABLE_TEAMS_SSO = os.getenv("ENABLE_TEAMS_SSO", "false").lower() == "true"
+TEAMS_FRAME_ANCESTORS = os.getenv("TEAMS_FRAME_ANCESTORS", "") # e.g. "https://teams.microsoft.com https://*.teams.microsoft.com" - should be set to Teams domains if in airgap, otherwise can be left blank to allow from any domain since we validate the origin in the frontend against allowed Teams domains
+CUSTOM_TEAMS_ORIGINS_RAW = os.getenv("CUSTOM_TEAMS_ORIGINS", "")  # JSON array of valid domains for Teams SSO if in airgap, otherwise this is pulled from Teams, e.g. ["https://teams.microsoft.com", "https://*.teams.microsoft.com"]
+CUSTOM_TEAMS_ORIGINS = json.loads(CUSTOM_TEAMS_ORIGINS_RAW) if CUSTOM_TEAMS_ORIGINS_RAW else []
+
 if AZURE_ENVIRONMENT == "custom":
     OIDC_METADATA_URL = CUSTOM_OIDC_METADATA_URL_VALUE or f"https://login.microsoftonline.com/{TENANT_ID}/v2.0/.well-known/openid-configuration"
     resource_manager = CUSTOM_RESOURCE_MANAGER_URL_VALUE
@@ -248,13 +232,44 @@ def get_allowed_extensions(enable_video=False, enable_audio=False):
     video_indexer_endpoint = "https://api.videoindexer.ai.azure.us"
     search_resource_manager = "https://search.azure.us"
     KEY_VAULT_DOMAIN = ".vault.usgovcloudapi.net"
+    if ENABLE_TEAMS_SSO and not TEAMS_FRAME_ANCESTORS:
+        # In US Government, we need to restrict the frame ancestors to the specific Teams domains to allow the SSO flow to work, since we can't rely on the frontend to validate the origin against the public Teams domains.
+        TEAMS_FRAME_ANCESTORS = "https://teams.microsoft.us https://*.teams.microsoft.us"
 else:
     OIDC_METADATA_URL = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0/.well-known/openid-configuration"
     resource_manager = "https://management.azure.com"
     credential_scopes=[resource_manager + "/.default"]
     cognitive_services_scope = "https://cognitiveservices.azure.com/.default"
     video_indexer_endpoint = "https://api.videoindexer.ai"
     KEY_VAULT_DOMAIN = ".vault.azure.net"
+    if ENABLE_TEAMS_SSO and not TEAMS_FRAME_ANCESTORS:
+        # In public cloud, we can allow from any domain since we validate the origin in the frontend against allowed Teams domains.
+        TEAMS_FRAME_ANCESTORS = "https://teams.microsoft.com https://*.teams.microsoft.com"
+
+# Security Headers Configuration
+SECURITY_HEADERS = {
+    'X-Content-Type-Options': 'nosniff',
+    'X-XSS-Protection': '1; mode=block',
+    'Referrer-Policy': 'strict-origin-when-cross-origin',
+    'Content-Security-Policy': (
+        "default-src 'self'; "
+        "script-src 'self' 'unsafe-inline' 'unsafe-eval'; "
+        #"script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.jsdelivr.net https://code.jquery.com https://stackpath.bootstrapcdn.com; "
+        "style-src 'self' 'unsafe-inline'; "
+        #"style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net https://stackpath.bootstrapcdn.com; "
+        "img-src 'self' data: https: blob:; "
+        "font-src 'self'; "
+        #"font-src 'self' https://cdn.jsdelivr.net https://stackpath.bootstrapcdn.com; "
+        "connect-src 'self' https: wss: ws:; "
+        "media-src 'self' blob:; "
+        "object-src 'none'; "
+        f"frame-ancestors 'self' {TEAMS_FRAME_ANCESTORS}; "
+        "base-uri 'self';"
+    )
+}
+
+if not ENABLE_TEAMS_SSO:
+    SECURITY_HEADERS['X-Frame-Options'] = 'DENY'  # Prevent framing if Teams SSO is not enabled
 
 def get_redis_cache_infrastructure_endpoint(redis_hostname: str) -> str:
     """

application/single_app/route_frontend_authentication.py

@@ -1,7 +1,7 @@
 # route_frontend_authentication.py
 
-from unittest import result
 from config import *
+from functions_appinsights import log_event
 from functions_authentication import _build_msal_app, _load_cache, _save_cache, clear_requested_oauth_scopes, get_requested_oauth_scopes
 from functions_debug import debug_print
 from swagger_wrapper import swagger_route, get_auth_security
@@ -32,6 +32,23 @@ def register_route_frontend_authentication(app):
     @app.route('/login')
     @swagger_route(security=get_auth_security())
     def login():
+        # Check if this is a Teams context (via query parameter)
+        # teams=true: Attempt Teams SSO detection
+        # teams=false: Skip Teams SSO, use standard Azure AD flow
+        # No parameter: Default to Teams SSO detection (for backward compatibility)
+        teams_param = request.args.get('teams', 'true')
+        is_teams = teams_param == 'true'
+
+        if is_teams and ENABLE_TEAMS_SSO:
+            # Render a page that will detect Teams and handle SSO
+            from functions_settings import get_settings, sanitize_settings_for_user
+            settings = get_settings()
+            return render_template('login.html', 
+                                 client_id=CLIENT_ID,
+                                 enable_teams_sso=is_teams,
+                                 custom_teams_origins=CUSTOM_TEAMS_ORIGINS,
+                                 app_settings=sanitize_settings_for_user(settings))
+
         # Clear potentially stale cache/user info before starting new login
         session.pop("user", None)
         session.pop("token_cache", None)
@@ -212,6 +229,77 @@ def authorized_api():
 
         return jsonify(result, 200)
 
+    @app.route('/auth/teams/token-exchange', methods=['POST'])
+    @swagger_route(security=get_auth_security())
+    def teams_token_exchange():
+        """
+        Exchange a Teams SSO token for an access token using On-Behalf-Of (OBO) flow.
+        This endpoint receives the Teams SSO token from the frontend and exchanges it
+        for tokens that can access Microsoft Graph and other APIs.
+        """
+        try:
+            # Feature gate: only allow token exchange when Teams SSO is enabled
+            if not ENABLE_TEAMS_SSO:
+                return jsonify({"error": "teams_sso_disabled"}), 404
+
+            data = request.get_json()
+            teams_token = data.get('token') or {}
+
+            if not teams_token:
+                return jsonify({"error": "No token provided"}), 400
+
+            # Build MSAL app
+            msal_app = _build_msal_app(cache=_load_cache())
+
+            # Use OBO flow to exchange the Teams token
+            result = msal_app.acquire_token_on_behalf_of(
+                user_assertion=teams_token,
+                scopes=SCOPE
+            )
+
+            if "error" in result:
+                error_description = result.get("error_description", result.get("error"))
+                log_event(f"Teams token exchange failure: {error_description}", exceptionTraceback=True)
+                return jsonify({
+                    "error": result.get("error"),
+                    "error_description": error_description
+                }), 400
+
+            # Store user identity info from ID token claims
+            session["user"] = result.get("id_token_claims")
+
+            # Save the token cache to session
+            _save_cache(msal_app.token_cache)
+
+            user_name = session['user'].get('name', 'Unknown')
+            log_event(f"Teams SSO: User {user_name} authenticated successfully.")
+
+            # Log the login activity
+            try:
+                from functions_activity_logging import log_user_login
+                user_id = session['user'].get('oid') or session['user'].get('sub')
+                if user_id:
+                    log_user_login(user_id, 'teams_sso')
+            except Exception as e:
+                debug_print(f"Could not log Teams login activity: {e}")
+
+            # Return success with user info
+            return jsonify({
+                "success": True,
+                "user": {
+                    "name": user_name,
+                    "email": session['user'].get('preferred_username'),
+                    "id": session['user'].get('oid')
+                }
+            }), 200
+
+        except Exception as e:            
+            debug_print(f"Teams token exchange error: {str(e)}")
+            return jsonify({
+                "error": "token_exchange_failed",
+                "error_description": "An unexpected error occurred during token exchange."
+            }), 500
+
     @app.route('/logout/local')
     @swagger_route(security=get_auth_security())
     def local_logout():