feat(microsoft-teams): microsoft: Obtain tenantId by decoding the access token instead of calling the /organizations endpoint #4024
This PR updates the Microsoft Teams post-connection logic to decode the access token using JWT. It introduces a new interface for the decoded token structure and retrieves the tenant ID directly from the decoded token instead of making an API call. This change improves efficiency by reducing unnecessary network requests and streamlining the connection configuration process.
Microsoft Teams Authentication Optimization: JWT Token Decoding for TenantID
This PR optimizes the Microsoft Teams authentication flow by replacing an API call with direct JWT token decoding. Instead of making a network request to the '/v1.0/organization' endpoint, the code now extracts the tenant ID directly from the access token. This approach reduces latency, eliminates a potential failure point, and improves overall connection efficiency by removing an unnecessary network dependency.
Key Changes:
• Replaced API call to /v1.0/organization with JWT token decoding
• Created comprehensive MicrosoftDecodedToken interface for token structure
• Extracted tenant ID (tid) directly from the decoded token
• Removed dependency on axios for this operation
Affected Areas:
• Microsoft Teams post-connection handler
• Authentication flow for Microsoft Teams integration
Potential Impact:
Functionality: More reliable tenant ID retrieval with fewer dependencies on external API calls
Performance: Reduced latency by eliminating an HTTP request during connection setup
Security: Potential security concern due to using jwt.decode() without proper token verification
Scalability: Improved scalability by reducing external API dependencies and network traffic
Review Focus:
• Security concern: Using jwt.decode() without verification
• Completeness of the MicrosoftDecodedToken interface
• Error handling when token is not decodable
• Type assertion safety when handling the decoded JWT
Testing Needed
• Verify tenant ID extraction works for tokens from different Microsoft tenants
• Test with various token structures to ensure the interface is complete
• Verify error handling when token cannot be decoded properly
• Test with expired/invalid tokens to ensure graceful failure
Code Quality Assessment
packages/server/lib/hooks/connection/providers/microsoft-teams/post-connection.ts: Well-structured with clear type definitions. The interface is comprehensive but could potentially be simplified if not all properties are needed.
Best Practices
Code Organization:
• Well-defined interfaces
• Type safety
Error Handling:
• Defensive coding with type and existence checks
Performance:
• Reducing API calls
• Local processing instead of network requests
Possible Issues
• Security vulnerability from using jwt.decode() without verification
• Token structure might change in Microsoft API updates
• Interface may need updates if Microsoft adds/removes fields from their tokens
This summary was automatically generated by @propel-code-bot
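The tid extraction, structural checks and failure handling that the summary above asks reviewers to look at, as an added TypeScript example (not the PR's code; the helper names, the claims other than tid and the sample tokens are assumptions):

```typescript
// Added example, not the PR's implementation. Decoding a JWT payload is NOT
// verification: nothing below checks the signature, issuer, audience or expiry,
// so `tid` is only as trustworthy as the channel the token arrived over (the
// OAuth token-endpoint response the post-connection hook has just received).

interface MicrosoftDecodedToken {
  tid?: string;            // tenant id (the claim this hook needs)
  oid?: string;            // other claims are assumed here, not taken from the PR
  exp?: number;
  [claim: string]: unknown;
}

// Decode the second compact-JWS segment; return null for anything malformed.
function decodeJwtPayload(token: string): MicrosoftDecodedToken | null {
  const parts = token.split('.');
  if (parts.length !== 3) return null;                 // not header.payload.signature
  try {
    const json = Buffer.from(parts[1], 'base64url').toString('utf8');
    const payload: unknown = JSON.parse(json);
    if (typeof payload !== 'object' || payload === null || Array.isArray(payload)) {
      return null;                                     // payload is not a claims object
    }
    return payload as MicrosoftDecodedToken;
  } catch {
    return null;                                       // bad base64url or bad JSON
  }
}

// Tenant ids are GUIDs; reject anything else rather than trusting a type assertion.
const TENANT_GUID = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

export function extractTenantId(token: string): string | null {
  const tid = decodeJwtPayload(token)?.tid;
  return typeof tid === 'string' && TENANT_GUID.test(tid) ? tid : null;
}

// Constructed sample tokens with a dummy signature (not real Microsoft tokens).
export function b64url(value: unknown): string {
  return Buffer.from(JSON.stringify(value)).toString('base64url');
}
export const HEADER = b64url({ alg: 'RS256', typ: 'JWT', kid: 'constructed' });
export const SAMPLE_TENANT = '11111111-2222-3333-4444-555555555555';
export const SAMPLE_TOKEN = `${HEADER}.${b64url({ tid: SAMPLE_TENANT, exp: 0 })}.sig`;
export const NON_STRING_TID_TOKEN = `${HEADER}.${b64url({ tid: 42 })}.sig`;
export const ARRAY_PAYLOAD_TOKEN = `${HEADER}.${b64url([1, 2])}.sig`;
```

An expired token still yields its tid here, which is what the hook needs for identification; the expiry and signature checks belong to whoever consumes the token as a credential.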