Coding Stephan

Teams Hacktogether: Getting access

For our Teams app we wanted to access the applications from the My Apps page, but how do you access data from an app that does not have a public API? Let me start by saying that using an internal API, as I’ll be showing here, is never recommended in production. Only use this information for proofs of concept, like the one we are building.

Browser developer tools to the rescue

Developer Tools

I opened the developer tools in the browser and found that the My Apps page seems to be a client-side app that loads something that ends with /tiles. Since I was looking for the content of the tiles on that page, that was exactly what I needed: https://api.myapplications.microsoft.com/api/v2/me/tiles

Part 1: Find the correct URL

Load data in Insomnia

I then copied this URL to Insomnia (my favorite HTTP client app) and gave it a go. I expected it to fail, and it did. The API did not yet know who I was, and could not show the correct information. I copied the Authorization header from the dev tools and tried again. That made the server give me all the needed information.

But how did the app get that token, and how would I do the same from my own application? The Authorization header starting with Bearer eyJhbGciOiJSU0EtT gave me a good hint. It’s a bearer token, and they use a JWT (seeing the eyJ start).
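To see what such a header carries, the sketch below (an added example, not code from the original post or from Microsoft) splits a Bearer value into its JWT segments and reads the audience and scopes. The function names and every sample value are assumptions constructed for illustration; the `aud`, `scp` and `exp` claim names are the ones Microsoft identity platform access tokens use.

```javascript
// Added example: inspect a bearer token copied from the browser's network tab.
// All sample values are constructed; nothing here is a real token.

// base64url -> UTF-8 string (JWT segments use the URL-safe alphabet, unpadded).
function b64urlDecode(segment) {
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  return Buffer.from(b64, "base64").toString("utf8");
}

// JSON object -> base64url segment (only used to build the constructed sample).
function b64urlEncode(obj) {
  return Buffer.from(JSON.stringify(obj)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Parse an Authorization header value. Decoding does NOT verify the signature.
function inspectBearer(headerValue) {
  const match = /^Bearer\s+(\S+)$/i.exec(headerValue.trim());
  if (!match) throw new Error("not a Bearer authorization value");
  const parts = match[1].split(".");
  // 3 segments = signed JWT (JWS); 5 segments = encrypted JWT (JWE).
  if (parts.length !== 3 && parts.length !== 5) {
    throw new Error("not a compact JWT");
  }
  const header = JSON.parse(b64urlDecode(parts[0])); // always starts with {" -> "eyJ"
  const result = { format: "JWS", header, audience: null, scopes: [], expires: null };
  if (parts.length === 5) {
    result.format = "JWE"; // claims are encrypted and cannot be read here
    return result;
  }
  const claims = JSON.parse(b64urlDecode(parts[1]));
  result.audience = claims.aud ?? null;                      // API the token is for
  result.scopes = (claims.scp || "").split(" ").filter(Boolean); // delegated scopes
  result.expires = claims.exp ? new Date(claims.exp * 1000).toISOString() : null;
  return result;
}

// Constructed sample: placeholder audience, scope name and expiry.
const sampleClaims = { aud: "https://api.example.invalid", scp: "workspace.read", exp: 1700000000 };
const sampleHeader = "Bearer " + [
  b64urlEncode({ alg: "RS256", typ: "JWT" }),
  b64urlEncode(sampleClaims),
  "constructed-signature",
].join(".");

console.log(inspectBearer(sampleHeader));
```

The audience and scopes shown this way describe what the token was issued for; they say nothing about whether the signature is valid.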

MSAL

As with a lot of Microsoft products, I suspected this app to use MSAL, the Microsoft-built library they are actively promoting for when you want people to log in to your (web) application. It seemed only reasonable that they would use it in their own apps as well.

And would you look at that, the developer tools showed me that the browser had some msal entries in the local storage.

Figuring out the correct scope

MSAL can be used to get access tokens for Graph and for custom APIs that are built for your company. But as it turns out, you can also use it to request tokens for unrelated apps, as long as you know what to ask for.

With some MSAL “hacking” in the past, I knew what to look for and eventually figured out that if you want access to the above API, you need a token for a special scope. To access the user profile you would need User.Read; for this app you need ..........(check-the-source)......../workspace.read.

We got access

By using just the dev tools, we knew where to load the tiles and how we should get a token.

With this newfound information we continued on our journey to show My Apps inside Teams.

My Apps in Insomnia

Journey

If you think this was interesting, you should definitely check out the other posts on this topic.

Series: Teams Hacktogether