Leveraging MS SSO for teams tab secure?
I have an app I want to embed as a tab in MS Teams. Users may already have an account outside of teams and I use magic login link to typically to log users in. I want to know if I can leverage teams tab SSO to log users into their existing account. So my idea is:
User has an account with my app already. It is associated with their organization email.
They access my app in Teams and grant permissions necessary, my app gets an auth token and validates it
If that is successful, I find the user's account associated with their email and log them in with a magic login link
If an email associated with their account is not found, I would ask them to register first
I'm wondering if this is a valid use case for teams tab sso? Is it enough to trust that the validated token means the user is good and can be logged in? I know typically there is a "sign in with microsoft" idp option but that is a larger lift. Was wondering if there are big security red flags here.
Here are the MS teams docs: https://learn.microsoft.com/en-us/microsoftteams/platform/tabs/how-to/authentication/tab-sso-overview
It talks about the token as both an auth token and an identity token so it leads me to think this is a valid use case but I am not super familiar with auth systems. The main concern is I don't want to give users access to an account that isn't theirs but this seems unlikely to happen.
