I'm using sample Azure MSGraph Bot Authentication (https://learn.microsoft.com/en-us/azure/bot-service/bot-builder-authentication?view=azure-bot-service-4.0&tabs=csharp), without any code changes (only changing APP id's and connection name). I have an html page with WebChat example, and in the back of Azure portal, i have MSGraph authentication. Here are the steps, that working wrong:
In other words, my authentication session keeps alive in other browser and on the other machines, for other domain users. How can i prevent this?
(...) If userID is not specified, it will default to a random user ID. Multiple users sharing the same user ID is not recommended; their user state will be shared. (API documentation)
You are setting the userID to YOUR_USER_ID
, which means that state will be shared over all users. This is causing your problems and is a security risk when you are authenticating users.
Remove the line which states userID
in your code, as seen in the example below. If there is no userID
set, it will default to a random user ID.
window.WebChat.renderWebChat(
{
directLine: window.WebChat.createDirectLine({
token: 'YOUR_DIRECT_LINE_TOKEN'
}),
userID: 'YOUR_USER_ID', <!-- REMOVE THIS LINE -->
username: 'Web Chat User',
locale: 'en-US',
botAvatarInitials: 'WC',
userAvatarInitials: 'WW'
},
document.getElementById('webchat')
);