I'm getting an Unauthorized error when I try to send a message from the Azure Bot channel to the API. I have deployed the Azure app and Bot channel with Pulumi. In the Azure application I noticed that there is a warning in the authentication section about Implicit Grant.
If I disable the Implicit Grant setting from the Azure portal, then the Bot channel works fine. I'm creating the Azure application with default settings as per the Pulumi documentation, but there is no option to remove this Implicit Grant setting.
I have created the Azure application and Bot channel with Pulumi using this link:
```csharp
// Usings assumed for the Pulumi classic Azure and Azure AD providers (not shown in the post)
using Pulumi;
using Pulumi.Azure.Bot;
using Pulumi.Azure.Core;
using AzureAD = Pulumi.AzureAD;

// Wrapper class assumed; the post shows only the methods
public static class BotResources
{
    // Azure AD app registration that the bot channel authenticates with
    public static AzureAD.Application Create()
    {
        var name = "app-name";
        var azureApp = new AzureAD.Application(name, new AzureAD.ApplicationArgs
        {
            Name = name
            // Tried combinations of the following lines, but it makes no difference
            //, Type = "native"
            //, Oauth2AllowImplicitFlow = false
        });
        CreatePrincipal(azureApp);
        return azureApp;
    }

    // Service principal for the app registration in this tenant
    private static void CreatePrincipal(AzureAD.Application azureApp)
    {
        var name = "app-principal";
        new AzureAD.ServicePrincipal(name, new AzureAD.ServicePrincipalArgs
        {
            ApplicationId = azureApp.ApplicationId
        });
    }

    // Bot channel registration bound to the app registration's application (client) id
    public static ChannelsRegistration Create(ResourceGroup resourceGroup, AzureAD.Application teamsBotAzureApp)
    {
        var channelName = "Channel";
        var channel = new ChannelsRegistration(channelName, new ChannelsRegistrationArgs
        {
            Location = "global",
            ResourceGroupName = resourceGroup.Name,
            Sku = "F0",
            MicrosoftAppId = teamsBotAzureApp.ApplicationId,
            Endpoint = "https://azurefunction.com/api/BotMessagesHandler"
        });
        CreateChannel(resourceGroup, channel); // CreateChannel is not shown in the post
        return channel;
    }
}
```
In Azure AD, the Implicit Grant setting is controlled by parameters in the Manifest (you can also set them in the UI, and they will then be changed in the manifest). "Access tokens" corresponds to `oauth2AllowImplicitFlow`, and "ID tokens" corresponds to `oauth2AllowIdTokenImplicitFlow`.
If you create the app with Pulumi, you can set `Oauth2AllowImplicitFlow = false` to disable the access tokens, but it looks like there is no `oauth2AllowIdTokenImplicitFlow` in the Pulumi inputs, so you cannot disable the ID tokens via Pulumi.
You could try the workarounds below.
1. From the warning, it says "You should remove these settings or register the appropriate redirect URI." So you could try to create the app with a redirect URI (i.e. `ReplyUrls`) with the code like below, and see if it works without disabling the ID tokens.
```csharp
ReplyUrls =
{
    "https://replyurl",
}
```
2. If that is acceptable, you could use the Microsoft Graph SDK to update the application after creating it. Set `enableIdTokenIssuance` to `false` in `implicitGrantSettings` of the `web` property, and the ID tokens will then be disabled.
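The Graph update from workaround 2, as an added example that is not part of the answer above. It assumes the Microsoft.Graph (v4-style request builders) and Azure.Identity packages, a caller granted `Application.ReadWrite.All` (or ownership of the app), and that you pass the app registration's object id (the Pulumi `Application` resource's `ObjectId` output), not the application/client id the bot channel uses; it disables both implicit-flow token types and reads the registration back to confirm the change landed.

```csharp
// Added example (not from the post): disable implicit-flow ID and access tokens
// on an existing app registration through Microsoft Graph.
using System;
using System.Threading.Tasks;
using Azure.Identity;
using Microsoft.Graph;

public static class ImplicitGrantHardening
{
    // PATCH body: only the fields set here are sent, everything else on the
    // app registration is left untouched.
    public static Application BuildPatch()
    {
        return new Application
        {
            Web = new WebApplication
            {
                ImplicitGrantSettings = new ImplicitGrantSettings
                {
                    EnableIdTokenIssuance = false,     // the "ID tokens" checkbox
                    EnableAccessTokenIssuance = false  // the "Access tokens" checkbox
                }
            }
        };
    }

    // appObjectId is the registration's *object* id (placeholder supplied by the caller).
    public static async Task DisableImplicitGrantAsync(string appObjectId)
    {
        var credential = new DefaultAzureCredential();
        var graph = new GraphServiceClient(credential,
            new[] { "https://graph.microsoft.com/.default" });

        await graph.Applications[appObjectId].Request().UpdateAsync(BuildPatch());

        // Verify: re-read the web settings and fail loudly if either flag is still on.
        var updated = await graph.Applications[appObjectId].Request().Select("web").GetAsync();
        var grant = updated.Web?.ImplicitGrantSettings;
        if (grant?.EnableIdTokenIssuance == true || grant?.EnableAccessTokenIssuance == true)
        {
            throw new InvalidOperationException(
                "Implicit grant is still enabled on app " + appObjectId);
        }
    }
}
```

Run it once after `pulumi up` (or from a post-deployment step) so the registration that the bot channel's `MicrosoftAppId` points at no longer issues implicit-flow tokens.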