Search code examples
botframeworkmicrosoft-teams

Microsoft Teams App - Add Authentication and Authorization for Task/Fetch Card Action

Located in the BotBuilder-Samples GitHub repo: https://github.com/microsoft/BotBuilder-Samples

There is a sample app: 54.teams-task-module. This app demonstrates a task/fetch action with a Url to a Custom Form which is rendered by a Razor Page.

https://github.com/microsoft/BotBuilder-Samples/tree/main/samples/csharp_dotnetcore/54.teams-task-module

In the Bot, the OnTeamsTaskModuleFetchAsync method is overridden to return a TaskModuleResponse which tells the system to fetch the URL passed back to Teams in the response.

https://github.com/microsoft/BotBuilder-Samples/blob/main/samples/csharp_dotnetcore/54.teams-task-module/Bots/TeamsTaskModuleBot.cs

 protected override Task<TaskModuleResponse> OnTeamsTaskModuleFetchAsync(ITurnContext<IInvokeActivity> turnContext, TaskModuleRequest taskModuleRequest, CancellationToken cancellationToken)
    {
        var asJobject = JObject.FromObject(taskModuleRequest.Data);
        var value = asJobject.ToObject<CardTaskFetchValue<string>>()?.Data;

        var taskInfo = new TaskModuleTaskInfo();
        switch (value)
        {
            case TaskModuleIds.YouTube:
                taskInfo.Url = taskInfo.FallbackUrl = _baseUrl + "/" + TaskModuleIds.YouTube;
                SetTaskInfo(taskInfo, TaskModuleUIConstants.YouTube);
                break;
            case TaskModuleIds.CustomForm:
                taskInfo.Url = taskInfo.FallbackUrl = _baseUrl + "/" + TaskModuleIds.CustomForm;
                SetTaskInfo(taskInfo, TaskModuleUIConstants.CustomForm);
                break;
            case TaskModuleIds.AdaptiveCard:
                taskInfo.Card = CreateAdaptiveCardAttachment();
                SetTaskInfo(taskInfo, TaskModuleUIConstants.AdaptiveCard);
                break;
            default:
                break;
        }

        return Task.FromResult(taskInfo.ToTaskModuleResponse());
    }

I have enabled developer tools in Teams and watched the network requests, as well as overridden every method I can find to try find an extensibility point to inject some sort of token into the request so that the URL can be secured from public anonymous access.

Question: The only way to provide authorization on the Razor Page I see right now is passing the token on the query string and using a custom authorization handler to process the token.

Is there a better way to inject a token or any other info into the task/fetch request so that the request can be authenticated and authorized?

Solution

  • From my comments: Looking at it as "Web inside Adaptive" and revisiting the sample project and your information it does seem the "CustomForm" razor page is initializing the Teams JavaScript SDK.

    This DOES mean I can authenticate this content using the SSO as you mentioned.

    I had only thought it would work in a TAB, not inside a bot card.Solved, follow the tabs javascript SDK guidance.