Tags: c#, azure, asp.net-core, authentication, botframework

How to implement user authentication in a Microsoft Team Chat Bot without AAD access?


I'm working on a Bot using MS Bot Framework SDK 4. I have a unique endpoint exposed in the Bot API called POST api/messages.

using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Bot.Builder;
using Microsoft.Bot.Builder.Integration.AspNet.Core;

[Route("api/messages")]
[ApiController]
public class BotController : ControllerBase
{
    private readonly IBotFrameworkHttpAdapter _adapter;
    private readonly IBot _bot;

    public BotController(IBotFrameworkHttpAdapter adapter, IBot bot)
    {
        _adapter = adapter;
        _bot = bot;
    }

    [HttpPost, HttpGet]
    public async Task PostAsync()
    {
        // Delegate the processing of the HTTP POST to the adapter.
        // The adapter validates the request's Authorization header
        // (the Bot Framework service token) and then invokes the bot.
        await _adapter.ProcessAsync(Request, Response, _bot);
    }
}

As you can see, this endpoint is exposed to the internet, and no authentication mechanism validates whether a user is allowed to access api/messages.

Reading the Bot Framework documentation, I found:

When you register a bot in Azure via an Azure Bot resource, Azure creates an Azure Active Directory (Azure AD) registration application. This application has an app ID (MicrosoftAppId) and a client secret (MicrosoftAppPassword).

The problem is that, due to security policies, I cannot use the AAD (Azure Active Directory) application created when the Bot Service was created in the Azure Portal.


I have read several docs about implementing authentication on the Bot, but as I understand from the docs, I need access to AAD to implement some of them.

Build a bot with SSO authentication

Add authentication to a bot SDK v4

Enable SSO for your app and message extension app

Enable SSO for Adaptive Cards Universal Actions in your bot

Enable authentication using third-party OAuth provider

Is there any way to add some authentication to POST api/messages without using AAD? Any instructions or doc references to follow? Thanks.


Solution

  • First, we are trying to integrate an Azure Bot into Microsoft Teams, so I'm afraid that AAD is the best authentication mechanism here.

    Let's go back to the AAD app created when creating the Azure Bot Service. This application is not created for user authentication, but for service-to-service authentication. You can understand it as follows: the bot service is also an application, hosted in the botframework.com tenant, and the Azure Bot Service is created in your own tenant, so you created an Azure AD application for this authentication. But we didn't have a document or explanation for this part.

    Then, when we want to "restrict" the users who interact with the chatbot, for example to have the bot call the MS Graph API to query user mails on behalf of this user, we need an authentication mechanism to let the user sign in; here is the official document for it, and here's the official sample for it.

    The last point is about the [Route("api/messages")] endpoint. This endpoint is not designed for the Teams app but for the Azure Bot Service. We need to set the endpoint, like xxx.azurewebsites.net/api/messages, in the configuration blade inside the Azure Bot Service instance. At the same time, we are also not able to control the Teams client to call this API when we talk to the bot via the Teams chat dialog. Therefore, it doesn't make sense to try to protect this API. This API is designed for the Bot Service, and your Bot Service has already been authenticated via the Azure AD application you created.

    This is my idea of how the Teams bot works; it is just my own idea. The bot service monitors the chat messages received in the Teams channel or some other channel, then sends the message to the application via the endpoint set inside the Azure Bot Service instance. Your bot application gets the message through the API and generates the correct message as the reply. The reply might be sent to the Teams chat dialog via the chat dialog ID.
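The answer's point is that api/messages is not an unprotected endpoint: the Bot Framework adapter validates the service-to-service token that the Bot Service attaches to every POST, using the MicrosoftAppId and MicrosoftAppPassword of the AAD app. The following is an added example, not code from the question, the answer or the Bot Framework project, showing the SDK v4 wiring that turns that validation on (CloudAdapter backed by ConfigurationBotFrameworkAuthentication, which reads the standard MicrosoftAppId / MicrosoftAppPassword / MicrosoftAppType / MicrosoftAppTenantId settings) plus an extra middleware, written here as an illustration, that drops activities which did not come from Microsoft Teams or from the expected tenant. The class names, the namespace and the AllowedTeamsTenantId setting are assumptions; the SDK types and the four Microsoft* configuration keys are the real ones.

```csharp
// Added example, not part of the original question or answer.
// Assumed appsettings.json entries (standard Bot Framework SDK v4 keys, values are placeholders):
//   "MicrosoftAppType":     "SingleTenant",
//   "MicrosoftAppId":       "<app id of the bot's AAD registration>",
//   "MicrosoftAppPassword": "<client secret>",
//   "MicrosoftAppTenantId": "<your tenant id>",
//   "AllowedTeamsTenantId": "<your tenant id>"   // hypothetical key, read by the middleware below
using System;
using System.Security.Principal;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Bot.Builder;
using Microsoft.Bot.Builder.Integration.AspNet.Core;
using Microsoft.Bot.Connector;
using Microsoft.Bot.Connector.Authentication;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;

namespace TeamsBotAuthExample // hypothetical namespace
{
    // Runs after the adapter has validated the Bot Framework token on the HTTP request.
    // Drops activities that were accepted anonymously, did not come from Teams, or come
    // from a tenant other than the one configured.
    public class TeamsTenantAllowListMiddleware : IMiddleware
    {
        private readonly string _allowedTenantId;
        private readonly ILogger<TeamsTenantAllowListMiddleware> _logger;

        public TeamsTenantAllowListMiddleware(IConfiguration config, ILogger<TeamsTenantAllowListMiddleware> logger)
        {
            _allowedTenantId = config["AllowedTeamsTenantId"]; // hypothetical setting name
            _logger = logger;
        }

        public async Task OnTurnAsync(ITurnContext turnContext, NextDelegate next, CancellationToken cancellationToken)
        {
            var activity = turnContext.Activity;

            // The adapter stores the identity it validated under BotAdapter.BotIdentityKey.
            // When MicrosoftAppId is empty the SDK disables inbound token validation and
            // assigns the "anonymous" authentication type (local emulator mode); in a
            // deployed bot that is a misconfiguration, so refuse to process the turn.
            var identity = turnContext.TurnState.Get<IIdentity>(BotAdapter.BotIdentityKey);
            if (identity == null || string.Equals(identity.AuthenticationType, "anonymous", StringComparison.OrdinalIgnoreCase))
            {
                _logger.LogWarning("Dropping activity {Id}: inbound request was not authenticated", activity.Id);
                return;
            }

            if (!string.Equals(activity.ChannelId, Channels.Msteams, StringComparison.OrdinalIgnoreCase))
            {
                _logger.LogWarning("Dropping activity {Id} from non-Teams channel {Channel}", activity.Id, activity.ChannelId);
                return;
            }

            // Teams populates the tenant of the conversation; compare it with the allow list.
            var tenantId = activity.Conversation?.TenantId;
            if (string.IsNullOrEmpty(_allowedTenantId) || !string.Equals(tenantId, _allowedTenantId, StringComparison.OrdinalIgnoreCase))
            {
                _logger.LogWarning("Dropping activity {Id} from unexpected tenant {Tenant}", activity.Id, tenantId);
                await turnContext.SendActivityAsync("This bot is not available in your organisation.", cancellationToken: cancellationToken);
                return;
            }

            await next(cancellationToken);
        }
    }

    // CloudAdapter verifies the Authorization: Bearer token on each POST to api/messages
    // against the MicrosoftAppId/MicrosoftAppPassword registration before the bot runs.
    public class AuthenticatedTeamsAdapter : CloudAdapter
    {
        public AuthenticatedTeamsAdapter(BotFrameworkAuthentication auth, ILogger<AuthenticatedTeamsAdapter> logger, TeamsTenantAllowListMiddleware tenantCheck)
            : base(auth, logger)
        {
            Use(tenantCheck);
        }
    }

    public static class BotServiceRegistration
    {
        // Call from Startup.ConfigureServices; the BotController from the question then
        // receives AuthenticatedTeamsAdapter as its IBotFrameworkHttpAdapter.
        public static IServiceCollection AddAuthenticatedTeamsBot<TBot>(this IServiceCollection services) where TBot : class, IBot
        {
            services.AddHttpClient();
            services.AddSingleton<BotFrameworkAuthentication, ConfigurationBotFrameworkAuthentication>();
            services.AddSingleton<TeamsTenantAllowListMiddleware>();
            services.AddSingleton<IBotFrameworkHttpAdapter, AuthenticatedTeamsAdapter>();
            services.AddTransient<IBot, TBot>();
            return services;
        }
    }
}
```

The one configuration under which api/messages really is open is a blank MicrosoftAppId: the SDK then treats the bot as running against the local emulator and accepts requests without a token, which is what the identity check in the middleware is there to catch and log. Everything else the question worries about is already covered by the adapter's token validation, which is the service-to-service authentication the answer describes; the tenant check only narrows which Teams organisation's users the bot will answer, it does not replace user sign-in via the OAuth flows linked in the question.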