I'm adding authentication to a bot built with Bot Framework SDK v4 (C#) that will work with Microsoft Teams. I've been following add authentication and add SSO tutorials, trying to get it to work. Both of these hyperlinks jump to a requirement I am stuck on, which is to add OAuth connection settings through the Azure Bot Service. I don't have a subscription with Azure and would prefer to avoid it. I just don't want to deal with a subscription to all these services when I need a tiny portion of it. I'm also going to publish the bot on a local server, not to Azure, and I'm pretty sure I only need a standard channel, which should be free.
The tutorials also explain that I need to use Azure Bot Service to generate a Microsoft app id and an app password. It turns out those values can be obtained through a normal app registration, which I need anyways, in Azure AD. They are just app Id and client secret. This is making me wonder if that OAuth connection setting can be created outside of an Azure subscription as well.
As of now, running the 46.teams-auth sample throws me an error explaining that I need a valid connectionName which is obtained by creating an OAuth connection setting.
All I'm trying to do is to implement authentication to a bot that will be used in Teams. So my questions are the following:
What even is the OAuth connection setting and is it necessary to create?
Is it not enough to register the bot application in Azure AD? It's just an API.
Is there any way to create the OAuth connection setting outside of an Azure subscription?
I've already used the Developer Portal, Azure AD, Bot Framework website, and ngrok to successfully test my bot in Teams. Adding authentication is the last step.
Related
I've been in the process of updating a .Net Framework 4.8 web & web API to .Net 6. This app is hosted in Azure App Services and used the authentication settings/easy auth for both Azure AD (with personnel accounts) and Google. We allow unauthenticated request, so users can access the home page and the download for the client.
I'm having issues with this after the .Net 6 update, as User.Identity.IsAuthenticated is not being set and I can't retrieve any claims to pick up the users email address. /.auth/login/aad works and I can see information at /.auth/me.
According to documentation from Microsoft, they say that there shouldn't be any code needed, but that is seems to not be the case: https://learn.microsoft.com/en-us/azure/app-service/scenario-secure-app-authentication-app-service#automatic-authentication-provided-by-app-service
I've also found this https://github.com/AzureAD/microsoft-identity-web/wiki/1.2.0#integration-with-azure-app-services-authentication-of-web-apps-running-with-microsoftidentityweb
Things that aren't working:
builder.Services.AddAuthentication(AppServicesAuthenticationDefaults.AuthenticationScheme)
.AddAppServicesAuthentication();
Also not working (have the Azure Ad section created in the app settings)
builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
.AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"));
I have tried many more things over the last couple of days, but can't remember them all.
I would rather have easy auth working with the same end points as this app has a WPF client that is using /.auth/login/aad to login in. I don't want to have to rewrite how auth is done completely in the frontend client.
So how do you set up Easy Auth in Azure App Services and have the claims brought in to the app?
Thank you in advance!
While I did try KK.AspNetCore.EasyAuthAuthentication & MaximeRouiller.Azure.AppService.EasyAuth. I finally had success with NEasyAuthMiddleware! That bridged the gap successfully between the App Services Authentication & populating the claims. Nice and clear instructions on how to implement as well.
I'm trying to integrate Azure BOT Framework inside my Android Mobile App. I thought of implementing a few API's inside BOT and give a response based on my queries. Since my APIs are secured, I need a token to access those API. So thought of prompting a Login dialog, inside the BOT window, and use those login credentials to fetch token and access the APIs. Please let me know if this is the right approach.
NOTE: I tried integrating the Rest API inside the BOT framework and I could able to do it successfully
Yes, using login dialog is the recommended way to get access tokens in Azure bot service. You can config it on Azure portal => your bot/bot => Settings :
You can follow this official doc to config it.
I'm thinking of how to implement Authentication in my Bot Project. My Boss wants Directline API from Azure as our go-to but there is no useful documentation provided by the Microsoft team. Another authentication is OAuth2 from Azure. Are these two similar? I know they both provide an Authentication token. But I would like to hear any suggestions from you guys.
I need to embed my Bot to the React Web-App. My plan is to only use the Bot if the user is logged-in within the App. So if it does whenever the user type/send message to the Bot. I need to authenticate that request and so on.
The Direct Line service (along with other channel connectors) in the bot framework utilizes Oauth. The connector service lives (and handles communication) between the chat client and the bot (your code). This is related to authenticating and handling communication between these endpoints. The bot resource (bot channels registration or web app bot) actually is dependent on an Azure AAD application that gets created along with that resource (uses client secret, etc).
Additionally, user authentication can be done, and there are bot framework SDK samples on how to implement that (let me know if you need examples).
Samples:
Here is the main samples repo with readme.
Here are the .NET
(core) specific ones.
Here is a sample that shows user
authentication using OAuth. Remember this is different than client
(Teams or Slack application for example) or channel authentication.
This is regarding authenticating a user to the bot through OAuth. The
readme contains this link already, but make sure you read and follow
this article on how to add authentication.
Here is a sample
using OAuth but also has calls utilizing that, to make calls to
MSGraph.
I dont want to use "Azure bot service".
I have host bot application to azure, after that got hosted url https://something.azurewebsites.net then registered a bot in bot framework https://dev.botframework.com/bots/new with https://something.azurewebsites.net/api/messages endpoint url, microsoft id and password.
I got microsoft Id and password when I create a new registration in app registration on azure portal,
Then I used that same Microsoft Id and password in visual studio code and republished.
But while testing on bot framework test emulator it shows "Sorry, my bot code is having an issue." and when I am trying on local bot framework emulator with microsoft app Id and password it shows "Cannot post activity. Unauthorized. POST401directline.postActivity"
I am using "bot framework" : 3.9 and ".net framework": 4.6
Test on bot framework
Test on emulator
Setting
App registartion
V3 of Bot Framework SDK is deprecated. It is recommended to use V4.
https://github.com/microsoft/BotBuilder-V3/blob/master/README.md
Regarding this:
then registered a bot in bot framework
https://dev.botframework.com/bots/new with
https://something.azurewebsites.net/api/messages endpoint url,
microsoft id and password.
and
I got microsoft Id and password when I create a new registration in
app registration on azure portal
These are redundant steps. Really, what you should be doing is creating a Bot Channels Registration in the Azure portal or using az bot CLI.
I dont want to use "Azure bot service
This does not make sense. Can you further explain what you mean by this? Those two steps you did above are doing exactly that; creating a Bot Channels Registration. "Typical" bots are two parts; a Bot Channels Registration (to allow connection to your bot from multiple places, take care of authentication, etc) and a web application (your bot code). Which one do you not want to use?
Regarding the emulator/authentication configuration:
I'm sure you know this, but I wanted to confirm that you are aware of the behavior of appid/password in a bot. Also for the benefit of others that might not be.
You can test with the emulator against a localhost running bot or a deployed bot. When testing with a localhost bot, you can test with appid/password or without. If you test without, you must make sure that they are not configured in the appsettings.json (in v4. other versions, etc. may use different configuration types) and not supplied in launching the bot in emulator. If you test with; you must configure in the appsettings.json and supply them when launching the bot in emulator.
Now let's move on to testing the online/deployed bot. In a deployed bot, it will either pick up the appid/password in the appsettings.json or from configuration in the Web App/App Service's settings. These settings must be titled MicrosoftAppId and MicrosoftAppPassword.
So...all this being said, my assumption is that you created two applications (AAD app), and might be mixing up the appid/password. Either that, or it is not quite configured correctly in the Web app (https://something.azurewebsites.net); either in configuration file or in configuration settings in Azure.
I do hope this helps.
I want to enable multiple AD authentication using OAuth Prompt in my BOT that i have developed.Currently, there is only one connection that it is taking through which our project AD is getting hit and the credentials are validated. But, i want the same O-Auth prompt to work for different AD's at a time in the BOT which was created using MS Bot framework V4 SDK in C#.
To clearly explain my query, let me take and example and also let me tell you the steps i have followed for enabling the Authentication in my BOT:
MS Bot deployed to AZURE
In the setting of WebApp Bot created OAuth Connection setting with Name: OauthConnection by providing my AZURE AD client ID and secret during creation. Tested the connection it was successful.
In my BOT code, used OAuthPrompt method for enabling the authentication and to it passed the Connection name as "OauthConnection" which was created in STEP #2
Added this Prompt method to the Dialog stack
Now my Bot code when executed gives me sign in option where if i enter the required credentials, it gets validated against the AZURE AD using the connection name provided in the OAuth Prompt method where in turn the required client ID was given
Now if we observe, The credentials are validated against the AZURE AD of which the connection name was given
What I Want to achieve is:
How to make the OAuth Prompt method such that it supports Multiple ADs simultaneously at a time?
Meaning, if my AD uses the domain as #axct.com and another AD uses domain as #avabt.com currently the oauth prompt if configured using above steps either supports the authentication of AD which uses login as #axct.com or #avabt.com at any given point of time but not both at a time in parallel.
I want to enable it such that it uses both AD for authentication at any given time in parallel such that if i use
john.doe#axct.com and its password during login it should successfully authenticate and return the respective Token at the same time if I use john.john#avabt.com as login credentials with proper password it should still successfully authenticate and return me the Token such that i can retrieve the user name from using the returned token using graph API.
How to achieve this is my query or issue as i am not sure how to do it?
Similarly, how to enable for any given AD like social networking sites, google or any other credentials using single Oauth Prompt method.
Is this can be achieved using Oauth Prompt? If yes please explain in detailed guide step by step manner in solving this issue as i am new to BOT and coding
or this is wrong expectation we have to use another method and not Oauth prompt?
Please explain in detailed guide step by step manner in solving this issue as i am new to BOT and coding.
Language: C#
Bot SDK: V4
Thanks in Advance
Regards
-ChaitanyaNG
Expected Result: Enable multiple AD authentication at a any given point of time using OAuth prompt in BOT SDK V4 code done in C# such that it works in parallel
Actual Result: Only one AD authentication works
Update to the query: 14 Aug 2019 -
To make my query more easily understandable-
How to make/convert my BOT using OAuth Prompt for authentication such that it works as a multi-tenant SaaS application using Azure AD?
Please help me with this query or issue so that i can implement it in my BOT having Water Fall Dialog.
The sample bots are configured to only look for one connection string. This leaves you with two options:
1) you can configure your dialogs to branch based on user input of what type of domain they're going to be using. Then, based on the dialog, for example axctDialog.cs or avabtDialog.cs, an auth prompt could be created, and it would use the connection string you have for it in appsettings. This would mean, however, asking your users to select their domain before signing in, something they might find tedious and extraneous.
2) When you create your Azure AD application (what you created in order to create the connection string on the bot), you create it to be multi-tenant. Much simpler. If you've already created your AAD app, you can go into the app manifest and change the values. For example, signInAudience would need to be set to either AzureADMultipleOrgs or AzureADandPersonalMicrosoftAccount and the endpoint would be common instead of the tenant domain. More details about this can be read here.
Beside your Bot registration (Bot app id and app password), you must have a separate AAD app registered for your bot service.
If that's the case, just register your AAD app as multi tenant.
One thing to note, when you create the OAuth2 settings for this app in your Azure bot service registration (or channel registration), you need to set the "TenantId" setting to be "common" - this doesn't seem to be documented anywhere.
BTW if you just want to build relatively simple bots, check out my recent Github repo. It has built in generic code written to handle auth and token exchange for you and a lot more.