
Comments (9)

jotrick commented on June 19, 2024

Hi @rjgmail88 - it really depends on what information you are looking for. If you only need the AAD object.id of the user sending a message to the bot, then this information is included in the incoming payload of the message. If you want a usable token to do things like make a call to Graph, then you will need to set up an authentication flow similar to this example https://github.com/OfficeDev/microsoft-teams-sample-auth-node - note: the sign in card for a bot mentioned in this example is only available in the Developer Preview mode of Teams. This feature should be moving to the public ring shortly.

from botbuilder-microsoftteams.

rjgmail88 commented on June 19, 2024

@jotrick, thanks. I did some research and found a way to grab user info from conversationId, serviceUrl
by using the botbuilder-teams npm package.

                (session.message.address).serviceUrl,
                session.message.address.conversation.id;,
                (err, result) => {
                        session.endDialog('%s', JSON.stringify(result));
                    }
                }
            );

I am able to fetch all the information about a user, like aadobjectid, name, fullname, email, etc. But I'm wondering how my bot has this info available in the payload. Any ideas?

The reason I am concerned is because:
1. My bot has been registered using a personal MSA.
2. In MS Teams I'm logged in as an AAD user, which is my office email account.
3. I am using 1:1 chat with the bot by simply using botId.


jotrick commented on June 19, 2024

Hi - for starters, your code snippet was cut off, so I'm not sure what function you are using, but I'm guessing it is the fetch roster function.

Second, I'm not entirely sure what your concern is. Are you looking for more information or are you concerned as to why your bot has access to this information? If you are looking for more information, then you can authenticate a user in such a way as to get an access token and make Graph calls (we can assist with that). If you are concerned about why your bot has access, it is because you have given the bot "permission" by talking with it.

As for your three points, is the concern that your bot won't be able to link the MSA information with the AAD user? To the system, those are two separate entities so it won't be able to link those unless you devise a way to do that. Bots can be created using MSAs so it is allowed that a bot created by someone outside of your organization can be pulled into that AAD tenant (that is the sort of thing the store is doing). For points 2 and 3, you are logged into Teams with your AAD account and it is that account that is in the chat with the bot in the 1:1 chat - that is what your bot will know you as.


rjgmail88 commented on June 19, 2024

@jotrick , sorry for the inconvenience. Here is the actual code I'm using.

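    // The conversation id comes from the incoming message address, as in the earlier snippet.
    const conversationId = session.message.address.conversation.id;

    // Fetch the members of the conversation; in a 1:1 chat the first entry is the user.
    connector.fetchMembers(session.message.address.serviceUrl, conversationId, (err, result) => {
        if (err) {
            session.endDialog('There is some error to get user from MS teams.');
        } else {
            console.log("*******Logged in User by MS teams:******* " + result[0].userPrincipalName);
        }
    });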

My apologies for not being clear on my concern, but those are really around stopping anyone from outside (people who create/use a bot using a personal MSA but are not in our corporate tenant) from using our enterprise-level bot. I am confused about whether I need to do any second-level authentication for this BOT. However, I am not looking for any extra information about the user via an auth token. Here is my current setup:

  1. I created a bot and registered Cortana, teams channel with my personal MSA.

  2. I created a deep link (with the same botID) and provided it to all users (10k+) in my office so they can use this BOT in MS Teams while in the office. They will all be logged in with an AAD account in MS Teams first.

  3. This BOT is dealing with some sensitive information about a user in the bot logic, so no one from outside of the corporate tenant should be able to use this BOT even if they happened to get/hack a deep link. Correct me if I am wrong here.

Example: Let's say my company is A and some other user from company B happened to know the BOT ID I created at step 1. They can still use my BOT in their MS Teams (where they are logged in with the AAD account of their own tenant, company B).

How can I stop this? I hope my concern is clear this time.


aosolis commented on June 19, 2024

channelData has the tenant id of the user that sent the message. You can use that to restrict the users your bot responds to. Placing this logic in bot middleware (https://docs.botframework.com/en-us/node/builder/chat-reference/interfaces/_botbuilder_d_.imiddlewaremap.html) is a good way to do this filtering.

    "channelData": {
        "tenant": {
            "id": "a5bbb9df-06cc-47f4-8f24-981a2024b94c"
        }
    }


rjgmail88 commented on June 19, 2024

Thanks @aosolis, I am using the following middleware for logging each message from the BOT or user. Let me know if this is what you meant or something else.

const logUserConversation = (event) => {
    console.log('******** BOT/User Message: ' + event.text) //+ ', ***** user: ' + event.address.user.name);
};

//Middleware for logging
bot.use({
    receive: function (event, next) {
        logUserConversation(event);
        next();
    },
    send: function (event, next) {
        logUserConversation(event);
        next();
    }
});


aosolis commented on June 19, 2024

Yes, you can add another piece of middleware that will inspect the incoming message and continue processing only if the message came from the tenant you were expecting.

from botbuilder-microsoftteams.
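
The tenant check described in the comments above, sketched as an added example that is not part of the original thread or of the botbuilder-teams project. It assumes the SDK exposes the payload's channelData on the incoming event as `sourceEvent` or `channelData`; `createTenantFilter`, `tenantIdOf` and `onReject` are hypothetical names, and the sample events are constructed.

```javascript
// Tenant id copied from the channelData sample in the thread; substitute your own tenant.
const ALLOWED_TENANTS = ['a5bbb9df-06cc-47f4-8f24-981a2024b94c'];

// Assumption: the payload's channelData is available on the event as
// `sourceEvent` or `channelData`; both locations are checked.
function tenantIdOf(event) {
    const data = (event && (event.sourceEvent || event.channelData)) || {};
    const id = data.tenant && data.tenant.id;
    return typeof id === 'string' ? id.trim().toLowerCase() : null;
}

// Returns a middleware map in the same shape as the logging middleware in the thread.
// onReject is a hypothetical hook for audit logging of dropped messages.
function createTenantFilter(allowedTenantIds, onReject) {
    const allowed = new Set(allowedTenantIds.map((t) => t.toLowerCase()));
    return {
        receive: function (event, next) {
            const tenantId = tenantIdOf(event);
            // Fail closed: a missing or unknown tenant id means the message is dropped.
            if (tenantId !== null && allowed.has(tenantId)) {
                return next();
            }
            if (onReject) {
                onReject({ tenantId, user: event && event.address && event.address.user });
            }
            // next() is intentionally not called, so no dialog runs for this message.
        }
    };
}

// Runs the filter over constructed sample events (not captured traffic).
function runSamples() {
    const rejected = [];
    const filter = createTenantFilter(ALLOWED_TENANTS, (info) => rejected.push(info.tenantId));
    const samples = [
        { sourceEvent: { tenant: { id: 'A5BBB9DF-06CC-47F4-8F24-981A2024B94C' } } }, // own tenant
        { sourceEvent: { tenant: { id: '00000000-0000-0000-0000-000000000000' } } }, // other tenant
        { text: 'hi' } // no tenant information at all
    ];
    const passed = samples.map((event) => {
        let called = false;
        filter.receive(event, () => { called = true; });
        return called;
    });
    return { passed, rejected };
}

// Wiring, as with the logging middleware: bot.use(createTenantFilter(ALLOWED_TENANTS, console.warn));
```

Because the filter fails closed, messages from channels that carry no tenant id are dropped as well. The tenant id is read from the payload, so the filter belongs behind the SDK's normal request authentication rather than in place of it.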

billbliss commented on June 19, 2024

I wrote a StackOverflow post on this a while back that shows how it's done: https://stackoverflow.com/questions/40398565/securing-traffic-from-microsoft-teams-to-a-bot


rjgmail88 commented on June 19, 2024

Thanks @billbliss and @aosolis.

