Trying to deploy a bot developed in MS bot framework v4.0 on SharePoint online page. Users need to login to SharePoint to access the bot, therefore, can't add an authentication at bot level as users have to login twice that will result in poor user experience.
Integration is done with the help of token fetched by calling Web Chat Bot connector API with Web Chat channel 'Security Key'. Followed Option 1 in the documentation.
Issue
SharePoint being a client-side app poses a threat of channel 'Security Key' being exposed i.e. it can be fetched in browser's developer tools and can be used to integrate our bot on their website.
I have already Tried
Minify the javascript and add it to the web part, it makes it difficult to read 'Security Key' but not impossible.
Single Sigh-On(SSO), SSO is not possible without an OAutCard at bot level, so trying to avoid it.
Create a trigger/ function app to hide bot connector rest call and only expose token but it requires some additional cost on resources.
I did not find a way to pass SharePoint logged in user context or token from SharePoint to the bot.
Expectation
To secure channel 'Security Key' so that it can't be accessed in the developer tool.
or
Find a way to pass SharePoint logged in user context or token from SharePoint to the bot and validate the same at the bot end.
or
Hide the rest call to bot connector API through a free trigger in SharePoint online.
Open to any other solution or suggestion as well.
There is no way to get the access token in SPFx. The only solution I have found with SPO/SPFx, is to utilize SPFx to give user context to the bot, and do calls via app-only graph application in the bot. You could (in theory) add code logic to limit the calls etc to graph/SharePoint using that context (username, site name, web name).
Related
My chatbot with Microsofts Bot Framework is online and working. It has an API, which is sadly publicly accessible.
But it shouldnt! The API should be secured and only accessible for Microsoft Accounts of my Tenant.
But most of the time the API is accessed by scripts.
Whats the best way to secure?
What is comfortable?
Like other public APIs, your API (your bot) needs to implement some form of user auth in order to validate authorized requests and reject unauthorized requests. Take a look at this sample (the C# version is linked, but the repo has samples in other languages) to see how you can implement user auth using the Microsoft Graph API. In addition to auth, Graph will also allow you to get info about the user, such as their Tenant ID (assuming your user logs-in and grants your bot permission). You can then implement whatever access controls are appropriate for your scenario.
We are creating a chat bot using Azure in SharePoint and using it as iframe in spfx. We need to get the SharePoint current logged in user in azure.
Steps followed to create the chat bot:
Created chatbot using azure bot framework.
Called rest api to interact with SharePoint.
Using Iframe in SharePoint SPFx extension to showcase the chatbot on site.
How to get the SharePoint current Logged-in user in bot framework?
Here is a doc and repo that can help you for share point SSO. OAuth services to support user sign-in and SSO. Below is the sample for S2S and user auth. Check out the whole list https://github.com/Microsoft/BotBuilder-Samples.
Bot-authentication demonstrates how to integrate OAuth providers for user authenticated flows.
As the bot runs in the SPFx environment, you can get the current user info as below sample:
https://github.com/pnp/sp-dev-fx-webparts/blob/master/samples/react-bot-framework-sso/webpart/src/webparts/botFrameworkChatSSO/components/BotFrameworkChatSSO.tsx
const userId = props.context.pageContext.user.loginName;
Or you can call the Rest API or Graph API to get the current user in SPFX.
Connect to SharePoint APIs
Pnp Get Current user
BR
I have to integrate SharePoint with my web app(just want to show the content of the user account).
For that, I have researched and I am looking for the SharePoint integration with REST API through OAuth process, Right now I found a different way where users have to create their SharePoint app and they have to share username and password and then I can get the data with their credential for the users.
The above approach is not a good option.
Please help if someone knows how to get share point content through the OAuth approach with REST.
You are able to connect to Microsoft Graph which hosts an API for the Office365 entities such as Calendar, Mail, Sharepoint etc.
In order to authenticate, you need to follow the OAuth 2.0 flow. This involves the generation of access tokens, which are then used in case of username/password.
More information about the MS Graph API and setting up authentication as well as a number of SDKs can be found: https://learn.microsoft.com/en-us/graph/auth-register-app-v2?view=graph-rest-1.0
I've created a SPFX feature that needs to call an external API. The external API is part of a system that has its own authentication methods outside of SharePoint. Ideally I would like to send details about the current logged in SharePoint user to this API, validate them to ensure that the user is actually logged in in SharePoint, compare the SharePoint user with the external system's user (they'll have the same email addresses) and, once matched, run the external API's code with that user.
Is there any way to go about doing something like this? If not, what is the best way to handle this sort of problem? Do other Microsoft tools like Azure need to be used for this?
The supported way to authenticate SharePoint framework components to a custom API is by using Azure Active Directory (AAD) and OAuth.
You need to AAD-protect your API. You can configure it so it supports two authentication mechanisms: AAD and your current authentication method. For example, if a JWT token is present, you use AAD+OAuth, and if not you use your other authentication method.
The SPFx to API authentication mechanism is described in details in the page Connect to Azure AD-secured APIs in SharePoint Framework solutions.
In summary, you will need the following elements:
Register an application in Azure AD, which represents your API.
Use a server library to protect your API with that AAD application.
Configure your SPFx package so it has permissions to query your API.
Grant the permissions to your SPFx package in the SharePoint central administration.
Use the AadHttpClient in your web part to access your API.
Since I have my users log in and password, can I silently log into their Microsoft Graph?
I want to fetch info from Office 365 API from a server app, so therefor I cannot have a Microsoft Login Window popping up.
Thanks
You want to use the confidential client flow for authenticating the Graph API. See the section "Daemon or Server Application to Web API" in this document for details. Of course you'll need to be the admin of you Azure AD, or have the admin's trust and blessing, in order to use this flow as the user isn't involved in the process themselves.
I've been trying to use it for calendaring apps. The flow login works fine but be aware that there are some limitations on using the Graph API with this authentication flow type (specifically interacting with Unified Groups calendars in my case).