Trying to build a recipe ordering app via SMS using Bot Framework. How can I let the user 'login' to view all his previous recipes?
The user first must sign up through a website using Azure Active Directory B2C. I got the API sample template up and running and it lets me authenticate user through the website...
But I'm not sure how to authenticate this logged in user (on the website) on the bot chat level. How can I make Bot Framework be aware of this logged in user?
It'd be really nice if you could just turn on multi-factor authentication and access the phone number connected to the user but this is not possible programmatically at the moment according to Microsoft.
Any other ideas? I desperately need some way to allow a mobile phone user to authenticate via SMS and access their private data through it. I tried it with Active Directory's .net api sample but no documentation exists on how to make this all work together with Bot Framework...
I ran the pizza bot template and pondered upon the same question.
I ended up taking the user ID and store it along with any information I could get through claims. Then, I a reference for the user that I can look up and do stuff with. Not sure if this helps you.
This is how you can do it:
Generate an authentication URL and send it to your user via the bot. Ask him to login to the service using the URL.
The server would receive the result of that authentication (your API for the bot is now aware of the result) and if successful, you can show the data to the user through the bot.
You might want to take a look to the Facebook Auth sample to get an idea of a potential flow for the Auth scenario.
Hope this helps.
Related
I have a Bot published from Bot Composer into Azure. The bot is a simple QnA Bot. I need to securely embed it within a webpage. The iframe embed code generated has the Bot Key embedded in the URL. How do I secure this so
users cant see the Key,
limit access to users from my tenant?
Thanks in advance.
Generally speaking, if you want to hide something from the end user, you need to place it somewhere where they do not have access to. Normally, you create some kind of script that is running in the backend of your webpage and deals with creating the tokens with your secret key. These "non-critical" tokens need be to be passed to your Web Chat.
The limitation to your tenant user, you need to implement an authentication system.
Ive been researching the MS Graph API lately, and I'm running into a problem. My use case is that I want to read a certain mailbox's mail, and send mail for that mailbox. The mailbox is a non user related box, and is used as a service account for emails.
Ive found 2 possible flows for getting into that mailbox. The user authenticated flow, and the application (and admin consented) flow. For the application, I want to read the emails in the background in a NodeJS app, without user interaction.
When I look into the user consented flow, I find that to make it work the user HAS to log in atleast once, by hand, and consent to some stuff I want to do. I found this page, on how this works, and made it work in my NodeJS app. The problem is, when using this flow, I have to login BY HAND atleast once after starting my NodeJS app. Afterwards I can use the refresh token to refresh the access token, but I dont want to do the login by hand.
The second option, and most suitable option for my NodeJS app, is the application flow. I found this tutorial on how to do that, and I made it all work. I fetch a token, and that token grants me access to the box via the Graph API.
But using the application flow, I found that I have to have the roles (i.e.): "User.ReadAll, Mail.Read, Mail.Send". This gives my application rights to read and send mail FOR ALL users in the account.. Which is WAY too much overkill for my situation.
Now my question; Is there a way for me to use MS Graph, with the application authentication flow, but without having access to all users' mailboxes, only to my specific account I want to read?
Thanks in advance,
Caspar
While linking the documentation reference, I saw that I read over the most important footnote:
Important Administrators can configure application access policy to limit app access to specific mailboxes and not to all the mailboxes in the organization, even if the app has been granted the application permissions of Mail.Read, Mail.ReadWrite, Mail.Send, MailboxSettings.Read, or MailboxSettings.ReadWrite.
So it is possible using the application access policies.
so far I've not been able to get this working with the bot framework. I spent all day but only managed to get .net api example (https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet) working with AD B2C. I'm not sure where it grabs the bearer token that I want to pass to BotUserData...
I've tried following https://azure.microsoft.com/en-us/blog/bot-framework-made-better-with-azure/
but in reality the solution does not build successfully and I've resorted to just taking code from there and into my bot framework sample template....however, when it asks me to login through MS and I do, I am not able to proceed and it doesn't seem like that blog is using the AD B2C policies.
so how do you integrate AD B2C with Bot Framework? Is it possible to call /Account/SignIn URL from bot framework to authenticate the user? Afterwards, how would you capture the token and pass it to BotUserData?
You might want to take a look to the Facebook Auth sample to get an idea of a potential flow for the Auth scenario. For Azure AD, you need to do a similar flow.
Let's say your user send a "Login" message to your bot. The bot should respond with an auth URL and ask the user to login to the service using that URL. You can use the GetAuthorizationRequestURL method of ADAL for that.
Then you will have a Web API which will basically expose an endpoint that will be the reply URL of Azure AD. Once the users completes the login, a message will be posted to your Web API where you will be able to get the authorization code and perform the calls to get the Access Token. After that, you can just do the same they are doing in the Facebook Sample Web API which involves resuming the conversation with the Bot, sending a message with the access token (so it can be persisted in the PerUserInConversationData bag (check this line of code).
After that you have the access token available to perform any call that requires an access token.
Update
There are two new samples that you might want to take a look since they are implementing the workflow being discussed.
GraphBot from the BotBuilder repo.
AuthBot from Mat Velloso
Hope this helps.
Follow this tutorial for Bot side code development, i focus on configuration at B2C and Azure level here:
OAuth Connection
Client id
This is taken from the Application ID field in your B2C app's properties. It's the equivalent of a Microsoft app ID taken from any other AAD app registration.
Client secret
This is generated using the steps in this tutorial.
Select Keys and then click Generate key.
Select Save to view the key. Make note of the App key value. You use the value as the application secret in your application's code.
Use AAD V2 configuration in oAuth settings in bot channel registration - new oauth connection settings.
Fill the above details by following the steps and values we got from them.
Authorization/Token/Refresh URL
I followed on this one with
https://login.microsoftonline.com/tfp///oauth2/v2.0/authorize
for the Authorization URL and
https://login.microsoftonline.com/tfp///oauth2/v2.0/token
for the Token and Refresh URL's.
For I used the URL format (kyleorg.onmicrosoft.com) rather than the GUID format, but using the GUID also seems to work.
is the name of a user flow, like B2C_1_userflow. I created one with this tutorial.
Scopes
Using the scopes openid offline_access I am able to sign in successfully, but to my astonishment the token returned is empty.
Then I found this document which suggests using the client ID itself as a scope.
When I reuse the value from the Client id field in my Scopes field, a token is returned successfully and my bot is able to use the connection.
You can combine this with other scopes as needed, but for the sake of experimentation I highly recommend getting the simplest implementation to work first.
Let me know if these instructions work, and if they don't then we'll see if the difference lies in how we've set up our B2C apps.
As a bonus, I should mention that after you get a token you can paste it into https://jwt.ms/ to decode it and see if it recognized your B2C user correctly. Always refresh the page when pasting a new token to make sure it doesn't keep showing you the information from the last token.
Referred this document.
I'm in the process of building a Google Chrome extension, and have some questions about how to implement security into the application.
I need to access a couple of Google API's so am going to be using OAuth 2.0 for that. So basically from the extension I know which user is logged into the browser.
My extension then needs to get and post data to my (nodejs) API service. I want to ensure that the user requesting data is the same user that is logged into the browser. Is there any way of using the previous Google authentication process to also authenticate communications between the extension and my API? I dont really want the user to have to log in again, to access my API.
I'm sure I'm missing something simple, and I've not been able to find anything that fits this scenario
Follow the OpenID Connect auth flow and you will get an access_token and an id_token. The acess_token you will use to use to make authenticated requests to Google APIs as usual. The id_token will be used as authentication with requests to your server.
When the requests hit your server you will need to validate the token and you can then use the contents of the id_token to identify the user.
User wouldn't have to login on auth process provided if user is already logged in and you are using a web application flow (not chrome.identity APIs) but user would see the consent screen atleast the first time. However you can skip the account selector screen if you already know the email address by providing &login_hint= parameter.
Google AppEngine's "guestbook" tutorial is very nice and clean.
It's awesome how easy I can authenticate my users via Google Accounts.
Now, imagine if my application was a GWT application.
I can make two pages: Login.jsp and MyApp.jsp then "protect" MyApp.jsp with a simple if / else condition, just like in the guestbook tutorial.
Then my web app will use things like gwt-rpc to ajax-communicate with my services. But...
how can I make this services secure? Do I have to pass them username/password every time and check every time the authentication? Can you tell me more about it?
And what about if I want to use my own Users, instead of Google Accounts? How can I keep my user logged in? By saving the logged user's sessionId inside the User entity for example?
Thx
If the user is logged in using the Users API, all the Javascript RPC calls they make will also carry the authentication cookies required. You can simply check if the user is authenticated using the regular Users API, as you would for an interactive request.