I have a Microsoft teams bot and I am looking for the best way for me to authenticate incoming requests since I just have an exposed endpoint. Would it be possible to make the incoming requests from Teams to my bot, have custom headers with custom authentication?
You would need to implement user authentication into your bot to control access to those commands and resources which require access to a specific user's data. Here is the documentation on user auth in bot builder to get you started.
I'm implementing a Microsoft Teams incoming webhook and I got worried about some bad guy getting the webhook link and sending spam, getting messages from the team and so on. So I'd like to know how secure this feature is. Is there anything I can do to improve the webhook security?
You can bring Microsoft Teams Incoming Webhook security to the next level using Azure Logic Apps:
It provides the following security levels:
Better control over who can create and use a webhook:
You can rely on Azure RBAC built-in roles for Azure Logic App to define your access policy. The configuration of the webhook is done in Azure and no configuration information is available from Microsoft Teams.
More options to authenticate the event emitter: There are different ways to authenticate an emitter and Azure Logic App provides a wide range of options to do that. These methods come in addition to the SAS signature or can replace it.
To name the most requested ones in the context of incoming webhooks, we have:
- Source IP whitelisting
- Basic authentication / HTTP header access keys
- Azure AD OAuth 2.0 token
Protect users from the content published into Teams:
With Azure Logic App, you will capture all requests to the webhook because you have control over the endpoint (versus incoming webhooks hosted and exposed via the O365 platform). When the workflow is triggered, you can add action steps to your workflow to:
- Validate the schema of the payload (in case inappropriate JSON content is pushed)
- Log this request into an external system, e.g. you can push this payload or log this event into Azure Monitor and process the content in Azure Sentinel using Logic App built-in connectors.
- Map / aggregate / curate / enrich / ... the incoming content and format the message to be pushed into Teams using Adaptive Cards.
Reference doc: https://www.linkedin.com/pulse/bring-microsoft-teams-incoming-webhook-security-next-level-kinzelin/?msclkid=58f6ddafd0eb11eca9ccc0356553ed5c
Does the messaging endpoint of bot need to be anonymous?
Any help is greatly appreciated.
If you are using the Bot Framework v4 SDK and you register a bot in the Azure portal, for example via the Bot Channels Registration, this authentication is automatically performed. So, you don't need to explicitly write any code. If you want to restrict the use of the bot to users belonging to your tenant, you can add authentication to a bot using OAuth. Please go through this documentation for reference.
My understanding is that requests to your /api/messages endpoint include a JWT bearer token issued by the bot framework. The SDK will check this for you.
This appears to be the code where it performs the validation:
https://github.com/microsoft/botbuilder-js/blob/fc5dcc535855cf453b0ebf373121277d824ff840/libraries/botbuilder/src/botFrameworkAdapter.ts#L1180
If you're implementing without the SDK, then you will need to do the JWT verification.
I have an existing bot code that uses OAuthPrompt dialog that I would like to deploy for Zoom and WebEx that are not supported by Azure Bot Service. As per the documentation and sample code, I have used the adapter for supporting those channels. It works fine. But it does not support OAuthPrompt Dialog, it returns "OAuthPrompt.BeginDialog(): not supported by the current adapter".
When I debugged with the source code (Bot Builder SDK with adapter), the OAuthPrompt dialog implementation checks whether the adapter implements the IExtendedUserTokenProvider interface; currently it does not, so it returns an error. How do I add OAuth card support without using the OAuthPrompt dialog / Azure Bot Service?
This question is similar to mine:
(Is there any way to use authentication service without azure bot service?)
Following are my thoughts:
Directly send a request to identity provider with redirect URL (my bot endpoint) for OAuth2 code flow. Also update the redirect URI in the App Registration portal with bot endpoint, currently I have provided Redirect URI as "https://token.botframework.com/.auth/web/redirect" for supported channels.
Implement the IExtendedUserTokenProvider in the adapter (similar to Emulator).
Any feedback is appreciated.
I can get it working by having a customized OAuthPrompt dialog for Zoom, implementing IExtendedUserTokenProvider in ZoomAdapter (ZoomAdapterWithErrorHandler). OAuth connection settings (such as identity server endpoint, scopes, redirect URI) are stored in appSettings.json for the connection name. Supported channels (MS Teams and Slack) will use the SDK-provided implementation (OAuthPrompt dialog) with settings from the ConnectionName configured in Azure; unsupported channels will get the settings from the appSettings.json file. GetSignInResourceAsync() should have the right implementation that returns the sign-in resource URI.
I am trying to use Teams outgoing webhook to interact with my web service which requires AAD authentication. In such a case, I am not able to figure out a way to implement the AAD authentication for outgoing webhooks. Does this mean outgoing webhooks cannot be used with AAD authentication?
Copying for better visibility.
Hi Derek, outgoing webhooks currently support only an HMAC token to validate incoming requests. For AAD authentication, you have to build bots.
I have my own slack team, with its own slackbot user.
I want to create a basic Slack bot that will respond to direct messages, and since I need specific events, I need to use the Events API.
I understand that Slack will POST to my server the event that happened with its parameters, but I don't understand what needs to be done with the OAuth permissions.
How can I add permissions to the Slack app without submitting the app?
Reading the docs, I couldn't find the answer to this.
What am I missing?
You do not need to submit your app to the Slack App Directory. That is optional and only necessary if you want to make your app available to the public.
But you need to install your app to your Slack team before you can use it. During the installation process your app will be authenticated to your Slack team and you will receive a special token based on the scopes you requested.
The authentication process follows the OAuth standard and works similar to the process used by other web services, e.g. Twitter or Facebook.
I use a mini website for each of my Slack apps that has the "Add to Slack" button and is able to run through the OAuth process with Slack. This website is basically another script in addition to the one that will handle the events coming from Slack.
Check out the excellent documentation from Slack on the Slack button and how to use OAuth with Slack.