ClaimsPrincipal Azure Bot Framework - botframework

This is a generalized concept question concerning obtaining information of the user in the bot chat. Preferably this would be through OpenID and to start with using Microsoft Accounts. We would want to be able to read User Display Name, User Email address, User Group Membership, etc. What is the best way to obtain this information in Azure Bot Framework? In MVC using OpenID to obtain ClaimsPrincipal is easy, but can this concept be used in Azure Bot Framework and are there any examples of this process?

There was a lot that went into this, but essentially I used an OAuth Connection on the Bot service to send the user to AADv2 endpoint to obtain the token. I then used that token to send to the GraphServiceClient method (part of NuGet package Microsoft.Graph) to obtain User information. This was granted by giving the app in Azure AD MS Graph User.Read API permissions.
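The flow described in this answer, as an added example that is not part of the original post: it takes the delegated access token returned by the bot's OAuth connection, reads the signed-in user's profile from Microsoft Graph `/me`, and maps it to a `ClaimsPrincipal` as the question asks. It calls the Graph REST endpoint with `HttpClient` instead of `GraphServiceClient`; the class and method names are hypothetical and the sample JSON is constructed.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Text.Json;
using System.Threading.Tasks;

// Hypothetical helper: not part of the Bot Framework or Microsoft.Graph packages.
public static class GraphUserClaims
{
    private static readonly HttpClient Http = new HttpClient();

    // Calls Microsoft Graph /me with the token obtained through the bot's OAuth connection.
    public static async Task<ClaimsPrincipal> FromTokenAsync(string accessToken)
    {
        using var request = new HttpRequestMessage(HttpMethod.Get, "https://graph.microsoft.com/v1.0/me");
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
        using var response = await Http.SendAsync(request);
        // A 401/403 here means the token is expired or was issued without User.Read.
        response.EnsureSuccessStatusCode();
        return FromProfileJson(await response.Content.ReadAsStringAsync());
    }

    // Maps the /me profile document to claims; absent or null fields are skipped.
    public static ClaimsPrincipal FromProfileJson(string json)
    {
        using var doc = JsonDocument.Parse(json);
        var identity = new ClaimsIdentity("MicrosoftGraph");
        Add(identity, ClaimTypes.NameIdentifier, doc.RootElement, "id");
        Add(identity, ClaimTypes.Name, doc.RootElement, "displayName");
        Add(identity, ClaimTypes.Email, doc.RootElement, "mail");
        Add(identity, ClaimTypes.Upn, doc.RootElement, "userPrincipalName");
        return new ClaimsPrincipal(identity);
    }

    private static void Add(ClaimsIdentity identity, string type, JsonElement root, string field)
    {
        if (root.TryGetProperty(field, out var value) && value.ValueKind == JsonValueKind.String)
            identity.AddClaim(new Claim(type, value.GetString()));
    }

    public static void Main()
    {
        // Constructed sample of a /me response; "mail" is null, as it can be for accounts without a mailbox.
        const string sample = "{\"id\":\"00000000-0000-0000-0000-000000000001\",\"displayName\":\"Sample User\",\"mail\":null,\"userPrincipalName\":\"sample.user@example.com\"}";
        foreach (var claim in FromProfileJson(sample).Claims)
            Console.WriteLine($"{claim.Type} = {claim.Value}");
    }
}
```

Because the profile comes from Graph in response to the user's own token, the resulting claims do not depend on display names or ids supplied by the chat channel.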

Related

Chat bot single sign on

I have a bot running on a hosting page where users are logged in using SSO.
I want to authenticate the user in the bot automatically when the bot starts and I do not want to use an AuthCard to do it. Just want to automatically authenticate the user without prompting anything to him, just using SSO.
I found an article that refers to three ways to authenticate a user in the bot:
- Sharing the client's user token directly with the bot via ChannelData
- Using an OAuthCard to drive a sign-in experience to any OAuth provider
- A third option, called Single Sign-On (SSO), that is in development.
And, according to the article, my situation is:
WebChat in an authenticated website where the user is already signed in and the website has a token to the same identity provider but to a different app that the bot needs -> in the future, this is single sign-on, but for now you'll need to use an OAuthCard.
Is there any update about this functionality? How can I authenticate the user into the bot without using an OAuthCard or a SigninCard?
Thanks in advance
Not sure if you have tried the option of using WebChat with Azure Bot Service’s Authentication which provides built-in authentication capability to authenticate chat users with various identity providers such as AAD, GitHub, Facebook, etc.
If you are looking for this built-in feature, then probably you need to build your own custom built solution using Google sign-in by passing the token ID of the authenticated users. Or for an Account linking OAuth2 solution as explained in this link: How to implement Login in Dialogflow chatbot.
Microsoft guys are looking at the issue now. You can track the progress here.
I implemented a solution that worked for me. I have the bot running in a .NET Core web app.
Here's what I did:
1. Generate a userId before initializing the BotApp.
2. When the user clicks on the button to open the webchat, I'm opening an authenticated controller in a popup that receives the generated userId. The page is authenticated, so you will need to authenticate. I store the userId in my DB, along with access_token and some user information. The controller should be created in the same webapp where the bot is running.
3. After storing all the information I close the tab and start the BotApp with the generated userId.
4. In bot code you will be able to query your DB (using userId).
To wait until the popup closes, you can have a look into this here.
I hope that this helps someone.
Best regards

How to only allow access to bot for subset of employees from a given organization?

I want to provide a bot that can only be accessible for certain users within a company. How should I go about that?
Different Channels
Skype for business
I guess this narrows down the problem to only identify the subset of the users as all the users in Skype for business would be from the organization.
MS Teams
Is this similar to the previous case? I understand that anyone with the bot id could chat with the bot.
Other non company restricted channels
I guess with this one the bot will always be exposed to external accounts and I'll need to authenticate before answering any message.
Authentication
How would this work? Would I store a token for each user for each channel where they log in? With that check the AAD for attributes in order to decide what to provide to that user?
Unfortunately, there is no way to restrict access to a bot - it will be visible to all users. You will need to build authentication into your bot to limit who can communicate with it. There is documentation you can read for Adding authentication to your bot via Azure Bot Service or to Authenticate requests via Direct Line API 3.0 (also available via Direct Line API 1.1) by use of tokens. You would use this to authenticate AAD credentials.

Bot getting user identity from skype channel

For my bot all users are part of Azure AD. When chatting with Bot via Skype channel I assumed that bot would be able to get user identity from AD, but I've been reading that this is not true.
Is this possible at all for bot to know who the user is without going through auth process? How about grabbing workstation credentials with Cortana skill?
To my knowledge you won't be able to get AAD workstation credentials through Cortana; you'll have to incorporate an auth process at some point.
Cortana is only available with MSA accounts, and additionally only available in the en-us market (see question: What markets are supported and what is the timeline?).

Xamarin Forms authentication - Authentication Providers?

Newbie question here on Authentication. I am used to incorporating authentication into my app backend server, like Spring Security Authentication for example. I don't really understand how the authentication providers work.
My concern is that somehow each provider can only authenticate its own accounts, i.e. Google can only authenticate for Gmail accounts, and Azure Active Directory can only authenticate some kind of Microsoft registered account? I am disinclined to OAuth because as a user I am always paranoid about signing in for some game or app from an unknown provider because I never am sure whether I just gave my Gmail or Facebook account password to a rando.
I am fine giving people the option to use OAuth, but less comfortable if that's the only option. I would like people to be able to give me whatever email address they want, and a password which they create for my site only.
Also these questions: If I use an authentication provider can I get the actual email address being used to log in? Or do I only get a token?
If I am going to build my own authentication service so I can accept any email domain as user name, what is the easiest to implement in Xamarin forms, and can somebody point me to a tutorial or something?
Advice appreciated thanks.
Yes, you're right, each identity provider provides the ability to authenticate their own users; Google OAuth supports Google accounts, Azure Active Directory supports Microsoft work & school accounts, Microsoft Account supports Microsoft personal accounts, and so on.
You have quite a few options on how to add support for these identity providers in your app, in addition to what we typically call 'local accounts', or accounts created specifically for the given application. I'll list out a few approaches:
- You can write all the code yourself to integrate with each identity provider individually, and build-your-own local account solution as well.
- You can use an SDK/library in your Xamarin Forms which facilitates using multiple identity providers within your app. The Xamarin.Auth package has historically served this purpose for Xamarin apps. It provides auth capabilities for Facebook, Google, Microsoft, and Twitter.
- You can use a dedicated cloud service which provides authentication services for your app. Some examples include Azure Mobile Apps, Firebase Auth, Gigya, and more. The exact identity providers supported and the level of support for Xamarin/Xamarin Forms will vary across each one. Azure AD B2C is another option that I know supports Xamarin Forms as well as Facebook, Google, Twitter, and local accounts (disclaimer: I work on AAD B2C). These services sometimes have free tiers & paid tiers, so you can compare & contrast each.
- You could also build your own authentication service using open source code like Identity Server if you wish.
It definitely depends which route you go, but generally speaking each solution will provide you access to some user profile information upon user authentication. For Azure AD B2C, you can configure the claims that are returned to your application in the tokens your app receives. For other services, you may need to make a REST API call to get some user data like the email address.
HTH.

Will the Azure AD v2.0 endpoint pass the same nameidentifier through as Access Control Services for the same Microsoft Account?

We are currently using Azure Access Control Services (***.accesscontrol.windows.net) to allow customers with personally-managed Microsoft Accounts (Identity Provider) to sign in to our customer self-service portals (Relying Party Applications), which are Angular apps powered by Web API services. In our Access Control Services we are currently passing through the nameidentifier http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier claim from Windows Live ID to the relying party APIs, which match that token to an identity in our applications.
We are looking to support both Enterprise and Personal Microsoft Accounts with the Azure AD v2.0 service, but do not understand how to migrate our existing users to the new system. The code examples suggest that the OWIN middleware returns the NameIdentifier claim from the user's Identity Provider, but if that Identity Provider is the same Microsoft Account (aka Windows Live ID), will that be the same NameIdentifier we are currently receiving via Access Control Services pass-through?
Any help and/or documentation that clarifies how this transition is intended to work would be appreciated.
If the nameidentifier coming out of ACS is the randomly generated value then you're kind of stuck because that value is unique to the ACS/RP/User. If it's returning the actual Live ID then it'll obviously only match if the Azure AD user has the same email address.
I don't know of any documentation out there that describes how to handle this situation. My recommendation is to just require a one-time authentication from each source within the same session and marry the two results. That would basically mean:
1. Authenticate to Azure AD
2. Your app: Hey you don't have any user details, do you want to associate a Live ID?
3. Authenticate Live ID
4. Associate Live ID with Azure AD
Then if they want to sign in with either account in the future you have a link between the two.
