For my bot all users are part of Azure AD. When chatting with Bot via Skype channel I assumed that bot would be able to get user identity from AD, but I've been reading that this is not true.
Is this possible at all for bot to know who the user is without going through auth process? How about grabbing workstation credentials with Cortana skill?
To my knowledge you won't be able to get AAD workstation credentials through Cortana; you'll have to incorporate an auth process at some point.
Cortana is only available with MSA accounts, and additionally only available in the en-us market (see question: What markets are supported and what is the timeline?).
Related
This is a generalized concept question concerning obtaining information of the user in the bot chat. Preferably this would be through OpenID and to start with using Microsoft Accounts. We would want to be able to read User Display Name, User Email address, User Group Membership, etc. What is the best way to obtain this information in Azure Bot Framework? In MVC using OpenID to obtain ClaimsPrincipal is easy, but can this concept be used in Azure Bot Framework and are there any examples of this process?
There was a lot that went into this, but essentially I used an OAuth Connection on the Bot service to send the user to AADv2 endpoint to obtain the token. I then used that token to send to the GraphServiceClient method (part of Nuget package Microsoft.Graph) to obtain User information. This was granted by giving the app in Azure AD MS Graph User.Read API permissions.
We are developing the bot application using Microsoft Bot framework and decided to use a website as a channel.
Question is, our website (Channel) is secured with Azure AD Authentication once user is logged in the website. How we can use the same authenticated user token for the Bot to authenticate the user.
Thanks
Here's a Web Chat sample that shows how to do Single Sign On (SSO) for apps that use Azure Active Directory (AAD)
Note that this is not an easy task, but it is possible.
For other users not using AAD:
SSO for Enterprise Apps sample
SSO for Teams Apps sample
I have a bot running on a hosting page where users are logged in using SSO.
I want to authenticate the user in the bot automatically when the bot starts and I do not want to use anAuthCard to do it. Just want to automatically authenticate the user without prompting anything to him, just using SSO.
I found an article that refers three ways to authenticate an user in the bot:
Sharing the client's user token directly with the bot via ChannelData
Using an OAuthCard to drive a sign-in experience to any OAuth provider
A third option, called Single Sign-On (SSO), that is in development.
And, according to the article my situation is:
WebChat in an authenticated website where the user is already signed in and the website has a token to the same identity provider but to a different app that the bot needs -> in the future, this is single sign-on, but for now you 'll need to use an OAuthCard.
Is there any update about this functionality? How can I authenticate the user into the bot without using an OAuthCard or a SigninCard?
Thanks in advance
Not sure if you have tried the option of using WebChat with Azure Bot Service’s Authentication which provides built-in authentication capability to authenticate chat users with various identity providers such AAD, GitHub, Facebook, etc.
If you are looking for this built-in feature, then probably you need to build your own custom built solution using Google sign-in by passing the token ID of the authenticated users. Or for an Account linking OAuth2 solution as explained in this link: How to implement Login in Dialogflow chatbot.
Microsoft guys Are looking at the issue now. you can track the progress here.
I implemented a solution that worked for me. I have the bot running in a .net core web app
Here's what I did:
Generate an userId before initializing the BotApp
When the user clicks on the button to open the webchat, I'm opening an authenticated controller in a popup that receives the generated userId. The page is authenticated, so you will need to authenticate. I store the userId in my DB, along with access_token and some user information. The controller should be created in the same webapp where the bot is running.
After storing all the information I close the tab and start the BotApp with the generated userId
In bot code you will be able to query your DB (using userId).
To wait until the popup close, you can have a look into this here.
I hope that this helps someone.
Best regards
I want to provide a bot that can only be accesible for certain users within a company. How should I go about that?
Different Channels
Skype for business
I guess this narrows down the problem to only identify the subset of the users as all the users in Skype for business would be from the organization.
MS Teams
Is this similar to the previous case? I understand that anyone with the bot id could chat with the bot.
Other non company restricted channels
I guess with this one the bot will always be exposed to external accounts and I'll need to authenticate before answering any message.
Authentication
How would this work? Would I store a token for each user for each channel were they login? With that check the ADD for attributes in order to decide what to provide to that user?
Unfortunately, there is no way to restrict access to a bot - it will be visible to all users. You will need to build authentication into your bot to limit who can communicate with it. There is documentation you can read for Adding authentication to your bot via Azure Bot Service or to Authenticate requests via Direct Line API 3.0 (also available via Direct Line API 1.1) by use of tokens. You would use this to authenticate AAD credentials.
I have developed a endpoint to be used for an skype bot but I have not hosted it in Azure so in order to be use skype channel I need registered it using Azure Bot Service (Bot Channels Registration). I did it but when I try create a App Password for that then Azure redirect me to Application Page and show me this message (In the image the message appears in Spanish but this is the translation):
The application no longer exists or is not associated with your
account.
I have tried clear the cache of my browser and try using private tab too but nothing happens.
The application no longer exists, or is not associated with your account.
Based on my test, if I login to Application Registration Portal using the account that is not used to create Bot Channels Registration bot service, I get same message. Please check the account you are using to login to Application Registration Portal and make sure that account is same one you used to create your Bot Channels Registration bot service.
Besides, please check if others know your account and delete that app. You can also try to create another Bot Channels Registration bot service and check if same issue appears.
This could be the account issue. But this does happen if you even create the new one. But what I do think is that there may be some sort of problem with the App Registration portal, or to be specific the link between the app registration portal API that generates auto id and password so if you are using the auto create Microsoft App ID and Password you would face this issue. But if you will do that manually from the App registration portal and use that in your bot channel or web app bot it should work fine. Hope that help.