How to secure the traffic from Microsoft Teams to a bot, so that bot could be answering on company specific questions / discussions and would not need to be exposed as anonymous WebAPI?
Bot integration to Teams UIs is easy from bot framework side, but right now there's no documentation for how to isolate bot only for specific enterprise.
Business case - We want to build enterprise specific bot, which could answer questions only specific to that particular enterprise where the questions are coming from. Technically this could be done with app-only access to SharePoint or Microsoft Graph, but we cannot expose this kind of WebAPI anonymously for Internet.
Any design patterns for this?
This is now possible, and I've actually even implemented it for Hubot in CoffeeScript and Node.JS. What I've described below is what it would look like in JavaScript/Node.JS.
Define an environment variable that, when set, filters for a particular tenant ID, OFFICE_365_TENANT_FILTER. (Doing it this way is a handy way of turning this feature on in production but not necessarily during development.)
For Microsoft Teams, the Office 365 tenant ID can be found here: session.message.sourceEvent.tenant.id.
The most elegant way to do it is to check for the tenant ID as middleware, and just drop further processing of the message if the filter is set and it doesn't match:
// [...]
var connector = new builder.ChatConnector({
appId: process.env.MICROSOFT_APP_ID,
appPassword: process.env.MICROSOFT_APP_PASSWORD
});
var bot = new builder.UniversalBot(connector);
// Middleware to check for OFFICE_365_TENANT_FILTER and only continue processing if it matches.
// If OFFICE_365_TENANT_FILTER is not specified, do nothing.
bot.use({
botbuilder: function(session, next) {
var targetTenant = typeof(process.env.OFFICE_365_TENANT_FILTER) !== "undefined" ? process.env.OFFICE_365_TENANT_FILTER : null;
var currentMsgTenant = typeof(session.message.sourceEvent.tenant) !== "undefined" ? session.message.sourceEvent.tenant.id : null;
if (targetTenant !== null) {
if (targetTenant == currentMsgTenant) {
next();
}
else {
console.log("MS Teams: Attempted access from a different Office 365 tenant (" + currentMsgTenant + "): message rejected");
}
}
else {
next();
}
}
});
// [...]
Here's how to do this in C#, the SDK exposes the TenantFilter that allows you to add this action filter to the controller class as shown below.
using Microsoft.Bot.Connector.Teams;
namespace Microsoft.Teams.Samples.HelloWorld.Web.Controllers
{
[BotAuthentication, TenantFilter]
public class MessagesController : ApiController
{
[HttpPost]
public async Task<HttpResponseMessage> Post([FromBody] Activity activity)
The tenant filter will take a comma separated list of tenantIds that will need to be placed in the web.config
<configuration>
<appSettings>
<!--other settings-->
<add key="AllowedTenants" value="*TenantId1,TenantId2,...*"/>
Find your Office 365 tenant ID shows how you can do it through PowerShell.
It is not currently possible to know the tenant-id of the user chatting with the bot right away, unless the bot authenticates the user first. Please take a look at AuthBot. It illustrates how to send a sign-in link to a user and authenticate the user against AAD.
Although not exactly what you are looking for, you can create custom bots which will be scoped to individual Teams.
The security key/HMAC auth will prevent others from accessing the API. With the drawback that you will have to configure the bot with a separate security token for every Team where you want to use it.
Related
First, there has been plenty written on this subject in the context of WebChat, and there are fixes out there that show implementation. Here's a link that is pretty good:
https://blog.botframework.com/2018/07/12/how-to-properly-send-a-greeting-message-and-common-issues-from-customers/
This problem is NOT a WebChat problem, it's a Direct Line problem that uses a 3rd party named LivePerson to host the bot which lives in Azure, and is connected via Direct Line. Hence, I do not control the client code (like I would if I were writing/hosting the bot using html/JavaScript). However, the take away here is "do not use conversationUpdate", which I am using in my bot, but please read on...
I'm hosting my Microsoft v4 Bot in LivePerson using Direct Line. The bot uses Adaptive Dialogs to welcome the user and ask them a question before the user sends any input using the OnConversationUpdateActivity():
public RootDialog(IConfiguration configuration, IMiddlewareApiFacade middlewareApi, IBotTelemetryClient telemetryClient) : base(nameof(RootDialog))
{
var rootDialog = new AdaptiveDialog(nameof(RootDialog))
{
...
Triggers = new List<OnCondition>()
new OnConversationUpdateActivity()
{
Actions = WelcomeUserSteps("${Greeting()}")
}
...
}
private static List<Dialog> WelcomeUserSteps(string message)
{
return new List<Dialog>()
{
// Iterate through membersAdded list and greet user added to the conversation.
new Foreach()
{
ItemsProperty = "turn.activity.membersAdded",
Actions = new List<Dialog>()
{
// Note: Some channels send two conversation update events - one for the Bot added to the conversation and another for user.
// Filter cases where the bot itself is the recipient of the message.
new IfCondition()
{
Condition = "$foreach.value.name != turn.activity.recipient.name",
Actions = new List<Dialog>()
{
new SendActivity(message),
new BeginDialog(nameof(WelcomeDialog))
}
}
}
}
};
}
}
}
This works fine when running the bot locally using the Emulator or running the bot from Test Web Chat in Azure, but it does not work in LivePerson.
I've successfully hooked up and tested the connection to the bot from LivePerson via Direct Line:
However, when the bot is started, and it's accessed via LivePerson's chat, the welcome message does not fire (there should be a welcome message then a question from the bot where the red square is):
Looking at LivePerson's docs, they have an "The Welcome Event" section that talks about the bot greeting the users for bots configured as as "chat" (which is how this bot is configured in LivePerson)
Looking closer at how a chat is considered started for chat conversation bots, the docs state:
A chat conversation is considered started when the chat is routed to an agent. Best practice is for the agent to provide the first response. In this scenario, there is no text from the consumer to parse, thus the default ‘WELCOME’ event is utilized as a start point for the bot to prompt the user to provide input and progress the conversation. Ensure you have an ‘entry point’ in your bot that responds to the default ‘WELCOME’ action send by a new chat customer.
Then this code:
{
// ...
"type": "message",
"text": "",
"channelData": {
"action": {
"name": "WELCOME"
}
}
}
FYI: an "agent" in the context of LivePerson can mean an actual person OR a bot. Both are considered "agents", and when you add a new agent to LivePerson, one of the types available is "bot". So agent does not mean person in this example.
I'm not too sure how my bot (which uses bot framework v4 and Adaptive Dialogs) needs to be configured/implemented to have an entry point that responds to this WELCOME message.
I do know that I cannot use conversationUpdate (or in adaptive dialog speak, OnConversationUpdateActivity()), but I'm not too sure which adaptive dialog (or otherwise) I need to use somehow intercept the json WELCOME message to sent to my bot by LivePerson... OnEventActivity()? OnMessageActivity()? Something else?
Thanks!
The answer is summed up in the blog post I wrote after I figured it out:
https://www.michaelgmccarthy.com/2021/03/13/sending-a-welcome-message-in-the-v4-bot-framework-via-direct-line-and-liveperson/
I want to call a messaging extension (with action command) and access Graph API via a bot for getting different resources of the channel (e.g. retrieve all messages or get replies for my message).
In the examples from Microsoft it is stated as a prerequisite that I have to do the "Bot channels registration" so that the access of the bot to the Graph API via OAuth2 works.
Do I really need this channel registration? Or is there another way?
As a test, I had created a azure free trial, with which I performed the "Bot channels registration" and could also save the ID and secret for the Graph Api access in the registration. With this I had success. Now the 30 days testing period is over and I'm interested in whether it would work without.
Thanks for your help
Update:
Thats my code to initialize graph api:
IConfidentialClientApplication app = ConfidentialClientApplicationBuilder.Create(AppId)
.WithClientSecret(AppSecret)
.WithAuthority(new Uri($"https://login.microsoftonline.com/{Tenant}"))
.Build();
string[] scopes = new string[] { "https://graph.microsoft.com/.default" };
AuthenticationResult authenticationResult = await app.AcquireTokenForClient(scopes).ExecuteAsync();
var graphServiceClient = new GraphServiceClient(new DelegateAuthenticationProvider((requestMessage) =>
{
requestMessage
.Headers
.Authorization = new AuthenticationHeaderValue("Bearer", authenticationResult.AccessToken);
return Task.FromResult(0);
}));
For OAuth authentication, you need to register the bot with azure for sure.
I am trying to implement the functionality of the password as shown in this link.
https://github.com/microsoft/BotFramework-WebChat/tree/master/samples/05.custom-components/f.password-input
but how to pass the password activity form the bot to the front end. I am using the c# template for the developing the bot.
As per my understanding, we need to pass a password activity from the bot to the front-end for the execution of the password things as mentioned in the link.
An example would be help-full in knowing how to pass this type of customer activity forms the bot.
Thanks,
I used this sample myself for one of my bots. The bot logic is built in node but I guess it shouldn't be hard to translate to c#
const askPwd =
{
name: 'passwordInput',
type: 'event'
};
await stepContext.context.sendActivity(askPwd);
return await stepContext.prompt(PASSWORD_PROMPT, '');
In c# this will probabaly translate into something like this (I don't know c#):
Activity activity = new Activity
{
Type = ActivityTypes.Event,
Name = "passwordInput"
};
await stepContext.Context.SendActivityAsync(activity, cancellationToken);});
We have a scenario where a user would first login to web application before starting a conversation with Azure Bot.
My question is how do we ensure bot will only allow user to ask financial questions related to his own accounts considering the bot is capable of answer questions related to financial holding of the person logged in.
Basically is there a way to pass principal object to the bot before the conversation starts. If yes how do we pass those details.
The BotFramework currently does not support single sign-on; however, the BotFramework Web Chat Development team has recommended different approaches to create a single sign-on experience and is currently working on developing a sample.
The main approach recommends piggybacking the authentication token on every outgoing message by adding it to the activity's channel data. To do this, you can create a custom middleware that appends the additional data. Take a look at the code snippet below.
const store = window.WebChat.createStore(
{},
({ dispatch }) => next => action => {
if (action.type === 'DIRECT_LINE/POST_ACTIVITY') {
// The channelData submitted here is very similar to HTTP cookies and vulnerable to forgery attack.
// Make sure you use signature to protect it and verify the signature on the bot side.
// To minimize unexpected behaviors, we recommend to treat the "action" object as if it is immutable.
// We use simple-update-in package to update "action" with partial deep cloning.
action = window.simpleUpdateIn(action, ['payload', 'activity', 'channelData', 'token'], () => token);
}
return next(action);
}
);
window.WebChat.renderWebChat({
directLine: window.WebChat.createDirectLine({ token }),
// We will use a custom version of Redux store, which we added middleware to handle backchannel messages.
store
}, document.getElementById('webchat'));
On the bot side, you can retrieve the token from the channel data and use it to make various requests. For more details on adding data to outgoing activities, take a look at this sample.
For more details regarding recommended approaches, take a look at this issue on GitHub. The Web Chat Development team is also using it to track the progress of the sample.
Hope this helps.
Is it possible that the Microsoft Bot Framework Node.js - SDK4 automatically identify a logged in user from a Microsoft account (like a user that is logged in Sharepoint) so that I can use Microsoft Graph services directly on the bot without needing to ask user login and password?
I'm asking that because I have a bot running on a sharepoint page, and in theory, the user already will be logged in on a microsoft account when he starts talking to the bot.
Check this code.
{ ResponseIds.Greeting, (context, data) => {
var greetings = JsonConvert.DeserializeObject<Greetings>
(MainStrings.GREETING);
Random r = new Random( );
int index = r.Next( greetings.messages.Count );
return greetings.messages[index].message.Replace("
{username}",context.Activity.From.Name);
}
Else I have seen an authentication dialog that probably does a similar operation