4

I have created a Bot in Node JS using Microsft Bot Framework and is deployed on Skype for Business (SFB) channel.

Whenever a user interacts with Bot over SFB and asks to fetch some details, I want the Bot to get these details from my companies internal system using the user's authentication token which should have generated when user login to SFB.

So, is there any way to get user's token from SFB which the Bot can use to get the required information on user's behalf? I can't use the Bot credential to get the information requested by the user on his/her behalf. My companies internal system, SFB uses the same Azure AD for user authentication.

I refer the questions Authenticate user across channels in Microsoft bot Framework, Skype for Business channel doesn't pass authentication credentials correctly but that doesn't help me to answer my question.

I referred Authenticate user in Microsoft bot framework link and If I ask the user to authenticate by using something https://blogs.msdn.microsoft.com/tsmatsuz/2016/09/06/microsoft-bot-framework-bot-with-authentication-and-signin-login/ then every time user ask some question, I need to ask the user to authenticate and that won't be a good for user experience as the user has already been authenticated over SFB.

Can someone please help me with some documentation that I can refer to resolve this issue?

Eric Dahlvang
  • 8,252
  • 4
  • 29
  • 50
Gaurav Dhavale
  • 151
  • 1
  • 14

1 Answers1

1

I don't know about getting the token via the Skype channel directly, but I believe you could write UCMA code that would capture communication with a Skype user configured to be your bot, then transmit the conversation to the bot using Directline, with full knowledge of the user transmitted to the bot. You would then capture the result and reply to the user using the UCMA code.

Matt Small
  • 2,182
  • 1
  • 10
  • 16
  • I have internal systems that need user identity (which can be achieved via user authentication) in order to perform the task on user's behalf. What do you mean by Full kowledge of the user? Will the communication information help me to fetch user identity via graph API? Thanks. – Gaurav Dhavale Oct 18 '17 at 21:00
  • I'm not too familiar with UCMA, but if you can get the user token via UCMA, then you can use that to grab the user's information and transmit it to the bot via Directline. – Matt Small Oct 20 '17 at 13:35
  • I want to add some new information that I just came across: When a user communicates with a Bot using SfB, the SfB channel sends the SIP URI of the user along with the message. The Bot could then make a call to MS Graph to get the user's information and do whatever else it needs to do with that information. – Matt Small Oct 20 '17 at 18:25
  • I checked in session object and found ` "bot": { "id": "sip:abababa@ababababb.onmicrosoft.com", "name": "sip:abababa@abababa.onmicrosoft.com" }, "serviceUrl": "https://webpoolbl20r04.infra.lync.com/platformservice/tgt-c1212121221212121fgfgfffgf/botframework" ` . Are you talking about this information? – Gaurav Dhavale Oct 23 '17 at 14:56
  • Yes. abababa@ababababb.onmicrosoft.com should be the email account associated with the user. You can get more details about this user by querying the graph. – Matt Small Oct 24 '17 at 17:58
  • We have web applications in the company where the user must log in to access specific information. Now my use-case is when the user asks some information over SfB channel of Bot, the Bot need to send that request to these web applications on user's behalf. I guess in this scenario, I must send the user's access token along with request object to these web applications. Do you think this email account will help me in this scenario? – Gaurav Dhavale Oct 25 '17 at 14:50
  • When a user logs into SfB, the user is authenticated to use the SfB client with those credentials. The SIP URI (email address) of that user is sent to the Bot as part of the message. The Bot can access the Graph API on AAD to determine if the user's account has permission to access the resource. The user's token will not be available, but if the user has permission, and the Bot has enough permission, the Bot can retrieve that information on the user's behalf. This is not the same as the user himself obtaining the information. It's an admin were performing an action on behalf of a user. – Matt Small Oct 25 '17 at 19:54