Trying to deploy a bot developed in MS Bot Framework v4.0 on a SharePoint Online page. Users need to log in to SharePoint to access the bot; therefore, I can't add authentication at the bot level, as users would have to log in twice, which would result in a poor user experience.
Integration is done with the help of a token fetched by calling the Web Chat bot connector API with the Web Chat channel 'Security Key'. Followed Option 1 in the documentation.
Issue
SharePoint, being a client-side app, poses the threat of the channel 'Security Key' being exposed, i.e. it can be fetched in the browser's developer tools and used to integrate our bot on their own website.
I have already tried
- Minifying the JavaScript and adding it to the web part; it makes it difficult to read the 'Security Key', but not impossible.
- Single Sign-On (SSO): SSO is not possible without an OAuthCard at the bot level, so I am trying to avoid it.
- Creating a trigger/function app to hide the bot connector REST call and only expose the token, but it requires some additional cost in resources.
- I did not find a way to pass the SharePoint logged-in user context or token from SharePoint to the bot.
Expectation
- Secure the channel 'Security Key' so that it can't be accessed in the developer tools, or
- Find a way to pass the SharePoint logged-in user context or token from SharePoint to the bot and validate it at the bot end, or
- Hide the REST call to the bot connector API through a free trigger in SharePoint Online.
Open to any other solution or suggestion as well.