
I need a consultation regarding developing an authentication feature in an MS Teams bot. The bot is meant to be used in MS Teams channels primarily, and in order to secure the api/messages endpoint, I am using OAuth.

Now, if the user is not authenticated, an OAuthPrompt is created for the user to log in and continue participating in the channel's thread conversation. However, the login prompt is sent in the channel thread, which does not provide a good user experience.

Instead, I would like to send the OAuthPrompt to the user as a private message.

How could I go about implementing this? I am referring to this documentation and this example, core-proactiveMessages. Could someone please help me figure this out, or point me to the correct resources or examples? Thanks.

Ajinkya Kale
  • Are you using Bot Builder v3? I'm wondering why you think the bot's endpoint needs to be secured if it already has a Microsoft app ID and password. Does this other question apply to you at all? https://stackoverflow.com/questions/62455129/what-is-the-botframework-security-model – Kyle Delaney Jun 24 '20 at 17:54
  • Hi Kyle, I am using Bot Builder v4.9.1. I need to secure the endpoint for two reasons: 1. the downstream API requires user authentication to access the resource; 2. to conform to the network security policy. – Ajinkya Kale Jun 24 '20 at 18:42
  • Okay, but I need to know what you mean by securing the endpoint since the endpoint is already "secure" thanks to the Microsoft app ID and password. By securing the endpoint do you just mean restricting the conversation to specific users? Do you want your bot to only be available in a specific tenant like in the other question or are your restrictions more user-specific? Is your OAuth prompt just being used to make sure the right users are talking, or is the OAuth token from the prompt actually needed to access those resources you mentioned? – Kyle Delaney Jun 24 '20 at 20:41
  • Hi Kyle, by securing I meant that the bot should only be available to users within the company, and the OAuth prompt is used to ensure that only the right users are talking. – Ajinkya Kale Jun 26 '20 at 19:37
  • Is my answer acceptable? – Kyle Delaney Jun 30 '20 at 18:59
  • Hi, yes, thanks, it does make sense. My follow-up question is: what's the best way to test this setup? I do not want to create a new tenant ID. – Ajinkya Kale Jul 01 '20 at 19:12
  • If you only have access to one tenant and you want to make sure the bot works in some tenants but not others, you can just change the list of acceptable tenants. To see how the bot responds on an invalid tenant, just remove your tenant from the list. – Kyle Delaney Jul 01 '20 at 23:54
  • Is there a reason you haven't accepted the answer yet? – Kyle Delaney Jul 07 '20 at 22:06

1 Answer

It sounds like you want to restrict the bot to specific tenants just like in this question: What is the botframework security model?

If you're sure you want to restrict the bot to specific users instead of specific tenants, you can still use the middleware from that answer and just adapt it slightly to check the user ID instead of the tenant ID.

Kyle Delaney
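The middleware approach from the answer, written out as an added example (not code from the linked answer or from the Bot Framework samples): a Bot Framework v4 middleware for Node.js that lets a turn through only when the Teams tenant is on an allowlist and, when a user allowlist is supplied, the sender's `from.id` is too. It implements the botbuilder `Middleware` shape (an object with `onTurn(context, next)`) without importing the package, and the allowlist values are constructed placeholders.

```javascript
// Constructed allowlists; real values come from your own tenant and user directory.
const ALLOWED_TENANTS = new Set(['00000000-0000-0000-0000-000000000001']);
const ALLOWED_USERS = new Set(['29:userA', '29:userB']);

// Teams carries the tenant id in channelData.tenant.id; v4 also mirrors it
// into conversation.tenantId, so fall back to that.
function tenantIdOf(activity) {
  return (activity.channelData && activity.channelData.tenant && activity.channelData.tenant.id)
    || (activity.conversation && activity.conversation.tenantId)
    || null;
}

// Pure decision function, kept separate from the middleware so it can be unit
// tested and logged. allowedUsers may be null to restrict by tenant only.
function authorizeActivity(activity, allowedTenants, allowedUsers) {
  const tenantId = tenantIdOf(activity);
  if (!tenantId || !allowedTenants.has(tenantId)) {
    return { allowed: false, reason: 'tenant' };
  }
  if (allowedUsers) {
    const userId = activity.from && activity.from.id;
    if (!userId || !allowedUsers.has(userId)) {
      return { allowed: false, reason: 'user' };
    }
  }
  return { allowed: true, reason: null };
}

// Middleware factory; register with adapter.use(createAllowlistMiddleware(...)).
// A denied turn gets a short reply and never reaches the bot's handlers,
// because next() is not called.
function createAllowlistMiddleware(allowedTenants, allowedUsers) {
  return {
    async onTurn(context, next) {
      const verdict = authorizeActivity(context.activity, allowedTenants, allowedUsers);
      if (!verdict.allowed) {
        await context.sendActivity('This bot is not available to you.');
        return;
      }
      await next();
    },
  };
}
```

To test the "invalid tenant" path without a second tenant, as the comments suggest, pass an allowlist that omits your own tenant id.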