
I have developed an MS Teams Message Extension using Java [Spring Boot] and registered the bot in the Bot Framework Development portal [https://dev.botframework.com/]. It is working fine locally. I tested it in my local environment using a tunneling application named localtunnel. I tested the extension in MS Teams.

I pushed the code to the cloud [AWS] as it was working fine locally, and also changed the message endpoint URL to point to our test server. But, unfortunately, I am getting "Bot returned unsuccessful status code unauthorized." [You can see the screenshot]. The test server message endpoint doesn't require a JWT token; I am able to call it successfully from Postman without giving a token.

As per the documentation, this error occurs usually when:

  • The Messaging endpoint specified on the Settings page for your bot in the Bot Framework Portal is incorrect. Make sure you have included the proper path at the end of the URL (e.g., /api/messages).

  • The Messaging endpoint specified on the Settings page for your bot in the Bot Framework Portal does not begin with https or is not trusted by the Bot Framework. Your bot must have a valid, chain-trusted certificate.

  • The bot is configured with missing or incorrect values for app ID or password. Verify that the bot configuration settings specify valid values for app ID and password.

All the points are correct in my case.

In this documentation, Azure Bot resources are mentioned in the "Test your bot" section of "Step 4: Test your bot in the cloud".

https://learn.microsoft.com/en-us/azure/bot-service/bot-service-troubleshoot-authentication-problems?view=azure-bot-service-4.0&tabs=csharp#step-3

So in order to test the bot in the cloud, is it necessary to register it on Azure Bot Services instead of the Bot Framework development portal? Can't we test it just by registering it on the Bot Framework development portal?


roshan1892
  • Which endpoint are you using to send messages back to Teams? I can't figure out which endpoint to use to POST the response. For example, conversations use `conversations/{$conversationId}/activities`. What do you use for extension responses? – Anthony Mar 26 '23 at 19:34

2 Answers

The dev.botframework.com portal is deprecated, so I'd advise against continuing to use it. The Azure Bot resource is the evolution and replacement of the Bot Channels Registration, so you will need to use it to test your bot in the cloud. It effectively does the same things, but it better handles various new security and tenancy features that the old portal did not.

Furthermore, the documentation you linked mentions that extra security configuration steps must be taken for non-Azure deployments to get your bot to use https. Ensure you do this before filling in the messaging endpoint in your Azure Bot configuration.

AP01
  • So it is mandatory to register as an Azure bot to test in the cloud? I see no info regarding the portal being deprecated in the docs or in the portal itself [if there was some warning, it would have been better]. After some research, I see that it was deprecated back in 2018. It seems it can only be used to test locally and not in the cloud, as it is less secure. – roshan1892 May 16 '22 at 10:42
  • I used the Azure Bot resource following this doc: https://learn.microsoft.com/en-us/azure/bot-service/abs-quickstart?view=azure-bot-service-4.0&tabs=userassigned and it is working fine locally. Regarding security, I think they are trying to make sure valid info for the bot [appId, appPassword] has been provided in the configuration file of the extension. I assume if we redeploy our extension [by updating appId, appPassword, tenantId, appType] and update the Azure bot to point to the cloud endpoint, it should work, right? – roshan1892 May 16 '22 at 10:42
  • Assuming any other Teams or AWS configs are also correct, yes, it should. – AP01 May 16 '22 at 14:49

I figured out the issue. Even though the message endpoint could be called without any JWT token of our app, the code was verifying the token if it was present in the Authorization header instead of ignoring it. MS Teams sends a JWT token in the Authorization header of every request to verify it is coming from Teams, but the extension app was comparing this token sent from Teams against our app. Since this token is not created by our app but by the Bot Framework, it was throwing 401 Unauthorized.

So make sure your app is ignoring the token sent in the Authorization header for the message endpoint.

About the other doubts I had:

  • It is not mandatory to register the bot in Azure in order to test in the cloud; you can register it in the development portal as well. Since the development portal is deprecated, I highly recommend using Azure as it is highly secure.

  • You can do a non-Azure deployment as well. You can deploy your extension app or message API endpoint in any cloud provider of your choice. But you have to register the bot either in the development portal or in Azure, which will call your extension app.

roshan1892
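
The mismatch described in the answer above, as an added example that is not part of the original post or of any Bot Framework SDK: a token signed on the connector side fails when checked against the app's own key, and passes when checked against the connector's key together with the issuer, audience and expiry. The class name, the locally generated key pairs, the placeholder app ID and the regex claim parser are assumptions made to keep it self-contained; the issuer value is the one documented for Bot Connector tokens.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Base64;
import java.util.regex.*;
public class BotFrameworkTokenCheck {
    static final String BF_ISSUER = "https://api.botframework.com";
    // Extract one string or numeric claim (regex keeps this dependency-free; use a JWT library in real code).
    static String claim(String json, String name) {
        Matcher m = Pattern.compile("\"" + name + "\"\\s*:\\s*\"?([^\",}]*)").matcher(json);
        return m.find() ? m.group(1) : null;
    }
    // True only for an unexpired RS256 token signed by `key`, issued by BF_ISSUER for `appId`.
    static boolean verify(String authHeader, PublicKey key, String appId) {
        try {
            String[] p = authHeader.substring(7).split("\\.");
            if (!authHeader.startsWith("Bearer ") || p.length != 3) return false;
            Base64.Decoder dec = Base64.getUrlDecoder();
            String header = new String(dec.decode(p[0]), StandardCharsets.UTF_8);
            String body = new String(dec.decode(p[1]), StandardCharsets.UTF_8);
            Signature sig = Signature.getInstance("SHA256withRSA");
            sig.initVerify(key);
            sig.update((p[0] + "." + p[1]).getBytes(StandardCharsets.US_ASCII));
            return "RS256".equals(claim(header, "alg")) && sig.verify(dec.decode(p[2]))
                && BF_ISSUER.equals(claim(body, "iss")) && appId.equals(claim(body, "aud"))
                && Long.parseLong(claim(body, "exp")) > System.currentTimeMillis() / 1000;
        } catch (GeneralSecurityException | RuntimeException e) {
            return false; // null or malformed header, bad base64, missing claim, bad signature
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair connectorKey = gen.generateKeyPair(); // constructed stand-in for a Bot Framework signing key
        KeyPair appKey = gen.generateKeyPair();       // constructed stand-in for the app's own JWT key
        String appId = "00000000-0000-0000-0000-000000000000"; // placeholder Microsoft App ID
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        String claims = "{\"iss\":\"" + BF_ISSUER + "\",\"aud\":\"" + appId + "\",\"exp\":"
            + (System.currentTimeMillis() / 1000 + 300) + "}";
        String signed = enc.encodeToString("{\"alg\":\"RS256\"}".getBytes(StandardCharsets.UTF_8))
            + "." + enc.encodeToString(claims.getBytes(StandardCharsets.UTF_8));
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(connectorKey.getPrivate());
        s.update(signed.getBytes(StandardCharsets.US_ASCII));
        String auth = "Bearer " + signed + "." + enc.encodeToString(s.sign());
        System.out.println("checked against connector key: " + verify(auth, connectorKey.getPublic(), appId));
        System.out.println("checked against app's own key: " + verify(auth, appKey.getPublic(), appId));
    }
}
```

In a deployed bot the public key comes from the signing keys published in the Bot Framework OpenID metadata document rather than from a locally generated pair.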