cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Access session (UniversalBot.loadSession) and it's userData from tab

dhoelzl
Copper Contributor

‎Jan 20 2020 02:30 AM

‎Jan 20 2020 02:30 AM

Access session (UniversalBot.loadSession) and it's userData from tab

Hello!

 

Is there any possibility to access the current session (UniversalBot.loadSession with an address object) and the associated userData when handling a request for a tab?

 

There is microsoftTeams.getContent on the tab client side, but that information is insecure and cannot be used for authentication as stated in the docs.

 

When handling a bot request, e.g. handling a messaging extension request for a search which needs authentication to an external IDP, this information can be accessed through the address object from the event object in an onQuery-handler, but so far I could not figure out how to do this when handling a request for a tab. Especially I don't know how to access the address object with which the session can be loaded.

I would need this to use one single authentication flow with the bot but not an additional tab based authentication flow. I want to avoid using microsoftTeams.authentication.authenticate as a second parallel authentication flow to the bot authentication initiated with responding with composeExtension/type "auth"/"openUrl".

 

Using two parallel authentication flows may confuse the user as e.g. when the user first uses the tab flow the bot/messaging extension needs an additional authentication, and when using the bot flow first the tab can be authenticated through localStorage (writing the access token into the localStore in the authentication callback site) on the machine where the authentication took place, but when signed in to Teams simultaneously on another machine, the bot can use the access token there too, as the Teams sessions is the same, but the tab is not authenticated as it cannot access the session.

 

Regards,

Dominik

 

1,226 Views
0 Likes
4 Replies
Reply
4 Replies
subhasish-MSFT

‎Jan 23 2020 03:56 AM

‎Jan 23 2020 03:56 AM

Re: Access session (UniversalBot.loadSession) and it's userData from tab

@dhoelzl 

Every request to your services includes the id and aadObjectId, which are guaranteed to be of the authenticated Teams user. They can be used as keys to look up credentials or any cached state in your service. In addition, each request contains the Azure Active Directory tenant ID of the user, which can be used to identify the user’s organization.
You can take a look at below link for more details.
Add authentication to your messaging extension



 

0 Likes
Reply
dhoelzl

‎Jan 27 2020 01:27 AM - edited ‎Jan 27 2020 01:29 AM

‎Jan 27 2020 01:27 AM - edited ‎Jan 27 2020 01:29 AM

Re: Access session (UniversalBot.loadSession) and it's userData from tab

@subhasish-MSFT 

Thank you for your reply!

 

I have configured a configurable tab like this:

 

 

  "configurableTabs": [
    {
      "configurationUrl": "<a href="https://XXXXXXXX.ngrok.io/tab/configure" target="_blank">https://XXXXXXXX.ngrok.io/tab/configure</a>",
      "canUpdateConfiguration": true,
      "scopes": [
          "team"
      ]
    }
  ]

 

 

 
I am using Node/express:

 

 

app.get("/tab/configure", (req, res) => {
  res.render("configure")
});

 

 

 
And I get called via GET-Request:

 

 

req.url: "/tab/configure"
req.method: "GET"
req.rawHeaders:
"["Host","XXXXXXXX.ngrok.io",
"Accept","text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8",
"Accept-Encoding","gzip, deflate, br",
"Referer","<a href="https://teams.microsoft.com/iframe-container.html" target="_blank">https://teams.microsoft.com/iframe-container.html</a>",
"Upgrade-Insecure-Requests","1",
"User-Agent","Mozilla/5.0" (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Teams/1.3.00.362 Chrome/66.0.3359.181 Electron/3.1.13 Safari/537.36",
"X-Forwarded-Proto","https","X-Forwarded-For","XXX.XXX.XXX.XXX"]"

 

 

 
Where can I access the id and aadObjectId? Do I miss something? I cannot see any header or URL-argument containing authentication information.
 
When I dump the result of microsoftTeams.getContext on my configuration page, there is also no id or aadObjectId, and as stated in the docs this information must not be used for user authentication anyway.
 
Thank you and regards,
Dominik
 
 
0 Likes
Reply
dhoelzl

‎Jan 28 2020 09:34 AM

‎Jan 28 2020 09:34 AM

Re: Access session (UniversalBot.loadSession) and it's userData from tab

@subhasish-MSFT 

Thank you!

 

So with this I can access the session before teams retrieves an URL to the configuration page, so that I can attach an oAuth access token (or the id/aadObjectIdas URL parameter which later can be accessed when handling the GET-Request of the configuration page itself? May this be insecure?

Where is the documentation about that? I can see that the C#-equivalent is OnTeamsMessagingExtensionConfigurationQuerySettingUrlAsync (found at https://github.com/microsoft/botbuilder-dotnet/blob/master/libraries/Microsoft.Bot.Builder/Teams/Tea...), but I cannot find any reference documentation for this. How does this interfere with the configured configurationUrl in the manifest?

I will try and play around with this.

 

Regards,

Dominik

0 Likes
Reply