Access session (UniversalBot.loadSession) and it's userData from tab

%3CLINGO-SUB%20id%3D%22lingo-sub-1117830%22%20slang%3D%22de-DE%22%3EAccess%20session%20(UniversalBot.loadSession)%20and%20it's%20userData%20from%20tab%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1117830%22%20slang%3D%22de-DE%22%3E%3CP%3EHello!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIs%20there%20any%20possibility%20to%20access%20the%20current%20session%20(UniversalBot.loadSession%20with%20an%20address%20object)%20and%20the%20associated%20userData%20when%20handling%20a%20request%20for%20a%20tab%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThere%20is%20microsoftTeams.getContent%20on%20the%20tab%20client%20side%2C%20but%20that%20information%20is%20insecure%20and%20cannot%20be%20used%20for%20authentication%20as%20stated%20in%20the%20docs.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhen%20handling%20a%20bot%20request%2C%20e.g.%20handling%20a%20messaging%20extension%20request%20for%20a%20search%20that%20needs%20authentication%20to%20an%20external%20IDP%2C%20this%20information%20can%20be%20accessed%20through%20the%20address%20object%20from%20the%20event%20object%20in%20an%20onQuery-handler%2C%20but%20so%20far%20I%20could%20not%20figure%20out%20how%20to%20do%20this%20wh%20en%20handling%20a%20request%20for%20a%20tab.%20Especially%20I%20don't%20know%20how%20to%20access%20the%20address%20object%20with%20which%20the%20session%20can%20be%20loaded.%20%3CBR%20%2F%3E%3CBR%20%2F%3EI%20would%20need%20this%20to%20use%20one%20single%20authentication%20flow%20with%20the%20bot%20but%20not%20an%20additional%20tab%20based%20authentication%20flow.%20I%20want%20to%20avoid%20using%20microsoftTeams.authentication.authenticate%20as%20a%20second%20parallel%20authentication%20flow%20to%20the%20bot%20authentication%20initiated%20with%20responding%20with%20composeExtension%2Ftype%20%22auth%22%2F%22openUrl%22.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EUsing%20two%20parallel%20authentication%20flows%20may%20confuse%20the%20user%20as%20e.g.%20when%20the%20user%20first%20uses%20the%20tab%20flow%20the%20bot%2Fmessaging%20extension%20needs%20an%20additional%20authentication%2C%20and%20when%20using%20the%20bot%20flow%20first%20the%20tab%20can%20be%20authenticated%20through%20localStorage%20(writing%20the%20access%20token%20into%20the%20localStore%20in%20the%20authentication%20callback%20site)%20on%20the%20machine%20where%20the%20authentication%20took%20place%2C%20but%20when%20signed%20in%20to%20teams%20simultaneously%20on%20another%20machine%2C%20the%20bot%20can%20use%20the%20access%20token%20there%20too%2C%20as%20the%20teams%20sessions%20is%20the%20same%20but%2C%20the%20tab%20is%20not%20authenticated%20as%20it%20cannot%20access%20the%20session.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ERegards%2C%3C%2FP%3E%3CP%3EDominik%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1117830%22%20slang%3D%22de-DE%22%3E%3CLINGO-LABEL%3EAuthentication%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EDeveloper%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EMicrosoft%20Teams%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOauth%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESession%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EUserdata%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1124710%22%20slang%3D%22en-US%22%3ERe%3A%20Access%20session%20(UniversalBot.loadSession)%20and%20it's%20userData%20from%20tab%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1124710%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F522287%22%20target%3D%22_blank%22%3E%40dhoelzl%3C%2FA%3E%26nbsp%3B%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EEvery%20request%20to%20your%20services%20includes%20the%26nbsp%3B%3C%2FSPAN%3E%3CCODE%3Eid%3C%2FCODE%3E%3CSPAN%3E%26nbsp%3Band%26nbsp%3B%3C%2FSPAN%3E%3CCODE%3EaadObjectId%3C%2FCODE%3E%2C%20which%26nbsp%3B%3CSPAN%3Eare%20guaranteed%20to%20be%20of%20the%20authenticated%20Teams%20user.%20They%20can%20be%20used%20as%20keys%20to%20look%20up%20credentials%20or%20any%20cached%20state%20in%20your%20service.%20In%20addition%2C%20each%20request%20contains%20the%20Azure%20Active%20Directory%20tenant%20ID%20of%20the%20user%2C%20which%20can%20be%20used%20to%20identify%20the%20user%E2%80%99s%20organization.%3CBR%20%2F%3EYou%20can%20take%20a%20look%20at%20below%20link%20for%20more%20details.%3CBR%20%2F%3E%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoftteams%2Fplatform%2Fmessaging-extensions%2Fhow-to%2Fadd-authentication%23authentication%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%3CFONT%20face%3D%22arial%2Chelvetica%2Csans-serif%22%20size%3D%223%22%3EAdd%20authentication%20to%20your%20messaging%20extension%3C%2FFONT%3E%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1130851%22%20slang%3D%22en-US%22%3ERe%3A%20Access%20session%20(UniversalBot.loadSession)%20and%20it's%20userData%20from%20tab%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1130851%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F451628%22%20target%3D%22_blank%22%3E%40subhasish-MSFT%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThank%20you%20for%20your%20reply!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20configured%20a%20configurable%20tab%20like%20this%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CPRE%20class%3D%22lia-code-sample%20language-javascript%22%3E%3CCODE%3E%20%20%22configurableTabs%22%3A%20%5B%0A%20%20%20%20%7B%0A%20%20%20%20%20%20%22configurationUrl%22%3A%20%22%3CA%20href%3D%22https%3A%2F%2FXXXXXXXX.ngrok.io%2Ftab%2Fconfigure%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2FXXXXXXXX.ngrok.io%2Ftab%2Fconfigure%3C%2FA%3E%22%2C%0A%20%20%20%20%20%20%22canUpdateConfiguration%22%3A%20true%2C%0A%20%20%20%20%20%20%22scopes%22%3A%20%5B%0A%20%20%20%20%20%20%20%20%20%20%22team%22%0A%20%20%20%20%20%20%5D%0A%20%20%20%20%7D%0A%20%20%5D%3C%2FCODE%3E%3C%2FPRE%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CDIV%3E%3CDIV%3E%26nbsp%3B%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3EI%20am%20using%20Node%2Fexpress%3A%3C%2FSPAN%3E%3C%2FDIV%3E%3C%2FDIV%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CPRE%20class%3D%22lia-code-sample%20language-javascript%22%3E%3CCODE%3Eapp.get(%22%2Ftab%2Fconfigure%22%2C%20(req%2C%20res)%20%3D%26gt%3B%20%7B%0A%20%20res.render(%22configure%22)%0A%7D)%3B%3C%2FCODE%3E%3C%2FPRE%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CDIV%3E%26nbsp%3B%3C%2FDIV%3E%3CDIV%3EAnd%20I%20get%20called%20via%20GET-Request%3A%3C%2FDIV%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CPRE%20class%3D%22lia-code-sample%20language-markup%22%3E%3CCODE%3Ereq.url%3A%20%22%2Ftab%2Fconfigure%22%0Areq.method%3A%20%22GET%22%0Areq.rawHeaders%3A%0A%22%5B%22Host%22%2C%22XXXXXXXX.ngrok.io%22%2C%0A%22Accept%22%2C%22text%2Fhtml%2Capplication%2Fxhtml%2Bxml%2Capplication%2Fxml%3Bq%3D0.9%2Cimage%2Fwebp%2Cimage%2Fapng%2C*%2F*%3Bq%3D0.8%22%2C%0A%22Accept-Encoding%22%2C%22gzip%2C%20deflate%2C%20br%22%2C%0A%22Referer%22%2C%22%3CA%20href%3D%22https%3A%2F%2Fteams.microsoft.com%2Fiframe-container.html%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fteams.microsoft.com%2Fiframe-container.html%3C%2FA%3E%22%2C%0A%22Upgrade-Insecure-Requests%22%2C%221%22%2C%0A%22User-Agent%22%2C%22Mozilla%2F5.0%22%20(Windows%20NT%2010.0%3B%20Win64%3B%20x64)%20AppleWebKit%2F537.36%20(KHTML%2C%20like%20Gecko)%20Teams%2F1.3.00.362%20Chrome%2F66.0.3359.181%20Electron%2F3.1.13%20Safari%2F537.36%22%2C%0A%22X-Forwarded-Proto%22%2C%22https%22%2C%22X-Forwarded-For%22%2C%22XXX.XXX.XXX.XXX%22%5D%22%3C%2FCODE%3E%3C%2FPRE%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CDIV%3E%26nbsp%3B%3C%2FDIV%3E%3CDIV%3EWhere%20can%20I%20access%20the%20%3CFONT%20face%3D%22courier%20new%2Ccourier%22%3Eid%3C%2FFONT%3E%20and%26nbsp%3B%3CSPAN%3E%3CFONT%20face%3D%22courier%20new%2Ccourier%22%3EaadObjectId%3C%2FFONT%3E%3F%20Do%20I%20miss%20something%3F%20I%20cannot%20see%20any%20header%20or%20URL-argument%20containing%20authentication%20information.%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%26nbsp%3B%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3EWhen%20I%20dump%20the%20result%20of%20%3CFONT%20face%3D%22courier%20new%2Ccourier%22%3EmicrosoftTeams.getContext%3C%2FFONT%3E%26nbsp%3Bon%20my%20configuration%20page%2C%20there%20is%20also%20no%20%3CFONT%20face%3D%22courier%20new%2Ccourier%22%3Eid%3C%2FFONT%3E%20or%20%3CFONT%20face%3D%22courier%20new%2Ccourier%22%3EaadObjectId%3C%2FFONT%3E%2C%20and%20as%20stated%20in%20the%20docs%20this%20information%20must%20not%20be%20used%20for%20user%20authentication%20anyway.%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%26nbsp%3B%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3EThank%20you%20and%20regards%2C%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3EDominik%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%26nbsp%3B%3C%2FDIV%3E%3CDIV%3E%26nbsp%3B%3C%2FDIV%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1130977%22%20slang%3D%22en-US%22%3ERe%3A%20Access%20session%20(UniversalBot.loadSession)%20and%20it's%20userData%20from%20tab%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1130977%22%20slang%3D%22en-US%22%3E%3CP%3EYou%20can%20refer%20this%20%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2Fmicrosoft%2FBotBuilder-Samples%2Fblob%2F0bc30ed8ecdd8c82f2e20c48cc72426dd2100bc0%2Fsamples%2Fjavascript_nodejs%2F52.teams-messaging-extensions-search-auth-config%2Fbots%2FteamsMessagingExtensionsSearchAuthConfigBot.js%23L36%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Esample%20code%20for%20authentication%20in%20message%20extension%20in%20node.js.%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EHere%20is%20a%20link%20for%20complete%20solution%26nbsp%3B%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2Fmicrosoft%2FBotBuilder-Samples%2Ftree%2F0bc30ed8ecdd8c82f2e20c48cc72426dd2100bc0%2Fsamples%2Fjavascript_nodejs%2F52.teams-messaging-extensions-search-auth-config%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fgithub.com%2Fmicrosoft%2FBotBuilder-Samples%2Ftree%2F0bc30ed8ecdd8c82f2e20c48cc72426dd2100bc0%2Fsamples%2Fjavascript_nodejs%2F52.teams-messaging-extensions-search-auth-config%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3EHope%20it%20helps%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1133335%22%20slang%3D%22en-US%22%3ERe%3A%20Access%20session%20(UniversalBot.loadSession)%20and%20it's%20userData%20from%20tab%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1133335%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F451628%22%20target%3D%22_blank%22%3E%40subhasish-MSFT%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThank%20you!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESo%20with%20this%20I%20can%20access%20the%20session%20before%20teams%20retrieves%20an%20URL%20to%20the%20configuration%20page%2C%20so%20that%20I%20can%20attach%20an%20oAuth%20access%20token%20(or%20the%20%3CFONT%20face%3D%22courier%20new%2Ccourier%22%3Eid%3C%2FFONT%3E%2F%3CSPAN%3E%3CFONT%20face%3D%22courier%20new%2Ccourier%22%3EaadObjectId%3C%2FFONT%3E)%26nbsp%3B%3C%2FSPAN%3Eas%20URL%20parameter%20which%20later%20can%20be%20accessed%20when%20handling%20the%20GET-Request%20of%20the%20configuration%20page%20itself%3F%20May%20this%20be%20insecure%3F%3C%2FP%3E%3CP%3EWhere%20is%20the%20documentation%20about%20that%3F%20I%20can%20see%20that%20the%20C%23-equivalent%20is%26nbsp%3BOnTeamsMessagingExtensionConfigurationQuerySettingUrlAsync%20(found%20at%20%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2Fmicrosoft%2Fbotbuilder-dotnet%2Fblob%2Fmaster%2Flibraries%2FMicrosoft.Bot.Builder%2FTeams%2FTeamsActivityHandler.cs%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fgithub.com%2Fmicrosoft%2Fbotbuilder-dotnet%2Fblob%2Fmaster%2Flibraries%2FMicrosoft.Bot.Builder%2FTeams%2FTeamsActivityHandler.cs%3C%2FA%3E)%2C%20but%20I%20cannot%20find%20any%20reference%20documentation%20for%20this.%20How%20does%20this%20interfere%20with%20the%20configured%26nbsp%3BconfigurationUrl%20in%20the%20manifest%3F%3C%2FP%3E%3CP%3EI%20will%20try%20and%20play%20around%20with%20this.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ERegards%2C%3C%2FP%3E%3CP%3EDominik%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
Occasional Contributor

Hello!

 

Is there any possibility to access the current session (UniversalBot.loadSession with an address object) and the associated userData when handling a request for a tab?

 

There is microsoftTeams.getContent on the tab client side, but that information is insecure and cannot be used for authentication as stated in the docs.

 

When handling a bot request, e.g. handling a messaging extension request for a search which needs authentication to an external IDP, this information can be accessed through the address object from the event object in an onQuery-handler, but so far I could not figure out how to do this when handling a request for a tab. Especially I don't know how to access the address object with which the session can be loaded.

I would need this to use one single authentication flow with the bot but not an additional tab based authentication flow. I want to avoid using microsoftTeams.authentication.authenticate as a second parallel authentication flow to the bot authentication initiated with responding with composeExtension/type "auth"/"openUrl".

 

Using two parallel authentication flows may confuse the user as e.g. when the user first uses the tab flow the bot/messaging extension needs an additional authentication, and when using the bot flow first the tab can be authenticated through localStorage (writing the access token into the localStore in the authentication callback site) on the machine where the authentication took place, but when signed in to Teams simultaneously on another machine, the bot can use the access token there too, as the Teams sessions is the same, but the tab is not authenticated as it cannot access the session.

 

Regards,

Dominik

 

4 Replies
Highlighted

@dhoelzl 

Every request to your services includes the id and aadObjectId, which are guaranteed to be of the authenticated Teams user. They can be used as keys to look up credentials or any cached state in your service. In addition, each request contains the Azure Active Directory tenant ID of the user, which can be used to identify the user’s organization.
You can take a look at below link for more details.
Add authentication to your messaging extension



 

Highlighted

@subhasish-MSFT 

Thank you for your reply!

 

I have configured a configurable tab like this:

 

 

  "configurableTabs": [
    {
      "configurationUrl": "<a href="https://XXXXXXXX.ngrok.io/tab/configure" target="_blank">https://XXXXXXXX.ngrok.io/tab/configure</a>",
      "canUpdateConfiguration": true,
      "scopes": [
          "team"
      ]
    }
  ]

 

 

 
I am using Node/express:

 

 

app.get("/tab/configure", (req, res) => {
  res.render("configure")
});

 

 

 
And I get called via GET-Request:

 

 

req.url: "/tab/configure"
req.method: "GET"
req.rawHeaders:
"["Host","XXXXXXXX.ngrok.io",
"Accept","text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8",
"Accept-Encoding","gzip, deflate, br",
"Referer","<a href="https://teams.microsoft.com/iframe-container.html" target="_blank">https://teams.microsoft.com/iframe-container.html</a>",
"Upgrade-Insecure-Requests","1",
"User-Agent","Mozilla/5.0" (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Teams/1.3.00.362 Chrome/66.0.3359.181 Electron/3.1.13 Safari/537.36",
"X-Forwarded-Proto","https","X-Forwarded-For","XXX.XXX.XXX.XXX"]"

 

 

 
Where can I access the id and aadObjectId? Do I miss something? I cannot see any header or URL-argument containing authentication information.
 
When I dump the result of microsoftTeams.getContext on my configuration page, there is also no id or aadObjectId, and as stated in the docs this information must not be used for user authentication anyway.
 
Thank you and regards,
Dominik
 
 
Highlighted

@subhasish-MSFT 

Thank you!

 

So with this I can access the session before teams retrieves an URL to the configuration page, so that I can attach an oAuth access token (or the id/aadObjectIdas URL parameter which later can be accessed when handling the GET-Request of the configuration page itself? May this be insecure?

Where is the documentation about that? I can see that the C#-equivalent is OnTeamsMessagingExtensionConfigurationQuerySettingUrlAsync (found at https://github.com/microsoft/botbuilder-dotnet/blob/master/libraries/Microsoft.Bot.Builder/Teams/Tea...), but I cannot find any reference documentation for this. How does this interfere with the configured configurationUrl in the manifest?

I will try and play around with this.

 

Regards,

Dominik