Providing an identity to Azure bot service
Requirements: I am creating a Teams bot wherein the bot's logical part/bot is not being hosted on Azure.
Current Problem: To get the data from Teams, my understanding is that Azure Bot Service is utilized, wherein an endpoint is provided to it, to which it sends the requests. I wish to provide an identity to this Azure Bot Service in order to verify the authenticity of the incoming requests to our platform (though this can be done at the bot, I wish to accomplish the same using IAP in GCP). However, from the documentation it seems that there are ways to provide identities to Azure App Services, but such an option seems not to be available for the Azure Bot Service. Is there a methodology to provide an identity to an Azure Bot Service such that the bot service itself may be authenticated?
Azure AI Bot Service
-
navba-MSFT 27,065 Reputation points • Microsoft Employee
2024-12-17T04:56:32.8666667+00:00 @Shivaansh Mital Welcome to Microsoft Q&A Forum, Thank you for posting your query here!
To authenticate your Azure Bot Service and verify the authenticity of incoming requests, you can use Microsoft Entra ID (formerly Azure AD) to provide an identity to your bot. Here’s a high-level overview of how you can achieve this:
- Create an Azure Bot Resource: This is necessary to register your bot with the Azure Bot Service.
- Create a Microsoft Entra ID Application: This application will act as the identity provider for your bot. You can use federated credentials to authenticate the bot service itself.
- Register the Microsoft Entra ID Application with the Bot: This involves configuring the bot to use the identity provider for authentication. You will need to set up OAuth 2.0 authentication, which allows the bot to obtain tokens for accessing secured resources.
- Configure the Bot Code: Update your bot's code to handle authentication tokens. This typically involves adding the necessary libraries and configuration settings to manage OAuth tokens.
- Use Federated Identity Credentials: This method allows your bot to authenticate using federated credentials, which can be configured in the Azure portal.
Here are some detailed steps and resources to help you get started:
- Create the Azure Bot Resource: Create and configure your bot resource in the Azure portal.
- Set Up Microsoft Entra ID: Register a new application in Microsoft Entra ID and configure it to use federated credentials.
- Update Bot Configuration: Modify your bot’s configuration files to include the necessary authentication settings.
You can refer to the official documentation on adding authentication to a bot and implementing authentication with federated identity credentials.
.
Hope this helps. If you have any follow-up questions, please let me know. I would be happy to help.
-
Shivaansh Mital 0 Reputation points
2024-12-18T04:39:11.85+00:00 Could you please confirm the methodology to add an identity to the bot resource/service, since in all the documentation that I have read there is a way to add an identity to Azure App Services; however, is the same possible for Azure Bot Service, since it appears that there is no such option in the Bot Service to add an identity?
Below I have attached a screenshot from one of the documentation pages which specifies the methodology to add an identity to Azure App Service.
Source: Microsoft
However, I believe that there is no such option to add an identity to the bot service. Could you please confirm the same and inform me regarding the methodology, if one exists? Also, could you kindly specify the POST request format in case an identity is provided to the bot service, since currently the format is:
```http
POST Some endpoint
Authorization: Bearer eyJhbGciOiJIUzI1Ni...
Content-Type: application/json
```
-
Shivaansh Mital 0 Reputation points
2024-12-18T04:57:53.0666667+00:00 Could you please kindly confirm whether an identity can be provided to the Azure Bot Service/resource, since in all the documentation that I have read there seems to be a way to provide an identity to Azure App Service, but there does not seem to be a way to add an identity to the Bot Service.
To add an identity to an Azure App Service
Source: Microsoft
However, I believe that the Azure Bot Service does not have any such option to add an identity to itself.
Could you please check and inform me regarding the methodology to add an identity to the bot service. Further, if an identity can be provided to the service, could you also provide the POST request format in that case, since the current format is:
```http
POST Some Endpoint
Authorization: JWT Token
Content-Type: application/json
```
-
navba-MSFT 27,065 Reputation points • Microsoft Employee
2024-12-18T09:12:19.2166667+00:00 @Shivaansh Mital Thanks for getting back.
You are correct that the Azure Bot Service itself does not directly support assigning a managed identity in the same way that Azure App Services do. However, you can still achieve secure authentication for your bot by leveraging Azure App Service, which can host your bot and support managed identities.
Here's how you can proceed:
- Deploy Your Bot on Azure App Service.
- Enable Managed Identity for Azure App Service:
  - Navigate to your App Service in the Azure portal.
  - Under the Settings section, select Identity.
  - Turn on the System-assigned managed identity.
- Assign Roles to the Managed Identity:
  - Assign the necessary roles to the managed identity to access the required resources (e.g., Azure Key Vault, Azure Storage).
- Configure your Bot to Use the Managed Identity:
  - In your bot's code, use the Azure SDK to authenticate using the managed identity. For example, using the DefaultAzureCredential class in .NET:

```csharp
using System;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

// DefaultAzureCredential picks up the App Service managed identity at runtime.
var credential = new DefaultAzureCredential();
var client = new SecretClient(new Uri("https://<your-key-vault-name>.vault.azure.net/"), credential);
KeyVaultSecret secret = await client.GetSecretAsync("MySecret");
Console.WriteLine(secret.Value);
```

- Verify Incoming Requests: To verify the authenticity of incoming requests to your bot, you can use the managed identity to authenticate the requests. This involves checking the token provided in the Authorization header of the incoming requests.

Here's an example of the POST request format with the managed identity:
```http
POST /your-endpoint
Authorization: Bearer eyJhbGciOiJIUzI1Ni...
Content-Type: application/json

{ "message": "Hello, world!" }
```
In this setup, the Authorization header contains the JWT token that your bot service will validate. More info here.
-
navba-MSFT 27,065 Reputation points • Microsoft Employee
2024-12-19T03:22:10.51+00:00 @Shivaansh Mital A quick follow-up to check if you had a chance to look at my provided suggestion. Awaiting your reply.
-
Shivaansh Mital 0 Reputation points
2024-12-20T00:36:11.99+00:00 I had a look at the suggestion however I have a concern related to deploying on App Service, the point of the main query was that I don't wish to deploy my bot on Azure due to certain constraints hence this solution does not seem relevant. Correct me if I have misunderstood anything anywhere.
-
navba-MSFT 27,065 Reputation points • Microsoft Employee
2024-12-20T07:09:38.5266667+00:00 @Shivaansh Mital Thanks for clarifying. Since you don't want to deploy your bot on Azure due to certain constraints, you can still achieve secure authentication by using Azure Active Directory (AAD) and OAuth 2.0 without hosting your bot on Azure, if that is feasible for you.
Here's an alternative approach:
- Register an Application in Azure Active Directory (AAD):
  - Register an application in AAD to act as the identity provider. This application will handle the OAuth 2.0 flow.
- Configure OAuth 2.0 Authentication:
  - Set up OAuth 2.0 authentication in your bot. This involves configuring your bot to use the AAD application for authentication. You can find detailed steps on how to do this in the [Azure Bot Service documentation](https://zcusa.951200.xyz/en-us/azure/bot-service/bot-builder-authentication?view=azure-bot-service-4.0).
- Verify Incoming Requests:
  - When your bot receives a request, it will include a bearer token in the `Authorization` header. You can validate this token against your AAD application to ensure the request's authenticity.

Here's an example of the POST request format with the bearer token:
```http
POST https://your-endpoint
Authorization: Bearer eyJhbGciOiJIUzI1Ni...
Content-Type: application/json

{ "type": "message", "from": { "id": "user-id", "name": "user-name" }, "text": "Hello, bot!" }
```

Using this approach you can authenticate your bot's requests without needing to host the bot on Azure. Hope this helps.
-
Shivaansh Mital 0 Reputation points
2024-12-20T07:37:52.83+00:00 Just to confirm this bearer token is the OAuth access token, whose validity can be authenticated at Identity-Aware Proxy?
-
navba-MSFT 27,065 Reputation points • Microsoft Employee
2024-12-20T07:46:54.93+00:00 @Shivaansh Mital Yes that's correct. The bearer token in the Authorization header is indeed the OAuth access token. You can authenticate its validity using Identity-Aware Proxy (IAP).
To verify the token, you can include it in the Authorization: Bearer header when making requests to your IAP-secured resource. IAP will validate the token to ensure it is legitimate and has not expired.
```http
POST https://your-endpoint
Authorization: Bearer eyJhbGciOiJIUzI1Ni...
Content-Type: application/json

{ "type": "message", "from": { "id": "user-id", "name": "user-name" }, "text": "Hello, bot!" }
```
This way, you can securely authenticate requests to your bot without needing to host it on Azure. Hope this answers.
-
navba-MSFT 27,065 Reputation points • Microsoft Employee
2024-12-23T03:44:36.6433333+00:00 @Shivaansh Mital Just following up to check if my suggestion helped. Awaiting your reply.
-
Shivaansh Mital 0 Reputation points
2024-12-23T05:20:53.92+00:00 I want to confirm once following the above mentioned procedure, authentication using the procedure mentioned in the documentation will no longer work, right? Since now the token is being fetched?
-
navba-MSFT 27,065 Reputation points • Microsoft Employee
2024-12-23T06:13:33.5733333+00:00 @Shivaansh Mital Yes, you are correct. Once you implement the OAuth 2.0 authentication procedure and start using OAuth access tokens, the previous method of authentication described in the documentation you referenced will no longer be applicable.
The traditional method involves using the App ID and password to authenticate requests between your bot and the Bot Connector service. However, with OAuth 2.0, your bot will use access tokens to authenticate requests. This means that the Bot Connector service will expect an OAuth token in the Authorization header of your requests, and your bot will need to handle token acquisition and validation.
OAuth 2.0 Method
- Authentication: OAuth access token.
- Request Format:
```http
POST https://your-endpoint
Authorization: Bearer <OAuth access token>
Content-Type: application/json
```
By switching to OAuth 2.0, you enhance the security of your bot by leveraging token-based authentication, which is more secure and flexible. More info here.
-
Shivaansh Mital 0 Reputation points
2024-12-24T04:03:43.1166667+00:00 When you say start using OAuth token, all that would need to be done from my end would involve registering the OAuth client, then whenever a message would need to be relayed, the request issued would use the OAuth token, kindly correct me if I am wrong?
-
navba-MSFT 27,065 Reputation points • Microsoft Employee
2024-12-26T04:10:11.0333333+00:00 @Shivaansh Mital Yes, that's correct. Here's a concise breakdown of the steps you need to follow:
- Register the OAuth Client:
  - Register an application in Azure Active Directory (AAD) to act as the OAuth client. This will handle the OAuth 2.0 flow and provide you with the necessary client ID and client secret.
- Obtain the OAuth Token:
  - When your bot needs to send a message, it will first obtain an OAuth access token from AAD. This involves making a request to the AAD token endpoint using the client ID and client secret.
- Include the OAuth Token in Requests:
  - Use the obtained OAuth access token in the `Authorization` header of your HTTP requests to the endpoint. This token will be validated by Identity-Aware Proxy (IAP) to ensure the request is authenticated.

Example Workflow:
- Register OAuth Client:
  - Register your application in AAD and configure it to use OAuth 2.0.
- Obtain Token:
  - Make a request to the AAD token endpoint to get the access token:
```http
POST https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded

client_id=YOUR_CLIENT_ID
&client_secret=YOUR_CLIENT_SECRET
&grant_type=client_credentials
&scope=https://graph.microsoft.com/.default
```
- Send Authenticated Request:
  - Include the access token in the `Authorization` header when sending a message:
```http
POST https://your-endpoint
Authorization: Bearer eyJhbGciOiJIUzI1Ni...
Content-Type: application/json

{ "type": "message", "from": { "id": "user-id", "name": "user-name" }, "text": "Hello, bot!" }
```
By following these steps, you ensure that your bot's requests are securely authenticated using OAuth tokens.