Why does authentication not go through in MS Teams Bot app? - azure-active-directory

Cannot authenticate user in MS Teams Bot.
Same works in "Test in webchat" properly:
Domain added to Teams manifest properly:
{
"$schema": "https://developer.microsoft.com/en-us/json-schemas/teams/v1.15/MicrosoftTeams.schema.json",
"version": "1.0.0",
"manifestVersion": "1.15",
"id": "a0d93a07-2f63-4569-a651-cf3761859b28",
"packageName": "com.package.name",
"name": {
"short": "NewTest",
"full": ""
},
"developer": {
"name": "KUKA",
"mpnId": "",
"websiteUrl": "https://supportbotkuka.z6.web.core.windows.net/teams_ITSupport_about.html",
"privacyUrl": "https://supportbotkuka.z6.web.core.windows.net/teams_ITSupport_priv.html",
"termsOfUseUrl": "https://supportbotkuka.z6.web.core.windows.net/teams_ITSupport_terms.html"
},
"description": {
"short": "CS Logistics TEST app",
"full": "test app for CS Logistics"
},
"icons": {
"outline": "outline.png",
"color": "color.png"
},
"accentColor": "#FFFFFF",
"staticTabs": [
{
"entityId": "conversations",
"scopes": [
"personal"
]
},
{
"entityId": "about",
"scopes": [
"personal"
]
}
],
"bots": [
{
"botId": "99e82921-96c9-4ec1-83ab-bd05382abc96",
"scopes": [
"personal"
],
"isNotificationOnly": false,
"supportsCalling": false,
"supportsVideo": false,
"supportsFiles": true
}
],
"validDomains": [
"token.botframework.com"
],
"webApplicationInfo": {
"id": "1e04e5cd-88e1-4522-984d-2bba5e2d37eb",
"resource": "https://graph.microsoft.com/"
}
}
Also recreated AppService, AzureBot in Azure, and setup new Teams app with new manifest version via Developer Portal.
Installed the Teams app directly just form myself, as a personal app.
App registration redirect URIs:
Also the app registration works fine for other chatbots in our domain. Why not for this one?

Actually the only thing that needed to be changed was to add this line of code to the error handler adapter to the bot code: base.Use(new TeamsSSOTokenExchangeMiddleware(storage, configuration["ConnectionName"]));Add code to handle an access token.
And also to add method OnTeamsSigninVerifyStateAsync to Bot like in sso-quickstart sample.

Related

Cannot read property 'tenant_id' of undefined using Auth0

I've been setting up Single Sign On with Active Directory for our application according to this instruction:
https://auth0.com/docs/authenticate/identity-providers/enterprise-identity-providers/azure-active-directory/v2#register-your-app-with-azure-ad
However, after redirect to the Microsoft page i get this error:
Cannot read property 'tenant_id' of undefined
In my Auth0 Dashboard under
Monitoring > Logs
i found this error log:
{
"date": "2022-02-28T09:05:51.484Z",
"type": "f",
"description": "Cannot read property 'tenant_id' of undefined",
"connection_id": "",
"client_id": "XXXXXXX",
"client_name": "XXXXXXX (DEV)",
"ip": "195.192.198.XXX",
"user_agent": "Chrome 98.0.4758 / Mac OS X 10.15.7",
"details": {
"body": {},
"qs": {
"client_id": "XXXXXXXX",
"redirect_uri": "http://localhost:3000",
"scope": "openid profile email",
"response_type": "code",
"response_mode": "query",
"state": "WmdOOEpBTUlKTG5mQks1LjJLY3JabEwyUVBJTDZNeTdVZE1TZjNGVDhFUw==",
"nonce": "OG94dlNjbEFyUDJXcnNmeWNEamhSa1IxWHVSV08wcUxZS0tVQ3NwTjRjWA==",
"code_challenge": "8tWkNmx5qUlDVpIUCJy68B1lWwPa6qi1ZpMjq-4WZAc",
"code_challenge_method": "S256",
"auth0Client": "XXXXXXXXXX"
},
"error": {
"message": "Cannot read property 'tenant_id' of undefined",
"oauthError": "access_denied",
"type": "oauth-authorization"
},
"session_id": "7aXIltPAKa0e0vQhqyyAblzIWjmvbiy",
"riskAssessment": {
"confidence": "high",
"version": "1",
"assessments": {
"UntrustedIP": {
"confidence": "high",
"code": "not_found_on_deny_list"
},
"NewDevice": {
"confidence": "high",
"code": "initial_login"
},
"ImpossibleTravel": {
"confidence": "high",
"code": "initial_login"
}
}
}
},
"hostname": "XXXXXXX.eu.auth0.com",
"user_id": "XXXXXXXX",
"user_name": "XXXX#XXXX.com",
"audience": "https://XXXXXXX.eu.auth0.com/userinfo",
"scope": [
"openid",
"profile",
"email"
],
"auth0_client": {
"name": "auth0-react",
"version": "1.9.0"
},
"log_id": "900202202280905566349491050266127672706556666XXXXXXX",
"_id": "900202202280905566349491050266127672706556666XXXXXXX",
"isMobile": false
}
What i've been trying so far:
Created a new Auth0 account and connect the sample React Login application (https://github.com/auth0-samples/auth0-react-samples/tree/master/Sample-01) provided by Auth0 to the same Active Directory endpoint (works)
Connect our Development Auth0 account to Active Directory using the Auth0 React sample app (doesn't work)
Connect our React development application to the Active Directory Endpoint (throws error as shown above)
Playing around with different Callback URLs. Added some URLs and Routes to the existing http://localhost:3000 (doesn't work)
I think this error was caused by wrong settings in our Auth0 account since creating a new account doesn't show any problems. I also don't see any issues caused by setting up the Active Directory application.

ARM Template Web App Authentication Settings not working

I am working on setting up my site authentication settings to use the AAD provider. Most of the template is respected. However, the unauthenticatedClientAction and allowedAudiences is not being properly assigned. I observe 'allow anonymous' and no 'allowed audiences' being assigned.
Please note that I was working with the ARM Template API 2018-02-01. This problem may still exist due to the documentation, if you provide an answer, please note the ARM Template version it addresses.
Additionally, create an issue for the ARM documentation team to correct any issues.
Here is my template segment for these settings. It is nested under resources in my website template.
root > Microsoft.Web/Site > Resources
{
"type": "config",
"name": "web",
"apiVersion": "2016-08-01",
"location": "[parameters('app-location')]",
"dependsOn": [
"[resourceId('Microsoft.Web/sites', variables('web-site-name'))]"
],
"properties": {
"siteAuthEnabled": true,
"siteAuthSettings": {
"enabled": true,
"unauthenticatedClientAction": "RedirectToLoginPage",
"tokenStoreEnabled": true,
"defaultProvider": "AzureActiveDirectory",
"clientId": "[parameters('web-aad-client-id')]",
"issuer": "[concat('https://sts.windows.net/', parameters('web-aad-tenant'))]",
"allowedAudiences": [
"[concat('https://', variables('web-site-name'), '.azurewebsites.net')]"
]
}
}
}
Template Validates
Deployment does not output any errors
Issues:
unauthenticatedClientAction is assigned allow anonymous not RedirectToLoginPage
allowedAudiences is not assigned any sites
What could be causing these issues? What could I have missed?
I got my answer after working with the fine people at Azure Support.
Please note that this solution targets API 2018-02-01 which was the current version at the time of this post.
This sub-resource is no longer a valid solution, while the endpoint may still recognize some of its fields, this is deprecated.
The new solution is to add the siteAuthSettings object to the main 'Microsoft.Web/site' properties and the siteAuthEnabled is no longer needed as siteAuthSettings.enable duplicates this functionality.
Updated ARM Template (removed other settings for brevity)
{
"name": "[variables('app-service-name')]",
"type": "Microsoft.Web/sites",
"location": "[parameters('app-location')]",
"apiVersion": "2016-08-01",
"dependsOn": [
"[variables('app-plan-name')]"
],
"properties": {
//... other app service settings
"siteAuthSettings": {
"enabled": true,
"unauthenticatedClientAction": "RedirectToLoginPage",
"tokenStoreEnabled": true,
"defaultProvider": "AzureActiveDirectory",
"clientId": "[parameters('web-aad-client-id')]",
"issuer": "[concat('https://sts.windows.net/', parameters('web-aad-tenant'))]",
"allowedAudiences": [
"[concat('https://', variables('web-site-name'), '.azurewebsites.net')]"
]
}
}
}
As suggested by #Michael, the siteAuthSettings object must be added to the siteConfig object, not just under the root properties object.
{
"apiVersion": "2019-08-01",
"name": "[variables('webAppName')]",
"type": "Microsoft.Web/sites",
"kind": "app",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.Web/serverfarms', variables('appServiceName'))]"
],
"properties": {
...
"siteConfig": {
"siteAuthSettings": {
"enabled": true,
"unauthenticatedClientAction": "RedirectToLoginPage",
"tokenStoreEnabled": true,
"defaultProvider": "AzureActiveDirectory",
"clientId": "[parameters('clientId')]",
"issuer": "[concat('https://sts.windows.net/', parameters('tenantId'), '/')]"
}
}
}
}
The other solutions given only apply when using the classic authentication experience (Authentication (Classic)). If you would like to use the new authentication experience, use below configuration:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"apiVersion": "2019-08-01",
"name": "[variables('webAppName')]",
"type": "Microsoft.Web/sites",
"kind": "app",
"location": "[resourceGroup().location]",
"resources": [
{
"type": "config",
"apiVersion": "2020-12-01",
"name": "authsettingsV2",
"location": "[resourceGroup().location]",
"dependsOn": [
"[concat('Microsoft.Web/sites/', variables('webAppName'))]"
],
"properties": {
"platform": {
"enabled": true,
"runtimeVersion": "~1"
},
"identityProviders": {
"azureActiveDirectory": {
"isAutoProvisioned": false,
"registration": {
"clientId": "[parameters('clientId')]",
"clientSecret": "[variables('clientSecret')]",
"openIdIssuer": "[concat('https://sts.windows.net/', parameters('tenantId'), '/v2.0')]"
},
"validation": {
"allowedAudiences": [
"https://management.core.windows.net/"
]
}
}
},
"login": {
"routes": {},
"tokenStore": {
"enabled": true,
"tokenRefreshExtensionHours": 72,
"fileSystem": {},
"azureBlobStorage": {}
},
"preserveUrlFragmentsForLogins": false,
"allowedExternalRedirectUrls": [],
"cookieExpiration": {
"convention": "FixedTime",
"timeToExpiration": "08:00:00"
},
"nonce": {
"validateNonce": true,
"nonceExpirationInterval": "00:05:00"
}
},
"globalValidation": {
"redirectToProvider": "azureactivedirectory",
"unauthenticatedClientAction": "RedirectToLoginPage"
},
"httpSettings": {
"requireHttps": true,
"routes": {
"apiPrefix": "/.auth"
},
"forwardProxy": {
"convention": "NoProxy"
}
}
}
}
]
}
]
}

Detecting when user unlinks alexa skill

I'm implementing an Alexa Smart Home skill and I want to know if a user is still using the app after a while.
Google Home, for example, sends a request when I unlink my app from the Google Smarthome app. I need to know it to disable sending updates to Amazon Alexa gateway if a user isn't using the skill anymore.
What the best way of doing it? Alexa documentation doesn't talk about it.
Can I rely on just checking if the user has a expired OAuth tokens? E.g. if expired for more than a day, mark user as inactive.
Another thing I'm going to test out tomorrow is just see the gateway response after having unlinked the skill. But for my case it wouldn't be good option anyway, as I will only know the user state after a physical change and trying to submit it and have it possibly fail. Which can happen after days or weeks, so it isn't that reliable.
You can integrate with Alexa Skill Events and get notification when user disables the Skill.
https://developer.amazon.com/docs/smapi/skill-events-in-alexa-skills.html#skill-disabled-event.
The SkillDisabled event only contains user_id (i.e. no access token). So you would also need to listen for the SkillAccountLinked event so you can link that user_id with your own user identifier.
Your Smart Home Skill manifest should look like this:
{
"manifest": {
"publishingInformation": {
"locales": {
"en-US": {
"summary": "...",
"examplePhrases": [
"Alexa, ...",
"Alexa, ...",
"Alexa, ..."
],
"keywords": [],
"name": "...",
"smallIconUri": "...",
"description": "...",
"largeIconUri": "..."
}
},
"isAvailableWorldwide": false,
"testingInstructions": "...",
"category": "SMART_HOME",
"distributionCountries": [
"US"
]
},
"apis": {
"smartHome": {
"endpoint": {
"uri": "arn:aws:lambda:..."
},
"protocolVersion": "3"
}
},
"manifestVersion": "1.0",
"permissions": [
{
"name": "alexa::async_event:write"
}
],
"privacyAndCompliance": {
"allowsPurchases": false,
"locales": {
"en-US": {
"termsOfUseUrl": "...",
"privacyPolicyUrl": "..."
}
},
"isExportCompliant": true,
"containsAds": false,
"isChildDirected": false,
"usesPersonalInfo": false
},
"events": {
"endpoint": {
"uri": "arn:aws:lambda:..."
},
"subscriptions": [
{
"eventName": "SKILL_ENABLED"
},
{
"eventName": "SKILL_DISABLED"
},
{
"eventName": "SKILL_PERMISSION_ACCEPTED"
},
{
"eventName": "SKILL_PERMISSION_CHANGED"
},
{
"eventName": "SKILL_ACCOUNT_LINKED"
}
],
"regions": {
"NA": {
"endpoint": {
"uri": "arn:aws:lambda:..."
}
}
}
}
}
}

Where can I provide filter for Azure Service Bus Topic Subscription from my logic app

I've created a service bus, topic, and subscription to that topic in Azure. I have a logic app that is triggered when a message arrives but I need to apply a filter (or rule?) to that subscription where it looks for a particular value in the message header before the logic app processes the message. I don't see anywhere in the logic app or in the Azure portal to create filters for the subscriptions. What mechanism exists to create a filter for a subscription?
How did you create your topic subscription? did you use ARM Templates?
When you are creating the Subscription, you can add a SqlFilter to the rule applied in the topic subscription.
The ARM Template below (taken from here) shows you how to add a SqlFilter to the Rule in a Topic Subsctiption
"resources": [{
"apiVersion": "[variables('sbVersion')]",
"name": "[parameters('serviceBusNamespaceName')]",
"type": "Microsoft.ServiceBus/Namespaces",
"location": "[variables('location')]",
"sku": {
"name": "Standard",
},
"resources": [{
"apiVersion": "[variables('sbVersion')]",
"name": "[parameters('serviceBusTopicName')]",
"type": "Topics",
"dependsOn": [
"[concat('Microsoft.ServiceBus/namespaces/', parameters('serviceBusNamespaceName'))]"
],
"properties": {
"path": "[parameters('serviceBusTopicName')]"
},
"resources": [{
"apiVersion": "[variables('sbVersion')]",
"name": "[parameters('serviceBusSubscriptionName')]",
"type": "Subscriptions",
"dependsOn": [
"[parameters('serviceBusTopicName')]"
],
"properties": {},
"resources": [{
"apiVersion": "[variables('sbVersion')]",
"name": "[parameters('serviceBusRuleName')]",
"type": "Rules",
"dependsOn": [
"[parameters('serviceBusSubscriptionName')]"
],
"properties": {
"filterType": "SqlFilter",
"sqlFilter": {
"sqlExpression": "StoreName = 'Store1'",
"requiresPreprocessing": "false"
},
"action": {
"sqlExpression": "set FilterTag = 'true'"
}
}
}]
}]
}]
}]
You need to add your filter using Sql like expressions in the properties member of the rules sub-resource
e.g.
"sqlExpression": "YourMessageProperty='YourExpectedValue'",
If you are not using ARM Templates, the Service Bus Explorer allows you to remove the default subscription rule and create a new one with your own SqlFilter.
HTH

WebExtensions: browser.webRequest.onCompleted never fires

I'm using the Firefox WebExtensions API with the following background script
var log = console.log.bind(console)
log('hello world from browser extension')
// https://developer.mozilla.org/en-US/Add-ons/WebExtensions/API/webRequest/onCompleted
var filter = { urls: '<all_urls>' }
var extraInfoSpec = ['tlsInfo', 'responseHeaders']
browser.webRequest.onCompleted.addListener(function(details){
log(`Woo got a request, here's the details!`, details)
}, filter, extraInfoSpec)
log('Added listener')
After loading the script from about:debugging, I see the following output in DevTools:
hello world from browser extension
I do not see any output- there is no data from browser.webRequest.onCompleted.addListener and there is no 'Added listener' message.
How do I make browser.webRequest.onCompleted work?
For completeness, my manifest.json is below:
{
"manifest_version": 2,
"name": "Test extension",
"version": "1.0",
"description": "Test extension.",
"icons": {
"48": "icons/border-48.png"
},
"content_scripts": [
{
"matches": ["<all_urls>"],
"js": ["content.js"]
}
],
"permissions": [
"webRequest",
"webRequestBlocking"
]
}
The webRequest API is only available to background scripts. You seem to using it inside a content script.
urls in var filter = { urls: '<all_urls>' } needs to be be an array ['<all_urls>'].
'tlsInfo' in extraInfoSpec doesn't exist, I don't know where it comes from.
You need to specify an additional <all_urls> permission in your manifest.
script.js
var filter = { urls: ['<all_urls>'] }
var extraInfoSpec = ['responseHeaders']
browser.webRequest.onCompleted.addListener(function(details){
console.log(`Woo got a request, here's the details!`, details)
}, filter, extraInfoSpec)
console.log('Added listener')
manifest.json
{
"manifest_version": 2,
"name": "Test extension",
"version": "1.0",
"description": "Test extension.",
"icons": {
"48": "icons/border-48.png"
},
"background": {
"scripts": ["script.js"]
},
"permissions": [
"webRequest",
"webRequestBlocking",
"<all_urls>"
]
}

Resources