Botframework-webchat: Sample: Chat bot single sign-on

Created on 9 Jan 2019  ·  13 Comments  ·  Source: microsoft/BotFramework-WebChat

I have a bot running on a hosting page where users are logged in using SSO.
I want to authenticate the user in the bot automatically when the bot starts, and I do not want to use an OAuthCard to do it. I just want to automatically authenticate the user without prompting him for anything, just using SSO.

I found an article that refers to three ways to authenticate a user in the bot:

  • Sharing the client's user token directly with the bot via ChannelData
  • Using an OAuthCard to drive a sign-in experience to any OAuth provider
  • A third option, called Single Sign-On (SSO), that is in development.

And, according to the article, my situation is:

WebChat in an authenticated website where the user is already signed in and the website has a token to the same identity provider but to a different app that the bot needs -> in the future, this is single sign-on, but for now you'll need to use an OAuthCard.

Is there any update about this functionality? How can I authenticate the user into the bot without using an OAuthCard or a SigninCard?

Thanks in advance

P0 Sample front-burner

Most helpful comment

A sample showing how an enterprise/intranet scenario using WebChat can retrieve an AAD token from the browser session (already authenticated) and pass it through channelData will be key for our enterprise customers to get started. Unclear from the above if httpOnly will need to be enabled for this scenario, so it would be good to clarify - perhaps by having a section for Intranet/Enterprise scenarios?

All 13 comments

Hi @pedrosalider, do you mind sharing the article that refers to three ways to authenticate? :)

I have closed #1503 as a dupe of this issue. I know that @compulim kept it open because he wants to give you a detailed response, but we've been low on bandwidth and he hasn't been able to respond to your question yet.

@compulim assigning you as gentle reminder 👍

Hi @corinagum. You can find the article here. I'm sorry but I grabbed the text from stackoverflow and I forgot about the link.

+1 from @darrenj via email discussion

I spoke to another customer today who has a pressing need for this capability in their internal Bot; scenario information below. This is quite a common scenario and there have been people that have solved it externally to Microsoft, e.g. this article.

The scenario is:

  • An ASP.NET web-page on the company intranet which makes use of the WebChat control has AD Authentication enabled (normal ASP.NET auth configuration)
  • User is already authenticated on the network and the act of browsing to said intranet page authenticates the user to the ASP.NET App/page.
  • UserId is retrieved from the claim provided and set on the WebChat control
  • Token is passed to the Bot (event?)
  • User starts talking to the Bot and asks a question requiring access to a corporate service, Microsoft graph for example.
  • Bot uses the token passed to the Bot and does not prompt the user for authentication
  • Currently the Bot will prompt the user to authenticate even though they are already authenticated

We need two things (suggested order) - ideally both by the end of month but could work with just the recommended approach if needed.

  • [ ] Recommended approach
  • [ ] Sample

Thank you @darrenj. @compulim is going to provide a recommended approach soon and we will include a sample of such an approach at a later date.

Thanks!


Hi team, I too am facing the exact single sign-on requirements without having the OAuth card thrown... @compulim / @cwhitten any updates as per above?

@cwhitten, @Jeffders, @darrenj please chime-in if you have any comments.

Recommended approaches

Different server implementations may require different approaches. This section provides general guidance on how to achieve this. A security review is always recommended.

Auth token in cookie or local/session storage

These approaches do not require the use of bot user state. This is the preferred method because it decentralizes the authentication system, and it does not require additional cleanup.

Auth token accessible from JavaScript

Example: cookie without httponly flag, auth token saved in localStorage/sessionStorage.

  • Piggyback the auth token on every outgoing activity via channelData

    • Please refer to this sample on piggybacking custom data on every outgoing activity

  • The bot will use this token to access server resources
  • The bot should use this token in a one-off manner; it should not cache this token nor save it to user state

Auth token inaccessible from JavaScript

Example: cookie with httponly flag.

The web page operator could consider opening up the cookie's httponly flag. Please note that some implementations of auth tokens could potentially introduce security vulnerabilities. If this is the case, you should not use this approach.

Session ID or other form of server-based token

Example: session ID including jsessionid

Using a security evidence

Security evidence is an umbrella term describing a piece of serializable information that proves the owner of this information is a specific user. Security evidence does not change frequently and may not be passed to the user. Both auth tokens and session IDs are types of security evidence.

  • When a Direct Line token is generated, associate a Direct Line user ID with it

    • This token generation code should live inside your web or API server

    • Thus, it should already have access to security evidence

  • After the token is generated, store the security evidence on your bot user state, and associate it with the Direct Line user ID

When your bot receives an activity from the user, your bot will be able to access the security evidence through user state (which is based on the Direct Line user ID).

After the user signs out, make sure the security evidence is removed from user state to prevent use without permission.


In my experience, Intranet/enterprise means a custom scenario and not necessarily AAD. Please correct me if I am wrong.

We can setup a section specifically for AAD.

AAD is a safe assumption given our customers.

Is there a good guide/sample around SSO? I see that Darren is onto something :) There is another customer asking something similar

Following this issue because this is a very common scenario for enterprise customers and I have this need for multiple clients.
