Skip to content

Norm authentication rework #103

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
NormSohl merged 59 commits into from
Mar 2, 2018
Merged

Norm authentication rework #103

Changes from 1 commit
Commits
Show all changes
59 commits
Select commit Hold shift + click to select a range
59e5a6b
Added structure for new authentication content
Jan 9, 2018
73aac25
Added content to top level
Jan 9, 2018
9dea71f
added structure and content
Jan 9, 2018
3497087
Rough draft of tab authentication topic with new screenshots
Jan 10, 2018
d5e4248
Fixed format issue
Jan 10, 2018
3bc9d69
Formatting test
Jan 10, 2018
188cca4
Formatting
Jan 10, 2018
908b4a2
Added content for SSO
Jan 10, 2018
1cc9843
Structural edits
Jan 10, 2018
240a3f3
list test
Jan 11, 2018
2b56efb
test
Jan 11, 2018
928e901
test
Jan 11, 2018
617ad74
test
Jan 11, 2018
041607d
Test
Jan 11, 2018
32f5c36
test
Jan 11, 2018
5a6de6e
test
Jan 11, 2018
4c290fe
test
Jan 11, 2018
40ac059
test
Jan 11, 2018
ca0fe28
indent code
Jan 11, 2018
1e618af
test
Jan 11, 2018
28eb1c8
tst
Jan 11, 2018
5b921d1
test
Jan 11, 2018
0f2c947
Updated bot auth
Jan 11, 2018
9623d18
Added new samples for bot auth
Jan 12, 2018
8bf8bdf
Corrected code for auth
Jan 12, 2018
c562311
Expanded code for bot auth
Jan 12, 2018
eef6b1b
Minor edits
Jan 12, 2018
bded07d
Merge branch 'master' of https://github.com/MicrosoftDocs/msteams-doc…
Jan 16, 2018
1f23824
Removed work in progress
Jan 16, 2018
75834cb
More term changes and rewrite
Jan 17, 2018
e91fb11
More review comments
Jan 17, 2018
ad95f64
Merge branch 'master' into Norm-Authentication_rework
Jan 23, 2018
efb2376
Review comments
Jan 23, 2018
50b0c6c
TOC
Feb 21, 2018
698714f
Added support for other providers
Feb 21, 2018
49b2551
Removed app registration
Feb 23, 2018
e10f7aa
minor edits
Feb 23, 2018
7bf9d3a
Pre publication changes
Feb 26, 2018
cd9af69
Extensive edits, added links, native image
billbliss Feb 27, 2018
a4dbd56
Added missing space
billbliss Feb 27, 2018
7653164
Made title match metadata
billbliss Feb 27, 2018
7c1fa30
Misc changes (#97)
billbliss Feb 27, 2018
6b74cb4
Merge branch 'master' into Norm-Authentication_rework
Feb 27, 2018
89eac85
Updated flow diagram
Feb 27, 2018
5eed7b4
toc changes
Feb 27, 2018
7a1ea5d
fixed link
Feb 27, 2018
31e6cfe
Extensive edits (#99)
billbliss Feb 28, 2018
3058401
Restructured auth topics
Feb 28, 2018
7230f63
added links to auth provider
Feb 28, 2018
9e5bb9e
TOC
Feb 28, 2018
19ed1e6
Changes from readthrough
Feb 28, 2018
c4bbb9a
edits
Feb 28, 2018
948edf4
edits
Feb 28, 2018
3a831c3
edits
Feb 28, 2018
5daae4a
formatting
Feb 28, 2018
3c25982
edits
Feb 28, 2018
7d4cc6b
standardize
Mar 1, 2018
794f09e
Billbl auth final edits (#102)
billbliss Mar 2, 2018
3f58823
Merge branch 'master' into Norm-Authentication_rework
Mar 2, 2018
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
Extensive edits, added links, native image
  • Loading branch information
@billbliss
billbliss authored Feb 27, 2018
commit cd9af69a6c1fa63db3f38013920dee5082e89c62
28 changes: 14 additions & 14 deletions msteams-platform/concepts/authentication/auth-flow.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,47 +1,47 @@
---
title: Authentication flow
title: Authentication flow for bots
description: Describes authentication flow in bots
keywords: teams authentication flow bots
ms.date: 02/22/2018
ms.date: 02/26/2018
---
# Microsoft teams authentication flow in bots
# Microsoft Teams authentication flow in bots

OAuth is an open standard for authentication used by AAD and many other service providers. Understanding OAuth is a prerequisite for working with authentication in Teams. Authentication flow in bots differs slightly from authentication flow in tabs.
OAuth 2.0 is an open standard for authentication and authorization used by AAD and many other identity providers. A basic understanding of OAuth 2.0 is a prerequisite for working with authentication in Teams; [here's a good overview](https://aaronparecki.com/oauth-2-simplified/) that's easier to follow than the [formal specification](https://oauth.net/2/). Authentication flow for tabs and bots are a little different because tabs are very similar to websites so they can use OAuth 2.0 directly, and bots are not and must do a few things differently, but the core concepts are identical.

See the github repo [Microsoft Teams Authentication Sample](https://github.com/OfficeDev/microsoft-teams-sample-auth-node)
for an example that demonstrates authentication flow for tabs and bots using node.
See the GitHub repo [Microsoft Teams Authentication Sample](https://github.com/OfficeDev/microsoft-teams-sample-auth-node)
for an example that demonstrates authentication flow for tabs and bots using Node using the [OAuth 2.0 authorization code grant type](https://oauth.net/2/grant-types/authorization-code/).

![Bot authentication sequence diagram](https://aosolis.github.io/bot-auth/bot_auth_sequence.png)
![Bot authentication sequence diagram](~/assets/images/authentication/bot_auth_sequence_diagram.png)

1. The user sends a message to the bot.
2. The bot determines if the user needs to sign in.
* In this example, the bot stores the access token in its user data store. It asks the user to log in if it doesn't have a validated token for the selected identity provider. ([View code](https://github.com/OfficeDev/microsoft-teams-sample-auth-node/blob/469952a26d618dbf884a3be53c7d921cc580b1e2/src/utils/AuthenticationUtils.ts#L58-L76))
3. The bot constructs the URL to the start page of the authentication flow, and sends a card to the user with a `signin` action. ([View code](https://github.com/OfficeDev/microsoft-teams-sample-auth-node/blob/469952a26d618dbf884a3be53c7d921cc580b1e2/src/dialogs/BaseIdentityDialog.ts#L160-L190))
* Like other application auth flows in Teams, the start page must be on a domain that's in your `validDomains` list, and on the same domain as the post-login redirect page.
* **IMPORTANT**: If you are using OAuth, remember that the `state` parameter in the authentication request must contain a unique session token to prevent request forgery attacks. The example uses a randomly-generated GUID.
* **IMPORTANT**: The OAuth 2.0 authorization code grant flow calls for a `state` parameter in the authentication request which contains a unique session token to prevent a [cross-site request forgery attack](https://en.wikipedia.org/wiki/Cross-site_request_forgery). The example uses a randomly-generated GUID.
4. When the user clicks on the `signin` button, Teams opens a popup window and navigates it to the start page.
5. The start page redirects the user to the identity provider's `authorize` endpoint. ([View code](https://github.com/OfficeDev/microsoft-teams-sample-auth-node/blob/469952a26d618dbf884a3be53c7d921cc580b1e2/public/html/auth-start.html#L51-L56))
6. On the provider's site, the user signs in and grants access to the bot.
7. The provider takes the user to the bot's OAuth redirect page, with an authorization code.
8. The bot redeems the authorization code for an access token, and **provisionally** associates the token with the user that initiated the signin flow.
* In the example, the bot uses information in the OAuth `state` parameter to determine the id of the user that started the signin process. Before proceeding, it checks `state` against the expected value, to detect forged requests. ([View code](https://github.com/OfficeDev/microsoft-teams-sample-auth-node/blob/469952a26d618dbf884a3be53c7d921cc580b1e2/src/AuthBot.ts#L70-L99))
* **IMPORTANT**: The bot puts the token in user's data store, but it is marked as "pending validation". The token is not used while in this state. The user has to "complete the loop" first by sending a verification code in Teams. This is to ensure that the user who authorized the bot with the identity provider is the same user who is chatting in Teams. This guards against "man-in-the-middle" attacks. ([View code](https://github.com/OfficeDev/microsoft-teams-sample-auth-node/blob/469952a26d618dbf884a3be53c7d921cc580b1e2/src/AuthBot.ts#L100-L113))
* In the example, the bot associates the value of the `state` parameter with the id of the user that *initiated* the signin process so it can later match it with the `state` value returned by the identity provider. ([View code](https://github.com/OfficeDev/microsoft-teams-sample-auth-node/blob/469952a26d618dbf884a3be53c7d921cc580b1e2/src/AuthBot.ts#L70-L99))
* **IMPORTANT**: The bot stores the token it receives from the identity provider and associates it with a specific user, but it is marked as "pending validation". The token is not used while in this state. If the `state` pamrameter is valid, Teams then uses a [two-step authentication](https://en.wikipedia.org/wiki/Man-in-the-middle_attack) process to ensure that the user who authorized the bot with the identity provider is the same user who is chatting with the bot. This guards against [man-in-the-middle](https://en.wikipedia.org/wiki/Man-in-the-middle_attack) and [phishing](https://en.wikipedia.org/wiki/Phishing) attacks. On the desktop and web versions of Teams, the verification code is generated and verified automatically; on mobile devices the user may have to enter it manually[as described below](#Mobile-clients). ([View code](https://github.com/OfficeDev/microsoft-teams-sample-auth-node/blob/469952a26d618dbf884a3be53c7d921cc580b1e2/src/AuthBot.ts#L100-L113))
9. The OAuth callback renders a page that calls `notifySuccess("<verification code>")`. ([View code](https://github.com/OfficeDev/microsoft-teams-sample-auth-node/blob/master/src/views/oauth-callback-success.hbs))
10. Teams closes the popup and sends the string given to `notifySuccess()` back to the bot. The bot receives an invoke message with `name` = `signin/verifyState`.
11. The bot checks the incoming verification code against the code stored in the user's provisional token. ([View code](https://github.com/OfficeDev/microsoft-teams-sample-auth-node/blob/469952a26d618dbf884a3be53c7d921cc580b1e2/src/dialogs/BaseIdentityDialog.ts#L127-L140))
12. If they match, the bot marks the token as validated and ready for use. Otherwise, the auth flow fails, and the bot deletes the provisional token.

## Mobile clients

As of February 2018, the Microsoft Teams mobile clients do not fully support the `signin` action protocol:
As of March 2018, the Microsoft Teams mobile clients do not fully support the `signin` action protocol:

* If the URL provided to the `signin` action has a `fallbackUrl` query string parameter, Teams will launch that URL in the browser.
* If the URL provided to the `signin` button action has a `fallbackUrl` query string parameter, Teams will launch that URL in the browser.
* Otherwise, Teams will show an error saying that the action is not yet supported on mobile.

In the example, the mobile signin flow works the same way as on the desktop, until the point where the OAuth callback page tries to send the verification code back to the bot. The bot sets the `fallbackUrl` query string parameter to be the same as the original url to the auth start page, so that the user goes to the same page on all platforms. ([View code](https://github.com/OfficeDev/microsoft-teams-sample-auth-node/blob/469952a26d618dbf884a3be53c7d921cc580b1e2/src/dialogs/BaseIdentityDialog.ts#L173-L178))

When the OAuth callback runs in a mobile browser, the call to `notifySuccess()` will fail silently because it's not running inside the Teams client. The window will not close and the bot won't get the verification code. To handle this case, the page has a timer that checks if it's still open after 5 seconds. If so, it asks the user to manually send the verification code via chat. The bot code is able to receive the verification code from either the `signin/verifyState` callback or a chat message. ([View code](https://github.com/OfficeDev/microsoft-teams-sample-auth-node/blob/469952a26d618dbf884a3be53c7d921cc580b1e2/src/dialogs/BaseIdentityDialog.ts#L106-L117))
When the OAuth callback runs in a mobile browser, the call to `notifySuccess()` will fail silently because it's not running inside a Teams client. The window will not close and the bot won't get the verification code. To handle this case, the page has a timer that checks if it's still open after 5 seconds. If so, it asks the user to manually send the verification code via chat. The bot code is able to receive the verification code from either the `signin/verifyState` callback or from a chat message. ([View code](https://github.com/OfficeDev/microsoft-teams-sample-auth-node/blob/469952a26d618dbf884a3be53c7d921cc580b1e2/src/dialogs/BaseIdentityDialog.ts#L106-L117))

If you want to limit signing in to web and desktop only, you can choose to omit the `fallbackUrl` parameter, or point it to your own error page that asks the user to sign in on web or desktop.

Once the Microsoft Teams mobile clients support the complete signin protocol, including passing the verification code via `notifySuccess()`, they will launch the auth start page in a popup window and ignore `fallbackUrl`.
Once the Microsoft Teams mobile clients support the complete `signin` action protocol, including passing the verification code via `notifySuccess()`, they will launch the auth start page in a popup window and ignore `fallbackUrl`.