Want to integrate Bot in MS Teams channel for auto replying messages/welcoming users/etc. For that created Bot in Azure and as part of the configuration it required messaging endpoint and it should be publicly accessible HTTPS. But due to security reason and limitations, unable to expose the server. Is there any other way we can achieve it without exposing the server to publicly?
To request an access token from the login service, issue the following request, replacing MICROSOFT-APP-ID, MICROSOFT-APP-PASSWORD and MICROSOFT-TENANT-ID with the bot's AppID, password and tenant Id that you obtained when you registered your bot with the Bot Service.
The Teams backend servers need to be able to communicate with your bot, via the Bot Framework Service infrastructure, so the bot definitely needs a live, public httpS address. However, there are options to "tunnel" that to an on premises environment, e.g. CloudFlare Tunnel and I think Azure has a service for this as well.
In addition, any message your bot receives from Teams will have a Tenant ID associated with it, so you can verify that the message is from Teams, that the TenantId exists and that it matches your tenant. Here's a sample to do this: https://github.com/OfficeDev/microsoft-teams-sample-complete-csharp/blob/master/template-bot-master-csharp/middleware/Middleware.cs
Finally, you can look to implement SSO in your bot to securely authenticate the user and get the tenant Id from there as well. See here: https://learn.microsoft.com/en-us/microsoftteams/platform/sbs-bots-with-sso
Related
I'm hosting a static page/site on GCP App Engine (written in standard js/html/css), on a company domain ;
I know in localhost testing I can't get the user info in any way (which is fine, I'll hardcode dummy data).
But after using gcloud app deploy and running it on the engine, is there a way to obtain user info somehow? Name, email etc. Ideally just through the app somehow - or even by calling a google cloud function or something.
Nb. I have activated IAP so when hosted, the user does go through google auth on this site (all domain users are allowed in).
If you have turned on IAP, then to get the information you want, you have to look at the headers
From Google Documentation
....IAP also passes the user's identity to your backend service in the following HTTP headers.
X-Goog-Authenticated-User-Email : The user's email address
X-Goog-Authenticated-User-Id : A persistent, unique identifier for the user
Tip: Do a dump of the headers in your code to see what else you might find useful.
I am making a google classroom discord bot and i needed to fill out an OAuth form. to do this it asked me what I was making so I put a web server. and then it asked me for a URI. does this mean I have to own my own website? or is a discord bot not a webserver.
thanks in advance!
Any OAuth2 Forms will require a redirectURI which they will append the confirmation code, or send it to. While a Discord Bot in itself is Not a Web Server, you can create one using your VPS's external IP (If you have one, but you generally get one per VM.) by following a guide to do so.
https://www.oauth.com/oauth2-servers/redirect-uris/
Redirect URLs are a critical part of the OAuth flow. After a user successfully authorizes an application, the authorization server will redirect the user back to the application with either an authorization code or access token in the URL. Because the redirect URL will contain sensitive information, it is critical that the service doesn’t redirect the user to arbitrary locations.
NOTE: I don't think that changing your option from Web Server to whatever will change a thing, if you want to use redirectURI, which is required for OAuth2, then make a Web Server and connect it to your Bot.
We plan to build a web client (Angular) for our project. Our Backend will be a lot of google cloud run services. How can we make sure that these services can only be called by this web application?
I understand that there are Service Account, which I can use to limit access to Cloud Run services, but how do I do that in a purely JavaScript application and without a logged in user. I just want to authenticate the application not the user.
Any advise or samples?
TL;DR: The application authentication and authorization level is managed by service account. But putting a service account key file in your Javascript app (and thus viewable by any user in their browser) is useless because your secret becomes public!
With Cloud Run, you have 2 mode: private and public
If public, no security, all the requests go to your Cloud Run service
If private, Google Front End check the identity of the requester and if they have the run.invoker permission. If so, the request pass through, else it's blocked.
For being authenticated, today, you need a service account. If you aren't on Google Cloud Platform (here in the browser of the users for example), you need a service account key file. But, if you put it in your website, it's not secure because anyone can take it and use it outside your website.
So, today, you can't do this: Either your Cloud Run is public, without any check, or private with authentication (and IAM authorization)
But, soon, at least in 2020 I hope, you should be able to put a load balancer in front of Cloud Run and to activate IAP on it. Thus, the users will be authenticated thanks to their Google account authentication cookie (SSO). However, in private mode in your browser, the user will be asked for being authenticated before going to the website. It's not authentication free, it's just authentication not manage by your own.
I know the issue of securing connexion between a JS app (let's say just 'app') and an OAuth2.0 server (let's say just 'server') is an age-old question.
However, I can not find a lot of information about the special case where the app and the server are coded by the same entity and stored at the same place (i.e. same domain, or at least, two subdomains of the same domain).
First of all, as far as the OAuth grant type is concerned, I think the right one is the Resource Owner Password Credentials Grant, since the server and the app have the same author. The issue here being that the Client ID and Client Secret are available to the user in the client. This can be dealt with either by developing a proxy on server end or by using short-life tokens and disabling CORS (if I understood correctly). Is there any other property we can take advantage of as far as security is concerned when server and app have the same author?
My second question relates to the optional use of a Facebook Login authentication (or whatever well-known app OAuth login system: Google, Twitter, etc.).
Ideally, I want users to log in using either:
My-app-related credentials (if they registered without using FB login option)
Facebook credentials (if they registered using FB login option)
The first log in method is the classical one: upon log in, are sent to the server the user credentials along with the client ID and client Secret, we get back an access token and everything works well.
I must confess I'm a bit lost with the second method: upon login, user Facebook credentials are sent to Facebook server, which responds with an access token, and my app get access to my user Facebook information (such as email address and UID). But I do not know what to do with this FB information, and especially what I should sent to my own OAuth server so that:
The user gets connected to my server
The connection is secure (i.e. no one can impersonate the user by only having to get her Facebook UID for instance).
In other terms, there should be something secret related to Facebook sent to my server but I can not figure what.
I have found the answer to my second question, so I share it here:
What should be passed on to the server is the Facebook access token, so that the server can :
make a request using Facebook PHP SDK and the given token
retrieve user data (such as Facebook UID for instance)
match it against your website user database (which should have users FB UIDs)
actually connects the user if there is a match
Step 1. and 2. can be done nicely with the helper class FacebookJavascriptLoginHelper of the FB PHP SDK. In this case, the access token is stored by Facebook Javascript SDK into a cookie that is read server-side by the FacebookJavascriptLoginHelper.
I am new to Oauth2 and hello.js and don't understand, how to use it securely.
I was trying singup/login with Google and for me the problem is, that 3rd party Oauth service (e.g. Google) does not return user-details (email, id) to my server. The critical data (id, email) is fetched on the client and then it can be sent to my server by client / browser.
But I cannot make reliable server API which receives arbitrary network-type(google|facebook), userId, password and makes login / signup according to this. Everyone could then register as someone other's = arbitrary social id.
What workflow would You sugest to create an account for Google-authenticated user, in my server?
Edit: sorry, this whole queestion is probably my misunderstanding of Hellol.js purpose.
In my case, I need something like authom or passport.
Google adds to the url all the information about user, and there is no secret token
It should only be adding an 'access_token' this is unique session token to make subsequent calls to googles api's on behalf of the user.