Skip to content

Latest commit

 

History

History

84.bot-authentication-certificate

README.md

Authentication Bot using SSL/TLS certificates

Bot Framework v4 bot authentication using Certificate

This bot has been created using Bot Framework, it shows how to use the bot authentication capabilities of Azure Bot Service.

In this guide, we'll explain how to create and consume a certificate in Bot Framework with the following options:

  1. Local environment
  2. KeyVault

Interacting with the bot

This sample uses the bot authentication capabilities of Azure Bot Service, providing features to make it easier to develop a bot that authenticates users using digital security certificates. You just need to provide the certificate data linked to the managed identity and run the bot, then communicate with it to validate its correct authentication.

SSL/TLS certificate

An SSL/TLS certificate is a digital object that allows systems to verify identity and subsequently establish an encrypted network connection with another system using the Secure Sockets Layer/Transport Layer Security (SSL/TLS) protocol. Certificates are issued using a cryptographic system known as public key infrastructure (PKI). PKI allows one party to establish the identity of another through the use of certificates if they both trust a third party, known as a certificate authority. SSL/TLS certificates therefore function as digital identity documents that protect network communications and establish the identity of websites on the Internet as well as resources on private networks.

Prerequisites

  • Ngrok latest version.

  • .NET SDK version 8.0

    # determine dotnet version
dotnet --version

To try this sample

  • Setup ngrok

    1. Follow this guide to install and configure ngrok in your environment.
    2. Run ngrok with the following command. 
      ngrok http --host-header=rewrite 3978

  • Setup a Bot

    1. Register a bot with Azure Bot Service, following the instructions here.
    2. After registering the bot, use <NGROK_FORWARDING_DOMAIN>/api/messages as the messaging endpoint.

      NOTE: make sure to take note of the Microsoft App Id as we'll need this for later.

  • Clone the repository

    git clone https://github.com/microsoft/botbuilder-samples.git

Create and configure the SSL/TSL certificate. In this sample we use two possible options to create and set an SSL/TSL certificate. Below is a step-by-step description of each one:

Using local environment

  1. Configure the following app settings variables:

    • MicrosoftAppId: App Id of your bot (gathered from the Setup a Bot step).
    • MicrosoftAppType: Type of the App (optional for MultiTenant apps).
    • MicrosoftAppTenantId: Tenant Id to which your bot belongs (optional for MultiTenant apps).

  2. Intall and configure OpenSSL with the latest version.

    • Download the latest version source and add the folder to the environment variables path. 
      setx path "%path%;<OpenSSL path here> 

e.g:
setx path "%path%;C:\Program Files\openssl-3.3.0"

  3. Run the following command in PowerShell

    • For global environment certificate execute the following command with admin privileges:

      $cert = New-SelfSignedCertificate -CertStoreLocation "." -Subject "CN=<certificate-name>" -KeySpec KeyExchange

      e.g: Global Certificate Command

    • For current user certificate execute:

      $cert = New-SelfSignedCertificate -CertStoreLocation "Cert:\CurrentUser\My" -Subject "CN=<certificate-name>" -KeySpec KeyExchange

      e.g: User Certificate Command

  4. Then, type Manage computer certificates (global environment certificate) or Manage User Certificates (current user certificate) in the Windows search bar and hit enter.

    User Certificate Search

  5. The certificate will be located in the user certificates folder, under personal directory.

    Certificate Directory

  6. Export the certificate to pfx format including the key.

    Certificate Export Steps Certificate Export Steps

  7. Go to the certificate location and run the following command to generate a pem file (the command will ask for the password generated in the previous step):

    OpenSSL pkcs12 -in .\<certificate-name>.pfx -out <certificate-name>.pem –nodes -nokeys

    e.g: Pem File Command No Key

  8. Upload the generated certificate to the Azure app registration.

    Certificate Upload

  9. To read the certificate in the bot, the pem file must include the key, then go to the certificate location and run the following command to generate a pem file with key:

    OpenSSL pkcs12 -in .\<certificate-name>.pfx -out <certificate-with-key-name>.pem –nodes

    e.g: Pem Command With Key

  10. In the sample code, go to the Startup class and uncomment the line of code that reads the local certificate and write the name of the certificate in pem format inside the CreateFromPemFile method. Be sure to comment out or remove the lines of code that use Azure KeyVault to avoid errors.

    NOTE: Here the value of MicrosoftAppId and MicrosoftAppTenantId are needed to generate the credentials.

    Certificate Reading

Using KeyVault

  1. This option requires the following app settings variables:

    • KeyVaultName: Name of the KeyVault containing the certificate.
    • CertificateName: Name of the certificate in the KeyVault.
    • MicrosoftAppId: App Id of your bot (gathered from the Setup a Bot step).
    • MicrosoftAppType: Type of the App (optional for MultiTenant apps).
    • MicrosoftAppTenantId: Tenant Id to which your bot belongs (optional for MultiTenant apps).

  2. Create a KeyVault resource.

  3. Assign KeyVault permissions to the current user if needed to create a new certificate.

  4. Under the Certificates section, hit on Generate/Import, complete the form, and create the certificate in pem format. Generate Certificate Create Certificate

  5. Go to the details of the certificate and download it in CER format to avoid the export of the private key.

    Certificate Details Download Certificate

    NOTE: If you used pkcs format in the creation step and downloaded it in PFX format, install OpenSSL and follow the step 6 of the previous section to convert it to pem format without keys.

    NOTE: If you downloaded it in PEM format, it will be neccesary to remove the private key by executing the following command:

    OpenSSL pkcs12 -in .\<certificate-name>.pem -export -out .\<certificate-without-key-name>.pem -nokeys

    e.g: Remove Keys

  6. Upload the certificate to the Azure app registration. Upload Cer Certificate

  7. In the sample code, go to the Startup class and uncomment the line of code that reads the keyvault certificate and verify that the keyvault credentials are completed in the appsettings file. Be sure to comment out or remove the lines of code that use local certificate to avoid errors.

    NOTE: Here the value of MicrosoftAppId and MicrosoftAppTenantId are also needed to generate the credentials.

    Certificate Reading

  8. In the current sample context, log into Azure to obtain the default credentials by executing the following command.

    az login

Run the bot from a terminal or from Visual Studio:

  • From a terminal, navigate to samples/csharp_dotnetcore/84.bot-authentication-certificate and execute:

    # run the bot
dotnet run

  • Or from Visual Studio

    • Launch Visual Studio
    • File -> Open -> Project/Solution
    • Navigate to samples/csharp_dotnetcore/84.bot-authentication-certificate folder
    • Select AuthCertificateBot.csproj file
    • Press F5 to run the project

Testing the bot using Azure Bot

Go to the Azure bot resource created previously, select the Test in Web Chat option under the Settings section and start talking to the bot.

Bot Conversation

Deploy the bot to Azure

To learn more about deploying a bot to Azure, see Deploy your bot to Azure for a complete list of deployment instructions.

Further reading