Bot Framework v4 bot authentication using Subject Name/Issuer
This bot has been created using Bot Framework, it shows how to use the bot authentication capabilities of Azure Bot Service. In this sample, we use a local or KeyVault certificate and the MSAL Subject Name/Issuer configuration to create the Bot Framework Authentication.
Important
Microsoft's first-party resources are required to test this sample.
In this guide, we'll explain how to consume a certificate in Bot Framework with the following options:
This sample uses the bot authentication capabilities of Azure Bot Service, providing features to make it easier to develop a bot that authenticates users using digital security certificates. You just need to provide the certificate data linked to the managed identity and run the bot, then communicate with it to validate its correct authentication.
An SSL/TLS certificate is a digital object that allows systems to verify identity and subsequently establish an encrypted network connection with another system using the Secure Sockets Layer/Transport Layer Security (SSL/TLS) protocol. Certificates are issued using a cryptographic system known as public key infrastructure (PKI). PKI allows one party to establish the identity of another through the use of certificates if they both trust a third party, known as a certificate authority. SSL/TLS certificates therefore function as digital identity documents that protect network communications and establish the identity of websites on the Internet as well as resources on private networks.
Certificate Subject Name and Issuer (SNI) based authentication is currently available only for Microsoft internal (first-party) applications. External (third-party) apps cannot use SNI because SNI is based on the assumption that the certificate issuer is the same as the tenant owner. This can be guaranteed for some first-party tenants, but not for third-party. So there are no plans to bring SNI to third-party apps. For more details about this feature and code examples see this SNI issue and a wiki page.
-
Setup ngrok
- Follow this guide to install and configure ngrok in your environment.
- Run ngrok with the following command.
ngrok http --host-header=rewrite 3978
-
Setup a Bot
Note
The app registration used here can be Single or Multi tenant.
- Register a bot with Azure Bot Service, following the instructions here.
- After registering the bot, use
<NGROK_FORWARDING_DOMAIN>/api/messagesas the messaging endpoint.NOTE: make sure to take note of the Microsoft App Id as we'll need this for later.
-
Clone the repository
git clone https://github.com/microsoft/botbuilder-samples.git
-
Configure the SSL/TSL certificate. This sample requires an existing certificate issued by OneCert. The first step is to configure the app registration with the certificate subject name, then go to the app registration used by the azure bot and add the following configuration to the manifest:
"trustedCertificateSubjects": [ { "authorityId": "00000000-0000-0000-0000-000000000001", "subjectName": "<certificate_subject_name>", "revokedCertificateIdentifiers": [] } ] -
We have two options to configure the certificate in the bot. Below is a step-by-step description of each one:
-
Configure the following app settings variables:
- MicrosoftAppId: App Id of your bot (gathered from the Setup a Bot step).
- MicrosoftAppType: Type of the App (optional for MultiTenant apps).
- MicrosoftAppTenantId: Tenant Id to which your bot belongs (optional for MultiTenant apps).
-
Install and configure OpenSSL with the latest version - Download the latest version source and add the folder to the environment variables path.
setx path "%path%;<OpenSSL path here> e.g setx path "%path%;C:\Program Files\openssl-3.3.0"
-
To read the certificate in the bot, the pem file must include the key, then if your certificate is in pfx format go to the certificate location and run the following command to generate a pem file with key:
OpenSSL pkcs12 -in .\<certificate-name>.pfx -out <certificate-with-key-name>.pem –nodes
e.g
-
In the sample code, go to the Startup class and uncomment the line of code that reads the local certificate and write the name of the certificate in pem format inside the CreateFromPemFile method. Be sure to comment out or remove the lines of code that use Azure KeyVault to avoid errors. Keep in mind that the SNI authentication works with the sendX5C flag, keep its value in true.
NOTE: Here the values of
MicrosoftAppIdandMicrosoftTenantIdare needed to generate the credentials.
-
This option requires the following app settings variables:
- KeyVaultName: Name of the KeyVault containing the certificate.
- CertificateName: Name of the certificate in the KeyVault.
- MicrosoftAppId: App Id of your bot (gathered from the Setup a Bot step).
- MicrosoftAppType: Type of the App (optional for MultiTenant apps).
- MicrosoftAppTenantId: Tenant Id to which your bot belongs (optional for MultiTenant apps).
-
Import the certificate under the Certificates section, hit on Generate/Import, complete the form, and upload the certificate.
-
In the sample code, go to the Startup class and uncomment the line of code that reads the keyvault certificate and verify that the keyvault credentials are completed in the appsettings file. Be sure to comment out or remove the lines of code that use local certificate to avoid errors. Keep in mind that the SNI authentication works with the sendX5C flag, keep its value in true.
NOTE: Here the values of
MicrosoftAppIdandMicrosoftTenantIdare also needed to generate the credentials.
-
In the current sample context, log into Azure to obtain the default credentials by executing the following command.
az login
- From a terminal, navigate to
samples/csharp_dotnetcore/85.bot-authentication-sn
# run the bot
dotnet run-
Or from Visual Studio
-
Launch Visual Studio
-
File -> Open -> Project/Solution
-
Navigate to
samples/csharp_dotnetcore/85.bot-authentication-snfolder -
Select
AuthSNIBot.csprojfile -
Press
F5to run the project
Go to the Azure bot resource created previously, select the Test in Web Chat option under the Settings section and start talking to the bot.
To learn more about deploying a bot to Azure, see Deploy your bot to Azure for a complete list of deployment instructions.