Identity propagation between 3rd party IP and Microsoft Azure

Damian Petrecki 0 Reputation points
2023-08-01T13:17:38.7+00:00

Hello, I'd like to create a Slack Application using the OAuth 2.0 On-Behalf-Of flow. I can open a browser from Slack, log in to AD with SSO, and then the backend of the Slack Application receives a valid token and can call another Web API service using my identity. This "other Web service" is an O365 Enterprise App using AD users and permissions. It works, but I need to store the second token in the Slack App backend and use it with each request between my backend services.

My question is: is there a way to translate my Slack identity (the Slack OAuth that has been used to initialize the login into AD) into my Microsoft AD identity? That way I'll be sure that only "Slack me" can be translated into "Microsoft me".


1 answer

  1. Limitless Technology 44,751 Reputation points
    2023-08-02T10:13:43.04+00:00

    Hello Damian,

    Thank you for your question and for reaching out today.

    Yes, you can achieve the translation of your Slack identity into your Microsoft AD identity using the OAuth 2.0 On-Behalf-Of flow in combination with Microsoft's identity platform (formerly Azure Active Directory). This flow allows your Slack application to obtain an access token representing the user's identity in Microsoft AD, based on the initial token obtained from Slack.

    Here's how the process works:

    1. User Authentication with Slack: When a user authenticates with your Slack application, Slack generates an access token representing the user's identity in Slack. This token is typically a user-specific token associated with the permissions granted to your Slack app.
    2. On-Behalf-Of Flow: After the user is authenticated with Slack, your backend server (Slack App backend) can use the OAuth 2.0 On-Behalf-Of flow to exchange the Slack access token for a new access token that represents the user's identity in Microsoft AD.
    3. Calling Microsoft O365 Enterprise App: With the new access token representing the user's identity in Microsoft AD, your backend server can then make authorized requests to the O365 Enterprise App on behalf of the user.

    By using the On-Behalf-Of flow, you can obtain a token representing the user's identity in Microsoft AD, which allows you to access other Microsoft services securely.

    Here are the high-level steps involved in the On-Behalf-Of flow:

    1. From your Slack App backend, make a request to the Microsoft identity platform's token endpoint (https://login.microsoftonline.com/{tenant}/oauth2/token) with the Slack access token and a grant_type of urn:ietf:params:oauth:grant-type:jwt-bearer.
    2. The Microsoft identity platform will validate the Slack access token and issue a new access token representing the user's identity in Microsoft AD.
    3. Use the new access token to call the O365 Enterprise App on behalf of the user.

    By following this flow, you ensure that only "Slack you" (i.e., the user authenticated with your Slack app) can be translated into "Microsoft you" (i.e., the same user's identity in Microsoft AD), as the translation is done securely through OAuth 2.0 mechanisms.

    Make sure to handle token storage securely on your Slack App backend to protect the user's identity and avoid token leakage.

    For more details and code examples on implementing the On-Behalf-Of flow with Microsoft identity platform, you can refer to the official Microsoft documentation on OAuth 2.0 On-Behalf-Of flow:

    I used AI provided by ChatGPT to formulate part of this response. I have verified that the information is accurate before sharing it with you.

    If the reply was helpful, please don’t forget to upvote or accept as answer.

    Best regards.
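The following is an added example, not code from the original question or answer. It shows the two pieces the thread discusses: the form body of a Microsoft identity platform On-Behalf-Of exchange, and a trust-on-first-use binding between a Slack principal (team ID, user ID) and the Entra principal (`tid`, `oid`) found in the token the exchange is based on, so that a request from "Slack you" can only ever be served with "Microsoft you". Everything named here is an assumption: the app registration (`CLIENT_ID`, `CLIENT_SECRET`), the tenant, the downstream scope, and the sample token, which is constructed and unsigned for offline use. The assertion passed to the exchange is the Microsoft-issued access token the Slack backend received after the browser sign-in described in the question; signature, issuer, audience and expiry validation of that token is left to a real JWT library and is not performed below.

```python
"""
Added example (not from the original Q&A post).

Assumptions, none of which appear on the page:
  - The Slack app backend is a confidential client registered in Entra ID
    (CLIENT_ID / CLIENT_SECRET), and the browser sign-in from Slack delivered
    an Entra-issued access token for that backend (the "valid token" in the
    question). That token is the OBO assertion.
  - The downstream O365 enterprise app exposes DOWNSTREAM_SCOPE.
  - Token signature/issuer/audience/expiry validation is done by a JWT library
    against the tenant's JWKS before decode_claims() is trusted.
"""
import base64
import json
import urllib.parse
import urllib.request

CLIENT_ID = "00000000-0000-0000-0000-000000000000"     # hypothetical app registration
CLIENT_SECRET = "replace-with-secret-from-a-vault"      # hypothetical; never hard-code for real
TENANT = "contoso.onmicrosoft.com"                      # hypothetical tenant
DOWNSTREAM_SCOPE = "api://downstream-app-id/.default"   # hypothetical downstream API scope
TOKEN_ENDPOINT = f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/token"


def build_obo_request(user_assertion: str) -> dict:
    """Form parameters of the v2.0 On-Behalf-Of exchange: the user's Entra access
    token goes in 'assertion', and requested_token_use marks it as OBO."""
    return {
        "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
        "assertion": user_assertion,
        "scope": DOWNSTREAM_SCOPE,
        "requested_token_use": "on_behalf_of",
    }


def exchange_on_behalf_of(user_assertion: str) -> dict:
    """POST the OBO request to the token endpoint. Needs network and real
    credentials, so it is defined here but not executed in this example."""
    body = urllib.parse.urlencode(build_obo_request(user_assertion)).encode()
    req = urllib.request.Request(TOKEN_ENDPOINT, data=body, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)  # contains access_token, expires_in, ...


def decode_claims(jwt: str) -> dict:
    """Decode the payload segment of a compact JWT WITHOUT verifying it.
    Only call this on a token a JWT library has already verified."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed sample token for offline use: header.payload with an empty
    signature. Real Entra tokens are RS256-signed; never accept alg 'none'."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}."


class IdentityBinding:
    """Trust-on-first-use map from a Slack principal to an Entra principal.
    The binding is keyed on stable identifiers (team/user IDs, tid/oid), not
    on display names or e-mail addresses, which can change or be reassigned."""

    def __init__(self):
        self._bindings = {}  # (slack_team_id, slack_user_id) -> (tid, oid)

    def bind_or_check(self, slack_team_id: str, slack_user_id: str, entra_claims: dict):
        """First call records the binding; later calls must present the same
        Entra principal or the request is refused."""
        entra_principal = (entra_claims["tid"], entra_claims["oid"])
        key = (slack_team_id, slack_user_id)
        stored = self._bindings.get(key)
        if stored is None:
            self._bindings[key] = entra_principal
            return entra_principal
        if stored != entra_principal:
            raise PermissionError(
                f"Slack user {key} is bound to Entra {stored}, got {entra_principal}")
        return stored


if __name__ == "__main__":
    # Constructed sample: the Entra token the backend received after SSO.
    sample_token = make_unsigned_jwt({"tid": "tenant-guid", "oid": "user-guid",
                                      "preferred_username": "damian@contoso.example"})
    binding = IdentityBinding()
    print(binding.bind_or_check("T0SLACK", "U0DAMIAN", decode_claims(sample_token)))
    print(build_obo_request(sample_token)["grant_type"])
```

In practice the request body above is what MSAL's `acquire_token_on_behalf_of` builds for you; the part the original question is really asking about is the binding class. On every Slack request: verify the Slack signing secret, look up the (team, user) binding, then use only the stored Entra access token (or the refresh flow that reissued it) whose `tid`/`oid` match that binding. A mismatch means someone is presenting a different Microsoft identity for the same Slack user and the request should fail closed.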

