Authenticate users in multitenant MS Teams chatbot

rvds 1 Reputation point
2021-11-05T09:43:18.613+00:00

I have a serverless multi-tenant application with one 'front end' in the form of an MS Teams chat bot.

Each client company (tenant) receives an individual database, but the serverless application is shared among clients. The credentials for this database are stored in AWS Parameter Store as a SecureString with the Tenant_ID (of the client's Azure AD) as the parameter name.

All services (except the MS Teams chat bot) are secured in a VPC with no access from the outside.

The MS Teams chat bot service exposes a handler on POST /api/messages.

The "authentication" works as follows: when a message is received by the MS Teams chat bot, the tenant_id of the user is extracted and used to check whether that tenant_id is registered within the parameter store. If not, the chat bot returns a message that the client company needs to register first.

import logging

import boto3
from botbuilder.core import TurnContext

logger = logging.getLogger(__name__)


class TeamsAuthHelper:
    @staticmethod
    async def check_if_tenant_is_registered(turn_context: TurnContext) -> bool:
        """
        Helper method that checks if the tenant_id exists as a parameter within the parameter store.
        If the parameter exists, this implies that the user should be able to access our application.

        Args:
            turn_context (TurnContext): The incoming Teams activity; the tenant ID is read
                from its channel data (channelData.tenant.id).

        Returns:
            bool: True if a parameter named after the tenant ID exists, False otherwise.
        """
        # Created outside the try block so the ParameterNotFound handler can reference it.
        ssm_client = boto3.client("ssm")
        try:
            logger.debug("Checking if tenant is registered")

            # The tenant ID is taken directly from the channel data of the incoming activity.
            tenant_id = turn_context.activity.channel_data["tenant"]["id"]
            response = ssm_client.get_parameter(Name=tenant_id, WithDecryption=True)

            # get_parameter raises ParameterNotFound for a missing name, so any response
            # means the parameter exists.
            if response is not None:
                return True

            return False

        except ssm_client.exceptions.ParameterNotFound:
            return False

        except Exception as e:
            logger.exception(
                "An unregistered company tried to connect", extra={"exception": e})
            await turn_context.send_activity("Your organisation seems to be not yet registered!")
            return False

Is this a secure way of doing it?
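As an added example (not code from the original post), the following shows how the registration check described above can be hardened on two points that the posted code leaves open: the request-supplied tenant ID is used verbatim as a Parameter Store name, and the existence check decrypts the secret it does not need. The rewrite accepts only a well-formed GUID, maps it into a fixed namespace before it reaches SSM, and queries without decryption. The parameter layout ("/tenants/<guid>/db-credentials"), the sample activities, and the in-memory SSM stand-in are assumptions made so the example runs offline; in production the real `boto3.client("ssm")` is passed in. Note that `channelData.tenant.id` is only trustworthy once the inbound request has been authenticated as coming from the Bot Framework (the Bot Builder adapter's `process_activity` validates the `Authorization` header for that purpose); this check assumes that validation has already happened.

```python
import logging
import uuid
from typing import Any, Dict, Optional

logger = logging.getLogger(__name__)

# Assumed namespace; the original post stores credentials under the bare tenant ID instead.
TENANT_PARAM_PREFIX = "/tenants/"


def tenant_param_name(tenant_id: str) -> str:
    """Map a tenant ID to the Parameter Store name holding its database credentials.

    Raises ValueError unless the ID is a well-formed GUID, so a request-controlled
    string can never address an arbitrary parameter such as "/prod/db/master".
    The GUID is normalised (lower-case, hyphenated) so one tenant has one name.
    """
    normalized = str(uuid.UUID(tenant_id))
    return f"{TENANT_PARAM_PREFIX}{normalized}/db-credentials"


def extract_tenant_id(activity: Dict[str, Any]) -> Optional[str]:
    """Return channelData.tenant.id from a Teams activity, or None if it is absent."""
    tenant = (activity.get("channelData") or {}).get("tenant") or {}
    tenant_id = tenant.get("id")
    return tenant_id if isinstance(tenant_id, str) else None


def check_tenant_registered(ssm_client, activity: Dict[str, Any]) -> bool:
    """True only if the activity's tenant maps to an existing credentials parameter."""
    tenant_id = extract_tenant_id(activity)
    if tenant_id is None:
        logger.warning("Activity carries no tenant id")
        return False
    try:
        name = tenant_param_name(tenant_id)
    except ValueError:
        logger.warning("Rejected malformed tenant id %r", tenant_id)
        return False
    try:
        # Existence check only: no decryption, so the bot role needs no kms:Decrypt here.
        ssm_client.get_parameter(Name=name, WithDecryption=False)
    except ssm_client.exceptions.ParameterNotFound:
        return False
    return True


class FakeSSM:
    """Minimal offline stand-in for boto3's SSM client (constructed for this example)."""

    class exceptions:
        class ParameterNotFound(Exception):
            pass

    def __init__(self, names):
        self._names = set(names)

    def get_parameter(self, Name, WithDecryption=False):
        if Name not in self._names:
            raise self.exceptions.ParameterNotFound(Name)
        return {"Parameter": {"Name": Name, "Type": "SecureString", "Value": "<ciphertext>"}}


# Constructed sample data: one registered tenant and several activities to run against it.
REGISTERED_TENANT = "8a1c5b2e-4d3f-4a6b-9c7d-1e2f3a4b5c6d"
UNREGISTERED_TENANT = "11111111-2222-4333-8444-555555555555"
FAKE_SSM = FakeSSM([tenant_param_name(REGISTERED_TENANT)])


def _activity(tenant_id) -> Dict[str, Any]:
    return {"type": "message", "text": "hi", "channelData": {"tenant": {"id": tenant_id}}}


ACTIVITY_REGISTERED = _activity(REGISTERED_TENANT)
ACTIVITY_UNREGISTERED = _activity(UNREGISTERED_TENANT)
ACTIVITY_TRAVERSAL = _activity("/prod/db/master")      # not a GUID, rejected before SSM
ACTIVITY_NO_TENANT = {"type": "message", "text": "hi"}  # no channelData at all

if __name__ == "__main__":
    for label, act in [("registered", ACTIVITY_REGISTERED), ("unregistered", ACTIVITY_UNREGISTERED),
                       ("traversal", ACTIVITY_TRAVERSAL), ("no tenant", ACTIVITY_NO_TENANT)]:
        print(f"{label:12s} -> {check_tenant_registered(FAKE_SSM, act)}")
```

Even hardened, this remains an existence oracle: it tells the caller whether a tenant is onboarded, nothing about who the user is. That is why the follow-up answers move the user-level decision onto an Azure AD token.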


2 answers

  1. rvds 1 Reputation point
    2021-11-06T14:52:57.593+00:00

    UPDATE

    In the meantime I consulted with other people and have now come to the following solution:

    We will implement the authentication as explained here: https://learn.microsoft.com/en-us/microsoftteams/platform/bots/how-to/authentication/add-authentication?tabs=dotnet%2Cdotnet-sample

    Next we will parse the JWT token received from authenticating the user to extract the tenant_id. This tenant ID will then be used to check if the tenant of the user is configured within our service.

    This feels more like a secure approach.

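The update above says the tenant ID will be parsed out of the user's JWT. As an added example (not code from the poster), the block below shows the part that matters for security: the `tid` claim is read only after the signature, algorithm, expiry, audience and issuer have been checked, and a naive base64 decode is shown beside it to make clear why that ordering matters. To keep the example offline it signs and verifies with HS256 and a shared demo key, which is an assumption; real Azure AD tokens are RS256 signed with keys published at the tenant's JWKS endpoint, so in production the same checks are done by a library that fetches those keys (for instance PyJWT's `PyJWKClient`). The issuer format assumed is the v2.0 one, `https://login.microsoftonline.com/{tid}/v2.0`; the audience, key, tenant IDs and timestamps are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Dict, Optional

DEMO_KEY = b"demo-shared-secret-not-a-real-aad-key"   # assumption: stands in for the AAD signing key
EXPECTED_AUD = "api://teams-bot-demo"                  # assumption: the bot's app ID URI
NOW = 1_700_000_000                                    # fixed clock so the example is deterministic


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_jwt(claims: Dict[str, Any], key: Optional[bytes]) -> str:
    """Build a constructed token: HS256-signed when a key is given, alg=none otherwise."""
    alg = "HS256" if key else "none"
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(key, signing_input, hashlib.sha256).digest() if key else b""
    return f"{header}.{payload}.{_b64url_encode(sig)}"


class InvalidToken(Exception):
    pass


def naive_tenant_id(token: str) -> str:
    """What NOT to do: read tid from the payload without checking anything."""
    return json.loads(_b64url_decode(token.split(".")[1]))["tid"]


def verified_tenant_id(token: str, key: bytes, expected_aud: str, now: Optional[float] = None) -> str:
    """Return tid only from a token whose signature, alg, exp, aud and iss all check out."""
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: never let the token choose it (alg=none, HS/RS confusion).
    if header.get("alg") != "HS256":
        raise InvalidToken("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise InvalidToken("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise InvalidToken("expired")
    if claims.get("aud") != expected_aud:
        raise InvalidToken("wrong audience")
    tid = claims.get("tid")
    if not tid:
        raise InvalidToken("no tid claim")
    # The issuer embeds the tenant; require it to agree with tid before trusting either.
    if claims.get("iss") != f"https://login.microsoftonline.com/{tid}/v2.0":
        raise InvalidToken("issuer does not match tid")
    return tid


# Constructed sample tokens.
REAL_TID = "8a1c5b2e-4d3f-4a6b-9c7d-1e2f3a4b5c6d"
FORGED_TID = "11111111-2222-4333-8444-555555555555"


def _claims(tid: str) -> Dict[str, Any]:
    return {"tid": tid, "iss": f"https://login.microsoftonline.com/{tid}/v2.0",
            "aud": EXPECTED_AUD, "exp": NOW + 3600, "sub": "user-1"}


GOOD_TOKEN = make_jwt(_claims(REAL_TID), DEMO_KEY)
FORGED_TOKEN = make_jwt(_claims(FORGED_TID), b"attacker-key")  # signed with the wrong key
NONE_ALG_TOKEN = make_jwt(_claims(FORGED_TID), None)            # unsigned, alg=none
EXPIRED_TOKEN = make_jwt({**_claims(REAL_TID), "exp": NOW - 1}, DEMO_KEY)

if __name__ == "__main__":
    print("verified:", verified_tenant_id(GOOD_TOKEN, DEMO_KEY, EXPECTED_AUD, now=NOW))
    print("naive decode of forged token:", naive_tenant_id(FORGED_TOKEN))
    for name, tok in [("forged", FORGED_TOKEN), ("alg=none", NONE_ALG_TOKEN), ("expired", EXPIRED_TOKEN)]:
        try:
            verified_tenant_id(tok, DEMO_KEY, EXPECTED_AUD, now=NOW)
        except InvalidToken as e:
            print(f"{name}: rejected ({e})")
```

The tid returned by `verified_tenant_id` is the value to feed into the tenant registration lookup; the naive decode returns whatever tid the sender chose to write, which is exactly why extracting the claim and validating the token must not be separated.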

  2. Hunaid Hanfee-MSFT 976 Reputation points
    2021-11-10T12:58:37.75+00:00

    Hello @rvds ,
    You can authenticate the user as explained here: https://learn.microsoft.com/en-us/microsoftteams/platform/bots/how-to/authentication/add-authentication?tabs=dotnet%2Cdotnet-sample.

    But for the TenantId, rather than getting it from the token, the Tenant Id present in the bot payload is a reliable source.

    Thanks,

    Hunaid Hanfee
