Abdul Mateen Mohammed

Reputation: 1894

Get information about who installed a Microsoft Teams Bot App

We've built a bot application using Microsoft Bot Framework (C# & Azure) and used Microsoft Teams Channel on dev.botframework.com to enable our bot on MSTeams using sideloading, but this bot is going to be a commercial one, so we need a way to make it accessible only to our customers.

  1. During the installation of the bot app on MS Teams, is there any event raised when someone installs our app where we can hook a redirection URL or a callback to receive information on "who installed our app" (the user info, their team info, their company info, etc.)? I came across a commercial app, Microsoft Teams Jira Connector, but couldn't figure out how they commercialised it.

  2. The installation should be launched from within our application so that we can map the licensing, customer & team/tenant details together for an admin purchasing on behalf of their company.

What I've tried so far:

On the bot code end, we're getting tenant_id, so I was searching for a way to retrieve similar info when the bot is added/installed to Microsoft Teams, but I've not been able to find much.

Thinking OAuth might help, as Slack uses it to provide access to a user's workspace information, I've tried OAuth 2.0 & v2.0 Protocols OAuth 2.0. I'm getting an access_token but don't see any APIs to call in order to get team/tenant information.

EDIT: If I could get tenant_id or their MS Teams information using OAuth and APIs, the process would become simple. It is as follows:

  1. On our website, we will ask the user to click a button to grant access to their MS Teams using OAuth, and using the access_token we will get their MS Teams information and store it on our end, mapped to a particular company.

  2. When a user sends a message, we will ask them to click an authenticate/activate license button in a card; if the team info coming from the user matches a record in our database, then they are a valid user and we activate a license.

Will the Microsoft Graph API be useful here? The MS Teams developer API seems to be in development.

Please provide your suggestions on this.

Upvotes: 3

Views: 2012

Answers (2)

Abdul Mateen Mohammed

Reputation: 1894

In order to do authentication when we don't have individual user accounts on our system, but only the concept of a number of licenses and an admin user account for the company, the following approach can be followed:

  1. On our website, we will ask the company admin to click a button to grant access to their MS Teams using OAuth 2.0, and using the id_token (JWT token) retrieved we will get their MS Teams information and store it on our end, mapped to a particular company.

  2. When a user sends a message, we will ask them to click an authenticate/activate license button in a card; if the team info coming from the user matches a record in our database, then they are a valid user and we activate a license.

Integrating with Microsoft Teams without individual user accounts

Step 1 ensures that we have our customer information (tenant id) in our database (this will be validated against the information coming from the actual bot user, i.e. their tenant id, when they send a message to our bot).

Step 2 validates & activates the license of the user through tenant id.

To do the OAuth 2.0 flow, the AuthBot sample code should be taken as a reference; you can also refer to OAuth 2.0 & v2.0 Protocols OAuth 2.0.

When the user grants access, we will get an authorization code, which can be used to request an access token; from the response we can take the id_token (JWT token) and decode it to retrieve user information (https://jwt.io/).

Check the 'Successful response' and 'JWT Token Claims' sections in OAuth 2.0.

However, I see more cons than pros without individual user accounts, and I recommend having individual user accounts. After we put forth the pros and cons of 'having individual accounts' vs. 'not having them', the product owners agreed to have individual user accounts.

Upvotes: 2

Gary Liu

Reputation: 13918

Due to the text length limitation of comments, apologies for posting this as an answer here; thanks for understanding.

As @bill-bliss-msft mentioned in a comment, there is an event when a bot is installed or removed, shown at https://msdn.microsoft.com/en-us/microsoft-teams/botevents#bot-or-user-added-to-a-team, but it doesn't contain user info.

For your scenario, the common idea is to authenticate the users who purchased when they are using your bot. There is a sample at https://github.com/MicrosoftDX/AuthBot/tree/master/AuthBot. You can get the access_token in the bot client and set it as the authentication header on your server requests.

The access_tokens are JWT tokens under the OAuth 2.0 flow, so you can directly decrypt this token in your backend server to get the info about your authenticated user.

Please refer to https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-tokens for a glance at the claims in an access_token for Azure AD. You can leverage the tenant ID property to authenticate the users purchased for by a team or group. I think there will be a similar property in other OAuth 2.0 servers if you are not using Azure AD.

Upvotes: 0
