Christoph Herold

Reputation: 1809

Single Sign On(-ish) behavior from MS Teams with BotFramework Composer

We are using BotFramework Composer to create bots. These bots are supposed to get information from a backend REST service, where we need to know which user is submitting the request for data. We are currently using {turn.activity.from.id} to get the Teams user's id, and sending it in a special HTTP header in the "Send an HTTP request" action. We then perform a mapping of this id to our internal users.

We are, of course, aware that this is not secure at all, since anyone who knows this could get the user's id and send it to our service. We are currently thinking along the lines of generating a short-lived JWT token in the Bot to send to our application. However, we see no direct way of implementing this token generation in the Bot Framework Composer itself.

Also, we don't want to use OAuth, because we don't want the user to have to log in via the bot.

Is there a way to implement custom token generation using C# or js and assigning it to a dialog variable to be used in a "Send an HTTP request" action?

Upvotes: 1

Views: 341

Answers (2)

Neil

Reputation: 176

You can create a custom Action or a package component and create any C# methods there for JWT generation. This will keep it all local to the bot.

https://learn.microsoft.com/en-us/composer/how-to-create-custom-actions

Upvotes: 0

Steven Kanberg

Reputation: 6383

This document discusses how to implement an HTTP request in Composer. The first half is focused on creating a login for OAuth, which I know is not your focus, so look at the second half. If you set up a simple server that can generate a token for you, then you can make a request to it from Composer using the method described.

As links can break and docs can change (and Composer is still in Preview), I would recommend saving the doc somewhere and checking back every so often for any updates.

I've used HTTP requests from within Composer, myself, so I know this will work for you.

Hope of help!

Upvotes: 1
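Added example, not part of either answer or of Composer itself: a sketch of the short-lived token the question describes, minted on the bot side (in a custom action or in the small token service the answers suggest) and verified by the backend before it maps the id to an internal user. The shared secret, the `composer-bot` / `backend-api` issuer and audience values and the function names are assumptions; it uses HS256 with only Node's built-in crypto module.

```javascript
const nodeCrypto = require("node:crypto");

const b64url = (data) => Buffer.from(data).toString("base64url");
const sign = (secret, input) =>
  nodeCrypto.createHmac("sha256", secret).update(input).digest();

// Bot side: wrap turn.activity.from.id in a signed token that expires quickly.
function mintToken(teamsUserId, secret, nowSec = Math.floor(Date.now() / 1000), ttlSec = 60) {
  const header = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const payload = b64url(JSON.stringify({
    sub: teamsUserId,
    iss: "composer-bot",   // assumed issuer name
    aud: "backend-api",    // assumed audience name
    iat: nowSec,
    exp: nowSec + ttlSec,
    jti: nodeCrypto.randomUUID(),
  }));
  return `${header}.${payload}.${b64url(sign(secret, `${header}.${payload}`))}`;
}

// Backend side: returns the claims, or throws. The HMAC is always SHA-256,
// so a header claiming another algorithm cannot change how we verify.
function verifyToken(token, secret, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  const [header, payload, sig] = parts;
  const expected = sign(secret, `${header}.${payload}`);
  const given = Buffer.from(sig, "base64url");
  // Constant-time comparison; the length check avoids timingSafeEqual throwing.
  if (given.length !== expected.length || !nodeCrypto.timingSafeEqual(given, expected)) {
    throw new Error("bad signature");
  }
  // Only parse the JSON once the bytes are known to come from the bot.
  const h = JSON.parse(Buffer.from(header, "base64url").toString("utf8"));
  if (h.alg !== "HS256") throw new Error("unexpected alg");
  const claims = JSON.parse(Buffer.from(payload, "base64url").toString("utf8"));
  if (claims.iss !== "composer-bot" || claims.aud !== "backend-api") {
    throw new Error("wrong iss/aud");
  }
  if (typeof claims.exp !== "number" || nowSec >= claims.exp) throw new Error("expired");
  if (typeof claims.sub !== "string" || claims.sub === "") throw new Error("missing sub");
  return claims;
}
```

The backend maps `claims.sub` to its internal user only after `verifyToken` returns; a short TTL bounds replay, and the backend can additionally remember `jti` values until they expire.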
