how to get Azure Active Directory B2C working with Bot Framework?

So far I've not been able to get this working with the Bot Framework. I spent all day but only managed to get the .NET API example (https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet) working with AD B2C. I'm not sure where it grabs the bearer token that I want to pass to BotUserData...

I've tried following https://azure.microsoft.com/en-us/blog/bot-framework-made-better-with-azure/

but in reality the solution does not build successfully and I've resorted to just taking code from there and putting it into my Bot Framework sample template. However, when it asks me to log in through MS and I do, I am not able to proceed, and it doesn't seem like that blog is using the AD B2C policies.

So how do you integrate AD B2C with the Bot Framework? Is it possible to call the /Account/SignIn URL from the Bot Framework to authenticate the user? Afterwards, how would you capture the token and pass it to BotUserData?


Solution 1:

You might want to take a look at the Facebook Auth sample to get an idea of a potential flow for the auth scenario. For Azure AD, you need to do a similar flow.

Let's say your user sends a "Login" message to your bot. The bot should respond with an auth URL and ask the user to log in to the service using that URL. You can use the GetAuthorizationRequestURL method of ADAL for that.

Then you will have a Web API which will basically expose an endpoint that will be the reply URL of Azure AD. Once the user completes the login, a message will be posted to your Web API where you will be able to get the authorization code and perform the calls to get the access token. After that, you can just do the same they are doing in the Facebook Sample Web API, which involves resuming the conversation with the bot and sending a message with the access token so it can be persisted in the PerUserInConversationData bag (check this line of code).

After that you have the access token available to perform any call that requires an access token.

Update

There are two new samples that you might want to take a look at, since they implement the workflow being discussed.

  • GraphBot from the BotBuilder repo.
  • AuthBot from Mat Velloso

Hope this helps.

Solution 2:

Follow this tutorial for bot-side code development; I focus on configuration at the B2C and Azure level here:

OAuth Connection

Client id This is taken from the Application ID field in your B2C app's properties. It's the equivalent of a Microsoft app ID taken from any other AAD app registration.

client id from B2C configuration in Azure

Client secret This is generated using the steps in this tutorial.

Select Keys and then click Generate key. Select Save to view the key. Make note of the App key value. You use the value as the application secret in your application's code.

Use AAD V2 configuration in oAuth settings in bot channel registration - new oauth connection settings.

AAD V2 configuration page.

Fill the above details by following the steps and values we got from them.

Authorization/Token/Refresh URL

I followed on this one with

https://login.microsoftonline.com/tfp///oauth2/v2.0/authorize

for the Authorization URL and

https://login.microsoftonline.com/tfp///oauth2/v2.0/token

for the Token and Refresh URLs.

For I used the URL format (kyleorg.onmicrosoft.com) rather than the GUID format, but using the GUID also seems to work.

is the name of a user flow, like B2C_1_userflow. I created one with this tutorial.

Scopes Using the scopes openid offline_access I am able to sign in successfully, but to my astonishment the token returned is empty.


Then I found this document which suggests using the client ID itself as a scope.

When I reuse the value from the Client id field in my Scopes field, a token is returned successfully and my bot is able to use the connection.


You can combine this with other scopes as needed, but for the sake of experimentation I highly recommend getting the simplest implementation to work first.

Let me know if these instructions work, and if they don't then we'll see if the difference lies in how we've set up our B2C apps. As a bonus, I should mention that after you get a token you can paste it into https://jwt.ms/ to decode it and see if it recognized your B2C user correctly. Always refresh the page when pasting a new token to make sure it doesn't keep showing you the information from the last token.

I referred to this document.
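As an added example (not from either answer, nor from the Bot Framework or ADAL samples), here is the B2C endpoint template and the token check described above in Python, with constructed tenant, user-flow, client-id and redirect values. Like jwt.ms it only decodes the payload, so a real bot must still verify the signature against the tenant's JWKS before trusting any claim.

```python
import base64
import json
import time
from urllib.parse import urlencode

# Constructed placeholder values (not a real tenant, user flow or app registration).
TENANT = "contoso.onmicrosoft.com"
POLICY = "B2C_1_signupsignin"
CLIENT_ID = "11111111-2222-3333-4444-555555555555"

def b2c_endpoint(tenant, policy, kind):
    """B2C v2.0 endpoint in the tfp/<tenant>/<policy> form used for the connection."""
    return f"https://login.microsoftonline.com/tfp/{tenant}/{policy}/oauth2/v2.0/{kind}"

def authorize_url(tenant, policy, client_id, redirect_uri, state, scopes=None):
    """Authorization URL the bot hands the user (authorization-code flow)."""
    # The app's own client id is used as a scope; openid/offline_access alone
    # produced an empty token in the answer above.
    scopes = scopes or [client_id, "openid", "offline_access"]
    params = {"client_id": client_id, "response_type": "code",
              "redirect_uri": redirect_uri, "response_mode": "query",
              "scope": " ".join(scopes), "state": state}
    return b2c_endpoint(tenant, policy, "authorize") + "?" + urlencode(params)

def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def inspect_token(token, expected_aud, expected_policy, now=None):
    """Decode the payload (no signature check, like jwt.ms) and check the claims a
    B2C bot connection should see. Returns (ok, problems, claims)."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, ["not a compact JWS (expected 3 dot-separated parts)"], {}
    claims = json.loads(_b64url_decode(parts[1]))
    problems = []
    if claims.get("aud") != expected_aud:
        problems.append("aud is not the bot's client id")
    if claims.get("tfp", claims.get("acr")) != expected_policy:
        problems.append("tfp/acr does not name the expected user flow")
    if claims.get("exp", 0) <= (now or time.time()):
        problems.append("token is expired")
    return not problems, problems, claims

def sample_token(claims):
    """Constructed, unsigned token for offline demonstration only."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.c2lnbmF0dXJl"
```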