Closed: rggammon closed this 3 years ago
If it matters - d6d49420-f39b-4df7-a1dc-d59a935871db is DefaultChannelAuthTenant (botframework.com)
Hi @rggammon, based on the last link you provided, it looks like you need to request a token with the App ID and App Password after you register your bot.
AppAuth will always default to requesting a token for the managed identity when deployed to an App Service or VM, and this identity will always live in your subscription's tenant. Unfortunately, due to the abstracting nature of AzureServiceTokenProvider, the tenantId parameter is not always honored, such as in this scenario.
However, in order to configure the AzureServiceTokenProvider to request a token for your bot's app, you can use the following AppAuth connection string, where you would use your bot's App ID and Password, which you should have after following the steps from the earlier link:
RunAs=App;AppId={AppId};TenantId={TenantId};AppKey={ClientSecret}
Let me know if this doesn't help or you have any other questions.
Thanks Nick. My larger goal is to deploy a Web App Bot from an ARM template, and being able to use a managed identity in this scenario would be beneficial, because then the bot owner won't need to pre-create the app registration, nor worry about secret rotation.
Options I could see here -
I could open an issue in botbuilder-dotnet repo with the 2nd suggestion, but it would be helpful to know if this (specifying the tenant/authority, in addition to client_id) is a valid "feature request" for MSI, especially given that the sdk accepts a tenantId parameter?
Or maybe option 3 (2 appIds) is the way to go here - unfortunately, the 2nd appId would be "unmanaged" & the setup process would be manual, but at least the credentials would be in keyvault.
I will go with option 3; I think I will need an additional appId anyway to handle user delegated permissions, auth code flows.
https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/known-issues covers questions on integration with ADAL/MSAL (not yet), and https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/services-support-managed-identities does not include bot services.
For the original bug, perhaps consider throwing an exception of some kind, if the tenant id parameter is provided but not honored, rather than returning a token for the wrong tenant? Otherwise, this can be closed. Thanks!
The right thing to do is to make a change to throw an exception if the tenant id is specified, but not used. This will be a breaking change, so we will evaluate the timeline and get back on this thread.
This will not be addressed. If this is a blocking issue, please use the new Azure.Identity library. More information available here: AppAuthentication to Azure.Identity Migration Guidance
Describe the bug I am trying to use MSI with Bot Framework, replacing their AdalAuthenticator.
I am calling:
… where "d6d49420-f39b-4df7-a1dc-d59a935871db" is a hard-coded tenant in the bot framework SDK, but the token I get back via MsiAccessTokenProvider is …
Exception or Stack Trace N/A
To Reproduce Call GetAuthenticationResultAsync providing a tenantId
Code Snippet See above
Expected behavior Issuer should contain d6d49420-f39b-4df7-a1dc-d59a935871db as the tenant, as provided to the call to GetAuthenticationResultAsync
Screenshots N/A
Setup (please complete the following information):
Additional context AdalAuthenticator (which I am replacing) is -
https://github.com/microsoft/botbuilder-dotnet/blob/master/libraries/Microsoft.Bot.Connector/Authentication/AdalAuthenticator.cs
Information Checklist Kindly make sure that you have added all the following information above and check off the required fields, otherwise we will treat the issue as an incomplete report
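The "Expected behavior" check above (the returned token must carry the tenant that was passed as tenantId, otherwise fail loudly instead of using a token minted for the wrong tenant) as an added Python example; this is not code from the issue or from the AppAuthentication library, and it only inspects the tid / iss claims of whatever token a provider hands back. The tokens it builds are constructed, unsigned samples; signature validation is a separate step done by the resource.

```python
import base64
import json
from typing import Optional


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def jwt_claims(token: str) -> dict:
    """Return the (unverified) payload claims of a compact JWT."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def token_tenant(claims: dict) -> Optional[str]:
    """Tenant the token was issued for: the tid claim, else the GUID in iss."""
    tid = claims.get("tid")
    if tid:
        return tid
    # AAD issuers look like https://sts.windows.net/<tenant>/ or
    # https://login.microsoftonline.com/<tenant>/v2.0
    for part in claims.get("iss", "").split("/"):
        if len(part) == 36 and part.count("-") == 4:
            return part
    return None


def is_for_tenant(token: str, expected_tenant: str) -> bool:
    actual = token_tenant(jwt_claims(token))
    return actual is not None and actual.lower() == expected_tenant.lower()


def require_tenant(token: str, expected_tenant: str) -> dict:
    """Raise instead of silently using a token from a different tenant."""
    if not is_for_tenant(token, expected_tenant):
        actual = token_tenant(jwt_claims(token))
        raise RuntimeError(f"requested tenant {expected_tenant}, token is for {actual}")
    return jwt_claims(token)


def fake_jwt(payload: dict) -> str:
    # Constructed, unsigned sample token for demonstration only (alg "none").
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    header = enc({"alg": "none", "typ": "JWT"})
    return f"{header}.{enc(payload)}.sig"
```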