Get information about who installed a Microsoft Teams Bot App

We've built a bot application using Microsoft Bot Framework (C# & Azure) and used the Microsoft Teams Channel on dev.botframework.com to enable our bot on MS Teams using sideloading, but this bot is going to be a commercial one, so we need a way to make it accessible only to our customers.

  1. During the installation of the bot app on MS Teams, is there any event that is raised when someone installs our app where we can hook a redirection URL or a callback to receive the information on "who installed our app" (the user info, their team info, their company info, etc.)? I came across a commercial app, Microsoft Teams Jira Connector, but couldn't figure out how they commercialised it.

  2. The installation should be launched from within our application so that we can map the licensing, customer & team/tenant details together for an admin purchasing on behalf of their company.

What I've tried so far:

On the bot code end we're getting tenant_id, so I was searching for a way to retrieve similar info when the bot is added/installed to Microsoft Teams, but I've not been able to find much.

Thinking OAuth might help, as Slack uses it to provide access to a user's workspace information, I've tried OAuth 2.0 & v2.0 Protocols OAuth 2.0. I'm getting an access_token but don't see any APIs to call in order to get team/tenant information.

EDIT: If I could get tenant_id or their MS Teams information using OAuth and APIs, the process would become simple. It is as follows:

  1. In our website we will ask the user to click a button to grant access to their MS Teams using OAuth, and using the access_token we will get their MS Teams information and store it on our end, mapped to a particular company.

  2. When a user sends a message we will ask them to click an authenticate/activate license button in a card; if the team info coming from the user matches a record in our database, then he is a valid user and we activate a license.

Will Microsoft Graph API be useful here? The MS Teams developer API seems to be in development.

Please provide your suggestions on this.

In order to do authentication when we don't have individual user accounts on our system, but only the concept of a number of licenses and an admin user account for the company, the following approach can be followed:

  1. In our website, we will ask the company admin to click a button to grant access to their MS Teams using OAuth 2.0, and using the id_token (JWT token) retrieved we will get their MS Teams information and store it on our end, mapped to a particular company.

  2. When a user sends a message we will ask them to click an authenticate/activate license button in a card; if the team info coming from the user matches a record in our database, then he is a valid user and we activate a license.

Integrate with Microsoft Teams without individual user accounts

Step 1 ensures that we have our customer information (tenant id) in our database (this will be validated against the information coming from the actual bot user - their tenant id when they send a message to our bot).

Step 2 validates & activates the license of the user through the tenant id.

To do the OAuth 2.0 flow, the AuthBot sample code should be taken as a reference; you can also refer to OAuth 2.0 & v2.0 Protocols OAuth 2.0.

When the user grants access we will get an authorization code, which can be used to request an access token; from the response we can take the id_token (JWT token) and decode it to retrieve user information (https://jwt.io/).

Check the 'Successful response' and 'JWT Token Claims' sections in OAuth 2.0.

However, I see more cons than pros without individual user accounts, and I recommend having individual user accounts. After we put forth the pros and cons of 'having individual accounts' vs. 'not having', the product owners accepted having individual user accounts.

Due to the text length limitation of comments, apologies for posting this as an answer here; thanks for understanding.

As @bill-bliss-msft mentioned in a comment, there is an event when a bot is installed or removed, shown at https://msdn.microsoft.com/en-us/microsoft-teams/botevents#bot-or-user-added-to-a-team , but it doesn't contain user info.

For your scenario, the common idea is to authenticate the purchasing users when they are using your bot. There is a sample at https://github.com/MicrosoftDX/AuthBot/tree/master/AuthBot . You can get the access_token in the bot client and set it as the authentication header on your server requests.

The access_tokens are JWT tokens under the OAuth 2.0 flow, so you can directly decrypt this token in your backend server to get the info about your authenticated user.

Please refer to https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-tokens for a glance at the claims in the access_token for Azure AD. You can leverage the tenant ID property to authenticate users purchased by a team or group. I think there will be a similar property in other OAuth 2.0 servers if you are not using Azure AD.
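Both answers above come down to the same backend check: take the tenant id from the JWT and match it against the licence records stored in step 1. As an added example (not code from the question, the answers or the AuthBot sample), here is a Python sketch of that check that verifies the token before trusting its tid and oid claims; the signing key, client id and licence table are constructed stand-ins, and HS256 with a shared secret replaces Azure AD's RS256 keys so it runs offline.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

# Constructed stand-ins (not from the post): a demo signing key, the app's client id
# (the id_token audience) and the licence table our website filled in during step 1.
# Azure AD signs real tokens with RS256 keys from its jwks_uri; HS256 is for offline use only.
DEMO_KEY = b"demo-signing-key"
CLIENT_ID = "demo-client-id"
LICENSED_TENANTS = {"11111111-2222-3333-4444-555555555555": {"company": "Contoso", "seats": 5}}

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_demo_id_token(claims: dict) -> str:
    """Mint a constructed HS256 id_token so the verification path can be exercised."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(DEMO_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def verify_id_token(token: str, now: Optional[float] = None) -> dict:
    """Return the claims only after signature, audience, issuer and lifetime check out.
    Merely decoding the payload (what jwt.io does) proves nothing: anyone can write
    a payload naming a licensed tid, so the signature must be checked first."""
    header_b64, body_b64, sig_b64 = token.split(".")
    expected = hmac.new(DEMO_KEY, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body_b64))
    now = time.time() if now is None else now
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("token was not issued for this app")
    if claims.get("iss") != f"https://login.microsoftonline.com/{claims.get('tid')}/v2.0":
        raise ValueError("issuer does not match the tid claim")
    if not claims.get("nbf", 0) <= now < claims.get("exp", 0):
        raise ValueError("token expired or not yet valid")
    return claims

def activate_license(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Step 2: map the verified tenant id (tid) to a stored licence; None if unlicensed."""
    claims = verify_id_token(token, now)
    record = LICENSED_TENANTS.get(claims["tid"])
    if record is None:
        return None
    return {"company": record["company"], "user_oid": claims["oid"]}
```

In production, replace the HS256 check with signature verification against the issuer's published keys and keep the audience, issuer and lifetime checks exactly as shown.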
