Azure AD B2C 和 MS Teams 应用(机器人 + 选项卡)身份验证
[英]Azure AD B2C and MS Teams app (bot + tab) auth
问题描述
We are working on integrating our app with MS Teams using a Teams app with a bot and a tab and we are struggling with the authentication.
我们正在使用带有机器人和选项卡的 Teams 应用程序将我们的应用程序与 MS Teams 集成,我们正在努力进行身份验证。
Our scenario is:我们的场景是:
- We use Azure AD B2C for authentication to our app (using predefined user flows).我们使用 Azure AD B2C 对我们的应用进行身份验证(使用预定义的用户流)。
- We have different customers that use Azure AD (each one with its own Azure AD tenant).我们有不同的客户使用 Azure AD(每个客户都有自己的 Azure AD 租户)。 We created a custom identity provider that enables sign-in/sign up users to our app using their own Azure AD credentials.我们创建了一个自定义身份提供程序,使用户能够使用他们自己的 Azure AD 凭据登录/注册我们的应用程序。
- We created a bot channel registration using a "Generic Oauth 2" service provider to connect to our bot with Azure AD B2C.我们使用“通用 Oauth 2”服务提供程序创建了一个机器人通道注册,以使用 Azure AD B2C 连接到我们的机器人。
Our challenges are:我们的挑战是:
- Ideally, we want to implement SSO for our bot in Teams to allow our customers to be able to sign in to our app using their MS Teams credentials.理想情况下,我们希望在 Teams 中为我们的机器人实施 SSO,以允许我们的客户能够使用他们的 MS Teams 凭据登录我们的应用程序。 We managed to authenticate using
OAuthPromptfor Teams following this sample but the challenge we've seen is that the user needs to sign in every time that opens the bot (ie there refresh token is not working) and also we are not able to send a "domain_hint" query string to differentiate our customers.我们设法按照此示例使用OAuthPromptfor Teams 进行身份验证,但我们看到的挑战是用户每次打开机器人时都需要登录(即刷新令牌不起作用),而且我们无法发送“domain_hint”查询字符串来区分我们的客户。 - Ideally, we want the authentication to be handled using only one bot channel registration Probably it could be achieved by creating one channel registration for each customer but in the long-term, we'd need to create one bot for each customer and that could be difficult to maintain/avoiding our customers installing an App Registration on their Azure AD.理想情况下,我们希望只使用一个机器人通道注册来处理身份验证可能可以通过为每个客户创建一个通道注册来实现,但从长远来看,我们需要为每个客户创建一个机器人,这可能是难以维护/避免我们的客户在其 Azure AD 上安装应用程序注册。
Anyone had similar experiences dealing with MS Teams apps for multiple Azure AD tenants using Azure AD B2C?任何人都有过使用 Azure AD B2C 为多个 Azure AD 租户处理 MS Teams 应用程序的类似经历吗? How's the best way you recommend to handle this scenario?您推荐处理这种情况的最佳方法是什么?
Your help would be appreciated!您的帮助将不胜感激!
Thanks in advance!提前致谢!
2 个解决方案
解决方案1
1 已采纳 2021-07-16 16:07:37
If it helps to someone, after some research, we are doing the following for our scenario:如果它对某人有帮助,经过一些研究,我们正在为我们的场景执行以下操作:
For the SSO in the tabs, given the limitation of
OAuthPromptto don't refresh tokens (we don't want users to sign in every time the token expires) we are following this solution posted months ago https://github.com/igrep/example-teams-bot-with-ms-account-refresh-token .对于选项卡中的 SSO,鉴于OAuthPrompt限制不刷新令牌(我们不希望用户在每次令牌过期时都登录),我们遵循几个月前发布的此解决方案https://github.com/ igrep/example-teams-bot-with-ms-account-refresh-token 。For handling multiple Azure AD tenants within B2C, given that we are using predefined user flows and we need to build a custom sign-in for our scenario, we are going to pass the get and pass the
domain_hintfrom MS Teams to Azure AD B2C.为了在 B2C 中处理多个 Azure AD 租户,假设我们正在使用预定义的用户流并且我们需要为我们的场景构建自定义登录,我们将传递 get 并将domain_hint从 MS Teams 传递到 Azure AD B2C。
解决方案2
0 2021-07-12 17:02:20
- To implement SSO, please go through Add single sign on to a bot and also you can refer the code base in Expert Finder app template and it has implemented the same bot sign-in functionality and it is working fine.要实现 SSO,请通过向机器人添加单点登录,您也可以参考Expert Finder应用程序模板中的代码库,它已经实现了相同的机器人登录功能,并且运行良好。
- Could you please take a look at multiple Azure AD tenants using Azure AD B2C for configuring multi tenant AD B2C.您能否查看使用 Azure AD B2C 配置多租户 AD B2C 的多个 Azure AD 租户。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.