Bot Framework v4 bot authentication using Subject Name/Issuer
This bot has been created using Bot Framework, is shows how to use the bot authentication capabilities of Azure Bot Service. In this sample, we use a local or KeyVault certificate and the MSAL Subject Name/Issuer configuration to create the Bot Framework Authentication.
-
.NET SDK version 6.0
# determine dotnet version dotnet --version
-
Clone the repository
git clone https://github.com/microsoft/botbuilder-samples.git
-
Set app settings variables
-
MicrosoftAppType: Type of the App.
-
MicrosoftAppId: App Id of your bot.
-
MicrosoftAppTenantId: Tenant Id to which your bot belongs.
-
KeyVaultName: Name of the KeyVault containing the certificate.
-
CertificateName: Name of the certificate in the KeyVault.
-
-
Run the bot from a terminal or from Visual Studio:
A) From a terminal, navigate to
samples/csharp_dotnetcore/85.bot-authentication-sni# run the bot dotnet runB) Or from Visual Studio
- Launch Visual Studio
- File -> Open -> Project/Solution
- Navigate to
samples/csharp_dotnetcore/85.bot-authentication-snifolder - Select
AuthSNIBot.csprojfile - Press
F5to run the project
Bot Framework Emulator is a desktop application that allows bot developers to test and debug their bots on localhost or running remotely through a tunnel.
- Install the latest Bot Framework Emulator from here
- Launch Bot Framework Emulator
- File -> Open Bot
- Enter a Bot URL of
http://localhost:3978/api/messages
This sample uses the bot authentication capabilities of Azure Bot Service, providing features to make it easier to develop a bot that authenticates users using digital security certificates. You just need to provide the certificate data linked to the managed identity and run the bot, then communicate with it to validate its correct authentication.
An SSL/TLS certificate is a digital object that allows systems to verify identity and subsequently establish an encrypted network connection with another system using the Secure Sockets Layer/Transport Layer Security (SSL/TLS) protocol. Certificates are issued using a cryptographic system known as public key infrastructure (PKI). PKI allows one party to establish the identity of another through the use of certificates if they both trust a third party, known as a certificate authority. SSL/TLS certificates therefore function as digital identity documents that protect network communications and establish the identity of websites on the Internet as well as resources on private networks.
There are two possible options to create SSL/TSL certificate. Below is a step-by-step description of each one:
- Run the following command in a local PowerShell
$cert = New-SelfSignedCertificate -CertStoreLocation "<directory-to-store-certificate>" -Subject "CN=<certificate-name>" -KeySpec KeyExchange
-
Then, type Manage User Certificates in the Windows search bar and hit enter
-
The certificate will be located in the user certificates folder, under personal directory.
-
Export the certificate to pfx format including the key(The default location is system32 folder).
-
Go to the certificate location and run the following command to generate a pem file:
OpenSSL pkcs12 -in <certificate-name>.pfx -out c:\<certificate-name>.pem –nodes
- Upload the generated certificate to the Azure app registration.
-
Create a KeyVault resource and assign the KeyVault Administrator role to have permission to create a new certificate.
-
Under the Certificates section, hit on Generate/Import, complete the form, and create the certificate in PEM format.
-
Go to the details of the certificate that you created and enable it.
-
Download the certificate in CER format and then upload it to the Azure app registration.
To learn more about deploying a bot to Azure, see Deploy your bot to Azure for a complete list of deployment instructions.