feat: Support Single Tenant authentication through BotFramework-Emula…

…tor (#4643) * use dynamic creation of issuer with tenant id * include documentation and tid validation * use valid token issuer Url template * format lint issues * use auth constants to get payload values * fix lint issues
microsoft · Apr 16, 2024 · 0b1d958 · 0b1d958
1 parent 2f45467
commit 0b1d958
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 1 deletion.
diff --git a/libraries/botframework-connector/src/auth/authenticationConstants.ts b/libraries/botframework-connector/src/auth/authenticationConstants.ts
@@ -172,6 +172,11 @@ export namespace AuthenticationConstants {
      */
     export const ServiceUrlClaim = 'serviceurl';
 
+    /**
+     * Tenant ID claim name. As used in Microsoft AAD tokens.
+     */
+    export const TenantIdClaim = 'tid';
+
     /**
      * AppId used for creating skill claims when there is no appId and password configured.
      */

diff --git a/libraries/botframework-connector/src/auth/emulatorValidation.ts b/libraries/botframework-connector/src/auth/emulatorValidation.ts
@@ -69,12 +69,29 @@ export namespace EmulatorValidation {
         }
 
         // Is there an Issuer?
-        const issuer: string = token.payload.iss;
+        const issuer: string = token.payload[AuthenticationConstants.IssuerClaim];
         if (!issuer) {
             // No Issuer, means it's not from the Emulator.
             return false;
         }
 
+        //Validation to manage the issuer object as a string.
+        if (Array.isArray(ToBotFromBotOrEmulatorTokenValidationParameters.issuer)) {
+            const tenantId = token?.payload[AuthenticationConstants.TenantIdClaim] ?? '';
+
+            //Validate if there is an existing issuer with the same tid value.
+            if (
+                tenantId != '' &&
+                ToBotFromBotOrEmulatorTokenValidationParameters.issuer.find((issuer) => issuer.includes(tenantId)) ==
+                    null
+            ) {
+                //If the issuer doesn't exist, this is added using the Emulator token issuer structure.
+                //This allows use of the SingleTenant authentication through Emulator.
+                const newIssuer = AuthenticationConstants.ValidTokenIssuerUrlTemplateV1 + `${tenantId}/`;
+                ToBotFromBotOrEmulatorTokenValidationParameters.issuer.push(newIssuer);
+            }
+        }
+
         // Is the token issues by a source we consider to be the emulator?
         if (
             ToBotFromEmulatorTokenValidationParameters.issuer &&