Merge pull request #841 from Microsoft/ming/tenantAuthNode

Allow user to specify bot to channel token tenant
microsoft · Apr 10, 2019 · d0a01bd · d0a01bd
2 parents b537724 + e1317be
commit d0a01bd
Show file tree

Hide file tree

Showing 4 changed files with 38 additions and 3 deletions.
diff --git a/libraries/botbuilder/src/botFrameworkAdapter.ts b/libraries/botbuilder/src/botFrameworkAdapter.ts
@@ -41,6 +41,12 @@ export interface BotFrameworkAdapterSettings {
      * Password assigned to your bot in the [Bot Framework Portal](https://dev.botframework.com/).
      */
     appPassword: string;
+
+    /**
+     * (Optional) The OAuth API Endpoint for your bot to use.
+     */
+    channelAuthTenant?: string;
+
     /**
      * (Optional) The OAuth API Endpoint for your bot to use.
      */
@@ -129,7 +135,7 @@ export class BotFrameworkAdapter extends BotAdapter implements IUserTokenProvide
     constructor(settings?: Partial<BotFrameworkAdapterSettings>) {
         super();
         this.settings = { appId: '', appPassword: '', ...settings };
-        this.credentials = new MicrosoftAppCredentials(this.settings.appId, this.settings.appPassword || '');
+        this.credentials = new MicrosoftAppCredentials(this.settings.appId, this.settings.appPassword || '', this.settings.channelAuthTenant);
         this.credentialsProvider = new SimpleCredentialProvider(this.credentials.appId, this.credentials.appPassword);
         this.isEmulatingOAuthCards = false;
         if (this.settings.openIdMetadata) {

diff --git a/libraries/botframework-connector/src/auth/constants.ts b/libraries/botframework-connector/src/auth/constants.ts
@@ -8,9 +8,26 @@
 export namespace Constants {
     /**
      * TO CHANNEL FROM BOT: Login URL
+     * 
+     * DEPRECATED: DO NOT USE
      */
     export const ToChannelFromBotLoginUrl = 'https://login.microsoftonline.com/botframework.com/oauth2/v2.0/token';
 
+    /**
+     * TO CHANNEL FROM BOT: Login URL prefix
+     */
+    export const ToChannelFromBotLoginUrlPrefix = 'https://login.microsoftonline.com/';
+
+    /**
+     * TO CHANNEL FROM BOT: Login URL token endpoint path
+     */
+    export const ToChannelFromBotTokenEndpointPath = '/oauth2/v2.0/token';
+
+    /**
+     * TO CHANNEL FROM BOT: Default tenant from which to obtain a token for bot to channel communication
+     */
+    export const DefaultChannelAuthTenant = 'botframework.com';
+
     /**
      * TO CHANNEL FROM BOT: OAuth scope to request
      */

diff --git a/libraries/botframework-connector/src/auth/microsoftAppCredentials.ts b/libraries/botframework-connector/src/auth/microsoftAppCredentials.ts
@@ -28,14 +28,18 @@ export class MicrosoftAppCredentials implements msrest.ServiceClientCredentials
     public appPassword: string;
     public appId: string;
 
-    public oAuthEndpoint: string = Constants.ToChannelFromBotLoginUrl;
+    public oAuthEndpoint: string;
     public oAuthScope: string = Constants.ToChannelFromBotOAuthScope;
     public readonly tokenCacheKey: string;
     private refreshingToken: Promise<Response> | null = null;
 
-    constructor(appId: string, appPassword: string) {
+    constructor(appId: string, appPassword: string, channelAuthTenant?: string) {
         this.appId = appId;
         this.appPassword = appPassword;
+        const tenant = channelAuthTenant && channelAuthTenant.length > 0
+            ? channelAuthTenant
+            : Constants.DefaultChannelAuthTenant;
+        this.oAuthEndpoint = Constants.ToChannelFromBotLoginUrlPrefix + tenant + Constants.ToChannelFromBotTokenEndpointPath;
         this.tokenCacheKey = `${ appId }-cache`;
     }
 

diff --git a/libraries/botframework-connector/tests/auth.test.js b/libraries/botframework-connector/tests/auth.test.js
@@ -63,6 +63,14 @@ describe('Bot Framework Connector - Auth Tests', function () {
                 assert(MicrosoftAppCredentials.isTrustedServiceUrl('https://smba.trafficmanager.net/amer-client-ss.msg/'));
             });
 
+            it('Obtain MsaHeader from a user specified tenant', async () => {
+                const tokenGenerator = new MicrosoftAppCredentials('2cd87869-38a0-4182-9251-d056e8f0ac24', '2.30Vs3VQLKt974F', 'microsoft.com');
+                const header = `Bearer ${ await tokenGenerator.getToken(true) }`;
+                const credentials = new SimpleCredentialProvider('2cd87869-38a0-4182-9251-d056e8f0ac24', '');
+                const claims = await JwtTokenValidation.authenticateRequest({ serviceUrl: 'https://smba.trafficmanager.net/amer-client-ss.msg/' }, header, credentials, undefined);
+                assert(claims.getClaimValue("tid") == '72f988bf-86f1-41af-91ab-2d7cd011db47');
+            });
+
             it('MsaHeader with invalid ServiceUrl should not be trusted', async () => {
                 const tokenGenerator = new MicrosoftAppCredentials('2cd87869-38a0-4182-9251-d056e8f0ac24', '2.30Vs3VQLKt974F');
                 const header = `Bearer ${ await tokenGenerator.getToken(true) }`;