MS TEAMS Chatbot: Can I restrict my MS Botframework Chatbot to only work with my MS Teams Tenant ID without requiring additional Authentication

Views: 96

Problem description

We have created a FAQ chatbot using MS Botframework V4, QnA Maker and LUIS. The client's information security team suspects that if anyone gets hold of the MicrosoftAppId of the chatbot, they would be able to publish the chatbot on any other MS Teams subscription, causing a security threat.

Condition: The client is not in favor of adding an extra authentication prompt where users would have to log in despite already being logged in to MS Teams.

Having read the problem statement, could anyone please help me with a technique/methodology by which we can restrict the chatbot to be usable only from the client organization's MS Teams, without any additional authentication login prompt asking the user to sign in?

Thanks in advance

Recommended answer

Please read my blog post about how bot communications work to get an understanding of the request-response process. As it explains, although the response looks kind of "synchronous" from the bot, it's actually not, and is sent via a reply to the Bot Framework service itself. In order to do this, your bot code (dotnet, node, whatever) actually needs TWO things - the app id AND the app password - in order to authenticate itself internally. Without these, no one can run another bot on your behalf, even on that same id. Note that this is a 'regular' bot scenario, and does NOT require the user to actually sign in to the bot in any way (that is only required if you want to, for example, access resources on the Graph on the user's behalf, like fetching a file from SharePoint Online).

Separately, but perhaps related, if someone DID have your app id, they could possibly register an app that would result in more messages coming TO your bot (a kind of "DOS" attack, if you like), but that still wouldn't enable them to 'act as' your bot, as mentioned above. [Update: Note that your bot would still end up responding to these messages, as it wouldn't know it wasn't your own Teams app. I'd struggle to understand why someone might want to do that, though. No one would be able to develop and host a bot that impersonated your bot, however - they would need (a) your app password and (b) to change the registered endpoint where you host your bot, in the Bot Framework.]

So, albeit that the app id alone is not enough, you should of course try to protect it (e.g. KeyVault), and all the more so with the app password.

On a separate note, it is also possible to restrict your bot to only being used from a single (or restricted set of) tenants. Please see my answer at MS Teams app manifest file Tenant restriction.
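As an added example (not code from the original answer, nor from the Bot Framework SDK or the asker's project), the following shows what a tenant allowlist looks like when enforced inside the bot itself, in the `onTurn(context, next)` middleware shape that botbuilder v4 uses. It assumes the Bot Framework Activity schema: on the `msteams` channel Teams carries the tenant id in `activity.channelData.tenant.id`, and newer SDKs also expose it as `activity.conversation.tenantId`. The tenant ids, user ids and sample activities are constructed placeholders; `TenantRestrictionMiddleware`, `evaluateActivity`, `tenantIdOf` and `runSamples` are names chosen for this example.

```javascript
// Added example: tenant allowlist enforced as Bot Framework v4 style middleware.
// Assumed activity shape: Bot Framework Activity schema; on the "msteams"
// channel the tenant id is at channelData.tenant.id (newer SDKs also set
// conversation.tenantId). All ids below are constructed placeholders.

const ALLOWED_TENANT_IDS = new Set([
  "00000000-0000-0000-0000-000000000001", // placeholder: the client's tenant id
]);

// Extract the Teams tenant id from an activity, or null if it is absent.
function tenantIdOf(activity) {
  const fromChannelData =
    activity.channelData && activity.channelData.tenant && activity.channelData.tenant.id;
  const fromConversation = activity.conversation && activity.conversation.tenantId;
  return fromChannelData || fromConversation || null;
}

// Decide whether an activity may reach the bot's handlers. Returns an object
// rather than a bare boolean so the rejection reason can be logged.
function evaluateActivity(activity, allowed = ALLOWED_TENANT_IDS) {
  if (activity.channelId !== "msteams") {
    return { allowed: false, reason: `channel ${activity.channelId} is not Teams` };
  }
  const tenantId = tenantIdOf(activity);
  if (tenantId === null) {
    return { allowed: false, reason: "no tenant id on a Teams activity" };
  }
  if (!allowed.has(tenantId)) {
    return { allowed: false, reason: `tenant ${tenantId} is not on the allowlist` };
  }
  return { allowed: true, reason: "tenant on allowlist", tenantId };
}

// Middleware with the onTurn(context, next) shape botbuilder expects.
// Register it before any handlers: adapter.use(new TenantRestrictionMiddleware()).
// A rejected turn never reaches the bot; the warning line is the detection hook.
class TenantRestrictionMiddleware {
  constructor(allowed = ALLOWED_TENANT_IDS, log = console) {
    this.allowed = allowed;
    this.log = log;
  }

  async onTurn(context, next) {
    const verdict = evaluateActivity(context.activity, this.allowed);
    if (!verdict.allowed) {
      const sender = context.activity.from && context.activity.from.id;
      this.log.warn(`dropping activity from ${sender}: ${verdict.reason}`);
      return; // not calling next() ends the pipeline for this turn
    }
    await next();
  }
}

// Constructed sample activities (not captured from a real Teams tenant).
const SAMPLE_ACTIVITIES = {
  clientTenant: {
    type: "message", channelId: "msteams", text: "hello",
    from: { id: "29:user-a" },
    channelData: { tenant: { id: "00000000-0000-0000-0000-000000000001" } },
  },
  otherTenant: {
    type: "message", channelId: "msteams", text: "hello",
    from: { id: "29:user-b" },
    channelData: { tenant: { id: "00000000-0000-0000-0000-00000000beef" } },
  },
  conversationOnly: { // tenant id present only on the conversation object
    type: "message", channelId: "msteams", text: "hello",
    from: { id: "29:user-c" },
    conversation: { id: "conv-1", tenantId: "00000000-0000-0000-0000-000000000001" },
  },
  webchat: { type: "message", channelId: "webchat", text: "hello", from: { id: "dl-user" } },
};

// Run the checker over the samples; returns a name -> allowed map.
function runSamples() {
  const results = {};
  for (const [name, activity] of Object.entries(SAMPLE_ACTIVITIES)) {
    const verdict = evaluateActivity(activity);
    results[name] = verdict.allowed;
    console.log(`${name}: ${verdict.allowed ? "ALLOW" : "DROP"} (${verdict.reason})`);
  }
  return results;
}

runSamples();
```

This check is complementary to, not a replacement for, the two controls the answer describes: the SDK's own validation of the app id and app password on every inbound request, and the tenant restriction in the Teams app manifest. It does not stop foreign-tenant traffic from reaching the endpoint (the answer's "DOS"-style caveat still applies), but it keeps the bot from answering it and gives you a log line to alert on.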
