3
votes

I'm getting an Unauthorized error when trying to send a message from the Azure Bot channel to the API. I have deployed the Azure app and Bot channel with Pulumi. In the Azure application I noticed that there is a warning in the Authentication section about Implicit Grant.

Implicit Grant

If I disable the Implicit Grant setting from the Azure portal, then the Bot channel works fine. I'm creating the Azure application with default settings as per the Pulumi documentation, but there is no option to remove this Implicit Grant setting.

I have created the Azure application and Bot channel with Pulumi using this link:

using Pulumi;
using Pulumi.Azure.Bot;
using Pulumi.Azure.Core;
using AzureAD = Pulumi.AzureAD;

// Azure AD app registration; its ApplicationId becomes the bot's Microsoft App ID
public static AzureAD.Application Create()
{
    var name = "app-name";
    var azureApp = new AzureAD.Application(name, new AzureAD.ApplicationArgs
    {
        Name = name
        // Tried combinations of the following lines, but it makes no difference
        //, Type = "native"
        //, Oauth2AllowImplicitFlow = false
    });
    
    CreatePrincipal(azureApp);
    
    return azureApp;
}
    
// Service principal for the app registration in this tenant
private static void CreatePrincipal(AzureAD.Application azureApp)
{
    var name = "app-principal";
    new AzureAD.ServicePrincipal(name, new AzureAD.ServicePrincipalArgs
    {
        ApplicationId = azureApp.ApplicationId
    });
}

// Bot Channels Registration tied to the app above and pointing at the Azure Function endpoint
public static ChannelsRegistration Create(ResourceGroup resourceGroup, AzureAD.Application teamsBotAzureApp)
{
    var channelName = "Channel";
    var channel = new ChannelsRegistration(channelName, new ChannelsRegistrationArgs
    {
        Location = "global",
        ResourceGroupName = resourceGroup.Name,
        Sku = "F0",
        MicrosoftAppId = teamsBotAzureApp.ApplicationId,
        Endpoint = "https://azurefunction.com/api/BotMessagesHandler"
    });
    
    // CreateChannel is not shown in the question
    CreateChannel(resourceGroup, channel);
    
    return channel;
}

1
When a channel calls your bot, it sends along an Authentication header with a Bearer token. The process of how to validate and verify this token is explained here: docs.microsoft.com/azure/bot-service/rest-api/… – Eric Dahlvang
I know little about implicit grant, but from a cursory reading it does not look like it would work for a bot. My understanding is that an implicit grant flow is an exchange between receiver and caller. The channel services calling your bot are not configured for this type of exchange; they are set up to send and receive JWT Bearer tokens as explained above. Something you could maybe do is separate the front end from the bot backend, and publish them separately. – Eric Dahlvang
All of that said, if you are only targeting the Direct Line channel, the App Service Extension might allow the implicit grant flow, since it is an App Service Extension and runs within the context of your app, which can even be isolated within a VNET. More information can be found here: docs.microsoft.com/azure/bot-service/… – Eric Dahlvang
You disabled Implicit Grant from the Azure portal and then the Bot channel works fine, so what is your question? – Joy Wang-MSFT
@JoyWang, as I'm doing it with Pulumi, I don't want to do it manually. – Muhammad Atif

1 Answer

1
votes

In Azure AD, the Implicit Grant setting is controlled by parameters in the Manifest (you can also set them in the UI, and they will then be changed in the manifest): Access tokens corresponds to oauth2AllowImplicitFlow, and ID tokens corresponds to oauth2AllowIdTokenImplicitFlow.

If you create the app with Pulumi, you can set Oauth2AllowImplicitFlow = false to disable Access tokens, but it looks like there is no oauth2AllowIdTokenImplicitFlow in the Pulumi inputs, so you cannot disable ID tokens via Pulumi.

You could try the workarounds below.

1. The warning says "You should remove these settings or register the appropriate redirect URI". So you could try to create the app with a redirect URI (i.e. ReplyUrls) with code like the following, and see if it works without disabling ID tokens.

ReplyUrls =
{
    "https://replyurl",
}

2. If that is acceptable, you could use the Microsoft Graph SDK to update the application after creating it. Set enableIdTokenIssuance to false in implicitGrantSettings of the web property; then ID tokens will be disabled.
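A worked version of step 2, added here as an example and not code from the question or the answer: after Pulumi has created the app registration, a small console program uses the Microsoft Graph SDK (assumed to be Microsoft.Graph 4.x, with Azure.Identity for the credential) to patch web.implicitGrantSettings.enableIdTokenIssuance and then reads the setting back to confirm the change. The tenant id, client id, client secret and the bot's appId are assumed to come from the environment variables named in the code.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Azure.Identity;
using Microsoft.Graph;

// Added example (not from the question or answer). Assumes Microsoft.Graph 4.x
// and Azure.Identity; tenant, client id, secret and the bot's appId are assumed
// to be supplied via the environment variables named below.
public static class ImplicitGrantFixer
{
    // Finds the app registration by appId (what Pulumi exposes as ApplicationId),
    // turns off ID-token issuance for the implicit grant, and returns the value
    // read back from Graph so the caller can confirm it actually changed.
    public static async Task<bool?> DisableIdTokenIssuanceAsync(GraphServiceClient graph, string appId)
    {
        // appId is not the directory object id, so look the object up by filter.
        var page = await graph.Applications.Request().Filter($"appId eq '{appId}'").GetAsync();
        var app = page.FirstOrDefault()
            ?? throw new InvalidOperationException($"No application with appId {appId}");

        // PATCH only the nested setting; every other property is left untouched.
        var patch = new Application
        {
            Web = new WebApplication
            {
                ImplicitGrantSettings = new ImplicitGrantSettings { EnableIdTokenIssuance = false }
            }
        };
        await graph.Applications[app.Id].Request().UpdateAsync(patch);

        // Re-read rather than trusting a silent success.
        var updated = await graph.Applications[app.Id].Request().Select("id,web").GetAsync();
        return updated.Web?.ImplicitGrantSettings?.EnableIdTokenIssuance;
    }

    public static async Task Main()
    {
        // Client-credentials sign-in; the caller needs the Application.ReadWrite.All permission.
        var credential = new ClientSecretCredential(
            Environment.GetEnvironmentVariable("AZURE_TENANT_ID"),
            Environment.GetEnvironmentVariable("AZURE_CLIENT_ID"),
            Environment.GetEnvironmentVariable("AZURE_CLIENT_SECRET"));
        var graph = new GraphServiceClient(credential, new[] { "https://graph.microsoft.com/.default" });

        var value = await DisableIdTokenIssuanceAsync(graph, Environment.GetEnvironmentVariable("BOT_APP_ID"));
        Console.WriteLine($"web.implicitGrantSettings.enableIdTokenIssuance = {value}");
    }
}
```

Running this once after `pulumi up` leaves the Pulumi-managed resources untouched, since Pulumi does not track the implicit grant ID-token setting it cannot express.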