port: Managed Identity (MSI) + Single Tenant support for Bot apps (#5829) #3906

@github-actions

The changes in Managed Identity (MSI) + Single Tenant support for Bot apps (#5829) may need to be ported to maintain parity with microsoft/botbuilder-dotnet.

Fixes #5830

Description

  • Enable Azure's Managed Identity (MSI) for bot apps, so that bot authors don't have to manage app secrets.
  • Support for hosting bots as single tenant apps, which enables acquiring AAD access tokens from the bot's host tenant instead of the botframework.com tenant.

Below are the three ways a bot app can now be hosted:

1. Multi-Tenant (Default):

{
  "MicrosoftAppId": "",
  "MicrosoftAppPassword": ""
}

2. Single Tenant:

{
  "MicrosoftAppType": "SingleTenant",
  "MicrosoftAppId": "",
  "MicrosoftAppPassword": "",
  "MicrosoftAppTenantId": ""
}

3. Managed Identity (MSI):

{
  "MicrosoftAppType": "UserAssignedMSI",
  "MicrosoftAppId": "",
  "MicrosoftAppTenantId": ""
}

Specific Changes

  • Added classes for Managed Identity credentials management and token acquisition.
  • Updated ConfigurationServiceClientCredentialFactory to instantiate the appropriate credential mechanism (MultiTenant/SingleTenant/MSI) based on appsettings.
  • Added the bot's host tenant as a valid JWT token issuer since the tokens will be issued from the host tenant when using SingleTenant/MSI hosting model. This was done by adding a property to the AuthenticationConfiguration class which would be used in the skills scenarios.
  • Added an overload in PasswordServiceClientCredentialsFactory to accept TenantId which can be used to acquire token using the bot's host tenant for SingleTenant scenario.

Testing

The following scenarios were verified:

1. Bot to Channel scenarios:

  • MultiTenant
  • SingleTenant
  • MSI

2. Bot to bot (skills) scenarios:

                    MultiTenant Skill   SingleTenant Skill   MSI Skill
MultiTenant Host    Y                   -                    -
SingleTenant Host   -                   Y                    Y
MSI Host            -                   Y                    Y

NOTE: When one of the bots is MultiTenant, the other cannot be SingleTenant/MSI since the token acquisition by the MultiTenant bot will fail due to not being able to find the SingleTenant/MSI bot resource registered in the `botframework.com` tenant. So, those scenarios are not supported.

Please review and, if necessary, port the changes.
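As an added illustration (not botbuilder-js or botbuilder-dotnet code) of the three hosting models, the credential-selection change in ConfigurationServiceClientCredentialFactory, and the host-tenant issuer change described above, the TypeScript below resolves the hosting model from appsettings-style values, rejects inconsistent settings (for example a stored password under MSI), derives the JWT issuers that model should accept, and encodes the skill support matrix from the testing table. The function names, the BOTFRAMEWORK_ISSUERS list and the error messages are assumptions; the host-tenant issuer strings use the standard AAD v1 and v2 formats.

```typescript
// Added example (not SDK code): pick the hosting model from appsettings and derive accepted issuers.
type AppType = 'MultiTenant' | 'SingleTenant' | 'UserAssignedMSI';

interface BotAppSettings {
  MicrosoftAppType?: string;
  MicrosoftAppId?: string;
  MicrosoftAppPassword?: string;
  MicrosoftAppTenantId?: string;
}

interface CredentialConfig {
  appType: AppType;
  appId: string;
  tenantId?: string;
  allowedIssuers: string[];
}

// Constructed stand-in for the SDK's channel-token issuer list (botframework.com tenant).
const BOTFRAMEWORK_ISSUERS = ['https://api.botframework.com'];

// Standard AAD v1 and v2 issuer formats for the bot's host tenant.
function hostTenantIssuers(tenantId: string): string[] {
  return [`https://sts.windows.net/${tenantId}/`, `https://login.microsoftonline.com/${tenantId}/v2.0`];
}

function resolveCredentialConfig(s: BotAppSettings): CredentialConfig {
  const appType = (s.MicrosoftAppType ?? 'MultiTenant') as AppType; // MultiTenant is the default model
  const appId = s.MicrosoftAppId ?? '';
  const tenantId = s.MicrosoftAppTenantId;
  if (!appId) throw new Error('MicrosoftAppId is required');
  switch (appType) {
    case 'MultiTenant':
      if (!s.MicrosoftAppPassword) throw new Error('MultiTenant requires MicrosoftAppPassword');
      return { appType, appId, allowedIssuers: [...BOTFRAMEWORK_ISSUERS] };
    case 'SingleTenant':
      if (!s.MicrosoftAppPassword || !tenantId) throw new Error('SingleTenant requires MicrosoftAppPassword and MicrosoftAppTenantId');
      return { appType, appId, tenantId, allowedIssuers: [...BOTFRAMEWORK_ISSUERS, ...hostTenantIssuers(tenantId)] };
    case 'UserAssignedMSI':
      // MSI tokens come from the managed identity endpoint, so a stored secret is a misconfiguration.
      if (s.MicrosoftAppPassword) throw new Error('UserAssignedMSI must not carry MicrosoftAppPassword');
      if (!tenantId) throw new Error('UserAssignedMSI requires MicrosoftAppTenantId');
      return { appType, appId, tenantId, allowedIssuers: [...BOTFRAMEWORK_ISSUERS, ...hostTenantIssuers(tenantId)] };
    default:
      throw new Error(`Unknown MicrosoftAppType: ${appType}`);
  }
}

// Skill-call support matrix from the testing table: MultiTenant pairs only with MultiTenant.
function skillScenarioSupported(host: AppType, skill: AppType): boolean {
  return host === 'MultiTenant' ? skill === 'MultiTenant' : skill !== 'MultiTenant';
}
```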

Labels

  • ExemptFromDailyDRIReport: use this label to exclude the issue from the DRI report.
  • P0: must fix, release-blocker.
  • parity: the issue describes a gap in parity between two or more platforms.
