microsoft
diff --git a/‎samples/basic/authorization/README.md
Lines changed: 144 additions & 0 deletions b/‎samples/basic/authorization/README.md
Lines changed: 144 additions & 0 deletions
diff --git a/‎samples/basic/authorization/dotnet/AuthorizationExamples.sln
Lines changed: 31 additions & 0 deletions b/‎samples/basic/authorization/dotnet/AuthorizationExamples.sln
Lines changed: 31 additions & 0 deletions
diff --git a/‎samples/basic/authorization/dotnet/AutoSignIn/AuthAgent.cs
Lines changed: 187 additions & 0 deletions b/‎samples/basic/authorization/dotnet/AutoSignIn/AuthAgent.cs
Lines changed: 187 additions & 0 deletions
diff --git a/‎samples/basic/authorization/dotnet/AutoSignIn/AutoSignIn.csproj
Lines changed: 13 additions & 0 deletions b/‎samples/basic/authorization/dotnet/AutoSignIn/AutoSignIn.csproj
Lines changed: 13 additions & 0 deletions
@@ -0,0 +1,144 @@
+# User Authorization Samples
+
+These Samples demonstrate 3 methods of acquiring User tokens from inside an agent.  Each method has specific use cases where they can be applied.
+
+| Type of Authorization Flow | Sample Name | Description
+|----------------------------|-------------|----------------------------------------------------
+| Automatic Sign In| AutoSignIn | This sample demonstrates the use of the AgentSDK's built in Automatic Sign in Flow.  This Flow triggers anytime a message request is submitted ot the Agent.
+| Manual Sign In| ManualSignIn | This sample demonstrates the use of an on-demand login request. This request only logs in if the user or code requests it.
+| On Behalf of| OBOSignIn | This Sample utilizes the Automatic Sign In and Token Exchange.
+
+# User Authorization Samples General Setup
+
+>[!Warning]
+> It's important you follow these instructions prior to running the samples as this contains the common setup needed by all samples.
+
+These Samples use the OAuth capabilities in [Azure Bot Service](https://docs.botframework.com), providing features to make it easier to develop a bot that authorizes users to various identity providers such as Entria ID (formally Azure Active Directory), GitHub, Uber, etc.
+
+These samples are designed to work through Azure Bot Services and are not intended to work with the Bot Framework Emulator or Teams Test Tool at this time.
+## Prerequisites
+
+Access and Software
+- [.Net](https://dotnet.microsoft.com/en-us/download/dotnet/8.0) version 8.0
+- [dev tunnel](https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/get-started?tabs=windows)
+- Access to create Registrations on Azure Bot Service
+- Access to create Entra ID Application Registrations
+- (Optional) Access to deploy M365\Teams Applications
+
+### Setup Entra Applications 
+
+For these samples you will need to create two Entra ID Application Registrations.  
+- Agent Application Identity
+  - This identity will be used by your Agent and Azure Bot Services to Communicate with each other
+- User Application Identity
+  - This is used as the broker application that will be used for end user authentication, API permissions and provide the token for the user to the Agent.
+
+#### Create the Agent Application Identity
+
+You if you have an exiting Bot Service Agent Registration that you want to reuse and you have the Application(client) ID, Tenant ID, and Client Secret, you can skip this step.  Otherwise, follow the steps below to create a new Agent Application Registration.
+
+For the purposes of local development we will use an application registration that is registered in the same tenant as the Azure Bot Service.  This is not a requirement, but it does make local development easier. We will also 
+1. Create a new Entra ID Application Registration
+1. Go to the [Azure Portal](https://portal.azure.com)
+1. Select **Microsoft Entra ID** from the Azure Services List
+1. Select **App registrations** in the left menu
+   - Name: `AgentApp`
+   - Supported Account Types: `Accounts in this organizational directory only (Single tenant)`
+   - Click **Register**
+   - Record the Agent Application ID (Client ID) and Directory (Tenant ID) for use below
+   - Click **Authentication** in the left menu
+   - 
+
+- ## Prerequisites
+
+-  [.Net](https://dotnet.microsoft.com/en-us/download/dotnet/8.0) version 8.0
+-  [dev tunnel](https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/get-started?tabs=windows)
+
+## Running this sample
+
+1. [Create an Azure Bot](https://aka.ms/AgentsSDK-CreateBot)
+   - Record the Application ID, the Tenant ID, and the Client Secret for use below
+
+1. [Add OAuth to your bot](https://aka.ms/AgentsSDK-AddAuth)
+
+1. Configuring the token connection in the Agent settings
+   > The instructions for this sample are for a SingleTenant Azure Bot using ClientSecrets.  The token connection configuration will vary if a different type of Azure Bot was configured.  For more information see [DotNet MSAL Authentication provider](https://aka.ms/AgentsSDK-DotNetMSALAuth)
+
+   1. Open the `appsettings.json` file in the root of the sample project.
+
+   1. Find the section labeled `Connections`,  it should appear similar to this:
+
+      ```json
+      "ConnectionName": "{{ConnectionName}}",
+   
+      "TokenValidation": {
+        "Audiences": [
+          "{{ClientId}}" // this is the Client ID used for the Azure Bot
+        ],
+        "TenantId": "{{TenantId}}"
+      },
+
+      "Connections": {
+          "ServiceConnection": {
+          "Assembly": "Microsoft.Agents.Authentication.Msal",
+          "Type":  "MsalAuth",
+          "Settings": {
+              "AuthType": "ClientSecret", // this is the AuthType for the connection, valid values can be found in Microsoft.Agents.Authentication.Msal.Model.AuthTypes.  The default is ClientSecret.
+              "AuthorityEndpoint": "https://login.microsoftonline.com/{{TenantId}}",
+              "ClientId": "{{ClientId}}", // this is the Client ID used for the connection.
+              "ClientSecret": "00000000-0000-0000-0000-000000000000", // this is the Client Secret used for the connection.
+              "Scopes": [
+                "https://api.botframework.com/.default"
+              ]
+          }
+      }
+      ```
+
+      1. Replace all **{{ClientId}}** with the AppId of the bot.
+      1. Replace all **{{TenantId}}** with the Tenant Id where your application is registered.
+      1. Set the **ClientSecret** to the Secret that was created for your identity.
+      
+      > Storing sensitive values in appsettings is not recommend.  Follow [AspNet Configuration](https://learn.microsoft.com/en-us/aspnet/core/fundamentals/configuration/?view=aspnetcore-9.0) for best practices.
+
+1. Update `appsettings.json` 
+
+   | Property             | Value Description     | 
+   |----------------------|-----------|
+   | ConnectionName       | Set the configured bot's OAuth connection name.      |
+    
+1. Run `dev tunnels`. Please follow [Create and host a dev tunnel](https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/get-started?tabs=windows) and host the tunnel with anonymous user access command as shown below:
+   > NOTE: Go to your project directory and open the `./Properties/launchSettings.json` file. Check the port number and update it to match your DevTunnel port. If `./Properties/launchSettings.json`not fount Close and re-open the solution.launchSettings.json have been re-created.
+
+   ```bash
+   devtunnel host -p 3978 --allow-anonymous
+   ```
+
+1. Update your Azure Bot ``Messaging endpoint`` with the tunnel Url:  `{tunnel-url}/api/messages`
+
+1. Run the bot from a terminal or from Visual Studio
+
+1. Test via "Test in WebChat"" on your Azure Bot in the Azure Portal.
+
+## Running this Agent in Teams
+
+1. There are two version of the manifest provided.  One for M365 Copilot and one for Teams.
+   1. Copy the desired version to manifest.json
+1. Manually update the manifest.json
+   - Edit the `manifest.json` contained in the `/appManifest` folder
+     - Replace with your AppId (that was created above) *everywhere* you see the place holder string `<<AAD_APP_CLIENT_ID>>`
+     - Replace `<<AGENT_DOMAIN>>` with your Agent url.  For example, the tunnel host name.
+   - Zip up the contents of the `/appManifest` folder to create a `manifest.zip`
+1. Upload the `manifest.zip` to Teams
+   - Select **Developer Portal** in the Teams left sidebar
+   - Select **Apps** (top row)
+   - Select **Import app**, and select the manifest.zip
+
+1. Select **Preview in Teams** in the upper right corner
+
+## Interacting with the Agent
+
+Type anything to sign-in, or `logout` to sign-out.  
+
+## Further reading
+To learn more about building Agents, see our [Microsoft 365 Agents SDK](https://github.com/microsoft/agents) repo.
+
@@ -0,0 +1,31 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio Version 17
+VisualStudioVersion = 17.13.35828.75 d17.13
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "AutoSignIn", "AutoSignIn\AutoSignIn.csproj", "{840081EB-DBFE-2E05-9275-2B4B342025E4}"
+EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "ManualSignIn", "ManualSignIn\ManualSignIn.csproj", "{A7E45FDA-6714-F4B7-0195-5A2B12BA9A37}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|Any CPU = Debug|Any CPU
+		Release|Any CPU = Release|Any CPU
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{840081EB-DBFE-2E05-9275-2B4B342025E4}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{840081EB-DBFE-2E05-9275-2B4B342025E4}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{840081EB-DBFE-2E05-9275-2B4B342025E4}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{840081EB-DBFE-2E05-9275-2B4B342025E4}.Release|Any CPU.Build.0 = Release|Any CPU
+		{A7E45FDA-6714-F4B7-0195-5A2B12BA9A37}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{A7E45FDA-6714-F4B7-0195-5A2B12BA9A37}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{A7E45FDA-6714-F4B7-0195-5A2B12BA9A37}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{A7E45FDA-6714-F4B7-0195-5A2B12BA9A37}.Release|Any CPU.Build.0 = Release|Any CPU
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+	GlobalSection(ExtensibilityGlobals) = postSolution
+		SolutionGuid = {55274C53-CF36-4245-A6B2-6603A3066208}
+	EndGlobalSection
+EndGlobal
@@ -0,0 +1,187 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using Microsoft.Agents.Builder;
+using Microsoft.Agents.Builder.App;
+using Microsoft.Agents.Builder.State;
+using Microsoft.Agents.Builder.UserAuth;
+using Microsoft.Agents.Core.Models;
+using System.Net.Http;
+using System.Net.Http.Headers;
+using System.Text;
+using System.Text.Json.Nodes;
+using System.Threading;
+using System.Threading.Tasks;
+
+
+public class AuthAgent : AgentApplication
+{
+    /// <summary>
+    /// Default Sign In Name
+    /// </summary>
+    private string _defaultDisplayName = "Unknown User";
+    /// <summary>
+    /// Authorization Handler Name to use for queries 
+    /// </summary>
+    private string _signInHandlerName = string.Empty;
+
+    /// <summary>
+    /// Describes the agent registration for the Authorization Agent
+    /// This agent will handle the sign-in and sign-out processes for a user.
+    /// </summary>
+    /// <param name="options">AgentApplication Configuration objects to configure and setup the Agent Application</param>
+    public AuthAgent(AgentApplicationOptions options) : base(options)
+    {
+        /*
+         During setup of the Agent Application, Register Event Handlers for the Agent. 
+         For this example we will register a welcome message for the user when they join the conversation, then configure sign-in and sign-out commands.
+         Additionally, we will add events to handle notifications of sign-in success and failure,  these notifications will report the local log instead of back to the calling agent. .
+
+         This handler should only register events and setup state as it can be called multiple times before agent events are invoked. 
+        */
+
+        // this sets the default signin handler to the default handler name.  This is used to identify the handler that will be used for the sign-in process later in this code. 
+        _signInHandlerName = UserAuthorization.DefaultHandlerName;
+
+        /*
+         When a conversation update event is triggered. 
+        */
+        OnConversationUpdate(ConversationUpdateEvents.MembersAdded, WelcomeMessageAsync);
+
+        ///*
+        // Handles the user sending a Login or LogOut command using the specific keywords '-signout'
+        //*/
+        OnMessage("/signout", async (turnContext, turnState, cancellationToken) =>
+        {
+            // force a user signout to reset the user state
+            // this is needed to reset the token in Azure Bot Services if needed. 
+            await UserAuthorization.SignOutUserAsync(turnContext, turnState, cancellationToken: cancellationToken);
+            await turnContext.SendActivityAsync("You have signed out", cancellationToken: cancellationToken);
+        }, rank: RouteRank.Last);
+
+
+        /*
+         The UserAuthorization Class provides methods and properties to manage and access user authentication tokens
+         You can use this class to interact with the authentication process, including signing in and signing out users, accessing tokens, and handling authentication events.
+         */
+
+        // Register Events for SignIn and SignOut on the authentication class to track the status of the user, notify the user of the status of their authentication process, or log the status of the authentication process.
+        UserAuthorization.OnUserSignInFailure(OnUserSignInFailure);
+
+        // Registers a general event handler that will pick up any message activity that is not covered by the previous events handlers. 
+        OnActivity(ActivityTypes.Message, OnMessageAsync, rank: RouteRank.Last);
+    }
+
+    /// <summary>
+    /// This method is called to handle the conversation update event when a new member is added to or removed from the conversation.
+    /// </summary>
+    /// <param name="turnContext"><see cref="ITurnContext"/></param>
+    /// <param name="turnState"><see cref="ITurnState"/></param>
+    /// <param name="cancellationToken"><see cref="CancellationToken"/></param>
+    private async Task WelcomeMessageAsync(ITurnContext turnContext, ITurnState turnState, CancellationToken cancellationToken)
+    {
+        /*
+        In this example, we will send a welcome message to the user when they join the conversation.
+        We do this by iterating over the incoming activity members added to the conversation and checking if the member is not the agent itself.
+        Then a greeting notice is provided to each new member of the conversation.
+        */
+        foreach (ChannelAccount member in turnContext.Activity.MembersAdded)
+        {
+            if (member.Id != turnContext.Activity.Recipient.Id)
+            {
+                string displayName = await GetDisplayName(turnContext);
+                StringBuilder sb = new StringBuilder();
+                sb.AppendLine($"Welcome to the AutoSignIn Example, **{displayName}**!.");
+                sb.AppendLine("This Agent automatically signs you in when you first connect.");
+                sb.AppendLine("You can use the following commands to interact with the agent:");
+                sb.AppendLine("/signout: Sign out of the agent and force it to reset the login flow on next message.");
+                if (displayName.Equals(_defaultDisplayName))
+                {
+                    sb.AppendLine("**WARNING: We were unable to get your display name with the current access token.. please use the /signout command before proceeding**");
+                }
+                sb.AppendLine("");
+                sb.AppendLine("Type anything else to see the agent echo back your message.");
+                await turnContext.SendActivityAsync(MessageFactory.Text(sb.ToString()), cancellationToken);
+                sb.Clear();
+            }
+        }
+    }
+
+    /// <summary>
+    /// Handles general message loop. 
+    /// </summary>
+    /// <param name="turnContext"><see cref="ITurnContext"/></param>
+    /// <param name="turnState"><see cref="ITurnState"/></param>
+    /// <param name="cancellationToken"><see cref="CancellationToken"/></param>
+    /// <returns></returns>
+    private async Task OnMessageAsync(ITurnContext turnContext, ITurnState turnState, CancellationToken cancellationToken)
+    {
+        /*
+        When Auto Sign in is properly configured, the user will be automatically signed in when they first connect to the agent using the default handler chosen in the UserAuthorization configuration.
+        IMPORTANT: The ReadMe associated with this sample, instructs you on confiuring the Azure Bot Service Registration with the scopes to allow you to read your own information from Graph.  you must have completed that for this sample to work correctly. 
+
+        If the sign in process is successful, the user will be signed in and the token will be available from the UserAuthorization.GetTurnToken(_signInHandlerName) function call. 
+        if the sign in was not successful,  you will get a Null when you call the UserAuthorization.GetTurnToken(_signInHandlerName) function. 
+        */
+
+        // Check for Access Token from the Authorization Sub System. 
+        if (string.IsNullOrEmpty(UserAuthorization.GetTurnToken(_signInHandlerName)))
+        {
+            // Failed to get access token here, and we will now bail out of this message loop. 
+            await turnContext.SendActivityAsync($"The auto sign in process failed and no access token is available", cancellationToken: cancellationToken);
+            return;
+        }
+
+        // We have the access token, now try to get your user name from graph. 
+        string displayName = await GetDisplayName(turnContext);
+        if (displayName.Equals(_defaultDisplayName))
+        {
+            // Handle error response from Graph API
+            await turnContext.SendActivityAsync($"Failed to get user information from Graph API \nDid you update the scope correctly in Azure bot Service?. If so type in /signout to force signout the current user", cancellationToken: cancellationToken);
+            return;
+        }
+
+        // Now Echo back what was said with your display name. 
+        await turnContext.SendActivityAsync($"**{displayName} said:** {turnContext.Activity.Text}", cancellationToken: cancellationToken);
+    }
+
+    /// <summary>
+    /// This method is called when the sign-in process fails with an error indicating why . 
+    /// </summary>
+    /// <param name="turnContext"></param>
+    /// <param name="turnState"></param>
+    /// <param name="handlerName"></param>
+    /// <param name="response"></param>
+    /// <param name="initiatingActivity"></param>
+    /// <param name="cancellationToken"></param>
+    /// <returns></returns>
+    private async Task OnUserSignInFailure(ITurnContext turnContext, ITurnState turnState, string handlerName, SignInResponse response, IActivity initiatingActivity, CancellationToken cancellationToken)
+    {
+        // Raise a notification to the user that the sign-in process failed.
+        await turnContext.SendActivityAsync($"Manual Sign In: Failed to login to '{handlerName}': {response.Error.Message}", cancellationToken: cancellationToken);
+    }
+
+    /// <summary>
+    /// Gets the display name of the user from the Graph API using the access token.
+    /// </summary>
+    /// <param name="turnContext"><see cref="ITurnState"/></param>
+    /// <returns></returns>
+    private async Task<string> GetDisplayName(ITurnContext turnContext)
+    {
+        string displayName = _defaultDisplayName;
+        string accessToken = UserAuthorization.GetTurnToken(_signInHandlerName);
+        string graphApiUrl = $"https://graph.microsoft.com/v1.0/me";
+        HttpClient client = new HttpClient();
+        client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
+        HttpResponseMessage response = await client.GetAsync(graphApiUrl);
+        if (response.IsSuccessStatusCode)
+        {
+            var content = await response.Content.ReadAsStringAsync();
+            var graphResponse = JsonNode.Parse(content);
+            displayName = graphResponse!["displayName"].GetValue<string>();
+        }
+        return displayName;
+    }
+
+
+}
@@ -0,0 +1,13 @@
+<Project Sdk="Microsoft.NET.Sdk.Web">
+
+	<PropertyGroup>
+		<TargetFramework>net8.0</TargetFramework>
+		<LangVersion>latest</LangVersion>
+	</PropertyGroup>
+
+	<ItemGroup>
+		<PackageReference Include="Microsoft.Agents.Authentication.Msal" Version="0.2.*-*" />
+		<PackageReference Include="Microsoft.Agents.Hosting.AspNetCore" Version="0.2.*-*" />
+	</ItemGroup>
+
+</Project>