The JavaScript SDK requires an AuthenticationProvider to obtain JWT tokens to send activities to the target channel.
The package @microsoft/agents-bot-hosting provides a default authentication provider based on MSAL that can be configured for the following types of credentials:
Note: MultiTenant requires the Azure Bot instance to be configured as Multi Tenant and the EntraID app registration to be configured as "Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant)". It only supports Client Secret or Client Certificate.
The configuration is obtained at runtime from environment variables, using the helper function loadBotAuthConfigFromEnv(): AuthConfiguration. The CloudAdapter instance must be initialized with the AuthConfiguration.
Based on the provided variables, the authentication type will be inferred as described below.
tenantId={tenant-id-guid}
clientId={app-id-guid}
clientSecret={app-registration-secret}
This is the recommended configuration for local development.
tenantId={tenant-id-guid}
clientId={app-id-guid}
certPemFile={path-to-pem-file}
certKeyFile={path-to-key-file}
Note: The key file should not use any password.
tenantId={tenant-id-guid}
clientId={app-id-guid}
This is the recommended configuration for production scenarios.
Note: The bot needs to run in an Azure service that supports Managed Identities, and the managed identity should match the one configured in EntraID.
tenantId={tenant-id-guid}
clientId={app-id-guid}
FICClientId={client-id-of-the-FIC}
clientId={app-id-guid}
clientSecret={app-registration-secret}
clientId={app-id-guid}
certPemFile={path-to-pem-file}
certKeyFile={path-to-key-file}
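The inference described above can be checked before the bot starts. The following preflight check is an added example, not code from the SDK: classifyAuthEnv, AuthKind, AuthPlan and EnvVars are hypothetical names, it assumes that a missing tenantId means a multi-tenant configuration, and rejecting mixed credential types is this example's own policy.

```typescript
// Added example: preflight check for the variable sets listed above.
// classifyAuthEnv, AuthKind, AuthPlan and EnvVars are hypothetical names, not SDK exports.
type AuthKind = 'client-secret' | 'client-certificate' | 'fic' | 'managed-identity'
interface AuthPlan { kind: AuthKind, multiTenant: boolean, warnings: string[] }
type EnvVars = Record<string, string | undefined>

function classifyAuthEnv (env: EnvVars): AuthPlan {
  const has = (name: string): boolean => (env[name] ?? '').trim() !== ''
  if (!has('clientId')) throw new Error('clientId is required in every configuration')

  // A certificate needs both files; one without the other is a misconfiguration.
  const anyCert = has('certPemFile') || has('certKeyFile')
  if (anyCert && !(has('certPemFile') && has('certKeyFile'))) {
    throw new Error('certPemFile and certKeyFile must be set together')
  }

  // Policy of this example: refuse mixed credential types instead of silently picking one.
  const configured = [has('clientSecret'), anyCert, has('FICClientId')].filter(Boolean).length
  if (configured > 1) throw new Error('more than one credential type is configured')

  const kind: AuthKind = has('clientSecret')
    ? 'client-secret'
    : anyCert
      ? 'client-certificate'
      : has('FICClientId') ? 'fic' : 'managed-identity'

  // Assumption of this example: no tenantId means a multi-tenant configuration,
  // which only supports a client secret or a client certificate.
  const multiTenant = !has('tenantId')
  if (multiTenant && kind !== 'client-secret' && kind !== 'client-certificate') {
    throw new Error('multi-tenant supports only client secret or client certificate')
  }

  const warnings: string[] = []
  if (kind === 'client-secret') {
    warnings.push('clientSecret is the local-development configuration; use a managed identity in production')
  }
  return { kind, multiTenant, warnings }
}

// Constructed sample input (placeholder values, not real identifiers).
const sampleEnv: EnvVars = { tenantId: 'tenant-guid', clientId: 'app-guid', clientSecret: 'placeholder' }
const samplePlan: AuthPlan = classifyAuthEnv(sampleEnv)
```

Running the check against the deployment environment at startup turns a silently wrong credential choice into an explicit failure or warning.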
To load the configuration using the same format as the BotFramework SDK, we provide another helper function loadBotAuthConfigFromEnv(): AuthConfiguration:
MicrosoftAppTenantId={tenant-id-guid}
MicrosoftAppId={app-id-guid}
MicrosoftAppPassword={app-registration-secret}
Users requiring a customized authentication provider can implement the interface:
export interface AuthProvider {
  getAccessToken: (authConfig: AuthConfiguration, scope: string) => Promise<string>
}
As an example, let's implement the AuthProvider using @azure/identity:
import { EnvironmentCredential } from "@azure/identity"
import { AuthProvider, AuthConfiguration } from "@microsoft/agents-bot-hosting"

class DevTokenProvider implements AuthProvider {
  // authConfig is not used here: EnvironmentCredential reads its own settings from the environment.
  async getAccessToken(authConfig: AuthConfiguration): Promise<string> {
    const id = new EnvironmentCredential()
    // The scope is fixed to the Bot Framework API instead of taking the interface's scope argument.
    const tokenResponse = await id.getToken("https://api.botframework.com/.default")
    return tokenResponse.token
  }
}
To instantiate the CloudAdapter using the DevTokenProvider:
const adapter = new CloudAdapter(authConfig, new DevTokenProvider())