add details to SNI sample

samples/javascript_nodejs/84.bot-authentication-certificate/README.md

@@ -154,7 +154,7 @@ An SSL/TLS certificate is a digital object that allows systems to verify identit
 
       ![Upload Cer Certificate](Images/KeyVault/UploadCerCertificate.png)
 
-  6. In the sample code, go to the [Startup](Startup.cs) class and uncomment the line of code that reads the keyvault certificate and verify that the keyvault credentials are completed in the [appsettings](appsettings.json) file.
+  6. In the sample code, go to the [Startup](Startup.cs) class and uncomment the line of code that reads the keyvault certificate and verify that the keyvault credentials are completed in the [.env](.env) file.
   Be sure to comment out or remove the lines of code that use local certificate to avoid errors.
       > NOTE: Here the value of MicrosoftAppId and CertificateThumbprint are also needed to generate the credentials.
 

samples/javascript_nodejs/85.bot-authentication-sni/.env

@@ -1,6 +1,4 @@
-MicrosoftAppType=
 MicrosoftAppId=
 MicrosoftAppTenantId=
-CertificateThumbprint=
 KeyVaultName=
 CertificateName=

samples/javascript_nodejs/85.bot-authentication-sni/README.md

@@ -2,114 +2,174 @@
 
 Bot Framework v4 bot authentication using Subject Name/Issuer
 
-This bot has been created using [Bot Framework](https://dev.botframework.com/), is shows how to use the bot authentication capabilities of Azure Bot Service. In this sample, we use a local or KeyVault certificate and the MSAL Subject Name/Issuer configuration to create the Bot Framework Authentication.
+This bot has been created using Bot Framework, it shows how to use the bot authentication capabilities of Azure Bot Service. In this sample, we use a local or KeyVault certificate and the MSAL Subject Name/Issuer configuration to create the Bot Framework Authentication.
+>NOTE: Microsoft's first-party resources are required to test this sample.
+
+## Interacting with the bot
+
+This sample uses the bot authentication capabilities of Azure Bot Service, providing features to make it easier to develop a bot that authenticates users using digital security certificates. You just need to provide the certificate data linked to the managed identity and run the bot, then communicate with it to validate its correct authentication.
+
 
 ## Prerequisites
 
 - [Node.js](https://nodejs.org) version 10.14 or higher
 
-```bash
-# determine node version
-node  --version
-```
+  ```bash
+  # determine node version
+  node  --version
+  ```
+
+- [Ngrok](https://ngrok.com/) latest version.
+
+## SSL/TLS certificate
+
+An SSL/TLS certificate is a digital object that allows systems to verify identity and subsequently establish an encrypted network connection with another system using the Secure Sockets Layer/Transport Layer Security (SSL/TLS) protocol. Certificates are issued using a cryptographic system known as public key infrastructure (PKI). PKI allows one party to establish the identity of another through the use of certificates if they both trust a third party, known as a certificate authority. SSL/TLS certificates therefore function as digital identity documents that protect network communications and establish the identity of websites on the Internet as well as resources on private networks.
+
+## Subject Name and Issuer (SNI) Authentication
+
+Certificate Subject Name and Issuer (SNI) based authentication is currently available only for Microsoft internal (first-party) applications. External (third-party) apps cannot use SNI because SNI is based on the assumption that the certificate issuer is the same as the tenant owner. This can be guaranteed for some first-party tenants, but not for third-party. So there are no plans to bring SNI to third-party apps. For more details about this feature and code examples see this [SNI issue](https://github.com/AzureAD/microsoft-authentication-library-for-python/issues/60) and a [wiki page](https://aadwiki.windows-int.net/index.php?title=Subject_Name_and_Issuer_Authentication).
 
 ## To try this sample
 
+- Setup ngrok
+  1. Run ngrok - point to port 3978
+
+    ```bash
+    ngrok http --host-header=rewrite 3978
+    ```
+
+- Setup a Bot
+  1. Register a bot with Azure Bot Service, following the instructions [here](https://docs.microsoft.com/azure/bot-service/bot-service-quickstart-registration?view=azure-bot-service-3.0).
+
+  2. While registering the bot, use `https://<your_tunnel_domain>/api/messages` as the messaging endpoint.
+      > NOTE: When you create your bot you will create a Microsoft App ID - make sure you keep this for later.
+
 - Clone the repository
 
-```bash
-git  clone  https://github.com/microsoft/botbuilder-samples.git
-```
+    ```bash
+    git clone https://github.com/microsoft/botbuilder-samples.git
+    ```
 
-- In a terminal, navigate to `samples/javascript_nodejs/85.bot-authentication-sni`
+- Configure the SSL/TSL certificate. This sample requires an existing certificate issued by an integrated CA. We have two options to configure it in the bot. Below is a step-by-step description of each one:
 
-```bash
-cd  samples/javascript_nodejs/85.bot-authentication-sni
-```
+  ### Using local environment
+  - This option requires the following app settings variables:
 
-- Install modules
+    - MicrosoftAppId: App Id of your bot.
 
-```bash
-npm  install
-```
+    - MicrosoftAppTenantId: Tenant Id to which your bot belongs(optional).
 
-- Set environment variables
+  1. Intall and configure [OpenSSL](https://www.openssl.org/source/) with the latest version
+    - Download the latest version source and add the folder to the [environment variables](https://www.java.com/en/download/help/path.html) path.
+      ```bash
+      setx path "%path%;<OpenSSL path here> 
+      i.e
+      setx path "%path%;C:\Program Files\openssl-3.3.0"
+      ```
 
-  - MicrosoftAppType: Type of the App.
+  2. Generate a _pem_ file without key:
+      - If your certificate is in _pfx_ format execute the following command:
+      ```
+      OpenSSL pkcs12 -in .\<certificate-name>.pfx -out <certificate-name>.pem –nodes -nokeys
+      ```
 
-  - MicrosoftAppId: App Id of your bot.
+      ![Pem File Command No Key](Images/Local/PemCommandNoKey.png)
 
-  - MicrosoftAppTenantId: Tenant Id to which your bot belongs.
+      - If your certificate is in _pem_ format and includes the key, execute the following command to remove the key:
+      ```
+      OpenSSL pkcs12 -in .\<certificate-name>.pem -export -out .\<certificate-without-key-name>.pem -nokeys
+      ```
 
-  - CertificateThumbprint: Certificate thumbprint.
+      ![Pem Export No Key](Images/Local/PemExportNoKey.png)
 
-  - KeyVaultName: Name of the KeyVault containing the certificate.
+  3. Upload the generated certificate to the Azure app registration.
 
-  - CertificateName: Name of the certificate in the KeyVault.
+      ![Certificate Upload](Images/Local/CertificateUpload.png)
 
-- Start the bot
+  4. To read the certificate in the bot, the _pem_ file must include the key, then if your certificate is in _pfx_ format go to the certificate location and run the following command to generate a _pem_ file with key:
 
-```bash
-npm  start
-```
+      ```
+      OpenSSL pkcs12 -in .\<certificate-name>.pfx -out <certificate-with-key-name>.pem –nodes
+      ```
 
-## Testing the bot using Bot Framework Emulator
+      ![Pem Command With Key](Images/Local/PemCommandWithKey.png)
 
-[Bot Framework Emulator](https://github.com/microsoft/botframework-emulator) is a desktop application that allows bot developers to test and debug their bots on localhost or running remotely through a tunnel.
+  5. In the sample code, go to the [index](index.js) file and uncomment the line of code that reads the local certificate and write the name of the certificate in _pem_ format inside the _CreateFromPemFile_ method. 
+  Be sure to comment out or remove the lines of code that use Azure KeyVault to avoid errors.
+
+      > NOTE: Here the value of MicrosoftAppId is needed to generate the credentials.
 
-- Install the latest Bot Framework Emulator from [here](https://github.com/Microsoft/BotFramework-Emulator/releases)
+      ![Certificate Reading](Images/Local/CertificateReading.png)
 
-### Connect to the bot using Bot Framework Emulator
+  ### Using KeyVault
+  - This option requires the following app settings variables:
 
-- Launch Bot Framework Emulator
+    - MicrosoftAppId: App Id of your bot.
 
-- File -> Open Bot
+    - KeyVaultName: Name of the KeyVault containing the certificate.
 
-- Enter a Bot URL of `http://localhost:3978/api/messages`
+    - CertificateName: Name of the certificate in the KeyVault.
 
-## Interacting with the bot
+    - MicrosoftAppTenantId: Tenant Id to which your bot belongs(optional).
 
-This sample uses the bot authentication capabilities of Azure Bot Service, providing features to make it easier to develop a bot that authenticates users using digital security certificates. You just need to provide the certificate data linked to the managed identity and run the bot, then communicate with it to validate its correct authentication.
+  1. Import the certificate under the Certificates section, hit on Generate/Import, complete the form, and upload the certificate.
 
-## SSL/TLS certificate
+      ![Generate Import Certificate](Images/KeyVault/GenerateImportCertificate.png)
+      ![Import Certificate](Images/KeyVault/ImportCertificate.png)
 
-An SSL/TLS certificate is a digital object that allows systems to verify identity and subsequently establish an encrypted network connection with another system using the Secure Sockets Layer/Transport Layer Security (SSL/TLS) protocol. Certificates are issued using a cryptographic system known as public key infrastructure (PKI). PKI allows one party to establish the identity of another through the use of certificates if they both trust a third party, known as a certificate authority. SSL/TLS certificates therefore function as digital identity documents that protect network communications and establish the identity of websites on the Internet as well as resources on private networks.
+  2. Go to the details of the certificate and download it in _CER_ format to avoid the export of the private key.
+
+      ![Certificate Details](Images/KeyVault/CertificateDetails.png)
+      ![Download Certificate](Images/KeyVault/DownloadCertificate.png)
 
-## How to create an SSL/TLS certificate
+      >NOTE: If you downloaded it in _PFX/PEM_ format, it will be neccesary to remove the private key by executing one the following commands:
+      ```
+      OpenSSL pkcs12 -in .\<certificate-name>.pfx -out <certificate-name>.pem –nodes -nokeys
+      OpenSSL pkcs12 -in .\<certificate-name>.pem -export -out .\<certificate-without-key-name>.pem -nokeys
+      ```
+      ![Pem File Command No Key](Images/Local/PemCommandNoKey.png)
+      ![Pem Export No Key](Images/Local/PemExportNoKey.png)
 
-There are two possible options to create SSL/TSL certificate. Below is a step-by-step description of each one:
+  3. Upload the certificate to the Azure app registration.
 
-### Using local environment
+      ![Upload Cer Certificate](Images/KeyVault/UploadCerCertificate.png)
 
-1. Run the following command in a local PowerShell
+  4. In the sample code, go to the [index](index.js) file and uncomment the line of code that reads the keyvault certificate and verify that the keyvault credentials are completed in the [.env](.env) file.
+  Be sure to comment out or remove the lines of code that use local certificate to avoid errors.
+      > NOTE: Here the value of MicrosoftAppId is also needed to generate the credentials.
 
-```
-$cert = New-SelfSignedCertificate -CertStoreLocation "<directory-to-store-certificate>" -Subject "CN=<certificate-name>" -KeySpec KeyExchange
-```
+      ![Certificate Reading](Images/KeyVault/CertificateReading.png)
 
-1. Then, type _Manage User Certificates_ in the Windows search bar and hit enter
+  1. In the current sample context, log into Azure to obtain the default credentials by executing the following command:
+      ```
+      az login
+      ```
 
-2. The certificate will be located in the _user certificates_ folder, under _personal_ directory.
+- Run the bot from a terminal or from Visual Studio:
 
-3. Export the certificate to _pfx_ format including the key(The default location is _system32_ folder).
+  - In a terminal, navigate to `samples/javascript_nodejs/85.bot-authentication-sni`
 
-4. Go to the certificate location and run the following command to generate a _pem_ file:
+    ```bash
+    cd samples/javascript_nodejs/85.bot-authentication-sni
+    ```
 
-```
-OpenSSL pkcs12 -in <certificate-name>.pfx -out c:\<certificate-name>.pem –nodes
-```
+    - Install modules
 
-5. Upload the generated certificate to the Azure app registration.
+    ```bash
+    npm install
+    ```
 
-### Using KeyVault
+    - Start the bot
 
-1. Create a KeyVault resource and assign _the KeyVault Administrator_ role to have permission to create a new certificate.
+    ```bash
+    npm start
+    ```
 
-2. Under the Certificates section, hit on Generate/Import, complete the form, and create the certificate in PEM format.
+## Testing the bot using Azure Bot
 
-3. Go to the details of the certificate that you created and enable it.
+Go to the Azure bot resource created previously, select the _Test in Web Chat_ option under the _Settings_ section and start talking to the bot.
 
-4. Download the certificate in CER format and then upload it to the Azure app registration.
+![Bot Conversation](Images/BotConversation.png)
 
 ## Deploy the bot to Azure
 
@@ -136,5 +196,7 @@ To learn more about deploying a bot to Azure, see [Deploy your bot to Azure](htt
 - [Restify](https://www.npmjs.com/package/restify)
 
 - [dotenv](https://www.npmjs.com/package/dotenv)
-
+  
 - [SSL/TLS certificates](https://www.digicert.com/tls-ssl/tls-ssl-certificates)
+
+- [Subject Name and Issuer (SNI) Authentication](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/Subject-Name-and-Issuer-(SNI)-Authentication)

samples/javascript_nodejs/85.bot-authentication-sni/index.js

@@ -2,13 +2,13 @@
 // Licensed under the MIT License.
 
 const path = require('path');
-// const fs = require('fs');
+const fs = require('fs');
+const { createPrivateKey } = require('crypto');
 const dotenv = require('dotenv');
 const restify = require('restify');
-const msal = require('@azure/msal-node');
 const { DefaultAzureCredential } = require('@azure/identity');
 const { SecretClient } = require('@azure/keyvault-secrets');
-const { MsalServiceClientCredentialsFactory } = require('botframework-connector');
+const { CertificateServiceClientCredentialsFactory } = require('botframework-connector');
 
 // Import required bot configuration.
 const ENV_FILE = path.join(__dirname, '.env');
@@ -31,19 +31,17 @@
         server.use(restify.plugins.bodyParser());
 
         server.listen(process.env.port || process.env.PORT || 3978, () => {
-            console.log(`\n${ server.name } listening to ${ server.url }`);
+            console.log(`\n${server.name} listening to ${server.url}`);
             console.log('\nGet Bot Framework Emulator: https://aka.ms/botframework-emulator');
             console.log('\nTo talk to your bot, open the emulator select "Open Bot"');
         });
 
-        const authorityUrl = 'https://login.microsoftonline.com/botframework.com';
-
         // ---- Authenticate using key vault to obtain the certificate values.
         // Create an Azure credential to authenticate.
         const credential = new DefaultAzureCredential();
 
         const vaultName = process.env.KeyVaultName;
-        const keyVaultUrl = `https://${ vaultName }.vault.azure.net`;
+        const keyVaultUrl = `https://${vaultName}.vault.azure.net`;
 
         const certificateName = process.env.CertificateName;
 
@@ -52,32 +50,27 @@
 
         // Assuming you've already created a Key Vault certificate,
         // and that certificateName contains the name of your certificate.
-        const certificateSecret = await secretClient.getSecret(certificateName);
-
-        // Here we can find both the private key and the public certificate, in PKCS 12 format:
-        const certificateKey = certificateSecret.value;
+        const cert = (await secretClient.getSecret(certificateName)).value;
 
         // ---- Authenticate using local certificate.
-        // const key = fs.readFileSync('{KeyPath}.pem', 'utf8');
-
-        // Extract x5c value from the key string to use the SNI authentication.
-        const x5cValue = certificateKey.split('-----BEGIN CERTIFICATE-----\n').pop().split('\n-----END CERTIFICATE-----')[0];
+        // //Read the certificate from the file
+        // const cert = fs.readFileSync('{KeyPath}.pem', 'utf8');
+
+        // Create a private key object from the certificate
+        var certificateKey = createPrivateKey(cert);
+        //Convert the private key object to a string format
+        const privateKey = certificateKey.export({
+            type: 'pkcs8', // Can also be 'pkcs1' depending on your format requirements
+            format: 'pem'
+        });
 
         // Create client credentials using SNI authentication from MSAL.
-        const serviceClientCredentialsFactory = new MsalServiceClientCredentialsFactory(
+        const serviceClientCredentialsFactory = new CertificateServiceClientCredentialsFactory(
             process.env.MicrosoftAppId,
-            new msal.ConfidentialClientApplication({
-                auth: {
-                    clientId: process.env.MicrosoftAppId,
-                    authority: authorityUrl,
-                    clientCertificate: {
-                        thumbprint: process.env.CertificateThumbprint,
-                        privateKey: certificateKey,
-                        x5c: x5cValue
-                    }
-                }
-            })
-        );
+            cert,
+            privateKey,
+            process.env.MicrosoftAppTenantId
+        )
 
         const botFrameworkAuthentication = new ConfigurationBotFrameworkAuthentication(process.env, serviceClientCredentialsFactory);
 
@@ -90,12 +83,12 @@
             // NOTE: In production environment, you should consider logging this to Azure
             //       application insights. See https://aka.ms/bottelemetry for telemetry
             //       configuration instructions.
-            console.error(`\n [onTurnError] unhandled error: ${ error }`);
+            console.error(`\n [onTurnError] unhandled error: ${error}`);
 
             // Send a trace activity, which will be displayed in Bot Framework Emulator
             await context.sendTraceActivity(
                 'OnTurnError Trace',
-                `${ error }`,
+                `${error}`,
                 'https://www.botframework.com/schemas/error',
                 'TurnError'
             );