This blog series focuses on presenting complex DevOps projects as simple and approachable via plain language and lots of pictures. You can do it!

These articles are supported by readers, please consider subscribing to support me writing more of these articles <3 :)

This article is part of a series of articles, because 1 article would be absolutely massive.

• Part 1: Create an Azure Bot and App Registration

• Part 2: Register Bot in Teams with Teams Developer Portal

• Part 3: Delegated Permissions and Making Lambda Stateful for Oauth2

• Part 4 (this article): Building the Receiver lambda to store tokens and state

• Part 5: Finding messages, reading conversations in Teams

Hey all!

In the series so far we’ve registered an App Registration (permissions), an Azure Bot (Teams back-end Bot infra and link to permissions), and built a bot in the Teams Developer Portal (register name in Teams App). We also talked about how we’ll be building this Teams app with Delegated access tokens exclusively, which means we’ll need to establish some state for the tokens and conversations.

The use case for storing those two things are very different:

• Storing Conversations - We only have one function URL, so we need some routing - on first contact, we’ll push a “Card” to Teams to send users to the SSO login portal, and when the OAuth2 token is pushed to us, we’ll do our AI stuff. Since the first instance has shut down and discarded state, we’ll need to store the first contact payload to resume it when we have the token on second run!

• Storing Tokens - Since our app is stateless, once we receive the token and run, the lambda shuts off and we lose the token. If we store it for next run, users don’t need to provide a token on each run!

We’ll go over this in more depth as we walk through the code.

If you don’t care about the walk-through, and would rather just skip to the codebase, we’ll be walking through this Receiver lambda code:

github.com/KyMidd/TeamsAIBot/blob/master/lambda/src/receiver.py

We’ll have one lambda handle several different logic paths:

• Teams event inbound, we don’t have a token (or token is expired)

  • Build “Card”, push to user

  • Store Conversations for pickup when token received

  • Direct them to SSO so they can authorize an OAuth2 token for us

• Teams event inbound, we have a token

  • Build payload, pass to Worker

• OAuth2 token inbound

  • Store token

  • Find resumed Conversation and build payload around it

  • Pass to Worker

Lets talk about the first one first (as it should be)

Handle a Teams Call, No Token Yet

On the very first call from a user, we don’t have a token for them.

First let’s store some constants.

On line 6, the secret the bot uses to store secrets. It should store the slack bot token and signing secret so we can decode the webhook and validate it’s… well, valid.

On line 9, the redirect function URL. We are unable to look this up due to circular logic - we can’t get it until it’s built, so terraform won’t let us do that. You can deploy this with an invalid value, just redeploy once you get a real redirect function URL. This is used to build the “Card” we’ll push to Teams users, and build a URL for redirection for the OAuth2 token.

On line 12, a CMK KMS key alias - an SSH key we’ll use to encrypt the OAuth2 tokens we get from users. These tokens can do a bunch of actions AS the user, so we need to be careful when storing them in dynamo to pass them between lambdas.

Receive a Teams Event

Lets start with the main handler for the lambda event - we receive the event and context from AWS when the function URL is triggered.

On line 4, we check if the event path contains /callback. If yes, this is an oauth2 token. It’s not in this use case, so skip.

We check if channelData is part of the body on line 7 - that’s one of the Teams keys. If yes, we’re working a teams event.

Print out some debugs and then call the handle_teams_event on line 17.

The handle teams event is used to handle any Teams event that comes in, token present or not.

On line 11 and 12, we store the conversation table arn and token table arn as local vars - they’re injected as environmental variables by the terraform code.

Then on line 15 we register a dynamoDB client using the boto3 library - we’ll use this to read and write to dynamo.

Then on line 18 we read the aadObjectId from the event - this is the user that triggered the action. If the action came from Teams, it was triggered by a User or Bot, both of which are registered in Entra.

Then on line 25, we grab an encrypted token from dynamo. We have some error handling logic present in case there is no token. Lets zoom in on that.

Yeah, But When Did I Cook That Token?

This function helps us get a token and validate that it’s valid for at least 30 seconds.

Expert tip: tokens are valid for between 60-90m, and it’s random for each token issued to avoid thundering herds expiring. Cool architecture, $MSFT.

On line 6, we attempt to get the item from dynamo that matches our “token” dynamo, and has a key (line 8) of the aadObjectId (the user’s ID) set to a string of the aadObjectId from the event. This should make sure that users can only fetch and use their own token. Notably if there is no token, $item is simply not populated.

On line 15, we check if there’s no item set (there was no token ever stored), and if so, we return None. We have some higher level checks that set next steps.

On line 19, we lookup when the item expiresAt, an epic time-stamp.

On line 22, we check if the token expires less than 30 seconds from now. I picked 30 seconds as a common sense default of how long the whole conversation takes to run. If the token expires 31 seconds from now, we probably don’t care, and can complete this conversation before then. If it expires less than 30 seconds from now (or is already expired), we return None.

If we get to line 29, there is a valid token, so we map it to a variable, $token, and return it.

Initially these tokens weren’t encrypted, but when I learned how powerful they were I decided to encrypt them (AES-256 using CMK KMS). We’ll talk about that soon. In future might move them to a Secrets Manager Secret…

We Found a Token - Awesome

Lets jump back to our handle_teams_event function. We’ve now either validated a token doesn’t exist ($encrypted_token == None) or it does ($encrypted_token == valid token).

We first run the logic of if there is a valid token (line 6), then we need to kick off the Worker to do the AI magic, so we register a lambda client on line 8.

Then on line 12, we add a key of “token” set to the encrypted token.

On line 15, we invoke the worker lambda - we look up the name of the Worker as an environment var injected by terraform.

Then on line 23 we return, closing out the run.

No Token - No Problem

However, if we didn’t find a token in the dynamo table, we need to do two things:

1. Store the Conversation in the conversation dynamoDB table

2. Push an SSO Card to the Teams user.

Lets jump back to the handle_teams_event where we do that.

We’re working with dynamo again, so we register a client, line 6.

Then on line 7, we put the conversation payload into the conversation dynamo table, and set the aadObjectId as the user’s object ID. This is helpfully a string that’s present in the OAuth2 token that we’ll get in a second when the user authenticates, and we can resume their conversation.

Then we need to build the SSO Card, but we need some information to do that.

We’ll grab our secrets from secrets manager using the get_secret_ssm_layer function - this is the same as I’ve covered previously in the AWS series, so I won’t cover it here. We use the lambda secrets manager AWS layer (it’s the fastest method!)

Then we load the secrets as json and disambiguate the different variables, line 9-12.

Then we get the bot bearer token that we use to send messages. We’ll use this to send the SSO Card in a second.

Lets dig into that.

This function grabs us a bot bearer token - this lets us post messages to Teams as our bot user using the BotFramework.

We set our token URL on line 4.

Expert tip - this is different for a “global” Bot vs a “regional” Bot. Generally, you should be building a Global bot - “regional” is an old standard that isn’t used much anymore.

Then on line 7 we set the scope - the permissions we want. The “.default” scope grabs all permissions available. In some use cases you’d prune permissions based on user or workload, but this Bot is only used for this workload, so we want all the permissions.

Then on line 10 we build the payload - our client ID and secret (fetched from secrets manager) and our scope (permissions to ask for).

We use the requests library to send it, line 18, and check the status response on line 19. If it fails, we throw the error.

On line 22, we extract our access_token - a token we’ll use to send messages, and then return it on line 24.

Build an IdP OAuth2 Redirect URL

Next we’ll build the auth URL - I built a function just for this because it’s so complex. Let’s zoom in on that.

On line 6 we set the scope of permissions we want (.default), which is all of them.

Then we call the function to build our OAuth URL.

We need to build an OAuth URL. That’s the VERY long URL that we’ll send to the user as a clickable button in the SSO Card. It’ll take them to the Microsoft Entra SSO (or whatever IdP you use). It needs a lot of very precise information.

On line 2, we start with a base URL - we need users to authenticate to Entra in our tenant, so we build that URL.

The URI is “/callback” - that’s our top-level URI indicator that the OAuth token is sent to our lambda.

Next up, we want to define a map of our query parameters - these are information that are going to be embedded in our URL:

• The client ID of our caller

• The response_type of “code”

• The redirect URI - to tell the IdP (Entra) where to send the OAuth2 token

• The scope/permissions we want (again, .default for all permissions, this time for the Graph API)

• The “state” which is the user’s aad_object_id

Then we encode the whole thing in valid http using the urlencode() library, line 17, and return it, line 23.

Back to our handle_teams_event function - now that we have the OAuth2 URL, we need to build a Teams Card to push to the user. We also have a function for that.

Build a Clickable SSO Card

This function builds a Teams Card that looks like the following:

The button the users can click takes them to the SSO portal with the URL we just built.

There’s not a lot here - we’re building a few text blocks that contain the weight and layout of our card, as well as a button that opens a URL, which is the Entra SSO sign-in.

We return it to the parent caller.

Here’s My Business Card

Back to our teams handler. We need to send the SSO Card to the user as a Bot post.

We identify a few required items, like the response_url (the URL we can POST a response in the same conversation to), from 2 precursor items, both provided in our Teams webhook, line 6-8.

If we get this far (line 11), we create our headers using the bot bearer token and post the card to the User, line 16.

We check for status on line 22, and throw an error if it failed. If all worked, we return, line 26.

That concludes the “Teams” workflow.

However! We haven’t handled the OAuth2 routing yet. If we receive a token from Entra, what do we do with it? Let’s cover that next.

Auth Code POST from Entra IdP

Now, what if Entra sends us a token? Well, it doesn’t. It does however, send us an “auth_token” that we can exchange for a token (big sigh, $MSFT). Lets get to it.

When the user approves the SSO login, Microsoft Entra IdP will send an auth_token payload to us on the /callback URI, so we check for that on line 4.

We look up the auth code, line 8 (yay!), as well as the aad_object_id (user’s Entra ID), line 9.

Then we build an auto-close page. We do this because the User - like, the real human user, gets redirected to our lambda function URL once they approve the SSO IdP issuance. That’s kinda weird, but we can handle it by giving them a javascript payload that’ll redirect them back to Teams and attempt to close their tab.

And zooooooming in.

SSO, Then Magically Back to Teams

This function builds an html payload with a script that redirects users to Teams, using the msteams handler. In practice, this means that after users approve the SSO prompt in their browser, their computer automatically switches back to the Teams app, which is conveniently now working on a response to their request.

It’s a really slick system.

Once we receive the html payload, we do all the auth code magic. We’ll dig into that shortly, but this function is almost complete, so lets look a bit ahead.

On line 9, we send back an http/200 and close out the page for the user.

I initially had this return happen before I worked the callback, but when lambdas send a response, they end, so I need to do the quick work of handling the auth code exchange and kicking on the Worker before we do that. In practice, that means users hang on the SSO approval screen for a second or two before the redirect loads. They barely notice.

Lets zoom in on how we handle the auth code callback.

Lets walk through how we handle an auth token from Entra.

We look up our table ARNs, line 4-5, and fetch our secret package, line 9, then disambiguate them lines 12-15. I won’t dig into this, because we did earlier.

On line 21, we do the token exchange - an auth code for an auth token that’s valid for Graph API.

Finally, The Actual Token

Exchanging the code for a token is surprisingly straight-forward. We send over the required information, we get a token back. This token is issued for the user that’s using the bot, so we can operate as that user temporarily, which is pretty cool.

Keep This Token in Your Pocket, Please

We receive the real, actual token (PHEW), so we store it and the expiration time (remember, it’s randomized so we can’t just do math), and calculate the expiration in epic time (seconds since Jan 1 1970).

This token is sensitive, and we want to write it to dynamoDB, so we need to encrypt it. To do that, we need a KMS key, so we register the KMS client, line 15.

On line 18, we encrypt our plain-text user token using the CMK KMS key, as well as our utf-8 encoded token string.

That interestingly makes it binary, which I haven’t seen before, so we need to encode using base64 to store in dynamo, which we do on line 24.

What Were We Talking About Again?

Now that we have an enciphered (with KMS) and encoded (with base64) string of a token, we store it in the “token” dynamo table. All items are stored as the aadObjectId string, which we get both from the access code as well as any Teams events, so it’s a very convenient way to map stuff.

We also store the expiresAt int in the table so we can check it later.

We assume here that we ALWAYS reach here after the user has first tried to send a message, then gotten the SSO Card redirect, so we’ve stashed a conversation, so we register a dynamo_db client to go fetch the Conversation they sent initially so we can resume it, line 19.

Wake up Worker Bot

Once we get the conversation event, we hydrate it (line 3).

We’ll want to pass this Conversation payload, as well as the token, to our Worker lambda, so we add the encrypted and encoded token to the payload, line 6.

Now we’re ready to launch the worker, so we register a client (line 9), and trigger the lambda worker, line 12.

If this works properly, the Worker is now responding, so we delete the saved Conversation item from the table for cleanup, line 23.

And that’s it!

Summary

This got WAY LONGER than I planned. There’s a lot of nuance in how Entra IdP works to issue tokens, how lambda and dynamoDB work to store and process data, and in how python can route traffic in this Receiver pattern.

I’m particularly proud of the “automatically open Teams after you authenticate” part, I find that really cool in practice.

Hopefully you have a pretty solid idea of how this pattern works and how to customize it for your user case.

In the next article we’ll go over some of the Worker items for how we look up items and respond to conversations - it’s awesome, and entirely different from Slack.

Until next time. Good luck out there!
kyler