【问题标题】:Microsoft Teams to ServiceNow IntegrationMicrosoft Teams 到 ServiceNow 集成
【发布时间】:2018-10-08 18:05:07
【问题描述】:
我目前正在尝试集成 Microsoft Teams 和 ServiceNow。我能够向团队发送 HTTP 请求并创建连接器卡(通过传入的网络挂钩连接器)。此卡有一个可操作的消息,它将执行 HttpPOST 返回到 ServiceNow 的处理器路径。在这个处理器中,我能够获得包含不记名令牌的授权标头,据我所知,这是一个 JWT 令牌。所以下面是我的问题:
1) 出于安全考虑,我应该验证此 JWT 令牌吗?我试图这样做,因为看起来我需要来自 MS Teams 的共享秘密,而我没有。
2)我这样做正确吗?也许我需要在 MS Teams 中设置一个提供客户端 ID 和 Secret 的机器人,然后在 ServiceNow 中设置 OAuth?
非常感谢您的意见!
【问题讨论】:
标签:
jwt
servicenow
bearer-token
microsoft-teams
【解决方案1】:
请看Security requirements for actionable messages in Office 365
这是Token Validation的C#示例代码:
HttpRequestMessage request = this.ActionContext.Request;
// Validate that we have a bearer token.
if (request.Headers.Authorization == null ||
!string.Equals(request.Headers.Authorization.Scheme, "bearer", StringComparison.OrdinalIgnoreCase) ||
string.IsNullOrEmpty(request.Headers.Authorization.Parameter))
{
return request.CreateErrorResponse(HttpStatusCode.Unauthorized, new HttpError());
}
// Get the token from the Authorization header
string bearerToken = request.Headers.Authorization.Parameter;
ActionableMessageTokenValidator validator = new ActionableMessageTokenValidator();
// This will validate that the token has been issued by Microsoft for the
// specified target URL i.e. the target matches the intended audience (“aud” claim in token)
//
// In your code, replace https://api.contoso.com with your service’s base URL.
// For example, if the service target URL is https://api.xyz.com/finance/expense?id=1234,
// then replace https://api.contoso.com with https://api.xyz.com
ActionableMessageTokenValidationResult result = await validator.ValidateTokenAsync(bearerToken, "https://api.contoso.com");
if (!result.ValidationSucceeded)
{
if (result.Exception != null)
{
Trace.TraceError(result.Exception.ToString());
}
return request.CreateErrorResponse(HttpStatusCode.Unauthorized, new HttpError());
}