I have a Teams bot, and what I'm trying to do is show some personalized content in a static tab, like a list of the user's orders. I found a pretty good description of how to do it here: Get context for your tab.
In the bot manifest I set contentUrl to https://domain/page?tenantId={tid}&userId={userObjectId}. It works pretty well. So I have a tab in Teams which opens a web page with tenantId and userId. The user has also signed in to my web application, and I have a connection between userId and the user in my system.
So the flow I want to have is:
- The user logs in to the app through the bot
- The user places an order using the bot
- The static tab shows the status of the orders placed by the user.
But is there any way to verify that the URL is called from the bot? I mean, that the user who is opening the tab is really who they pretend to be? I don't want to show personal information to some random user who knows the URL. Or should I rely on tenantId and userId being secret?
CodePudding user response:
This is not only possible, it's highly advisable for exactly the reason you state: anyone could craft the URL to your system and access the data on behalf of any other user. The solution to this is to implement Tab SSO. Even though you might have implemented SSO for your Bot already, it's a separate process to do it for your tab, because it's a different context altogether.
To do this, have a look at the official docs: https://docs.microsoft.com/en-us/microsoftteams/platform/tabs/how-to/authentication/tab-sso-overview as well as this great overview video: https://www.youtube.com/watch?v=kruUnaZgQaY