I couldn't find documentation describing the auth flow of the bot.
Could you please point me to it and/or describe it?
What I am interested is if the context that I get in TurnActivity can be trusted or not?
In other words, can I be sure that the message I received is really from the user with the given ID and email, or can an attacker spoof that message altogether and send it to my bots rest endpoint?
Goal
Why I am asking is that I will get users to login to a 3rd party service and associate their token to access the date in 3rd party service with user in teams that I get from message context.
The data in 3rd party service is secret so should not be possible to access for other users.
My question is when we get the REST call on our botframework message endpoint if the context comes as part of say JWT token that the SDK verifies against Microsoft identity provider and hence cannot be faked. Or is it just a simple field in body of the call. In the second case it would be pretty easy to fake the context and then through the bot get access to protected data.
Related
As my app is designed using flutter and all my app endpoints are created using Springboot. So can call direct APIs using Feignclient in Springboot to create my own endpoint to list all the envelopes for one recipient?
Do we have any endpoint to get all the envelopes by using the recipient name or email id? for example XYZ user needs to sign in 2 envelopes then using XYZ can we be able to fetch those 2 envelopes?
Yes, you are very welcome to call the eSignature REST API directly and not use an SDK. Use API version 2.1. About half of the developers who use the API do so directly.
Updated: authentication
To call the eSign REST API, each of your API calls must include authentication via an access token. You can obtain an access token via an OAuth flow.
If your users have DocuSign user accounts, then they should login/authenticate via Implicit grant assuming that you're using Flutter for a mobile app.
If your users don't have DocuSign accounts (they are signers, not senders), then you need to have a backend server that can securely use the JWT grant flow to obtain an access token on behalf of a "system" account such as "finance#example.com"
If you have questions about authentication, please open a new question on StackOverflow.
https://developers.docusign.com/docs/esign-rest-api/reference/envelopes/envelopes/liststatuschanges/
This endpoint has lots of filtering options including:
email={email_address} Limit results to envelopes sent by the account user with this email address.
user_name must be given as well, and both email and user_name must refer to an existing account user.
user_name={user_name} Limit results to envelopes sent by the account user with this user name.
email must be given as well, and both email and user_name must refer to an existing account user.
I'm sorry if this question is asked before, but I'm still confused.
I'm currently creating a REST API with laravel. I'm using passport to secure the API-endpoints. The API should be used/accessed from several websites and SPA's. BUT all this sites need to access the API on there own behalf. So there is no user that need to sign in! I found a lot of tutorials that cover the topic of authorization and authentication but only on behalf of a user.
So my question is: What oauth grant type shoud i use to secure my API considering that all api consumers act on there own behalf?
I tried to use the client credential grant because the documentation said that
The client credentials grant is suitable for machine-to-machine authentication.
But that creates a bearer token and it seems not save to store it in a SPA or generally on client side.
Has someone experience in this topic and can please provide an answer (maybe with a short explanation)?
A simple example of how I want to use some endpoints of the API to provide some context:
I created a location endpoint that receives a zip code and returns all the relevant places. I want to use this in a form. So that the user inputs his zip code and dynamically receives all the places in a select box, so that he can choose one and proceed with the form.
Thanks in advance!
I want to build a web application in Go. I'm using Google App Engine for deployment combined with Identity Aware Proxy (IAP) to authenticate user access.
I want to know how to access the authentication to get the user email, which I can link to app data stored in a back end database. Essentially I want to avoid my users logging in and then having to authenticate again to get their profiles from the back end.
I have looked into the IAP documentation and I can see it uses JWT Headers and that is where my knowledge lacks. My guess would be a link to the incoming request which accesses those headers to get the email.
I have successfully implemented Google Login in my web application, using OAuth 2.0 for Client-side Web Applications. For most needs, I just need to have the user log into my application once, and I pass the id_token back to my server to authenticate it, and give back a JWT token to the front end on success. The user doesn't have to log every time they visit the page by storing that JWT token in the browser.
Now I want to build some additional capabilities into my application that require me to act on behalf of the user, and so I have to incrementally ask for additional scopes. I think I have a handle on that aspect.
On the client side, I gain consent to use a Google API on behalf of a user, and then use the Bearer token I get back to make a request to that API, then I get back an object from Google.
Now I want to convey that object to my server (my back-end) to store some information in my database associated with the user that is logged into my system. How do I authenticate, on my server, that the object I got back from Google, by proxy through the browser, actually belongs to the user who is conveying it to my server.
What's to stop someone from using cURL with their valid JWT token to my server and conveying some arbitrarily constructed Google object of their own creation. I don't see anything in the Google response object that I can verify its authenticity on my server (like I can with the id_token I get from their successful login, as described here). Perhaps there is a 'sub' field (which I think is Google's notion of identity) on the object which at least lets me know it belongs to the Google User, if I can trust the object's authenticity in the first place.
Can anyone set me straight and give me a reasonably intuitive mental model to organize my thoughts around, and tell me if I'm way off base with my concerns here, or if I'm approaching this from an entirely wrong vantage point?
I'm developing an application that utilizes Google sign-in and the Gmail API. My test users, once logged in, keep receiving an email like the attached file.
Other applications with similar functionality (basic email access) do not seem to trigger these emails. Any ideas? It makes my app seem less trustworthy.
One possibility is that you are obtaining tokens with offline=true indicating a requirement to use the refresh token to renew expired access tokens. If you only require short-term access, perhaps you should remove the offline parameter in the construction of your auth request link.
In this scenario once the access token expires, then the scope will no longer be usable or renewable and so your end-users should not receive the alert emails.