Microsoft Bot authentication using Azure Active Directory v2 - botframework

I am using this sample (Botframework V4) https://github.com/microsoft/BotBuilder-Samples/blob/master/samples/javascript_nodejs/18.bot-authentication for performing authentication in my bot. I need a few thoughts to implement this authentication functionality for my bot.
Currently, in the sample, they are using the OAuth prompt in the main dialog file, which in the ideal case will repeat every time we chat with the bot. The things I am trying to achieve are listed below.
When the user chats with the bot for the first time, he should log in using the prompt. From the next time on, the bot should not ask for the login if he runs any dialog.
How can we keep this authentication away from dialogs? I mean it should not happen in the main dialog, which is not a recommended way to do it.
In some cases, if I keep this bot in an SSO-enabled environment, how can the bot fetch the user info without asking for login?
If there is any best practice to follow, could you highlight the same?
Let me know if you need more inputs.

Configuring an OAuth/AAD provider to enable end user sign in.
Capability: Automatic provisioning of AAD apps, and bot-optimized service for performing AAD user sign-in and SSO.
https://learn.microsoft.com/en-us/azure/bot-service/bot-builder-authentication?view=azure-bot-service-4.0&tabs=aadv2%2Ccsharp#register-the-azure-ad-oauth-application-with-the-bot

Related

How can we add a bot when we are not the owner of the server?

I'm writing a bot for someone in python using Discord.py. Kindly share some knowledge regarding this issue.
To add a bot to a server you need to firstly have the "Manage Server" or "Administrator" permission in that server.
Then head to the Discord Developer Portal > Your Application > OAuth2 and click on the scopes you need ("Bot" is the one needed for bot commands, although you will need "applications.commands" if you plan to use the new slash commands). It will generate a link that you (or someone else, if you have made it a public bot in the bot tab of the portal) can click on to add the bot to their server.
A bot must be created. To do this, log into the Discord Developer Portal and see your applications there.
To make the whole thing a bot, navigate in your application as follows:
Application - New Application - Bot - Add Bot
To add the necessary permissions I recommend the following page:
https://discordapi.com/permissions.html#
Here you will get a number spit out when you are done.
To add the bot you need the Manage Server or Administrator permission. The bot does not have to be public, because you as the owner can always add it, but not others if it is set to "Private".
The invitation link is/can be structured as follows:
https://discord.com/oauth2/authorize?client_id=ApplicationID&scope=bot&permissions=Permissions
Just add the ApplicationID (you can find it in the Developer Portal of the application under "General Information") and the permissions from the Discord Permissions Calculator to the end.
(Replace the words with your Application ID and the permission "code".)
You can't do this unless you selfbot, however this is against Discord's ToS and the account that you're using can get banned because Discord often checks for people who selfbot.

Microsoft Bot Framework authentication does not support concurrent logged in user?

I have a bot that was deployed in Azure and it was connected to Microsoft Teams. However, there's a problem with authentication. I don't know what to call it, so I'll be explaining it.
The bot was responsible for answering a series of questions. The user who chats to the bot will be asked to log in. We used the default login mechanism from the bot documentation. Single user login is fine, but when a second user from a different conversation or even a different computer logs in as well, it will overwrite the token of the first user. The state of the conversation is not affected. In this pattern, if the third user logs in, the token will be overwritten again.
Why is the token result always the same?
Use the newer Teams auth sample found here. Teams works a little differently, and needs a slightly different approach.

Chat bot single sign on

I have a bot running on a hosting page where users are logged in using SSO.
I want to authenticate the user in the bot automatically when the bot starts, and I do not want to use an AuthCard to do it. I just want to automatically authenticate the user without prompting anything to him, just using SSO.
I found an article that refers to three ways to authenticate a user in the bot:
Sharing the client's user token directly with the bot via ChannelData
Using an OAuthCard to drive a sign-in experience to any OAuth provider
A third option, called Single Sign-On (SSO), that is in development.
And, according to the article my situation is:
WebChat in an authenticated website where the user is already signed in and the website has a token to the same identity provider but to a different app that the bot needs -> in the future, this is single sign-on, but for now you'll need to use an OAuthCard.
Is there any update about this functionality? How can I authenticate the user into the bot without using an OAuthCard or a SigninCard?
Thanks in advance
Not sure if you have tried the option of using WebChat with Azure Bot Service’s Authentication, which provides built-in authentication capability to authenticate chat users with various identity providers such as AAD, GitHub, Facebook, etc.
If you are looking for this built-in feature, then probably you need to build your own custom-built solution using Google sign-in by passing the token ID of the authenticated users. Or for an Account linking OAuth2 solution as explained in this link: How to implement Login in Dialogflow chatbot.
Microsoft guys are looking at the issue now. You can track the progress here.
I implemented a solution that worked for me. I have the bot running in a .net core web app.
Here's what I did:
Generate a userId before initializing the BotApp
When the user clicks on the button to open the webchat, I'm opening an authenticated controller in a popup that receives the generated userId. The page is authenticated, so you will need to authenticate. I store the userId in my DB, along with access_token and some user information. The controller should be created in the same webapp where the bot is running.
After storing all the information I close the tab and start the BotApp with the generated userId
In bot code you will be able to query your DB (using userId).
To wait until the popup closes, you can have a look into this here.
I hope that this helps someone.
Best regards
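
The userId-to-token lookup described in the answer above, sketched in JavaScript as an added example that is not part of the original post or of the Bot Framework SDK. The `PendingSignInStore` class, its method names and the in-memory Map standing in for the database are assumptions; it shows the properties the scheme relies on: an unguessable userId, binding only after sign-in, no overwriting, and expiry.

```javascript
const { randomBytes } = require('crypto');

// Hypothetical store: an in-memory Map stands in for the database table.
class PendingSignInStore {
  constructor(ttlMs = 15 * 60 * 1000, now = () => Date.now()) {
    this.ttlMs = ttlMs;
    this.now = now; // injectable clock so expiry can be tested
    this.rows = new Map(); // userId -> { bound, accessToken, profile, expiresAt }
  }

  // Step 1: generate the userId before the bot starts. Anyone who knows it can
  // reach the stored token, so use 128 random bits, not a counter or username.
  createUserId() {
    const userId = randomBytes(16).toString('hex');
    this.rows.set(userId, { bound: false, expiresAt: this.now() + this.ttlMs });
    return userId;
  }

  // Step 2: call only from the authenticated popup controller, after sign-in.
  // Unknown, expired or already-bound ids are rejected, so a second sign-in
  // cannot overwrite another user's row.
  bind(userId, accessToken, profile) {
    const row = this.rows.get(userId);
    if (!row || row.bound || row.expiresAt < this.now()) return false;
    this.rows.set(userId, { ...row, bound: true, accessToken, profile });
    return true;
  }

  // Step 4: bot-side lookup by the userId the chat was started with.
  lookup(userId) {
    const row = this.rows.get(userId);
    if (!row || !row.bound) return null;
    if (row.expiresAt < this.now()) {
      this.rows.delete(userId); // drop expired tokens instead of serving them
      return null;
    }
    return { accessToken: row.accessToken, profile: row.profile };
  }
}

// Constructed sample values, not real tokens.
const store = new PendingSignInStore();
const alice = store.createUserId();
const bob = store.createUserId();
store.bind(alice, 'token-for-alice', { name: 'Alice' });
store.bind(bob, 'token-for-bob', { name: 'Bob' });
console.log(store.lookup(alice).profile.name, store.lookup(bob).profile.name);
```

In a real deployment the rows would live in the database the answer mentions, with the access token encrypted at rest.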

What's the best way to ask a user for an API Key when setting up a Slack App?

Just looking for some general advice here.
I want to build a Slack app and publish it publicly to the Slack App Directory, for anyone to use. The basics of the app are:
When you paste a link to a specific domain in a Slack message, a bot will fetch additional information about that link from a Rest API my company built.
The roadblock I'm running into is that our Rest API uses Basic Auth for authentication, and I can't figure out how or where in the Slack App setup flow to ask the user to enter their API key.
Does anyone have any advice on how to ask for user input when setting up a Slack app, so that the user can enter their API Key for our REST API?
Thanks!
OK, I will assume that the API key is individual to each user.
I would suggest asking for the API key as part of the installation process for your Slack app on your website and then storing the connection between Slack user ID and API key as part of the installation process. It is in fact possible to have individual installations of the same Slack app to a workspace for each user. This is called "configurations" (e.g. the Twitter app for Slack is using this feature).
This requires each user who wants to use the app to go through the installation process, and also all users need to have permissions to install this particular Slack app (which can be configured by an admin).

Google Apps Marketplace SSO requirement

I am considering developing an application for the Apps for Business Marketplace. I see that new rules take effect on November 19th. Referring to the new documentation (https://developers.google.com/apps-marketplace/) I do not see that any SSO requirement exists. There is a lot of talk about migrating to new sign on methods, but I see no mention of sign on requirements.
What are the sign on requirements as of November 19th?
If SSO continues to be required or if I publish before Nov. 19th, my application requires a security token from my API in order to carry out API exchanges. To get this token a user/pass exchange is required one time. They would never need to enter a user/pass for my app after that. Will a one time exchange for the security token be denied under an SSO requirement?
For example the statement regarding SSO that an app cannot do is:
The end user should not be required to enter a username and password when invoking an application from within Google Apps. (https://developers.google.com/google-apps/marketplace/sso)
In my case it would not be required for the user to enter every time, just on the initial creation of the account. After that I would retain the token from my site, encrypted with the Installed App.
Would my app be denied for requiring this one time exchange under the SSO policy?
Mark
You will have to use SSO (or should if at all possible) -- see this part of the documentation: Besides, that is a better practice and should make your users feel more trust for your application.
From what I gather (note that I'm building my first marketplace app) you should not prompt users to enter username/password on your site. I am creating a user record & storing the token behind the scenes. So the user sees the Google authorization screen, agrees to let my app use some data, accepts and signs in right away without any prompt to create an account. After this, the user will not be prompted in the future because I have their Google ID linked to a user record.
From their site - https://developers.google.com/google-apps/marketplace/sso#user_experience
As long as you don't have any intermediate screen, your app should be approved.
