Enabling Single Sign on within Teams for botframework virtual assistant - botframework

I created a virtual assistant with the ITSM skill attached with Token Authentication enabled and the bot runs well when using direct line through a browser.
Next, I added it into Teams and after a bit of troubleshooting, I got it working. I authenticated and could interact with the VA and the Skill. The next day, however, I was unable to get the bot to prompt for authentication, and by then my token authentication had expired. Next, to verify I had a fix for this issue, I found that if I completely cleared my MS Teams cache and my browser directories via the URL below, my authentication request prompted this time and I was again able to log in and the bot worked correctly. So my question is: what causes the token in Teams to not be able to re-prompt, can this be fixed, and/or is the right way to do authentication in Teams to use a Single Sign-On solution? If so, how does one do that in Teams with a Virtual Assistant from the Bot Framework?
https://commsverse.blog/2018/09/28/clear-the-microsoft-teams-client-cache/

Related

Amazon Cognito as Generic OAuth2 Provider for Bot from MSBotFramework in Teams

I've put together this sample to integrate a bot in Microsoft Teams:
https://github.com/microsoft/BotBuilder-Samples/tree/main/samples/csharp_dotnetcore/46.teams-auth
Good news is, it works just fine out of the box with an Azure AD Connection as OAuth2 sign-in.
We use Amazon Cognito User Pools, and in order to call queries and other things, I need to be signed in, for obvious reasons. Therefore, I've tried configuring another connection, this time with a Generic OAuth2 Provider since Cognito is not in the list.
These are my connection settings for the Generic Provider
I've hidden the actual IDs for obvious reasons, but the core URLs are present, as stated in the Cognito docs.
I've also added "token.botframework.com" and "*.amazoncognito.com" in the validDomains list of the manifest.
Now, when I click on the sign in card button, the popup opens, but I'm getting a redirect_mismatch error in the URL, like so
I have looked up the reason for this error, and it is stated that the redirection URL must match at least one of the callback URLs in the Cognito App Client corresponding to the provided ID.
However, in the sample's code for the bot, I can't seem to see where you specify such a callback URL when dealing with the OAuth Prompt directly.
Any wizards in here have ideas about this? I would greatly appreciate any and all help.
Thanks!
EDIT
As requested, here's the settings page for the app client
Given that it's an MS Teams app, I have ngrok tunnels set up for traffic, so I put both URLs in there just to be sure... localhost:3000 is actually where the ngrok.io tunnel points to.
And here is proof that our Hosted UI, when opened from the User Pool, actually shows up, and at a redirect_uri of localhost:3000/
(Posting my comment above as an answer, since it seems to have solved the issue.)
When using the built-in auth support in Azure Bot Service, it fully handles the auth redirects. So your registered redirect URL ("callback URL" in Amazon Cognito?) should be https://token.botframework.com/.auth/web/redirect. This should have been your redirect URL when you tried it with AAD too, as indicated in the Bot Framework documentation for adding authentication to a bot.

Microsoft Bot authentication using Azure Active Directory v2

I am using this sample (Botframework V4) [https://github.com/microsoft/BotBuilder-Samples/blob/master/samples/javascript_nodejs/18.bot-authentication][1] for performing authentication in my bot. I need a few thoughts on how to implement this authentication functionality for my bot.
Currently in the sample, they are using the OAuth prompt in the main dialog file, which in deal case will repeat every time we chat with the bot. The things which I am trying to achieve are listed below.
When the user chats with the bot the first time, he should log in using the prompt. From the next time on, the bot should not ask for the login if he runs any dialog.
How can we keep this authentication away from dialogs? I mean it should not happen in the main dialog, which is not a recommended way to do it.
In some cases, if I keep this bot in an SSO-enabled environment, how can the bot fetch the user info without asking for login?
If there is any best practice to follow, could you highlight the same?
Let me know if you need more inputs.
Configuring an OAuth/AAD provider to enable end user sign in.
Capability: Automatic provisioning of AAD apps, and bot-optimized service for performing AAD user sign-in and SSO.
https://learn.microsoft.com/en-us/azure/bot-service/bot-builder-authentication?view=azure-bot-service-4.0&tabs=aadv2%2Ccsharp#register-the-azure-ad-oauth-application-with-the-bot

Bot Authentication

I am trying to authenticate a user from my bot using Azure Active Directory.
I have done all the steps accordingly as per the official documentation.
Unfortunately, while I run the bot emulator it doesn't prompt for user login or anything, it only shows 401 directline.conversationUpdate. See the screenshot below:
I am trying this example from GitHub
Note: I have also integrated ngrok exe and configured like below:
Based on your capture, please check that you have configured your app id and secret correctly, as a 401 error means you have not authorized successfully. At this point, the most related thing here is the app id and secret.
You can find the app id here in your bot:
And click "Manage" to create a secret.
Once the auth card prompts, please make sure that the account you log in with belongs to the tenant that you configured in OAuth Connection Settings on the Azure portal.

Chat bot single sign on

I have a bot running on a hosting page where users are logged in using SSO.
I want to authenticate the user in the bot automatically when the bot starts, and I do not want to use an AuthCard to do it. I just want to automatically authenticate the user without prompting him for anything, just using SSO.
I found an article that refers to three ways to authenticate a user in the bot:
Sharing the client's user token directly with the bot via ChannelData
Using an OAuthCard to drive a sign-in experience to any OAuth provider
A third option, called Single Sign-On (SSO), that is in development.
And, according to the article my situation is:
WebChat in an authenticated website where the user is already signed in and the website has a token to the same identity provider but to a different app that the bot needs -> in the future, this is single sign-on, but for now you'll need to use an OAuthCard.
Is there any update about this functionality? How can I authenticate the user into the bot without using an OAuthCard or a SigninCard?
Thanks in advance
Not sure if you have tried the option of using WebChat with Azure Bot Service's Authentication, which provides built-in authentication capability to authenticate chat users with various identity providers such as AAD, GitHub, Facebook, etc.
If you are looking for this built-in feature, then probably you need to build your own custom built solution using Google sign-in by passing the token ID of the authenticated users. Or for an Account linking OAuth2 solution as explained in this link: How to implement Login in Dialogflow chatbot.
Microsoft guys are looking at the issue now. You can track the progress here.
I implemented a solution that worked for me. I have the bot running in a .NET Core web app.
Here's what I did:
Generate a userId before initializing the BotApp.
When the user clicks on the button to open the webchat, I'm opening an authenticated controller in a popup that receives the generated userId. The page is authenticated, so you will need to authenticate. I store the userId in my DB, along with the access_token and some user information. The controller should be created in the same web app where the bot is running.
After storing all the information, I close the tab and start the BotApp with the generated userId.
In the bot code you will be able to query your DB (using the userId).
To wait until the popup closes, you can have a look here.
I hope that this helps someone.
Best regards

Visual Studio OWIN OAuth provider keeps authenticating

I'm currently working on a VSTS Application, but every time I try to Login using my Visual Studio account, it keeps showing the Authorization dialog again. I have to re-authorize my App every time, which keeps generating authorizations on my Visual Studio profile, where the App is registered.
I'm using the OwinOauthProvider for Visual Studio.
https://github.com/TerribleDev/OwinOAuthProviders/tree/master/src/Owin.Security.Providers.VisualStudio
Is there any way to configure the provider to just authorize once and use the authorization for subsequent logins? Or any other suggestions to create a single sign-on from my App and connect to the VSTS APIs?
UPDATE:
Additional links on the issue:
https://github.com/TerribleDev/OwinOAuthProviders/issues/135
https://visualstudio.uservoice.com/forums/330519-team-services/suggestions/9261621-bypass-oauth-grant-step-for-previously-authorized
(vote for it if you're experiencing the same)
There is an access token and a refresh token; the access token will expire after an hour, but the refresh token will expire after one year.
So, you can refresh the access token using the refresh token instead of letting the user authorize again.
Based on this thread (VSTS API Refresh Token Expires), Christopher said that:
We obviously must honor the user's right to revoke a previously granted authorization
Update:
I analyzed the whole workflow; that is by design. When you request the VSTS external login, the accept page is required; you can't control it in your code or in other ways.
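The refresh approach from the answer above, as an added example rather than the answerer's or the OWIN provider's code: the app keeps the refresh token from the single interactive authorization and renews the access token shortly before it expires. The token endpoint and form fields are assumed from the Azure DevOps OAuth documentation, and `post` is an injected function so the example runs without network access.

```javascript
// Added example, not part of the original answer.
const TOKEN_ENDPOINT = "https://app.vssps.visualstudio.com/oauth2/token"; // assumed per Azure DevOps docs
const SKEW_MS = 60 * 1000; // renew a minute early rather than racing the expiry

// Token set as stored after the one interactive authorization. The provider
// reports expires_in (seconds); we store an absolute expiry for later checks.
function makeTokenSet({ access_token, refresh_token, expires_in }, issuedAt) {
  return { accessToken: access_token, refreshToken: refresh_token,
           expiresAt: issuedAt + expires_in * 1000 };
}

function needsRefresh(tokens, now) {
  return now + SKEW_MS >= tokens.expiresAt;
}

// Form body of the refresh request (grant_type=refresh_token). The app secret
// goes in the POST body as the client assertion, never in a query string or URL.
function buildRefreshBody(appSecret, refreshToken, redirectUri) {
  return new URLSearchParams({
    client_assertion_type: "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
    client_assertion: appSecret,
    grant_type: "refresh_token",
    assertion: refreshToken,
    redirect_uri: redirectUri,
  }).toString();
}

// Returns a usable token set, refreshing only when needed. A failed refresh
// (for example the user revoked the grant, which the provider must honour)
// yields null, so the caller falls back to the interactive authorization once
// instead of looping on a dead refresh token.
// `post(url, body)` is injected and returns the parsed JSON reply (synchronous
// here to keep the example self-contained).
function getValidTokens(tokens, { appSecret, redirectUri, post, now = Date.now() }) {
  if (!needsRefresh(tokens, now)) return tokens;
  const reply = post(TOKEN_ENDPOINT, buildRefreshBody(appSecret, tokens.refreshToken, redirectUri));
  if (!reply || !reply.access_token) return null;
  return makeTokenSet(reply, now);
}
```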
