I have a bot command that needs users to sign in first in order to get the answer. For example, if the user types "list my saved movies", the bot will send a sign-in card with a sign-in button. After the user signs in, the bot should give the user the answer to the original command, but currently I don't know how to do that yet. Do you have any idea how I can achieve this?
The Bot Framework includes the ability to save different kinds of state, most particularly "user" state, which is tied to the user themself, and conversation state which is tied to just a particular conversation. One of these, in particular conversation state, could be useful - you could save the command into conversation state, do the signin, and then check from there what command triggered the signin and therefore what to do next. I haven't done a lot of work with signin, but I think that should work. More info on this is available at save user and conversation data.
Just to confirm, I see you've tagged the question with MSTeams, so I assume the command you're offering the user requires access to, say, the Microsoft Graph or similar? I'm asking because you don't necessarily need to authenticate the user per se, if they're just accessing data in your own database, as an example - they're authenticated via the Teams client already - you'd want signin, I guess, in order to get a token so that you can call something else on behalf of the user (e.g. OneDrive)?
Hope that helps
I am developing an ASP.NET Core web application with user management functionality. My question is about the email address change algorithm. Almost every web app I have seen has the following flow:
User authorized
User requested an email address change
User received a message on the new mailbox with the confirmation link
User clicks the link and the email address updates
But I think this algorithm might be a bit insecure, and that is what I want to discuss here.
How about this flow:
User authorized
User requested an email address change
User received a message on the old mailbox with the confirmation link
User received a message on the new mailbox with the second confirmation link
User clicks the link and the email address updates
With this additional step in the middle of the algorithm, things may be much better from the security perspective, but would it be too complex or not? Which algorithm do you think I should implement? And what would you prefer if you were in my shoes?
The second option might sound great, and it's not too much of a headache to implement either. But I'll stick with the first approach for a few reasons:
Common workflow pattern.
As the backend can be written in many languages, by various developers, a common pattern makes things more standard when we need some kind of migration, or even maintenance by a new developer. If the project doesn't require an ultra-secure authentication flow, the simplicity of the first approach is enough.
From the user convenience perspective
Let's just imagine, when changing an email address, in what case the user likely wants to change it. I registered my Facebook account long ago using Yahoo mail, which is no longer active, and I need to switch to a Gmail one. What's the point of sending the email back to the old one? Cumbersome... and I can do nothing in this case except get some help from the staff.
I totally agree with the second approach from the security angle. But that's not suitable for most cases; only implement it if the project has such a requirement. And even in that case, I suggest not doing that either: build something like a sub-admin account role and grant permission to someone responsible. Like Google enterprise email organizes some accounts called admin in case anything goes wrong with a user account. As long as it has this kind of security level requirement, it's not going to serve a massive number of users.
The intention of the whole flow
The user got authorized first, right? That means we identified who the user is and what she is capable of doing. Imagine when we hire a hotel room and then request to change to another for some reason. What's the point of proving that I booked my own room, since we all know that's the fact? Kind of weird... right?
In conclusion, I think we shouldn't mess with something that has become a common, widely acknowledged pattern, unless we have some special requirements, the project has something unique to satisfy, and we, as developers, consider that reasonable.
The main problem with this approach is: what happens if the user no longer has access to their original email account? Perhaps it was a work/school/uni account that they no longer have, or perhaps they've just forgotten their password or otherwise lost access to it.
With your second approach, they are not going to be able to update to the new account, because they'll never receive the first confirmation link.
How about the following approach instead:
User requests an email change.
Require the user to re-authenticate with their current password (just like when they change their password).
Send a confirmation link to their new email.
Send a notification to their old email, with the details of the change, and instructions of what to do if they didn't initiate the change.
User clicks the link to update or contacts your support to say their account has been compromised.
This way you still provide them with an alert that someone is trying to change their email (and potentially a means to stop it), but a user who has lost access to their old account will still be able to update their email.
I have a bot that was deployed in Azure and connected to Microsoft Teams. However, there's a problem with authentication. I don't know what to call it, so I'll explain it.
The bot was responsible for answering a series of questions. The user who chats with the bot will be asked to log in. We used the default login mechanism from the bot documentation. A single user login is fine, but when a second user from a different conversation or even a different computer logs in as well, it overwrites the token of the first user. The state of the conversation is not affected. In this pattern, if a third user logs in, the token is overwritten again.
Why is the token result always the same?
Use the newer Teams auth sample found here. Teams works a little differently, and needs a slightly different approach.
In the documents of Google One-Tap sign in, it says:
Returning users are signed in automatically, even when they switch devices or platforms, or after their session expires.
Question 1:
But it doesn't say anywhere how it does this. Is the user's refresh token saved in the browser's cache? How can it then auto log in a user across devices?
Question 2: The reason I ask is because I have a setup where I initialize the Google API client for JavaScript ("GAPI"). The GAPI library also automatically logs in a user whenever the client is "initialised" through gapi.client.init().
Now the problem is that after I have added the Google One-Tap code (Or should I say "YOLO code"? : ) my user gets logged in through One-Tap and also through GAPI. I can prevent this by not initializing the GAPI client, but I don't think that's wise, because I thought this whole library is built to manage my refresh tokens etc. Is my understanding correct that One-Tap does exactly the same and in case I only want to Authenticate users I do not need the GAPI client anymore?
Really, which library does a better job at managing my refresh tokens? And how do they differ? I'm clueless...
The way I implemented my login is the following:
Try to log in the user first using gapi.auth2. Maybe the user was previously signed into the site.
If the user can't be logged in automatically, then use googleyolo to try to find existing user accounts.
If no existing accounts, then present a signin button for user to signin.
I can give you some code snippet if you need.
To answer your questions.
#1, the credential is stored within the browser/device. If the user has never signed into Google on a device, then yolo won't be able to sign in the user.
#2. googleyolo will also log in the user; the difference is that it will show the account selector even if there's only one user to select (it will automatically log in the user if there's only one). gapi simply signs in the user without showing anything.
As the title says. This is the condition I have.
I wanted to make an approval token before a user can do certain things. Here's my situation:
I have a web application made with Laravel 5.1
All users are already authenticated before they can use the web app
Before the user does any large transaction, the user needs approval from a supervisor and in some cases the director (software side). This is a preventive measure against fraud and employees stealing money.
Now I've been looking at a few solutions, but all that I've found are for further authenticating users when they log in. I'm not sure I can modify them to do what I want.
Here are some of the solutions I've been reading:
google 2fa
authy
This is the workflow I imagine to fulfill my need:
The user opens the web application and authenticates using their credentials
The user navigates to a certain page and does a large transaction.
Before they press the "submit" button, the supervisor or the director must enter some kind of token (a one-time password perhaps) before the submit button activates.
On the server side, the application processes all the inputs and authenticates the token (one-time password); if the token (one-time password) checks out, everything runs.
Can anyone give me suggestions about the workflow? And is there any solution to fulfill the needs?
I'm open to any suggestion.
Thank you very much.
*disclaimer: Sorry if the grammar is wrong or some things are confusing, English is my 3rd language.
The customer wants to restrict duplicate logins for the app: once a user logs in from another phone, the session on the previous phone should be invalidated.
But I can't find an API in Worklight to do this. Besides using push, are there any other suggestions? Thank you very much.
Worklight indeed does not provide any API for this type of scenario.
Here is what I am thinking as an example of what can be done:
Device #1 is an Asus, device #2 is an LG
As the user logs in, you will store the device information in the Worklight database (using WL.Client.setUserPref)
When the user tries to log in again from another device, you could pull the existing pref (using WL.Client.getUserPref) and compare the device types
If they are not the same, logout current userId and re-login
(Consult the user documentation for additional API methods around userpref)
This could be a way to ensure the user is logged only from one device.
You could also use the userId associated with the deviceId and update upon every login if (currentDeviceId != latestDeviceId) logout(); and so on...
Here I have posted an implementation mechanism that came to my mind.
It's still a suggestion.
Whenever a user tries to log in, an entry can be made in the backend [DB/web service] that records the user/device information.
If the user info already exists, then you can prompt a dialog box to the user: "The account has already been logged in; if you continue to log in, the previous session will be logged out", and trigger a push notification to the previously logged in user's device if the user continues.
Now a notification will reach the previously logged in device. Here you can implement the logic to execute WL.Client.logout(realm, options).
It would be great if someone posts a better answer than what I did.
And also let me know if my suggestion was helpful or not.