AAD Authentication Directline & Teams, Disable Security Code - botframework

I would like to have users authenticated in a v4 bot in both Teams and Directline (rendered on webpage) with as little user interaction as possible. My code is based on MS BOT Samples Github: BotAuthenticationMSGraph and has not changed at all besides configuration settings.
Right now, the directline pops up an extra tab, if needed presents username/password signin, and always presents six digit code for the user to copy/paste into the chat window. This completes authentication.
Right now, on Teams, the operation is the same aside from a problem where after entering credentials (if needed), the popup then closes before the code can be seen. However, if I complete the process manually in a browser, pasting the code into Teams successfully completes the signin.
How can I disable the need for a six digit code? Additionally, if anyone knows a fix to prevent the Teams signin popup from closing early let me know.

You can make use of OAuthCards for authentication in Microsoft Teams.
https://github.com/Microsoft/BotFramework-WebChat/issues/1001#issuecomment-434530463 is a solution which involves webchat which works with AAD and no magic code.
https://github.com/Microsoft/BotBuilder/issues/4632#issuecomment-441957719 (refer to #compulim's comment here, who is the developer of Web Chat and has specified the steps to eliminate the magic code flow).
Additionally, this explains about the mechanism that’s both more secure and users do not need to deal with any “magic code”.
Also, if your browser is set to block 3rd party cookies, it will again fall back to the magic code flow.
With regards to your last question about the Teams signin popup closing early, refer to this GitHub issue which deals with a similar issue.
Hope this helps.
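The answer above points to a flow without the magic code. As an added example (not code from this thread or from Web Chat), here is the server-side half of Direct Line's enhanced authentication: the server mints a token bound to an unguessable user ID, so a sign-in cannot be redeemed from someone else's conversation. It assumes enhanced authentication is enabled on the Direct Line channel and Node 18+ for fetch; the helper names are hypothetical.

```javascript
// Added example: mint a Direct Line token bound to a user ID, server-side only.
const crypto = require("node:crypto");

const TOKEN_URL = "https://directline.botframework.com/v3/directline/tokens/generate";

// Direct Line only honours a token-bound user ID that starts with "dl_".
// 128 random bits keep the ID unguessable by other visitors.
function newUserId() {
  return "dl_" + crypto.randomBytes(16).toString("hex");
}

// Build the request the server sends. The channel secret stays in this header
// and must never be shipped to the browser.
function buildTokenRequest(secret, userId, trustedOrigins) {
  if (!userId.startsWith("dl_")) throw new Error('user ID must start with "dl_"');
  for (const o of trustedOrigins) {
    // Accept bare origins only (scheme://host[:port]), no path or trailing slash.
    if (new URL(o).origin !== o) throw new Error("not a bare origin: " + o);
  }
  return {
    url: TOKEN_URL,
    method: "POST",
    headers: { Authorization: "Bearer " + secret, "Content-Type": "application/json" },
    body: JSON.stringify({ user: { id: userId }, trustedOrigins }),
  };
}

// The only fields the page's JavaScript needs: the short-lived token and the
// same user ID, which Web Chat must use when it connects.
function clientPayload(tokenResponse, userId) {
  return { token: tokenResponse.token, userId };
}

// Called from the site's own token endpoint (secret read from server config).
async function mintToken(secret, trustedOrigins) {
  const userId = newUserId();
  const { url, ...init } = buildTokenRequest(secret, userId, trustedOrigins);
  const res = await fetch(url, init);
  if (!res.ok) throw new Error("token generation failed: " + res.status);
  return clientPayload(await res.json(), userId);
}
```

If the browser blocks third-party cookies, the fallback to the magic code described in the answer still applies.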

Related

Get refresh tokens of Microsoft Graph API with OAuthPrompt

I'm creating a MS Teams bot which periodically checks the users' Outlook calendar by background threads spawned after the user logs in via OAuthPrompt.
To implement the feature, it seems that I have to configure an OAuth connection setting and an app registration supporting offline_access. Then, get a refresh token when getting an access token, according to Get access on behalf of a user.
But as long as I tried the example bot, the result of OAuthPrompt doesn't contain a refresh token. And I couldn't find the documented way to get it.
How can I achieve the goal? Do I need some hack on OAuthPrompt or some related classes? Do I have to build cards from scratch?
I concluded that we can't get refresh_token with OAuthPrompt from investigation. So I came up with a different way to achieve the goal.
The key idea is creating a tiny web app just for the "Sign in with Microsoft account" feature, which can easily get refresh_token as ordinary web apps.
Here is the example app: https://github.com/igrep/example-teams-bot-with-ms-account-refresh-token
The sample which you are using is for most of the channels, but Teams behaves differently. An Invoke Activity is sent to the bot rather than the Event Activity used by other channels. This Invoke Activity must be forwarded to the dialog if the OAuthPrompt is being used.
Refer to this documentation for adding authentication to your MS Teams bot, which makes use of Teams-auth sample.
For a better understanding of how OAuth works in MS Teams, you can refer to this documentation which explains the authentication flow.
Hope this helps!!
alwaysPrompt flag should be false. Then OAuth prompt will get refresh tokens silently without prompting login card.
Please refer to the answer on GitHub about this issue.
Bot composer OAuth refresh token
Another idea has flashed into my mind while writing this comment: running a dialog including OAuthPrompt in a TurnContext made with a ConversationReference, which is saved and passed to the background thread, may work. (But I have no time and no motive to try!)
In my case, I needed the refresh_token to get access tokens for other Microsoft resources like Exchange; the solution was to use:

    // Request AAD access tokens for several resources through the same OAuth connection
    const tokenResponses = await context.adapter.getAadTokens(context, this.connectionName, [
        "https://outlook.office365.com",
        "https://graph.microsoft.com",
    ]);

How Can I Cancel The OAuth Consent Verification Process?

I was testing functionality on a website that I'm developing that allows the user to sign in using their Google account. I filled in the "OAuth consent screen" in the Google Developer's Console, including all of the URLs to allow Google to redirect a user back to my website with the necessary OpenID information. Everything works, but I used test URLs on the "OAuth consent screen". Afterwards, I made the very costly mistake of clicking the button at the bottom of the screen labeled Submit for verification. I should have clicked the button labeled Save. The URLs on my OAuth consent screen all have internal hostnames, so they're not accessible from the Internet. Is there any way that I can cancel the request to Google for verification? The page is currently frozen, and it won't let me change any of the URLs until I inevitably fail the verification process. There is also a message that states that verification may take up to 4-6 weeks, which is a long time to wait for something with a known outcome...
I know this may not be the right forum for this question. However, Google's own support page links to StackOverflow, and I'm sure web developers must encounter this problem quite frequently. I tried looking on Google's FAQ pages, but didn't see anything about canceling the verification process. It's quite possible that I missed something....
Edit: I've received an e-mail from the Google Cloud Platform notifying me that my request to have my app verified has been denied. This makes sense, since I completed the Consent form with incorrect test URLs. However, the Save button on the OAuth consent screen is still disabled. The screen appears to be in the verification process. Perhaps this is the intended workflow for the screen. At any rate, the original request for verification was denied within a day or two, which was quite fast considering the 4-6 weeks that Google allows for the process. If anyone can confirm or deny that this is the intended behavior of the OAuth consent screen, I would be happy to mark their answer as correct...
At this point, I'm inclined to believe that this is the intended behavior of the OAuth consent screen. 3 days after the verification request has been declined, the message "Your consent screen is being verified. This may take up to several weeks. Your last approved consent screen is still in use." is still being displayed. I now believe that further changes to the screen, such as updating the URLs, will require the verification process to be restarted, since the Save button remains disabled.

How to perform Graph auth without hosting my bot in Azure?

From my understanding, the OAuthPrompt requires a connection name. To create this, I need to make use of the Bot Channels Registration (as per the documentation). However, this seems to require me to create an Azure account and enter my payment card details. I would like to avoid entering my details if possible as I would not like to be charged for using any Azure services. Is there any way to avoid this?
If I must manually handle the OAuth process, I would like my sign-in to pop up in a small window like the "Allow" button triggers within the Who bot. I have tried SignIn cards which I have read just don't work in teams, and I have also tried OpenUrl type actions in a card which, when pressed, open the URL in my browser as opposed to a pop-up. How can I achieve this?
You can create a Bot Framework bot (only for Microsoft Teams) using the guidance here: https://learn.microsoft.com/en-us/microsoftteams/platform/concepts/bots/bots-create. To summarize that article, you can use this endpoint to create a non-Azure bot: https://dev.botframework.com/bots/new
If you choose to use the Azure Bot Framework, you will not be charged for the Bot Framework if Microsoft Teams is your only channel (this does NOT include your web service if you choose to host your bot code on Azure, although you can choose a free tier to avoid any charges).
For authentication, see this section of the MS Teams documentation: https://learn.microsoft.com/en-us/microsoftteams/platform/concepts/authentication/authentication. Depending on how you chose to implement your authentication, there are a few articles in that section that may apply. The OAuth card does work in Teams (not the free version, does not work with guest accounts, and only works for Azure bots).
For authentication, if you're redirecting to a different domain make sure you add it to the validDomains in your app manifest.

Skype Bots - Please tell me I'm missing something

Working on an application and developing chat integration bot. Note that contrary to some news bots or other tools, there is no central website or server that the bot gets its data from. The software installation comes with a repository, and that is where the bot connects to. Thus, every user, upon installing the software, will basically get their own copy of the bot, alongside with their own repository, etc.
Now, having done that for Telegram: You open the telegram client, initiate a chat with the botfather, get the token for your new bot with one or two commands, and then add that token to my application. Done. Easy for the user to follow, takes a few minutes at most and they have a working bot.
Trying to do the same with Skype, the users must:
Sign up for an Azure account
Provide credit card and phone number verification (that's probably where some users will stop right away)
Log on to the Azure Portal
Create a bot channel, through a myriad of different screens I have to guide the user through.
Have the user obtain the bot's password, again through a variety of different screens he needs to be guided through. (if the user hasn't given up yet, at this point he'll definitely get grumpy)
Enable the Skype channel, and enable the bot to be added to group chats.
Attempt to locate the bot via Skype and eventually add it in.
Now, if I wanted to document this properly, this will be a 10-15 page document with tons of screenshots and all. To do what Telegram does in two minutes or even less. There's so many opportunities in all of this for something to go wrong, that I can't even consider forcing my users to go through this.
Surely, I must be missing something? It can't be that you have to go through this horrible mess of an over-engineering spectacle that is second to none, just to get the most basic bot to function?
All I need is a means to say "this is the bot's name, give me its token and API URL so that it can send messages using the REST API". But I can't seem to find this for Skype.

Facebook Messenger Channel is not working with Microsoft Botframework

In Microsoft's Bot Framework, there is Facebook Messenger Channel. And according to the setup page, I followed everything and then have finished configuring things on both Bot Framework and Facebook App ends.
Finished setting up Facebook Webhooks and its Callback URL (with the required Verify Token). Everything seems to be correct (Please refer to screenshots below)
But when I start trying to chat to my page (from my FB Admin Account), there's no reply, nothing.
What seems to be the problem? And what should I be looking at, please?
Thanks all in advance.
I got it working now.
Inside the Botframework's "Enter your credentials" section, there's Facebook Page Id field to enter, but I didn't know there's a specific Page ID for a Facebook Page (which can be found under "About" tab). In fact, I thought it was the one we used in the URL (For example: https://www.facebook.com/xxxxxxxxxxx, and therefore: xxxxxxxxxxx) but it was wrong.
Then, deauthorized and resubmitted credentials from Botframework.
Thanks everyone for all the help.
Also, can you verify that your bot works correctly from the test panel and webchat control in the Bot Framework portal?
You may also wish to deauthorize and resubmit credentials.
It's odd that you're not seeing any errors in the bot framework portal for the Facebook channel, that would almost imply to me that the messages aren't making it from the Facebook messenger chat service to the Bot Framework. It looks like you've set the callback URL correctly (from the unmasked part).
You can also hook up Azure App Insights and give us the instrumentation key (via the portal) and we will send any error events to your app insights instance.
