I have a few facebook bots created using Bot Framework, C# and running on Azure.
All of them stopped working at the same time after I went to facebook, changed password and clicked "Log Out All Sessions" under Security.
That's the error message that I can see in the Bot Framework website:
{"error":
{"message":"Error validating access token: The session has been invalidated because the user changed their password or Facebook has changed the session for security reasons.",
"type":"OAuthException",
"code":190,
"error_subcode":460,
"fbtrace_id":"Hh+N0op30L5"}}
I tried regenerating page access token and replacing it in the Bot Framework setting. I tried resubscribing the bot to the Facebook page. I still can't get the bot to work again.
When this happens, you just need to regenerate the access token then verify and save that Facebook can access your webhook.
You do this from the Edit Subscription section of Webhook.
I have implemented OAuth using GitHub on my web app, so when I log in using GitHub I get logged in successfully. I wanted to know how to implement logout so that I get logged out of the web app.
When the user visits www.localhost:3000/login and clicks login/signup with GitHub, the user gets redirected to the GitHub login page, logs in with his/her GitHub account and gets redirected to localhost:3000/homepage.
I sent a cookie from the server side for session purposes and get a cookie from GitHub (don't know why).
When I clear cookies from localhost:3000 and visit localhost:3000/login and hit the login with GitHub button, I get logged in with the previously signed-in user account automatically. However, when I clear all cookies from www.github.com and do the same, this time it prompts the user to log in with the GitHub account again.
I have not used any external library like passport.js for OAuth and also I don't want to use any.
So how do I implement a logout that also logs out of the GitHub OAuth session?
What you want is "single log-out" whereby logging out from your application also logs out from GitHub. But the relevant specification has been finalized only in September 2022 and I could not find any mention of it at docs.github.com. Perhaps this is also not desired, since GitHub sessions are long-lasting: Revisiting github.com with the same browser after a few days does not require a re-logon.
But as an alternative to logging out from GitHub upon logout from your application, you could require a renewed consent upon re-login to your application. If you have already been logged in once to your application via GitHub and then visit
https://github.com/login/oauth/authorize?scope=user:email&client_id=...
you are re-logged in silently. But if you visit
https://github.com/login/oauth/authorize?scope=user:email&client_id=...&prompt=consent
instead, the GitHub consent screen re-appears. (The parameter prompt=consent is not documented on docs.github.com, but is explained here.)
Perhaps that is sufficient to satisfy your requirement.
I am developing a website like Heroku. I am confused about what I should do with the GitHub OAuth part. When you want to register on Heroku and log in, you cannot use OAuth (login/register using GitHub).
But after login you can create an app. Now one of your options to upload your code to Heroku is to connect your Heroku account to your GitHub account.
My problem
When the user is logged in, how could I redirect the user to another page, and after authentication (GitHub OAuth) how could I detect that this user previously logged in and does not need to log in again?
Exactly what Heroku does.
I cannot understand how I can send additional data to the GitHub OAuth login page and retrieve it back in the callback URL to detect which user is logged in now and save his/her access_token & refresh_token in the database.
Note that I use Express.js, express-session, Sequelize and EJS.
GitHub, like all OAuth based APIs, requires that each request to the API made on behalf of a user is authenticated with an access_token. If you don't pass an access_token alongside your request, the request will fail with a 401 Unauthorized status code.
There's no way to ask GitHub if a random user has accepted your app. It's not something implemented in the OAuth framework - as it could lead to a security flaw. So it's your responsibility as the application's owner to record which user has authorized your app.
With this in mind, let's try to sum up the different steps that Heroku had to achieve to display this "Connected" status under the GitHub logo.
When you've signed-up on Heroku, the status of the GitHub integration was "not_connected". If you visit the settings page, you would see a "Connect to GitHub" button.
At some point, in the Heroku dashboard, you have clicked on the "Connect to GitHub" button and have authorized Heroku's app for GitHub. This is where you've been redirected to the callback_url.
At this particular time, while you were on the callback_url page, Heroku has recorded in its database the new status of the GitHub integration for your account. It was set to "connected". Heroku has probably saved alongside the access_token and refresh_token.
Every time that you visit the settings page of your app, Heroku can render that you are connected because it has the status in its database.
(optional) When Heroku performs requests to the GitHub API using your access_token it can confirm that the connection is still live. If ever the request failed with a 401 Unauthorized, Heroku can update its database and reset your GitHub integration status to "not_connected".
This works like this for the GitHub API, as well as with any other OAuth based API. If you plan to integrate with several APIs, I highly recommend using an API Integrations Manager, such as Pizzly. It will help you focus on the business logic ("is my user connected or not?") and totally handle the OAuth process for you.
I created a simple bot that I wanted to test channel integrations on and it worked properly in the Web Chat and in the Facebook Messenger integration. However when I followed the steps outlined here, I keep getting an error in the Issues column of the Slack bot that says: Verification token mismatch. Please check your bot's Slack configuration and make sure the verification token is correct.
Azure error message
The fields I used for setting up the azure service
I have tried regenerating the verification token several times and I still get the same error. I have also restarted my local bot, restarted ngrok, and changed the endpoint to the new ngrok address.
You could try using signed secrets functionality instead of token verification. See:
https://api.slack.com/interactivity/slash-commands#how_do_commands_work
"This is a verification token, a deprecated feature that you shouldn't use any more. It was used to verify that requests were legitimately being sent by Slack to your app, but you should use the signed secrets functionality to do this instead."
I have already generated test tokens to sign in to my Slack account from the following link: https://api.slack.com/docs/oauth-test-tokens
When I use API Methods, I add the token to URL.
Now I want to integrate users accounts. Are they going to generate test tokens from this url and I will get that generated tokens? I don't think so. Not so practical.
How can I authenticate them? By getting their username and password and basic Node.js https call with BASIC Authentication as it is in; https://dzone.com/articles/nodejs-call-https-basic
When I read the documentation for authentication it suggests; https://api.slack.com/docs/oauth
Should I get all information; client_id, scope, redirect_uri, state, team from the user? How will they know their client_id?
How can I sign in to users' accounts in the Slack integration? I'm a little confused.
If you want to authenticate Slack users with your external app you should use Sign-In with Slack. It will prompt the user to sign in to their Slack team with username and password and return their Slack identity to your app. You will also receive an individual Slack token which you can store for future use if you want to keep users "signed-on".
See here for a great explanation on how this feature works.
If you just want a bot or slash command to work with your Slack team, you don't need to authenticate each user. The token you receive after using the "Add to Slack" workflow will be sufficient. Also, the "test token" you can generate on the Slack API page will work. However, this "shortcut" is only supposed to be used for testing.
Trying to build a recipe ordering app via SMS using Bot Framework. How can I let the user 'login' to view all his previous recipes?
The user first must sign up through a website using Azure Active Directory B2C. I got the API sample template up and running and it lets me authenticate user through the website...
But I'm not sure how to authenticate this logged in user (on the website) on the bot chat level. How can I make Bot Framework be aware of this logged in user?
It'd be really nice if you could just turn on multi-factor authentication and access the phone number connected to the user but this is not possible programmatically at the moment according to Microsoft.
Any other ideas? I desperately need some way to allow a mobile phone user to authenticate via SMS and access their private data through it. I tried it with Active Directory's .net api sample but no documentation exists on how to make this all work together with Bot Framework...
I ran the pizza bot template and pondered upon the same question.
I ended up taking the user ID and storing it along with any information I could get through claims. Then I have a reference for the user that I can look up and do stuff with. Not sure if this helps you.
This is how you can do it:
Generate an authentication URL and send it to your user via the bot. Ask him to log in to the service using the URL.
The server would receive the result of that authentication (your API for the bot is now aware of the result) and if successful, you can show the data to the user through the bot.
You might want to take a look at the Facebook Auth sample to get an idea of a potential flow for the Auth scenario.
Hope this helps.