I am writing a bot that can receive messages from multiple chat platforms, and hence trying out UE using Skype first. But I am not able to proceed very far.
What I did till now:
a. Created a Skype Bot and got an App Id and password.
b. Created an UE App and got UE App Id, App Key and App Secret.
c. Added a Skype connector to my UE App.
d. Created a user using the user/create endpoint.
Now I want to connect the UE App with Skype.
Questions:
When creating my Skype connector, what should I use for App Key, App Secret? Should I use the Skype Bot App Id for App Key, and Skype Bot password as App Secret?
What exactly should be the body of the connection/add endpoint?
What should be the uri?
From the documentation it seems it should be something like:
"uri":"skype://access_token#skype.com?id=BotId","name":"skype"
Is this understanding correct? What should I put as the access_token?
Yes, you can use your Skype Bot App Id as App Key, and Skype Bot password as App Secret.
To communicate with the Bot Connector service, you must specify an access token in the Authorization header of each API request.
You can obtain the access token for your bot by issuing an API request. To request an access token that can be used to authenticate requests to the Bot service, issue the following request, replacing MICROSOFT-APP-ID and MICROSOFT-APP-PASSWORD with the App ID and password that you obtained when you registered your bot with the Bot Framework.
POST https://login.microsoftonline.com/botframework.com/oauth2/v2.0/token
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials&client_id=MICROSOFT-APP-ID&client_secret=MICROSOFT-APP-PASSWORD&scope=https%3A%2F%2Fapi.botframework.com%2F.default
If the request succeeds, you will receive an HTTP 200 response that specifies the access token and information about its expiration.
Normally the access token expires within 1 hr. When your access token expires, you can call the refresh route to get the new access token.
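The token request described in this answer, as an added Node.js example that is not part of the original answer or of any SDK. It builds the same form body and caches the token, repeating the client-credentials request shortly before expires_in elapses; createTokenProvider, sendWithFetch and the 60-second skew are hypothetical names and values chosen for illustration.

```javascript
// Added example (not from the original answer): request and cache the token.
const TOKEN_URL =
  "https://login.microsoftonline.com/botframework.com/oauth2/v2.0/token";
const SCOPE = "https://api.botframework.com/.default";

// Build the form-encoded request quoted above; URLSearchParams does the escaping.
function buildTokenRequest(appId, appPassword) {
  const body = new URLSearchParams({
    grant_type: "client_credentials",
    client_id: appId,
    client_secret: appPassword,
    scope: SCOPE,
  }).toString();
  const headers = { "Content-Type": "application/x-www-form-urlencoded" };
  return { url: TOKEN_URL, method: "POST", headers, body };
}

// Hypothetical helper: returns getToken(), which serves the cached token until
// skewMs before expiry and shares one in-flight request between concurrent callers.
// `send` performs the HTTP call and resolves to the parsed JSON response;
// `now` returns milliseconds and is injectable so the logic can be tested offline.
function createTokenProvider(appId, appPassword, send, now = Date.now, skewMs = 60000) {
  let cached = null;   // { token, expiresAt }
  let inFlight = null; // promise of the request currently running, if any
  return function getToken() {
    if (cached && now() < cached.expiresAt - skewMs) return Promise.resolve(cached.token);
    if (!inFlight) {
      inFlight = send(buildTokenRequest(appId, appPassword))
        .then((json) => {
          if (!json.access_token || !Number.isFinite(json.expires_in)) {
            throw new Error("token response lacks access_token/expires_in");
          }
          cached = { token: json.access_token, expiresAt: now() + json.expires_in * 1000 };
          return cached.token;
        })
        .finally(() => { inFlight = null; });
    }
    return inFlight;
  };
}

// Transport for Node 18+ (global fetch); never log the request body, it holds the secret.
async function sendWithFetch({ url, method, headers, body }) {
  const res = await fetch(url, { method, headers, body });
  if (!res.ok) throw new Error(`token endpoint returned HTTP ${res.status}`);
  return res.json();
}
```

In a real bot, call createTokenProvider(appId, appPassword, sendWithFetch) once at startup and put the result of getToken() in the Authorization header of each request.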
So I have a .NET 6 REST API running as an App Service in Azure. The authentication is being done with AAD tokens. My app and web page can log in, but 1 device that needs to send some information to the database can only make simple HTTPS GET, POST, PUT and DELETE actions, but it can never start an OAuth2 authentication process to acquire a token.
The only thing the device can do is store a long URL. When the GET action is required it just sends the HTTPS call with that URL string.
So have any of you encountered this problem before and how did you solve it?
I was thinking of a Token per device that never expires but AAD does not support this. As they should. :).
Should I create a separate endpoint with user and password login?
Thanks in advance!
I am using Firebase for authentication with my custom server. This server exposes an endpoint for clients to subscribe to server-sent events. I initially open the connection via new EventSource(myApi.com?:firebaseToken) and validate this token via the Admin SDK on the server.
But I have a few questions / concerns:
Is it secure to send the Firebase token as a URL parameter like that?
What happens if the user is connected to this event endpoint longer than the lifetime of the token, i.e. the token now becomes outdated?
If the connection is encrypted, and the client trusts the server, then you can send whatever you want without problems.
The permissions granted by the token will expire in one hour. The client will need to provide a new token before then.
I'm looking to create a Microsoft Teams chat bot that sends an API call to an Azure Function which auths into the Graph API using an appID and secret specific to the organization that the Teams bot is running on. The bot sends an email to a hardcoded address from the user who sent the message.
Problems:
I need a way to pass in sensitive unique app IDs and secrets to the Azure Function based on the organization.
Assuming I can pass the values uniquely, making an API call to generate a bearer token takes a while (a few whole seconds). Once I have the bearer token the Graph API call to send the email is near-instant. I'd like to trim the few seconds off of the response time when authing for the bearer token if possible. Keeping the bearer token saved somewhere isn't worth it because it will likely expire before the user calls the application next.
What I have so far:
A bot that works successfully end to end in an emulator and auths using a hardcoded appID, secret, endpoint, and user GUID (since the emulator GUID doesn't exist in the org, but I can get it dynamically when it's deployed).
The bot sends the auth API the secret and app id, then sends another api call to send the email using the bearer token received in the response from the last API call.
I have a REST API and the authentication is done using JWT tokens. To make my API more secure (users and authentication mechanism) I would like to use Firebase Authentication. I would like to know: can we use Firebase as an authentication server for my REST APIs?
My understanding is that the client app will send the username and password to the firebase server and they will provide a token. Using that token client app will send an api call to our server. I need to integrate firebase admin SDK in my server and validate the token using admin SDK to get the data from my database.
Please correct me when I am wrong.
Also, I have a concern about how to manage refresh tokens to keep my app logged in.
Please help me to integrate this in the right way. I am using Node.js/Express.js to create the APIs.
Can we use Firebase as an authentication server for my REST APIs?
Yes, it's one of the services they provide: https://firebase.google.com/products/auth/
My understanding is that the client app will send the username and password to the firebase server and they will provide a token.
Correct. The usual Firebase auth is done entirely client side.
But if there is a specific auth mechanism you need such as LDAP/AD or some other form of enterprise shenanigans, then you would need to create your own tokens that the client will use to authenticate: https://firebase.google.com/docs/auth/admin/create-custom-tokens
Using that token client app will send an api call to our server.
Correct. Once the client has successfully logged in and retrieved their ID tokens, you on the server side need to verify the ID token: https://firebase.google.com/docs/auth/admin/verify-id-tokens via middleware.
Also, I have a concern about how to manage refresh tokens to keep my app logged in.
You need not worry about that so long as the client uses the appropriate method to retrieve the ID token. For example, on the Web side the client would call: https://firebase.google.com/docs/reference/js/firebase.User#getIdToken which states (emphasis mine):
Returns the current token if it has not expired, otherwise this will refresh the token and return a new one.
As you can see, the client side Firebase SDK handles everything for you. There is no need for you on the server side to keep track of ID tokens, refresh tokens, or anything really. All you need to do is verify the token, that's it.
Please see my previous answer for more details on server side verification: Firebase authentication using NodeJS
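Server-side verification as described in this answer, and the token-lifetime concern raised in the earlier server-sent-events question, as one added Express-style example that is not code from either answer. requireFirebaseUser, bearerToken and msUntilExpiry are hypothetical names; the verifier is injected so the logic runs offline, and in a real server it would be a wrapper around admin.auth().verifyIdToken from the firebase-admin package.

```javascript
// Added example (not from the original answers): verify a Firebase ID token
// sent as "Authorization: Bearer <token>" before a route handler runs.
// In a real server pass: (t) => admin.auth().verifyIdToken(t)  // firebase-admin

// Return the compact JWT from the Authorization header, or null if absent/malformed.
function bearerToken(req) {
  const header = (req.headers && req.headers.authorization) || "";
  const match = /^Bearer +([\w-]+\.[\w-]+\.[\w-]+)$/i.exec(header);
  return match ? match[1] : null;
}

// Middleware factory; `verifyIdToken` resolves to the decoded claims or rejects.
function requireFirebaseUser(verifyIdToken) {
  return async function (req, res, next) {
    const token = bearerToken(req);
    if (!token) return res.status(401).json({ error: "missing bearer token" });
    try {
      const decoded = await verifyIdToken(token);
      // Keep only what handlers need: the user id and the expiry (seconds since epoch).
      req.user = { uid: decoded.uid, exp: decoded.exp };
      return next();
    } catch (err) {
      // Expired, revoked and forged tokens all end here; do not echo the reason.
      return res.status(401).json({ error: "invalid or expired token" });
    }
  };
}

// For long-lived responses such as server-sent events: milliseconds until the
// verified token's `exp` passes (0 if it already has), so the handler can
// schedule res.end() and make the client reconnect with a fresh token.
function msUntilExpiry(user, nowMs = Date.now()) {
  return Math.max(0, user.exp * 1000 - nowMs);
}

// Wiring (constructed, assumes an Express `app` and an initialised firebase-admin):
//   app.use("/api", requireFirebaseUser((t) => admin.auth().verifyIdToken(t)));
//   setTimeout(() => res.end(), msUntilExpiry(req.user));
```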
I started working with the Instagram APIs using Node.js and walked through the official Instagram API docs here, but they do not explain things clearly.
Here I have 2 questions:
What is the difference between Client ID and Client Secret?
What is access_token, what is it used for, and when should we request it?
The client ID is basically a unique ID assigned to your application by an OAuth provider. It is considered public information, and is used to build login URLs, or included in JavaScript source code on a page.
An app requesting an access token has to know the client secret in order to gain the token. This prevents malicious apps from ever obtaining a valid access token. The client secret id doesn't state anything about authenticating a user, but it's instead for authorising an app to request access tokens.
The client secret must be kept confidential. If a deployed app cannot keep the secret confidential, such as single-page JavaScript apps or native apps, then the secret is not used.
When you log in with an OAuth provider, the server responds with an access token and expiration time in ms if the login is successful.
{
  "access_token": "RsT5OjbzRn430zqMLgV3Ia",
  "expires_in": 3600
}
Every time the client requests a resource from the server, the server validates the access code. The access token is used to verify every request from the client. You will request an access_token whenever you log in through an OAuth provider.
You can refer to this and this for more information.