I implemented authentication in my bot application by referring here. I implemented it successfully and am able to sign in, but the application authenticates the user using a magic number. Is there any way to disable the magic number?
Note: I created the bot application using Bot Framework V4.
There have been improvements to the channels to support new authentication features, such as new WebChat and DirectLineJS libraries to eliminate the need for the 6-digit magic code verification. You can follow these links to prevent the magic code from showing up:
https://github.com/Microsoft/BotBuilder/issues/4632#issuecomment-441957719 (refer to #compulim's comment here, who is the developer of Web Chat and has specified the steps to eliminate the magic code flow).
https://github.com/Microsoft/BotFramework-WebChat/pull/1218 (pull request for the token server sample).
Related
I am trying to understand how to integrate BotFramework (C#) with an existing application without the use of Azure and using DirectLine, but everything I have seen so far requires an Azure subscription. I have looked at ngrok, but not sure if that is reliable for a production environment. I have also been digging around the source code repositories of BotFramework-Emulator and BotFramework-WebChat, but haven't found good information that relates to my use case.
If we have an existing "chat box", that has already been styled and has some basic commands that a user can enter, how could I reuse that chat box, but just implement the BotFramework routing? The idea being it is our standard chat box, but when the user types a command like /todo it would start a new bot conversation.
Without Azure, how would we generate a DirectLine token to access our C# WebAPI BotFramework Chatbot? I tried just opening a WebSocket in devtools to try and send messages, but wasn't successful.
Sure, it is possible to just do plain REST routing, but would ideally like to use WebSocket to send/receive messages.
Generally speaking, the Azure Bot Service is a required component of using the Microsoft Bot Framework as it serves as the connector (via the supported channels - DirectLine, Teams, Slack, Facebook, etc.) between your bot and the specific channel. It is also responsible for generating the tokens that allow your bot to connect and pass messages around.
However, it is possible to run your bot without the use of the Azure Bot Service. Two options that may serve your needs are:
offline-directline: "Unofficial package to emulate the bot framework connector locally."
InDirectLine: "[T]he DirectLine is a bridge that connects your bot and your client. This project (InDirectLine) is a custom implementation of my own..."
You will need to research both to identify which, if either, could/would meet your needs. But, in short, both projects allow you to run your bot locally, or seemingly from a hosted remote environment, and connect to it.
Hope of help!
I am using the Docusign Authorization Code example (https://github.com/docusign/code-examples-csharp) to create a C# application connected to Docusign (which is already configured with our Single Sign On).
I also have another Azure App Registration to invoke my Custom API from Azure and I need to successfully get a token to invoke it.
I have successfully used MSAL JavaScript to invoke the custom API.
However, I am not sure if this is the safest or should I go with MSAL.NET (to do everything server side).
Anyone got ideas how to incorporate this additional MSAL.NET auth to my existing Docusign based C# code?
Thanks in advance!
I think both MSAL.js and MSAL.NET are secure, but there are some limitations to what you can do with the former. If all you need is a token to invoke an API - you should be good, but Microsoft supports more things that you may need the server side code for.
This article has a table that tells you all the different authentication flows Microsoft supports, and the different features each of them supports.
I don't know exactly if I should ask this question here, nor if I'm using the exact right tags, but... I need to add 2FA to a system I'm developing and, while I was looking for the best available options for 2FA, we thought about adding Microsoft Authenticator support to it (we liked Authy, Google Authenticator, etc., but we tend to prefer Microsoft solutions here). It seems there used to be a way of adding Microsoft's 2FA to our site, but is there a way to do it now in 2019? If so, is it free? (We got Microsoft developer accounts... If having them is the only paid requirement, we're OK.)
Microsoft Authenticator just implements the Time based OTP mechanism (https://en.wikipedia.org/wiki/Time-based_One-Time_Password).
If you do not have Azure accounts, the Microsoft authenticator can scan a QR code with the following embedded URL:
otpauth://totp/UserName?secret=Some-long-secret&digits=6&issuer=CompanyName
Once the Microsoft Authenticator has scanned this QR Code, it will start showing you one time passwords.
On the server side, you can use a library like https://github.com/samdjstevens/java-totp
The library can be used to generate the secret or verify the OTPs generated by the Microsoft Authenticator.
The Microsoft and Google Authenticators just implement the TOTP mechanism to provide a serverless (read: offline, you only need an accurate timestamp) one time password mechanism. You can use any generic TOTP library to generate a user specific shared secret, possibly encode that one as QR image for ease of configuration and then validate if a provided token matches the shared secret and has been created in the last +-n seconds.
You can get started here: https://github.com/BrandonPotter/GoogleAuthenticator
Although the library is called "Google Authenticator" it can also be used with Microsoft's Authenticator because they basically function the same way (TOTP).
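The enrolment and validation steps described in the two answers above, as an added Python example (not part of the original answers and not code from either linked library): it builds the otpauth:// URL, computes the RFC 6238 code with HMAC-SHA1, and accepts a code within ±1 time step while refusing a step the user has already redeemed. The function names and the last_step replay check are assumptions of this example.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote, urlencode

STEP = 30    # seconds per time step (RFC 6238 default)
DIGITS = 6   # same as digits=6 in the otpauth URL


def new_secret(nbytes=20):
    """Random per-user shared secret, base32 as authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def provisioning_uri(secret_b32, user, issuer):
    """otpauth:// URL to render as a QR code at enrolment."""
    query = urlencode({"secret": secret_b32, "digits": DIGITS, "issuer": issuer})
    return f"otpauth://totp/{quote(user)}?{query}"


def code_for_step(secret_b32, step):
    """HOTP (RFC 4226) over the time-step counter, HMAC-SHA1."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify(secret_b32, code, at=None, window=1, last_step=-1):
    """Return the matched time step, or None if the code is rejected.

    Accepts the current step +/- `window` for clock drift; steps at or
    below `last_step` (the last one this user redeemed) are refused.
    """
    current = int(time.time() if at is None else at) // STEP
    matched = None
    for step in range(current - window, current + window + 1):
        if step < 0 or step <= last_step:
            continue
        expected = code_for_step(secret_b32, step)
        # constant-time comparison on bytes; also copes with non-ASCII input
        if hmac.compare_digest(expected.encode(), code.encode()):
            matched = step
    return matched
```

On success, store the returned step as that user's last_step so the same code cannot be redeemed twice inside its validity window.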
I'm taking a summer development course and have been working on writing an API that will allow the user to log in to a personal, work, or school Microsoft.com account and do basic CRUD operations on the events in their calendar. Things like querying for all events within a date range or events that have a specified Open Extension property, etc.
Having finished that, I'm now working on writing a front end for it using ASP.net Core 1.1 MVC. The basic goal here is to list the results of the user's query with a few details, then allow the user to select an event to view all its details, edit it, or delete it. There would be a separate view to allow creation of new events. However, the authentication method I was using prior to switching from a basic console application to ASP.net Core 1.1 MVC (from the Microsoft Graph UWP Snippets located here) does not seem to work with ASP.net Core 1.1. Specifically, line 58 from the link above (AcquireTokenSilentAsync()).
I've done a good bit of digging before deciding to come and ask a question here, but I honestly feel like I'm getting nowhere/have been wasting time that I need to be spending on development. For reasons related to the course the professor is very hands-off, so asking him for assistance isn't an option.
How would one go about setting up an ASP.net Core 1.1 MVC app to allow access to the logged-in user's calendar? I've honestly not been able to find much, and since my API is currently very dependent on the token returned from the above Authentication method (it is used with both the HttpClient and GraphServiceClient used in my API) I'm going to need to figure something out soon.
UPDATE: I found a tutorial for using OpenIdConnect to log a user in to their Microsoft.com account in Asp.net MVC 6, however I'm not sure if there is a way to get at the authentication token that I need to use the Graph Client/HttpClient. Additionally, I haven't been able to find a similar tutorial for ASP.net Core 1.1 MVC. I'll keep digging and post anything I find here.
UPDATE 2: Wasn't having luck with that, have switched to attempting to use the OAuth 2.0 Authorization Code Grant Flow. Currently having a bit of trouble understanding how to get the authorization code to get the access token. If I set responseMode=query, do I actually have to query my application's redirect url (in this case localhost:xxxx/) that was created when I registered my app, or is the response automatically returned after the user logs in/consents to letting my app access their data?
UPDATE 3: I'm getting closer to having a functioning authentication process by following the steps in the link in Update 2. At this point I guess I'm just curious if my original method of authentication (almost identical to what is contained in the link in my original post) could have worked, or if I was going to find myself in this position no matter what.
I managed to use most of this sample repository: Microsoft Graph Webhooks Sample for ASP.NET Core to connect to Microsoft Graph API. It demonstrates using webhooks and MS Graph subscriptions, but it's how it gets the access token that is useful for us.
The relevant code snippet:
AuthenticationResult authResult = await authContext.AcquireTokenAsync(GraphResourceId,
    new ClientCredential(AppId, AppSecret)); // For sample purposes only. Production apps should use a client certificate.
return authResult.AccessToken;
How to create access token for JIRA Rest API? Of relevant data I have:
User key
Private/public key combo
Jira's Rest API OAuth example assumes a 3-legged approach, and is very unclear on what the actual parameters to send are (I wish Swagger were a more widely used standard!).
In more detail, I have the following use-case:
When creating a new employee in the Web Forms (ASPX) portal application I need to create a new JIRA account and assign it to a project (and a role inside the project).
As such I would like to use OAuth2 2-legged authentication to accomplish this. I can probably hack it with Basic Authentication, but I would really like to do it properly.
The problem arises when trying to find code examples that use this approach. .NET examples are really scarce, and even examples in other languages usually use Basic Authentication (username and password transmitted on each call) or the few that use the 3-legged approach.
I found AnotherJiraRestClient but looking at the code it's using RestClient nuget (this is good) but with HttpBasicAuthenticator (this is bad).
I went through all Authenticators that are on offer and OAuth2AuthorizationRequestHeaderAuthenticator looks promising but it requires me to already have an access token. So that is why the question in the end is "How to create an access token, using the 2-legged approach?"
I already created an application link on JIRA's side with these settings:
Application Type: Generic Application
Outgoing Authentication: (gives 500 server error on Jira's side... but don't think it matters as I am not using it)
Incoming Authentication: OAuth
Status: Configured
Consumer Key: TEST_JIRA_KEY
Public Key: ... (generated online private/public key combo)
Atlassian currently doesn't support OAuth 2.0, but only 1.0(a).
There is a feature request for this: https://jira.atlassian.com/browse/JRA-43171
I have made an Open Source Jira client in C#, >=.NET 4.5 and fully async (with proxy support), which is available on GitHub and as a NuGet Package. See: https://github.com/dapplo/Dapplo.Jira
Today I added OAuth 1.0a support, which I got working, and I use the information here for testing:
https://bitbucket.org/atlassian_tutorial/atlassian-oauth-examples/src/d625161454d1?at=default
I used the public key from that repository to set up a test link on my Jira Cloud server, and use the private key in my test case.
The code for testing is here (it's commented out, as the OAuth process opens a browser, which is bad on the test-server):
https://github.com/dapplo/Dapplo.Jira/blob/master/Dapplo.Jira.Tests/JiraOAuthTests.cs
I am still looking at a way to make the certificate/private key reading easier, but in a way this is not the job for the library itself...
If there are any questions, I guess issues on GitHub are the best way to communicate.