I have developed MS Teams Message Extension using Java[Spring Boot] and registered the bot in Botframework Development portal[https://dev.botframework.com/]. It is working fine in local. I tested in local environment using a tunneling application named localtunnel. I tested the extension in MS Teams.
I pushed the code to cloud[AWS] as it was working fine on local and also changed the message endpoint URL to point to our test server. But, unfortunately i am getting " Bot returned unsuccessful status code unauthorized."[You can see the screenshot]. Test server message endpoint doesn't require JWT token, I am able to call it successfully from postman with out giving token.
As per the documentation, this error occurs usually when:
The Messaging endpoint specified on the Settings page for your bot in the Bot Framework Portal is incorrect. Make sure you have included the proper path at the end of the URL (e.g., /api/messages).
The Messaging endpoint specified on the Settings page for your bot in the Bot Framework Portal does not begin with https or is not trusted by the Bot Framework. Your bot must have a valid, chain-trusted certificate.
The bot is configured with missing or incorrect values for app ID or password. Verify that the bot configuration settings specify valid values for app ID and password.
All the points are correct in my case.
In this documentation, It is mentioned about Azure Bot resources in the "Test your bot" section of "Step 4: Test your bot in the cloud".
https://learn.microsoft.com/en-us/azure/bot-service/bot-service-troubleshoot-authentication-problems?view=azure-bot-service-4.0&tabs=csharp#step-3
So in order to test the bot on cloud, is it necessary to register it on Azure Bot services instead of Botframework development portal? Can't we just test it just by registering it on Botframework development portal?
The dev.botframework.com portal is deprecated, so I'd advise against continuing to use it. The Azure Bot resource is the evolution and replacement of the Bot Channels Registration, so you will need to use it to test your bot in the cloud. It effectively does the same things, but it better handles various new security and tenancy features that the old portal did not.
Furthermore, the documentation you linked mentions that extra security configuration steps must be taken for non-Azure deployments to get your bot to use https. Ensure you do this before filling in the messaging endpoint in your Azure Bot configuration.
I figure out the issue. Even though message endpoint could be called without any JWT token of our app, code was verifying the token if in case it is present in Authorization header instead of ignoring it. MS Teams sends JWT token in Authorization header of every request to verify it is coming from teams, but extension app was comparing this token sent from teams against our app. Since this token is not created by our app but instead by bot framework, so it was throwing 401 unauthorized.
So make sure your app is in ignoring the token sent in Authorization header for message endpoint.
About the other doubts I had:
It is not mandatory to register bot in azure in order to test in cloud, you can register it in development portal as well. Since development portal is depreciated, I highly recommend to use azure as it is highly secure.
You can do non azure deployment as well. You can deploy your extension app or message API endpoint in any cloud provider of your choice. But you have to register the bot either in development portal or azure which will call your extension app.
Related
I'm trying to develop a simple java client that needs to access Skype for Business APIs in order to setup an online meeting (i.e. I need to retrieve a simple setup meeting URL by invoking an UCWA API).
I followed this Microsoft tutorial step-by-step:
https://learn.microsoft.com/en-us/skype-sdk/ucwa/developingucwaapplicationsforsfbonline
I have an Office 365 Business Premium license and I configured a custom domain (correctly registered and added at the zone DNS file);
I configured and registered my java client app on Azure (taking care to assign required delegated permission for Skype for Business capabilities);
I performed the Sign-in phase and Azure is able to recognize me;
I performed the Autodiscovery phase in order to retrieve the user's UCWA home pool;
I sent a GET request to the Azure oauth2 endpoint with response 401 error (and this is the expected behaviour by the authentication handshake);
Unfortunately, I failed when I request an access token using implicit grant flow: Azure responds with a Sign-In HTML page rather than the json object containing the oauth2 access token.
What's wrong on this GET request?
GET https://login.microsoftonline.com/oauth2/authorize?
response_type=id_token
&client_id=my_application_client_id
&redirect_uri=configured_redirect_uri
&state=UUID_generated_code
&resource=UCWA_home_pool
HTTP/1.1
This GET URL looks like that one used for the Sign-In phase (step 3); I suspect that it isn't the right request URL.
I tryed to put my domain on the URL:
https://login.microsoftonline.com/my_domain_name/oauth2/authorize
and I tryed to put a common domain name (as reported on the documentation):
https://login.microsoftonline.com/common/oauth2/authorize
But Azure still reponds with a Sign-In page (and response code 200 OK).
Can someone help me please?
Please check the oauth2AllowImplicitFlow property in manifest of your application after downloading the latest manifest file. It should be set to true for this to wrok. If it's still false, only then I would expect the redirect to sign-in page as you're seeing.
More detailed steps here -
Configure your app for OAuth implicit grant flow
I have created a simple application in Java which Connects to my Office 365 Account and retrieve the unread messages. I am performing some text matching and pattern matching to generate some reports which I receive via Email.
I am using the below url with basic Authentication to do so.
https://outlook.office365.com/api/v1.0/me/messages?$filter=IsRead%20eq%20false
However, I have read a couple of articles and most of them have suggested that Basic Authentication will not be supported and suggested to use OAUTH2.0.
I am not sure how to use OAUTH2.0. A couple of articles mention about registering the Application with AAD for which i need to have access to Azure Management Portal which i do not have. Please can any one guide me how this can be done.
PS: I am using my Corporate Domain Account to access Office
You are correct that Basic will not continue to be supported. You do not need the Azure management portal to register an application, you can use the App Dev portal (apps.dev.microsoft.com) to get a client ID and secret.
Here's a walkthrough for creating a Java web app from scratch: https://dev.outlook.com/restapi/tutorial/java. It shows how to register the app and do the authentication.
I have a web application that provides several rest services (Jersey). Most of the endpoints are secured by BASIC authentification. Further more I use SSL for transport and demand POSTs for every call.
The clients/consumers are android apps.
So far so good. The only service that seems to be vulnerable is the registration. It's the 'first' service to call and a user does not exist yet. So I cannot use OAuth, etc. I also have to keep the endpoint easy accessible to enable the user to regster.
How do I secure this service, so it's not spammed by a bot flooding my database?
How about these?
Use a registration link with a token in the request parameter. Ensure that the tokens expire after sometime. You could create a token endpoint url as well for a client to get a valid token.
Use a custom header or a dynamic custom header in your request. Additionally, you could check for a dynamic custom header to validate the request's authenticity.
Use registration confirmation workflows, such as an email / text verification as soon the registration is done. Run a process every day to delete any user accounts, which are not validated in say x days.
I do not think you can really secure the registration URL in a HTTP way. IMHO, anyone who has the registration url can be a right guy trying to register. So if you ask me, option 3 is better than others.
I'm developing a html5+jquery+phonegap application. Server side is written in java and Spring MVC.And I hope to implement an authentication model as follows.
client signs up using his email which would be used as his userID.
A token is sent to his email.
He is given a screen to enter the token.
That token is stored in the local storage of the client.
everytime the client calls a webservice, his userID and token is sent by the app over https.
Server authenticates him and responds.
What are the options available to implment this kind of security from the server side? can Spring-security be used in this way? I tried to find any implmentation with Spring-security, but couldn't find any implmentation other than basic authentication.
You can use PreAuthenticationProcessingFilter to achieve this requirement, have a look similar case and spring security doc
I am trying to implement hybrid Google OpenID + OAuth protocol in order to identify my users and to access their Google calendar data.
Sample request looks like:
https://www.google.com/accounts/o8/id
?openid.ns=http://specs.openid.net/auth/2.0
&openid.claimed_id=http://specs.openid.net/auth/2.0/identifier_select
&openid.identity=http://specs.openid.net/auth/2.0/identifier_select
&openid.return_to=http://www.example.com/checkauth
&openid.realm=http://www.example.com
&openid.assoc_handle=ABSmpf6DNMw
&openid.mode=checkid_setup
&openid.ns.oauth=http://specs.openid.net/extensions/oauth/1.0
&openid.oauth.consumer=www.example.com
&openid.oauth.scope=http://docs.google.com/feeds/+http://spreadsheets.google.com/feeds/
I am using openid4java. I tried to follow this post: library-to-integrate-googles-oauth-openid-hybrid-in-java-web-app
But I came into trouble when testing my application on localhost.
As you can see in aforementioned sample request, there are three attributes that must be equal:
openid.realm
openid.oauth.consumer
openid.return_to
I have registered some domain with google and obtained consumer key and secret. But when I want to develop and debug my application on localhost (i. e. openid.return_to=http://localhost:8080/ and openid.realm=http://*.mydomain.com and openid.oauth.consumer=www.mydomain.com) and supply my key and secret, openid4java RealmVerifier rejects such authentication request.
I have even tried to supply completely valid options (my registered domain instead of localhost) - it seemed to function, but the redirection went away (I don't want to/can't deploy the application in that domain because of missing technologies.).
Could you please advise, how to develop such application on localhost? Is there any trick how to test such application?
Thanks for any help!
Try adding your your-machine.your-domain.com which points to 127.0.0.1 in the /etc/hosts (on linux) on your dev box and then hit your application as http://your-machine.your-domain.com
(note: replace your-machine with your machine name and your-domain with the domain you have registered with Google)