microsoft / BotFramework-Composer

Dialog creation and management for Microsoft Bot Framework Applications
https://docs.microsoft.com/en-us/composer/
MIT License

Bot composer OAuth refresh token #3629

Closed kshyambabu closed 4 years ago

kshyambabu commented 4 years ago

Hi, I am implementing authentication for Active Directory v2. Authentication is going pretty well and I am receiving the token, but I am not getting the refresh token. The access token is expiring in 1 hour.

  1. Is there a way to get the refresh token for Active Directory v2 from the Bot Composer?
  2. If we don't get the refresh token, what would be the best way to handle the token expiration in Bot Composer?

DingmaomaoBJTU commented 4 years ago

Yes, the OAuth prompt will help you refresh the token. Note: please do not store the token yourself; when you want to use the token, get it from the OAuth prompt. Then it will help you manage your token.

kshyambabu commented 4 years ago

I am using the settings as described below. I should not give the login card every time the token expires. Do I need to set extra configuration for the OAuth prompt to get the refresh token without prompting the user to log in again?

[image]

SattaRavi commented 4 years ago

@DingmaomaoBJTU Can you please explain a bit further how to refresh tokens using the OAuth prompt?

I understand the access token can be retrieved from the OAuth prompt, but how does one refresh tokens?

Our scenario is that we authenticate users against AAD, and once authenticated the user will be using the bot for an extended period of time.

Given the scenario, what is the recommended approach to handle token expiration? (Asking the user with the OAuth prompt often would be a bad experience.)

DingmaomaoBJTU commented 4 years ago

The logic of the OAuth prompt is like this: 1) retrieve the token from the service; 2) if that fails, prompt. In step 1, the service helps you refresh the token and always returns a useful token if the user is logged in. There is nothing special to set for the OAuth prompt (the only thing you need to notice is: don't enable the alwaysPrompt flag). So that means, if a user is logged in, the OAuth prompt won't prompt; if the user is not logged in, the OAuth prompt will prompt. It does not prompt every time. So feel free to add many OAuth prompts in your flow.

Please have a try; if the OAuth prompt does not work as expected, you can log a bug for us~

Not sure whether I fully understand what you require. Please add more comments if there are any.
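The "retrieve from the service, prompt only on failure" flow from the reply above, as an added simulation that is not part of the original thread and is not Bot Framework code. `TokenService`, `oauthPrompt`, `runScenario` and all token values are hypothetical, and modelling `alwaysPrompt` as skipping step 1 is an assumption based on that reply.

```javascript
// Simulation only: TokenService stands in for the hosted token service the
// OAuth prompt talks to. Every name and value here is constructed.
const HOUR = 3600 * 1000; // access token lifetime reported in the thread

class TokenService {
  constructor() { this.grants = new Map(); this.minted = 0; }
  // Called once, when the user completes the sign-in card. The refresh
  // token never leaves the service, so the bot has nothing long-lived to leak.
  signIn(userId, now) { this.grants.set(userId, { access: this.mint(now) }); }
  mint(now) { return { value: `at-${++this.minted}`, expiresAt: now + HOUR }; }
  // Step 1 of the prompt: return a valid token, refreshing silently if needed.
  getToken(userId, now) {
    const grant = this.grants.get(userId);
    if (!grant) return null; // user is not signed in
    // Expired: the service redeems its stored refresh token for a new one.
    if (grant.access.expiresAt <= now) grant.access = this.mint(now);
    return grant.access;
  }
}

// Step 1: ask the service. Step 2: show the sign-in card only on failure.
// Assumption: alwaysPrompt is modelled as skipping step 1 entirely.
function oauthPrompt(service, userId, now, { alwaysPrompt = false } = {}) {
  const token = alwaysPrompt ? null : service.getToken(userId, now);
  return token ? { prompted: false, token } : { prompted: true, token: null };
}

// Constructed scenario: one user stays in the conversation for 2.5 hours.
function runScenario() {
  const svc = new TokenService();
  const results = [];
  results.push(oauthPrompt(svc, 'user1', 0));      // not signed in: card shown
  svc.signIn('user1', 0);
  const first = oauthPrompt(svc, 'user1', 1000);   // signed in: no card
  const cachedByBot = first.token;                 // anti-pattern: bot keeps a copy
  results.push(first);
  const later = oauthPrompt(svc, 'user1', 2.5 * HOUR); // expired: silent refresh
  results.push(later);
  results.push(oauthPrompt(svc, 'user1', 2.5 * HOUR, { alwaysPrompt: true }));
  return {
    prompts: results.map((r) => r.prompted),
    refreshedSilently: later.token.value !== first.token.value,
    cachedCopyExpired: cachedByBot.expiresAt <= 2.5 * HOUR,
  };
}

console.log(runScenario());
```

The copy the bot kept from the first call is expired by the third call, while the prompt returns a fresh token without showing a card.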

DingmaomaoBJTU commented 4 years ago

And here is the official doc, you can take a look~

kshyambabu commented 4 years ago

@DingmaomaoBJTU Thanks. The answer gave us the insight on how to use OAuth prompt and how it is performing internally.