microsoft / BotFramework-Services

Microsoft Bot Framework Services
Creative Commons Attribution 4.0 International

Generic OAuth2 configuration #140

Closed inirudebwoy closed 5 years ago

inirudebwoy commented 5 years ago

Hi,

I'm working on a bot that integrates with Bitbucket and Jira. I have followed this guide https://docs.microsoft.com/en-gb/azure/bot-service/bot-builder-authentication?view=azure-bot-service-4.0&tabs=csharp%2Cbot-oauth and managed to successfully use OAuthPrompt for Bitbucket. BTW this is a great feature that saves a lot of time.

Unfortunately I'm not able to make it work for Jira, and the problem is a missing parameter that should be configured in the OAuth Connection Settings in the Web App. Jira requires an additional audience argument during the authorization flow. https://developer.atlassian.com/cloud/jira/platform/oauth-2-authorization-code-grants-3lo-for-apps/

https://auth.atlassian.com/authorize?
  audience=api.atlassian.com&
  client_id=YOUR_CLIENT_ID&
  scope=REQUESTED_SCOPE_ONE%20REQUESTED_SCOPE_TWO&
  redirect_uri=https://YOUR_APP_CALLBACK_URL&
  state=YOUR_USER_BOUND_VALUE&
  response_type=code&
  prompt=consent

This is not possible to configure in the Generic OAuth2 service provider, nor is there a service provider for Atlassian/Jira. Is there a workaround for this?

jwiley84 commented 5 years ago

Taking a look at the Generic Oauth 2 settings on the Azure blade, I see this:

image

Couldn't you just put the 'audience' in as part of the auth URL? Like, instead of putting just 'https://auth.atlassian.com', put the whole thing?

https://auth.atlassian.com/authorize?audience=api.atlassian.com&

Either that, or use 'Oauth 2 generic provider', which offers more oauth configuration options.

inirudebwoy commented 5 years ago

I have tried adding audience like you said.

Screenshot 2019-10-16 at 10 58 00 PM

Unfortunately the URL that is constructed after this change is not what JIRA expects. client_id in params becomes ?client_id.

Screenshot 2019-10-16 at 11 01 52 PM

After changing to "Oauth2 generic provider" I got a bit further than that. I log in to JIRA, see the consent screen, and after I agree there is a 400 response.

Screenshot 2019-10-16 at 11 06 37 PM

The same URL works for the "Generic Oauth2" I have configured for Bitbucket.

It could be that my configuration of "Oauth2 generic provider" is incorrect but since I couldn't find any examples beside this https://stackoverflow.com/questions/57676376/oauth-2-generic-provider-template-examples it is not bad 😄

jwiley84 commented 5 years ago

Let me reach out to a teammate, see if I can figure out what's going on. If that '?' in client_id was removed, would it (hypothetically) work as expected?

inirudebwoy commented 5 years ago

Thanks. Yes, it would. I've opened the URL with the same params (except state) in the browser and saw the consent screen, where I approved my app. I received a 400 response from https://token.botframework.com/.auth/web/redirect but I'm guessing it's because my state param has not been matched.

EricDahlvang commented 5 years ago

@inirudebwoy Can you try the OAuth 2 Generic Provider? (you might get away with adding audience param to the Authorization URL Query String Template, or the Token Body Template)

| Property | Description | AADv2 example |
| --- | --- | --- |
| ClientId | The AAD v2 AppID | -a guid- |
| ClientSecret | The AAD v2 Password | -a pwd- |
| Scope List Delimiter | The character to use between scope values (often a space or comma) | ‘ ‘ (space) // currently there is a bug, so enter ‘,’ |
| Authorization URL Template | The authorization URL | `https://login.microsoftonline.com/common/oauth2/v2.0/authorize` |
| Authorization URL Query String Template | The query string to append to the authorization URL, templated with any wanted parameters: {ClientId} {ClientSecret} {RedirectUrl} {Scopes} {State} | `?client_id={ClientId}&response_type=code&redirect_uri={RedirectUrl}&scope={Scopes}&state={State}` |
| Token URL Template | The token URL | `https://login.microsoftonline.com/common/oauth2/v2.0/token` |
| Token URL Query String Template | The query string to append to the token URL, templated with any wanted parameters: {ClientId} {ClientSecret} {RedirectUrl} {Scopes} {State} | ‘?’ (question mark character) |
| Token Body Template | The body to send for the token exchange | `code={Code}&grant_type=authorization_code&redirect_uri={RedirectUrl}&client_id={ClientId}&client_secret={ClientSecret}` |
| Refresh URL Template | The refresh URL | `https://login.microsoftonline.com/common/oauth2/v2.0/token` |
| Refresh URL Query String Template | The query string to append to the refresh URL, templated with any wanted parameters: {ClientId} {ClientSecret} {RedirectUrl} {Scopes} {State} | ‘?’ (question mark character) |
| Refresh Body Template | The body to send with the token refresh | `refresh_token={RefreshToken}&redirect_uri={RedirectUrl}&grant_type=refresh_token&client_id={ClientId}&client_secret={ClientSecret}` |
| Scopes | The list of scopes | -scope list- |

inirudebwoy commented 5 years ago

I got it working 😄 I tried already with audience in Authorization URL Query String Template and it did not work. What was wrong in my case was Refresh Body Template. I can not remember where I got it from.

Thanks for help.
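
An added example, not part of the thread and not Bot Framework code: a pre-flight check for an Authorization URL Template and its Query String Template, run before the values are entered in the connection settings. It assumes the service joins the two strings and substitutes the placeholders as plain text; `expand`, `check_authorize_url`, and the sample values are hypothetical, and the required parameter list is the one from the Atlassian URL quoted in the first comment.

```python
from urllib.parse import parse_qsl, quote, urlsplit

# Parameters carried by the Atlassian authorize URL quoted in this issue.
REQUIRED = {"audience", "client_id", "scope", "redirect_uri",
            "state", "response_type", "prompt"}

# Constructed sample values (the placeholders as written in the issue).
SAMPLE = {
    "ClientId": "YOUR_CLIENT_ID",
    "Scopes": "REQUESTED_SCOPE_ONE REQUESTED_SCOPE_TWO",
    "RedirectUrl": "https://token.botframework.com/.auth/web/redirect",
    "State": "YOUR_USER_BOUND_VALUE",
}

def expand(template, values):
    """Fill {Placeholder} tokens with URL-encoded values (assumed behaviour)."""
    for name, value in values.items():
        template = template.replace("{" + name + "}", quote(value, safe=""))
    return template

def check_authorize_url(url_template, query_template, values=SAMPLE):
    """List problems in the request built by joining the two templates."""
    problems = []
    # The authorization request travels through the browser, so the client
    # secret belongs only in the token and refresh body templates.
    if "{ClientSecret}" in url_template + query_template:
        problems.append("ClientSecret placeholder in browser-visible URL")
    url = expand(url_template, values) + expand(query_template, values)
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append("authorization URL is not https")
    if "{" in url or "}" in url:
        problems.append("unexpanded placeholder left in URL")
    names = [k for k, _ in parse_qsl(parts.query, keep_blank_values=True)]
    for name in names:
        # A second '?' ends up inside the parameter name, as reported above.
        if not name.isidentifier():
            problems.append(f"malformed parameter name: {name!r}")
    for name in sorted(REQUIRED - set(names)):
        problems.append(f"missing parameter: {name}")
    for name in sorted({n for n in names if names.count(n) > 1}):
        problems.append(f"duplicate parameter: {name}")
    return problems
```

Passing the URL with `audience` appended to the base and the table's default query template reproduces the `?client_id` problem reported above; moving `audience` and `prompt` into the query template returns an empty list.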

inb18 commented 2 years ago

Hi, I am working on a bot and implementing user authentication. I did the OAuth connection setting with generic OAuth 2.0, but I get this error while I test the connection on this URL:

https://token.botframework.com/.auth/web/redirect?code=zNEUkT&state=82e83c4f6bd7425c929f9c6b0fe140fe

{ "error": { "code": "ServiceError", "message": "Missing session cookie (consent82e83c4f6bd7425c929f9c6b0fe140fe) in consent redirect request." } }