microsoft / BotFramework-WebChat

A highly-customizable web-based client for Azure Bot Services.
https://www.botframework.com/
MIT License

Azure Gov WebChat: DirectLine Enhanced Authentication resulted in magic number authentication #2970

Closed AngryVirginian closed 4 years ago

AngryVirginian commented 4 years ago

Screenshots

  - (Screenshot) Bot channel registration DirectLine settings
  - (Screenshot) Load bot from trusted URL
  - (Screenshot) OAuthPrompt card displayed in WebChat
  - (Screenshot) Error in F12 after clicking on the button
  - (Screenshot) A new tab for magic code was opened

Version

4.7.1 through NPM

Describe the bug

v4.7.2 .NET Core Bot is hosted in Microsoft Azure Government (MAG). DirectLine Enhanced Authentication does not work in trusted URLs and resulted in magic code authentication instead of the expected behavior (new tab opens and closes automatically without the user having to do manual input). The F12 browser console displayed the following error:

GET https://directline.botframework.azure.us/v3/directline/session/getsessionid 500

(Screenshot) The error

Steps to reproduce

  1. Setup a sample auth bot in Azure MAG.

  2. Use the following values in appsettings.json:

          {
              "BotEnv": "usgovprd",
              "ChannelService": "https://botframework.azure.us",
              "MicrosoftAppId": "[Omitted]",
              "MicrosoftAppPassword": "[Omitted]",
              "ScmType": "None",
              "isAzureGovernment": true,
              "OAuthConnectionName": "aadv2"
          }

  3. Use the following code before prompting the OAuthPrompt card:

          OAuthClientConfig.OAuthEndpoint = "https://token.botframework.azure.us";
          MicrosoftAppCredentials.TrustServiceUrl("https://token.botframework.azure.us");

  4. Configure directline channel on the bot channel registration. Enable Enhanced Authentication and add a trusted url.

  5. Configure an OAuth authentication connection with AADV2 as provider. The service principal used is from a GCC tenant.

  6. Get a token from https://directline.botframework.azure.us/v3/directline/tokens/generate with a user id 'dl_[new guid]'

  7. Add a webchat control to the home page of the trusted url with code similar to below

          // accessToken is the Direct Line token obtained in step 6 (never the channel secret).
          // The domain is overridden because the default points at the Azure public cloud.
          let directLineConnection = window.WebChat.createDirectLine({
              token: accessToken,
              domain: 'https://directline.botframework.azure.us/v3/directline'
          });

          .....

          // store and styleOptions are created elsewhere on the page.
          window.WebChat.renderWebChat({
              directLine: directLineConnection,
              store,
              styleOptions
          }, document.getElementById('webchat'));

  8. Go to the trusted URL to launch the homepage and WebChat.

  9. Interact with the bot to get an OAuthPrompt card back.

  10. Click on the OAuthPrompt card.

  11. The magic code authentication screen is displayed instead of the expected behavior.

Expected behavior

The OAuthPrompt card should open a new browser tab, close it, and the auth token should be received automatically in WebChat, as on the Azure commercial side.

Note

The magic code can be used to successfully authenticate the user.

p-nagpal commented 4 years ago

I am able to reproduce the failure and am in the process of collecting additional logs to get to the bottom of the issue. I will post an update as soon as I have more information. Thank you for your patience.

p-nagpal commented 4 years ago

@AngryVirginian I have deployed a fix and the OAuth flow is now working with my test bot. Could you check if your bot works as expected?

AngryVirginian commented 4 years ago

@p-nagpal It is still not working. I am getting a 403 error instead of 500 now though.

(Screenshot) The 403 error

mmarinoNet commented 4 years ago

I am running into a similar issue. The magic code always comes back. I get a status of 400 with https://directline.botframework.com/v3/directline/session/getsessionid. I don't have the WebChat in any iframe and I have the trusted origins defined properly. I followed all the instructions and tried it with all the samples. I don't know what to do next.

p-nagpal commented 4 years ago

Hello @AngryVirginian, @mmarinoNet, I am looking at this new problem.

@mmarinoNet, is your bot in Azure Gov or Azure public cloud? Could you perhaps share a failing conversation id or your botid. This will help me investigate better. Thank you.

mmarinoNet commented 4 years ago

Yes, it is in the Azure public cloud. I would be happy to do whatever I can to help. Please let me know. I tried everything and can't seem to get it to work. Months ago when I tested this it worked; now it does not seem to.

mmarinoNet commented 4 years ago

Please let me know what I should provide and I will be happy to do so.

Thank you for your help.

Monty


p-nagpal commented 4 years ago

@mmarinoNet this failure is in a different environment and has different symptoms. I have created https://github.com/microsoft/BotFramework-Services/issues/192 to help make progress with the 403 failure and 400 failure together.

p-nagpal commented 4 years ago

@AngryVirginian, I found a few things:

  1. I can see this error in the logs: _Request origin is not in the list of trusted origins_
  2. Can you check your DirectLine site settings and ensure that Enhanced Authentication is still turned on?

mmarinoNet commented 4 years ago

Yes, it is turned on. I am running the web client locally.

(Screenshot) Enhanced Authentication setting

AngryVirginian commented 4 years ago

@p-nagpal you are right. My mistake. I turned off Enhanced Authentication during testing. It is working in the Fairfax datacenter now. I will test the other US Gov bot that is in the Arlington datacenter on Monday.

AngryVirginian commented 4 years ago

@p-nagpal I confirm that the issue has been resolved in both the Arlington and Fairfax datacenters. Please proceed with closing the ticket. Thank you for the quick responses.