microsoft / botbuilder-dotnet

Welcome to the Bot Framework SDK for .NET repository, which is the home for the libraries and packages that enable developers to build sophisticated bot applications using .NET.
https://github.com/Microsoft/botframework
MIT License

OAuthPrompt returns expired token and exits without showing the sign in card #764

Closed lukasvolf closed 6 years ago

lukasvolf commented 6 years ago

In my bot (ASP NET Core, Bot Framework 4 latest one compiled locally) I tried using the OAuthPrompt to authenticate the user in my service. I used the following piece of code:

```csharp
OAuthPromptSettingsWithTimeout settings = new OAuthPromptSettingsWithTimeout()
{
    ConnectionName = "connection",
    Title = "Title",
    Timeout = 300000
};
_oauthPrompt = new OAuthPrompt(settings);

var result = await _oauthPrompt.Begin(turnContext, promptOptions);
string token = GetLoginResult(result);
if (!string.IsNullOrWhiteSpace(token))
{
    // ..
}
else
{
    // store the state and call "continue" in the next turn
}
```

For Skype, this worked and I was able to get the token.

Issue 1: The URL I was navigated to after logging in (https://token.botframework.com/.auth/web/redirect?some_params) returned "BadRequest". Refreshing the URL in the browser returned the "Magic" code and after entering that in Skype I was able to get the token in my service. Token was set, I was able to call my API.

Issue 2: The token has expired after some time. The previous code, however, still returns the expired token. In the Bot Framework code in OAuthPrompt.cs, line 106 I can see:

```csharp
if (tokenResult != null && tokenResult.TokenResponse != null)
{
    // end the prompt, since a token is available.
    await dc.End(tokenResult).ConfigureAwait(false);
}
```

That's great, but it means there is no way to force the SignInCard to show up again so the user can re-authenticate after the token expires.

Issue 3: Cortana times out after logging in and authorizing the skill (debug response is that the service has become unreachable). Is OAuth supported for Cortana skill already?

Issue 4: Back in Skype, I did not figure out any way to clear the token and force the Login dialog to re-appear. Is there a way to clear it?

Issue 5: Skype for UWP shows the sign in card without any issues. Skype 8 for Desktop shows only a card icon and text "Card". Since Skype 8 is marketed like the future of Skype, the fact that Sign In card does not work is an issue of Bot Framework 4, or Skype?

cleemullins commented 6 years ago

Thanks for the bug report! @swagatmishra2007 is the author & owner of this code, and I would like to get his opinion.

swagatmishra2007 commented 6 years ago

Some of the issues seem to be service side. I am following up and will update this thread once I get clarifications.

lukasvolf commented 6 years ago

So I made some progress yesterday:

Issue 4: I was able to log out using this piece of code:

```csharp
var client = turnContext.Services.Get<IConnectorClient>() as ConnectorClient;
OAuthClient cl = new OAuthClient(client, AuthenticationConstants.OAuthUrl);
await cl.SignOutUserAsync(turnContext.Activity.From.Id, _connectionName);
```

I still haven't figured out how to do this in Skype.

Issue 1: Looks like a temporary problem with the API, I didn't get Bad Request again yesterday during my testing.

Issue 3: I started using Cortana Connected account instead of the SignIn card. Works well, but needs special code just for this scenario in my Bot. I am looking for "AuthorizationToken" in turnContext.Activity.Entities and if it's present I skip the SignIn dialog.

mingweiw commented 6 years ago

Issue #2: We shouldn't be returning expired tokens there. I'll take a closer look. Do you have the approximate time when that happened? What's the bot id? What service provider was "connection" for? Do you know the user id of the token? That's in Activity.From.Id.

Issue #3: Cortana doesn't support the new OAuthCard. The v3 / v4 SDK downgrades it to the old signincard. However Cortana doesn't fully support the old signincard either. You must have a connected account setup and Cortana only supports signin card for a connected account. It doesn't look like this is documented though. I chatted with Cortana folks briefly. They are aware.

Issue #5: this would be a Skype client issue. Please reach out to them. I don't have a contact handy though. Sorry.

sidecus commented 6 years ago

@mingweiw Not sure whether Cortana team has checked the current documents for connected account - it's just a mess with the new Azure bot service migration/knowledge.store deprecation. I've spent quite a few hours searching and still cannot get it to work with simple Microsoft account auth on aadv2.

To be specific, I found quite a few documents and none of them is really up to date... I tried everything possible, now Cortana is prompting for sign in, but after putting in the user name it falls back to the "signin/cancel" card and never asks for my Microsoft account password.

https://docs.microsoft.com/en-us/cortana/skills/configure-connected-account
https://docs.microsoft.com/en-us/azure/bot-service/bot-service-channel-connect-cortana?view=azure-bot-service-3.0
https://docs.microsoft.com/en-us/cortana/skills/mva61-authentication

Would highly appreciate if somebody can help carry this feedback to Cortana team. A clear documentation about the steps with Azure bot service will be super useful.

lukasvolf commented 6 years ago

@mingweiw #2: The bot was configured to authenticate against a custom IdentityServer 4 instance running locally. My guess is that the token would be refreshed automatically provided the service was running, but since it is "in development" right now, it is running only when I am testing/debugging. After the token expiration, however, there should be some way to re-authenticate.
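
Added example (not part of the thread and not Bot Framework code): a bot-side guard for the expired-token case discussed above, which checks the token's expiry before using it so the bot can sign the user out and prompt again. It assumes the connection issues JWT access tokens with an `exp` claim; `TokenExpiry`, `ReadExpiry` and `NeedsReauthentication` are hypothetical names, and the sample token is constructed.

```csharp
using System;
using System.Text;
using System.Text.Json;

public static class TokenExpiry
{
    // Reads `exp` from the JWT payload WITHOUT verifying the signature. That is
    // acceptable only as a hint for "should I re-prompt?"; the API that receives
    // the token must still validate it. Returns null for non-JWT (opaque) tokens.
    public static DateTimeOffset? ReadExpiry(string token)
    {
        string[] parts = (token ?? string.Empty).Split('.');
        if (parts.Length != 3) return null;
        try
        {
            // base64url -> base64, then restore the stripped padding
            string b64 = parts[1].Replace('-', '+').Replace('_', '/');
            b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
            using JsonDocument doc = JsonDocument.Parse(Convert.FromBase64String(b64));
            JsonElement root = doc.RootElement;
            if (root.ValueKind == JsonValueKind.Object &&
                root.TryGetProperty("exp", out JsonElement exp) &&
                exp.ValueKind == JsonValueKind.Number &&
                exp.TryGetInt64(out long seconds))
                return DateTimeOffset.FromUnixTimeSeconds(seconds);
            return null;
        }
        catch (Exception e) when (e is FormatException || e is JsonException
                                  || e is ArgumentOutOfRangeException)
        {
            return null; // malformed payload: treat as unreadable
        }
    }

    // Fail closed: an unreadable or (nearly) expired token means re-authenticate.
    // The caller would then sign out (SignOutUserAsync, as in the comment above)
    // and begin the OAuthPrompt again instead of calling the API.
    public static bool NeedsReauthentication(string token, DateTimeOffset now, TimeSpan skew)
    {
        DateTimeOffset? exp = ReadExpiry(token);
        return exp == null || exp.Value <= now + skew;
    }

    public static void Main()
    {
        // Constructed, unsigned sample token whose exp lies in 2018.
        string payload = Convert.ToBase64String(Encoding.UTF8.GetBytes("{\"exp\":1530000000}"))
            .TrimEnd('=').Replace('+', '-').Replace('/', '_');
        string sample = "e30." + payload + ".sig";
        Console.WriteLine(NeedsReauthentication(sample, DateTimeOffset.UtcNow, TimeSpan.FromMinutes(1)));
    }
}
```

For opaque reference tokens this guard always asks for re-authentication; in that setup the expiry has to come from the identity provider instead.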

mingweiw commented 6 years ago

If the access token expired, we should try to acquire a token using the refresh token. If you have your identity server running, can you repro?

cleemullins commented 6 years ago

@lukasvolf, I've assigned this over to @Jeffders who will take a look. Hopefully we can get to resolution pretty quickly.

mingweiw commented 6 years ago

Assuming we have the issues here covered. Feel free to reopen if not. Thanks.