Calendar Skill login - BadRequest

[andreatosato]

Calendar Skill

Language: C#

Description

After configure Calendar Skill, I select "Create meeting" button. On bot framework I see "Login" with Outlook but, after some seconds, message is "Bad Request"

Screenshots

[darrenj]

Are you using the calendar skill directly? I.e. Not as a skill through a virtual assistant?

[andreatosato]

I follow this docs:

1. https://github.com/microsoft/botframework-solutions/blob/master/docs/tutorials/assistantandskilldeploymentsteps.md
2. https://github.com/microsoft/botframework-solutions/blob/master/docs/reference/skills/productivity-calendar.md So, I deploy only skill.

[darrenj]

If so, we don't have docs covering that scenario of use but will get that addressed shortly. Tracked here: https://github.com/microsoft/botframework-solutions/issues/1382 and links to an older doc with the key steps under skill authentication.

You can follow all the steps apart from the final msbot one, instead of that update your app settings.json file with the auth connection name you just created and you should be good to go.

Alternatively if you add your skill to a virtual assistant bot we add auth connection automatically.

[andreatosato]

This is my appsetting

{
  "microsoftAppId": "aadbbbbbb",
  "microsoftAppPassword": "obbbb~(@",
  "oauthConnections": [
    {
      "name": "Outlook",
      "provider": "Azure Active Directory v2"
    }
  ],
  "appInsights": {
    "appId": "4d3bbbbb85",
    "instrumentationKey": "c59bbbbcc"
  },
  "blobStorage": {
    "connectionString": "DefaultEndpointsP.......t",
    "container": "transcripts"
  },
  "cosmosDb": {
    "authkey": "bt.....==",
    "collectionId": "botstate-collection",
    "cosmosDBEndpoint": "https://my.documents.azure.com:443/",
    "databaseId": "db"
  },
  "DefaultLocale": "it-IT"
}

This app settings is created with ARM template output. I have only added "DefaultLocale" settings. I have set Azure Active Directory with scopes, reply url and Access Token. What is my "auth connection name"?

I haven't .bot file

[andreatosato]

I follow this docs

I add this in appsettings: "ConnectionName":"BotCalendarSkill" And then add OAuth Settings in Bot Channel Configuration.

I test connection and work great. what am I doing wrong?

[darrenj]

Can you change your appsettings oauthconnectionname to BotCalendarSkill instead of Outlook please?

[andreatosato]

Same result with this changes. BadRequest message on login process

"oauthConnections": [
    {
      "name": "BotCalendarSkill",
      "provider": "Azure Active Directory v2"
    }
  ],

[darrenj]

Thanks - this error is coming from the AD service so something is up with the Authentication Connection I suspect but as you say Test Connection works. Are you debugging locally or publishing to azure? Just want to make sure the appsettings.config check has been published if your testing remotely.

Your scopes don't look right for the Calendar Skill - perhaps double check that's not the issue with the following:

User.ReadBasic.All, Calendars.ReadWrite, People.Read, Contacts.Read

[andreatosato]

I'm debugging bot on Azure with Test chat and Bot Emulator. I have update scope with: User.ReadBasic.All, Calendars.ReadWrite, People.Read, Contacts.Read

[darrenj]

Could you confirm your emulator version please?

[andreatosato]

4.2.1

[darrenj]

OK - here are the new documentation steps, would be good to double check everything is correct. If you could set back to ID Token on the Azure AD Application rather than access token (that's not needed now) but shouldn't have caused your issue.

Authentication Connection Settings

If you plan to use the skill as part of a Virtual Assistant the process of registering a skill with your Virtual Assistant will create the supporting authentication connection information automatically for your Virtual Assistant. This skill uses the following authentication scopes which are registered automatically:

• User.ReadBasic.All
• Calendars.ReadWrite
• People.Read
• Contacts.Read

However, if you wish to use the Skill directly without using a Virtual Assitant please use the following steps to manually configure Authentication for the Calendar Skill. This is not required when using the Skill with a Virtual Assistant.

If you wish to make use of the Calendar, Email and Task Skills you need to configure an Authentication Connection enabling uses of your Assistant to authenticate against services such as Office 365 and securely store a token which can be retrieved by your assistant when a user asks a question such as "What does my day look like today" to then use against an API like Microsoft Graph.

The Add Authentication to your bot section in the Azure Bot Service documentation covers more detail on how to configure Authentication. However in this scenario, the automated deployment step has already created the Azure AD v2 Application for your Bot and you instead need to follow these instructions:

• Navigate to the Azure Portal, Click Azure Active Directory and then App Registrations
• Find the Application that's been created for your Bot as part of the deployment. You can search for the application by name or ApplicationID as part of the experience but note that search only works across applications currently shown and the one you need may be on a separate page.
• Click API permissions on the left-hand navigation
  • Select Add Permission to show the permissions pane
  • Select Microsoft Graph
  • Select Delegated Permissions and then add each of the following permissions required for the Productivity Skills:
  • User.ReadBasic.All
  • Calendars.ReadWrite
  • People.Read
  • Contacts.Read
  • Click Add Permissions at the bottom to apply the changes.

Next you need to create the Authentication Connection for your Bot. Within the Azure Portal, find the Web App Bot resource created when your deployed your Bot and choose Settings.

• Scroll down to the oAuth Connection settings section.
• Click Add Setting
• Type in the name of your Connection Setting - e.g. Outlook
• Choose Azure Active Directory v2 from the Service Provider drop-down
• Open the appSettings.config file for your Skill
  • Copy/Paste the value of microsoftAppId into the ClientId setting
  • Copy/Paste the value of microsoftAppPassword into the Client Secret setting
  • Set Tenant Id to common
  • Set scopes to User.ReadBasic.All, Calendars.ReadWrite, People.Read, Contacts.Read

Finally, open the appSettings.config file for your Calendar Skill and update the connection name to match the one provided in the previous step.

"oauthConnections": [
    {
      "name": "Outlook",
      "provider": "Azure Active Directory v2"
    }
  ],

[darrenj]

Here are some screenshots that might help:

Client ID and Client Secret above should match the appId/Password below in appSettings.config

[andreatosato]

I followed your guide, I changed the settings. Despite these changes, the error is still present.

[darrenj]

Can you try a more recent emulator build just to rule that out?

[andreatosato]

Same Error with 4.4.1

[darrenj]

I'm all out of ideas. Adding our Support Team to see if they can help repro or have any other ideas around Auth Prompts and Emulator with "Bad Request"

Repro Steps are:

• Clone the github.com/microsoft/ai repo
• Follow these updated docs to deploy the Calendar Skill and then follow the manual auth connections (not being used as a skill)
• Use Emulator against the newly deployed Skill and ask "what meetings do I have", click login and use a outlook/hotmail account (we have internal o365 demo accounts if helpful) to validate it logs in OK.

[andreatosato]

Image for latest bot framework emulator: 4.4.1

[stevkan]

Attempting to repro the issue.

[darrenj]

Thanks @stevkan

Whilst it doesn't resolve the BadRequest problem - docs/new nuget pushed to resolve the earlier issues for others: https://github.com/microsoft/botframework-solutions/blob/master/docs/reference/skills/productivity-calendar.md

[darrenj]

OK - I have some more context from another issue.

If you check your Web App Bot resource in Azure, click settings and scroll down to Auth connections I suspect you'll see no auth connection?

If so - that's the cause of the issue. When you use the add_remote_skill.ps1 it asks for the Bot name and manifest endpoint of the skill. The other issue I've just triaged appears to be where the name of the bot passed does not match the Web App Bot resource name so the script can't find the resource and add the Auth connection.

I think the script should have shown an error when running, also the add_remote_skill log file may have some error message too.

If you use the remove_skill script to remove your Skill and run again ensuring the name matches let's see if that helps.

We have also just introduced the botskills CLI. Feel free to try that if you want (from the assistant directory) (but make sure you have removed using the older script first)

npm install -g botskills
botskills connect -b YOURASSISTANTNAME -r https://YOURSKILL.azurewebsites.net/api/skill/manifest --cs

[andreatosato]

Hi @darrenj, I run this script: https://github.com/microsoft/botframework-solutions/tree/master/skills/src/csharp/calendarskill/calendarskill/Deployment

I have only skill, not virtual assistent.

[darrenj]

OK - you need to follow these security config steps : https://github.com/microsoft/botframework-solutions/blob/master/docs/reference/skills/productivity-calendar.md#authentication-connection-settings

[waqarghani]

Hi ... Following ... as i am facing the same error ... bad request ... i hope @stevkan can repro this error

[darrenj]

BadRequest is due to there not being an auth connection. if your using the Skill directly you'll need to follow these steps: https://github.com/microsoft/botframework-solutions/blob/master/docs/reference/skills/productivity-calendar.md#authentication-connection-settings

[waqarghani]

Hi @darrenj, i am getting this error when i am deploying it as a part of virtual assistant, not separately: so here it is as part of Virtual Assistant:

This is my Virtual Assistant:

This is basic fucntionality, just for security check if everything else is working fine like QnA and genral LUIS and Dispatch:

Skill was added to Virtual Assistant using this CLI:

.\Deployment\scripts\add_remote_skill.ps1 -botName "YOUR_BOT_NAME" -manifestUrl https://YOUR_SKILL.azurewebsites.net/api/skill/manifest -luisFolder [path]

As mentioned here: If a Skill requires Authentication connections to Office/Office 365 in most cases the above script will automatically add this configuration to your Bot and associated Azure AD Application.

Here i ask for dispatch to go to skill dialog:

After clicking on the Oauth card this is the Bad Request Error i get:

This error persists if you publish the bot and use it with direct line , so it has i think not much to do with Emulator but still if you are interested i am using 4.4.2

Finally, i though may be i need my Admin to allow me to access outlook or something along the line as i am only of user status in my company's Azure AD so i ask for permission, that's how my App Registration looks like:

FYI: If you run the skill separately and don't do any authentication settings as mentioned above by you ... then Calendar skill bot will work up to same point i mean general intents will be answered but when you trigger Calendar intents it will ask similarly for OAuth card and afterwards this bad request. So in the end may be when i am deploying it with VA there is some Authentication issue happening but as mentioned by the docs it should happen for VA automatically, then the question why it is not happening for me?

Thank you for your assistance and support.

[lauren-mills]

Hi @waqarghani and @andreatosato, just a quick troubleshooting step... Can you hit the test connection button in the Azure Portal for your bot oauth connection and verify that it successfully retrieves the token, like in the second screenshot?

Also, are you using personal microsoft accounts (i.e. outlook.com or hotmail.com) or organizational accounts?

[andreatosato]

In my previews comment I tried test connection. I works, but bad request is already present. I use my work account

[darrenj]

Can you check appsettings.config has an entry for the oauthconnection that matches the name of the one you just did "test connection" on?

[andreatosato]

Yes @darrenj, connection name is the same. ☹️

[darrenj]

Based on previous issue diagnosis the issue has been around the Virtual Assistant not having the appropriate Authentication Connection information as part of the Web App Bot configuration. BadRequest seems to occur when the Authentication Connection name in appsettings.config is missing or is referencing a connection that does not exist.

This authentication connection should be created by the add_remote_skill.ps1 (or the new botskills CLI) if the skill you are adding has skill authentication requirements. you can validate this is present in the azure portal as below. Note this is not on the skill but the Virtual Assistant bot registration.

Then in appsettings.config you'll see something like this:

"oauthConnections": [ { "provider": "Azure Active Directory v2", "name": "Outlook" } ]

If created automatically it's called Outlook and both names most match.

If this is all in-line Bad Request should not happen - you should be able to click the signin link and then be prompted for username/password.

If you created the Azure AD Application manually rather than the deploy script then you need to make sure the following are correct:

[stevkan]

Unable to repro the exact issue, yet. Am continuing to test.

[darrenj]

Closing as no update, feel free to update if you haven't got it working. The above steps have addressed the other instances we had with similar behaviour.