I've been working on this problem for a week now and I've got no further and was hoping someone had encountered this before. The documentation around this is frustratingly sparse and glosses over the particular issues i'm having trouble with.
So I have a bot I wish to integrate into a teams application, but before that I wanted to test it in the emulator and ensure it works in Azures Test in Webchat feature. The Web App Bot is hosted on Azure, as is the App Bot Service, which is what I deploy to. When I test it in web chat, There is an error in my browsers console, and in the Channel there is a listed issue stating "There was an error sending this message to your bot: HTTP status code Unauthorized"
What I assume is happening is that my Web App Bot is sending a malformed request to my web app service. But I don't understand why.
So, looking around here and other places, it looks like the cookie cutter answers for this are a combination of check your AppId and AppPassword are correct, make sure your endpoint is correct, make sure the admin has consented, test it in the emulator, update your bot framework nugets, make sure you subscribed your bot correctly, delete and resubscribe your bot etc etc, naturally all of these I've done.
I'm sure the Id and Password, endpoint, and consent are all correct, as I can connect to the bot fine in the emulator.
What I'm not clear on is the consent process. I think I've consented to everything I need to, but it might be worth double checking.
I've also tried remote debugging to see if it hits my code, and it does, but the postAsync() controller just throws out the request
[HttpPost, HttpGet]
public async Task PostAsync()
{
// Delegate the processing of the HTTP POST to the adapter.
// The adapter will invoke the bot.
await Adapter.ProcessAsync(Request, Response, Bot);
}
Is there anything I need to configure, or any thing I can look into here? Azure can be a confusing place so it would be nice to have some advice from someone more knowledgeable.
So that's my question. Why am I not authorised to test this in Test Web Chat on Azure? And why do I get the same errors when I include the bot ID in my teams manifest?
Make sure these things:
When you connect your Bot just mention the URL of the Bot Channel.
The UnAuthorized message comes when you have (unintentionally) mentioned MicrosoftAppId and MicrosoftAppPassword in your appSettings.json. Make sure you don't mentioned them. Pass empty string.
If you have created your Bot in Azure Portal you will get the MicrosoftAppId (in Overview section) and MicrosoftAppPassword (in Keys or may be Security on left side of the Azure Portal Bot pane). Use these credentials when you Connect to a BOT and also in your appSettings.json
Note: Step-3 only applies if you have created a Web bot in Azure Portal. Ignore otherwise.
You can also visit this link: https://stackoverflow.com/a/49377915/6029001
For those who stumble onto this thread, the answer was that I just had to delete my app service and deploy it again.
I originally created the service manually, and then used continuous deployment to deploy onto it, but I found that just deleting the app service, and having visual studio create the service for me, the bot suddenly began authorizing.
As far as I know, no configuration was different, so it must've been something to do with setup. Marking as solved.
Related
I have a chatbot that is developed using sdk v4 in .Net Core. I deployed the bot on Azure and it was working perfectly. By the end of the day I interacted again with it and I started getting the following error:
One or more errors occurred. (Operation returned an invalid status code ‘Forbidden’)
and in my browser console I saw this:
Access to XMLHttpRequest at 'https://botservice.hosting.portal.azure.net/botservice/api/ClientTrace' from origin 'https://portal.azure.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: It does not have HTTP ok status.
Is there anything I am missing? Why did it started happening out of the blue? What is the reason and ramification?
After lots of trial and error, this was the issue:
I was attempting to dig into your issue more, but when chatting with your bot, I get "The subscription is in a disabled state". Did you turn off your Azure subscription?
I just found out that that particular subscription where my dev bot was places has been turned off or whatever.
My first recommendation is that you need to make sure azure portal > your resource group > your app service > Settings > CORS looks like this:
Second, in azure portal > your resource group > your web app bot > Channels if you have the DirectLine channel enabled and you're using Enhanced authentication options, make sure you have the appropriate client hosts listed.
This is not a common error--at all. Make sure that you deployed the bot following the Deployment Docs.
Let me know if you still run into trouble. This "answer" was just too long for a comment, but I can edit it if you try these and let me know how it goes.
Update 1
By any chance are you using Websockets? If so, try disabling them.
I'm not seeing a single error hit the backend, which leads me to believe it may be something on your side. Are you behind a proxy or firewall that might be preventing access?
In Azure Portal > Your Resource Group > Your App Service > TLS/SSL settings, do you have TLS 1.2 enabled?
Does Application Insights show any errors? If so, please update your question with them.
I've been working on a multi-app project for a few months now using Azure App Service for my database and ADD B2C for authentication. There are three applications in this project: an admin WPF app, a client web app, and an employee WPF app. All three applications use client managed authentication with my B2C tenant by getting a token from B2C and using that token to login to the App Service database. Everything has been working fine until seemingly overnight I am no longer able to authenticate with the app service. I have no problem displaying the B2C login screen and getting an access token as a result of the authentication, but when I package the token in a JObject and call the 'mobileServiceClient.LoginAsync()' function, all I get back is a 403 "forbidden" error.
First I tried seeing if all three projects were affected, which they are. I then tried rolling back to my last commit. Still the same thing. I then tried re-cloning to see if there was any little quirk with still the same results. Because I know my Azure resources have not hit their limits, I then tried making a completely separate WPF project and I made a table on the app service that allows anonymous access. After setting "Action to take when request is not authenticated" to "Allow anonymous access" on the app service, I was able to read and write to the anonymous table without issue. I then tried to have this new project authenticate the same way the others have been only to get the same 403 error. After checking all of this I can say I'm almost completely sure that there is no issue with the client applications and the issue has to be on the server side.The most confusing part for me is that aside from adding a new table to the database, I haven't changed a single thing server side. I've checked out both the B2C tenant and the authentication settings on the app service but nothing seems to be different than before I was experiencing this problem. Investigating a little bit more in the app service, I tried to find some JS code that handles authentication to see if I could find any useful information using the console output. I did not find any code, but I did find out the console outputs PID[31680] Information Sending response: 403.76 Forbidden whenever a client tries to authenticate.
Additional information that might help is that my request header timestamp is correct. I know from research that Azure only allows a 15 minute variance for incoming requests from its time.
Any help or suggestions for solving this issue would be greatly appreciated! Thanks!
I'm trying to deploy a test bot on messenger however, when it comes to the endpoint url I'm not sure how to do that.
I'm not completely clued up on how the hosting works.
I've got it linked to my Facebook page but I get no response and I'm told no endpoint detected.
Please take a look to the Deploy a bot to the cloud documentation section.
Also, make sure to review the topic around how to Connect a bot to Facebook Messenger to ensure all the steps are being done correctly.
I'm trying to build a bot that would integrate with a REST API. To be more specific, the bot should log into the API, based on credentials provided by the user. Based on certain questions that is asked by the user, the bot should then perform certain actions against the API and report with the results. Something like, 'hey mr. bot, I would like to know my latest sales figures' or 'submit my outstanding events'. The API uses forms authentication, thus after login, the bot would need to send the cookie to the API, otherwise a response of 401 (from API).
Is something like this possible?
[Update]
Since it's unclear as to what I'm asking (down vote), I'll extend my question. I would like to know whether the bot would be able to pass the cookie required by the API to and from the client it's communicating with. Otherwise, with each request to the API, from the bot, the API will see the request as one that is not authorized.
Thanks!
I'm not fully sure if this is going to work with cookies. Maybe in the WebChat channel, because of the nature of the channel, may work just fine.
A common pattern I've seen working pretty good with bots is communicating through APIs via OAuth. A good way to implement this is: you send to the user in the bot a link to log in, then the reply will callback to your API where you will basically resume the authentication with the bot and store the access token in the bot state; so you can reuse it on every call.
Since you are using C#, I would recommend checking AuthBot ( is a .Net library for Azure Active Directory authentication on bots built via Microsoft Bot Framework).
Also, you can check AzureBot to see how the Auth library is being used.
I followed this Microsoft Azure Mobile Service Authentication Tutorial, to try to add a server authentication function for my Windows Store C# app. However, after completing every step, when I run my app, it showed that the application cannot connect to the service.
I found this useful blog tallking about troubleshooting Azure Authentication issues in Azure Mobile Service. To troubleshoot, I type the link in the firefox web browser: myServiceUrl/login/aad, but I receive the error response:
Authorization has been denied for this request.
I also followed the same tutorial to test with Google Log in. It turns out to work properly. And when I type the link: myServiceUrl/login/google, the web browser directed me to the google log in page, unlike the Unauthorization error message when I type in myServiceUrl/login/aad.
Although google log in works out fine, but it is desired for us to use Azure Active Directory authentication. Could anyone tell us what could possibly be wrong? Any troubleshooting suggestions are also appreciated. Thank you.
The "Application cannot connect to the service" error comes from whenever the Web Authentication Broker in Windows receives an error response from the resource it is trying to reach. There are a couple of issues that can cause this, and I'll try and address the most common ones.
I noticed the tutorial you linked to is for the .NET backend. If you are using the Mobile Services .NET backend, there is an extra step required to configure the AAD server flow, and it's a common cause of the issue being described. In the tutorial, it's under the title "Configure your .NET mobile service for AAD login." On the backend project, you will need to install the Mobile Services .NET Backend Security Extension NuGet package. Then, in WebApiConfig.cs, you will need to include
options.LoginProviders.Remove(typeof(AzureActiveDirectoryLoginProvider));
options.LoginProviders.Add(typeof(AzureActiveDirectoryExtendedLoginProvider));
This allows the runtime to use the server flow in addition to the client flow (leveraging the Active Directory Authentication Library) which was first released with the .NET backend.
Pending that, or in the case of the Node runtime, the next thing to do is check the AAD configuration. In the AAD portal, make sure that your application registration uses your mobile service's /login/aad endpoint for the resource URI. It must match exactly the value provided in the Mobile Services portal. This should also be one of the redirect URIs if you are using the Node backend. For .NET, you would use the /signin-aad endpoint for the redirect URI instead.
You should also check that you have copied the Client ID from the AAD registration and pasted it into the Mobile Services portal's Identity Tab. For completeness, the "Allowed Tenants" field should also be filled out, but I don't believe it is the cause of this issue.
Lastly, if your AAD tenant is federated with ADFS, then there is a wide range of issues that could lead to this. The biggest case comes from the WAB needing to be configured for Enterprise Authentication. This typically only causes problems when the device is domain joined / on the corporate network. That behavior is a known bug for the Mobile Services Windows Store SDK, but there is a workaround available. Glad to provide that if needed.