I am currently trying to develop an application in C# using the SlackConnector library. SlackConnector
The application would receive and send messages to slack channels and DM. (I am successfully able to send and receive messages from my slack using the test token generator.) TEST TOKEN GENERATOR
The thing I dont understand is how is it possible for the user who will use the app to give full authorization to access their Slack account and so from there on they can send and receive messages likewise.
Is OAuth 2.0 something that I need to use ? I created a slack app and followed steps to get access token from users but the access tokens for some reason do not establish a connection, like the test tokens do ? I suppose with that token you can post messages on behalf of user only not receive messages have only limited access, not sure !!
Is there a way to programmatically get a signed-in users generated test-token? or a way that the user can give my desktop application full access to the slack account without having to generate a test token manually?
Even if I were to go to production with only me as a user what access token would I use the same Test Token ? Isn't it only for testing where is the actual token ?
To answer a few of your questions here:
Yes, you'll need to use OAuth 2.0 and a Slack app to offer your integration for installation on other Slack teams.
Yes, test tokens are just meant for developing against one team. They represent the full capabilities of whichever account created it, within the context of the team it was created on.
To connect to the RTM API and to read and write DMs, you'll need to make a few decisions about which OAuth scopes you'll want to request, and whether you're wanting to operate from the perspective of your application as a kind of "bot user" within a channel, or from the perspective of the user using your app. Generally, apps operate from their own perspective.
The most common way an app like this is built is by asking for the bot OAuth scope, which grants a package of permissions. The tricky part is that the bot permissions aren't granted to the top-level token at the end of the OAuth flow -- they're granted to the bot_user_token you'll find under the bot part of the response hash. Using that token will let you connect to the RTM API and interact via direct messages with team members. (See the bot user docs for info about "Tokens and scopes".
If your intent is to operate directly on behalf of a user (posting and responding to messages as if you were the user authorizing your app), then you need to ask for very distinct OAuth scopes that will be applied to the top-level user token in the final OAuth response.
Related
I am trying to figure out how to create a envelope on behalf of another user's account within my domain.
I have been looking at the Send On Behalf Of...but several of the links in StackOverflow are broken.
I am using the Rest 2.1 Api, using C# and following a JWT automated examples.
I need to be able to create a envelope from a system account and make it look like joe#company.com sent the envelope to the recipients.
Thanks
jlimited
You use the OAuth JWT grant flow to impersonate the other person.
"Send on behalf of" is part of the deprecated DocuSign Legacy authentication and is not supported for new eSignature REST applications.
Note that you'll also need to obtain that person's consent for your application to impersonate them. Or use Administrative Consent to proactively grant consent.
I needed to validate my domain in the Org Admin. Once I did that, it started working great.
Problem Statement:
I'm trying to create a module in C# console application that I intend to plug and use in Azure Bot once it is operational. I want to connect my bot with Azure DevOps. I am able to do that with PAT token but I need the bot to only display the resources from DevOps on which the logged in user has access.
Attempts:
I am able to get the necessary details using PAT token. It gives me all projects irrespective of the logged in user details.
I have tried to use the Azure AD token for the logged in user but it gives me unauthorized error on trying to use it to invoke Azure DevOps REST APIs
Referred this article but I am unable to get the auth code or token silently.
To summarize, I'm basically looking to:
Obtain a user token for Azure DevOps silently (without user confirming with a click)
Use REST APIs to fetch details like projects, work items etc.
A Personal Access Token inherits the permissions from the user that created it. So if you, as a project collection administrator, create a token, that token has the samwe permissions as you do.
Unfortunately there is no public REST API that you can use to create a token at runtime. They have to be created by a logged in user through the portal.
Another option is using OAuth. OAuth asks the user to login and then gives you a token that you can use in the REST APIs. Unfortunately that doesn't meet your criteria where a user doesn't have to do anything,
The only other way I see is adding the users to the resources they have permissions for. Then from your REST API you can use the admin PAT to check their permissions and then retrieve only what they are allowed to see. Which also isn't really pretty :-(
How can I authenticate a multi-tenant bot silently on behalf of a user? I'm trying to replicate the behavior of the Microsoft Flow bot in Teams. This bot does not prompt the user to authenticate with an Oauth2 card, and it seamlessly retrieves my flows. How can I get the token of the current session from Teams to use it, for example, in a call to the Graph API?
Update : SSO is now supported for Tabs, Bots and Messaging Extension.
Please take a look at following documentation:
Single sign-on (SSO) support for tabs
Single sign-on (SSO) support for bots
Single sign-on (SSO) support for messaging extensions
Per the docs:
Currently, silent authentication only works for tabs. It does not yet work when signing in from a bot.
That being said, if you create a bot that has tabs, the user can click on the tab to silently authenticate. It's not ideal, but for now, that's all there is.
The official Teams Sample Bot does this.
Follow the linked sample and docs to accomplish this. The docs, especially, lay it out pretty well.
OAuth prompt can be used to sign in the user. As of now , the user needs to sign in only once,then when the token expires , the user will be authenticated silently.
https://learn.microsoft.com/en-us/azure/bot-service/bot-builder-authentication?view=azure-bot-service-4.0&tabs=aadv1%2Ccsharp%2Cbot-oauth
Please check out this sample:
https://github.com/microsoft/BotBuilder-Samples/tree/master/samples/csharp_dotnetcore/18.bot-authentication
My use case is as follows. At regular intervals, a daemon process needs to:
Scan an email account in Office 365 for Non-Delivery Reports,
Extract some info from the email body,
Perform a task for the user account identified from that info.
My approach was to use Microsoft Graph (at which I'm new) to get in and do this - however if there is an easier approach please let me know. I'm having trouble with the .NET graph API in authenticating & getting tokens without user interaction.
I have been successful in using a Microsoft Graph console sample (https://github.com/microsoftgraph/console-csharp-connect-sample) to connect to the email account, after doing the usual setting up of the app and its permissions/scopes in Office 365, and using the App ID and "secret" to connect.
However, after spending a whole day researching and trying various ways to authenticate in the sample app, it always pops up a login window (see https://i.imgur.com/SmtPpYd.png) before API actions can be performed. Sadly I've failed to discover how to authenticate and get tokens without user interaction.
Can anyone help me in how this sample needs to be modified - i.e. how the authentication needs to be altered - in order for it to work without asking the user to log in?
I do have full admin access, so can grant whatever permissions needed in Office 365, I just need help working out what to grant and what to alter in the console app to skip the user interaction. This is my first encounter with MS Graph and my head is spinning so please be gentle. :)
Note this will eventually run as a daemon on a server, but initially I'm just trying to learn by performing actions in this console app.
This application sample is using a public client (that can't store secrets because you don't control the device/OS/environment) as you can see here.
Here the acquire a token using apps public identity and user's identity (hence the prompt).
You have to replace it by a ConfidentialClientApplication instead providing an additional secret (that you can generate from the portal) and then replace the acquisition by a client only token request.
As your application is not going to hold any user identity none of the /me shortcuts are going to work.
Lastly, as you want to crawl all users, you need to change the permissions you're requesting to an admin permission/scope and replace User.Read and Mail.Read by User.Read.All and User.Read.All. (don't forget to click on the "grant permissions button" once you save the scopes.
Hopefully that helps
I have an API that uses another API (example google calendar API) which is authenticated with OAuth 2.
httpRequest => MyApi under test => uses external Oauth2 enabled API
If the "Oauth2 enabled API" were using HTTP basic authentication, I could just hardcode the username and password somewhere to test the application —using the username and password of a test user created in the external APP that exposes the API that I am using.
As with Oauth2 we require the user to consent (the user is usually redirected to a web page) to ask them for consent to the app to access their data through the API.
I just want to create simple Integration Test: For example, my API creates an event in the google calendar, then deletes it for cleanup, but without human intervention.
Is this possible and how?
If you're developing an API, then your tests should be against that API only. You are not responsible for the work done in the external Oauth2 API, the author of that API is. Only test your own code.
Which means, you should find a way to mock out the calls to the external API if possible.
I've been wondering about the best way to do this myself.
So far I've found a few of options:
Use the password grant type, to authenticate as a user. This is apparently no longer recommended as per best practices, but that's for end-users. Not for testing.
Use the client_credentials grant type, to authenticate as the app itself. The problem with this is that if your test depends on being able to retrieve user data, the app won't have any associated to itself, unless you manipulate it beforehand.
Request a refresh_token, to re-authenticate as a previously authenticated user. This is done by requesting the offline_access scope. A user will have to do the first authentication, get a refresh token and provision the test script with it. The script then must be able to keep updating itself with a fresh refresh token each time it runs. And if the refresh token should expire before the next run, human intervention will be required again.
Use the device_code grant type to poll for end-user consent elsewhere. This is like what YouTube uses to pair your SmartTV, whereby you start the login on your SmartTV and consent to it with a pairing code on your mobile device. Here, human intervention is required as well for the consent, at least the first time, and then again should the consent expire.