Botframework-sdk: bot forgets trusted services/urls/channels?

Created on 18 Jan 2017  路  8Comments  路  Source: microsoft/botframework-sdk

I followed the proactivemessage sample code (https://github.com/MicrosoftDX/botFramework-proactiveMessages) - and hope that its just something that I overlooked.

I made the following changes

  1. When a message is received - save the activity to azure blob storage - using the senders id as the blob name.
  2. Changed the endpoint to be a simple get with no parameters.
  3. get will get blob list and for each saved message - will create a new direct conversation and send a simple "hello".

If I publish the site (to azure), send a message to the bot; it will successfully save/over write the blob and then if I call the trigger, it will send me a message from the data in the blob - so all is good till here.

If I republish the site and then try to recall the same trigger (the activity message has already been saved to blob from the first attempt) it fails - giving me a "Service url webchat.botframework.com is not trusted and JwtToken cannot be sent to it."

If I send another message to the bot, then call the trigger again, it successfully send the message again.

It seems it cannot create a direct conversation for some reason if it's not already (recently?) received a message from that channel as this is the line that throws the error:

await connector.Conversations.CreateDirectConversationAsync(botAccount, userAccount)

Any thoughts on what I could be doing wrong?

help wanted
Source
picture zxed

All 8 comments

@dandriscoll?

eanders-MS picture eanders-MS on 26 Jan 2017

Hi @zxed, when you're dealing with ServiceUrls across process boundaries, the SDK needs you to tell it whether the ServiceUrl was transmitted in a trusted way.

When you receive and store a message, keep track of whether or not it was trusted:

bool isTrusted = MicrosoftAppCredentials.IsTrustedServiceUrl(activity.ServiceUrl);
// Here are some example lines showing how you could store the message for later
storedMessage.Activity = activity;
storedMessage.IsTrusted = isTrusted;
UploadToBlobStore(storedMessage);
...

Then, when you rehydrate the message, you can tell us to trust the URL.

storedMessage = GetFromBlobStore();
if (storedMessage.IsTrusted)
{
    MicrosoftAppCredentials.TrustServiceUrl(storedMessage.Activity.ServiceUrl);
}
dandriscoll picture dandriscoll on 26 Jan 2017
1

Thank you - Can you share what your storedMessage obj looks like?

I was storing the activity object as json in azure.

using (var ms = new MemoryStream())
            {

                var json = JsonConvert.SerializeObject(activity);
                StreamWriter writer = new StreamWriter(ms);
                writer.Write(json);
                writer.Flush();
                ms.Position = 0;


                await blockBlob.UploadFromStreamAsync(ms);
            }
zxed picture zxed on 27 Jan 2017
1

The storedMessage object is up to you.

It looks like you're just serializing the Activity object, which would not have space to contain this added field. The ResumptionCookie object* is pretty close to what you want. You could store all three in an object like this:

public class StoredMessage
{
    public ResumptionCookie ResumptionCookie { get; set; }
    public Activity Activity { get; set; }
    public bool ServiceUrlIsTrusted { get; set; }
}

Two things:

  1. If you're using ResumptionCookie, you probably don't need to store the Activity object as well.
  2. We're thinking of renaming ResumptionCookie in a future SDK release, so be aware the name may change soon.
dandriscoll picture dandriscoll on 27 Jan 2017

Thank you. In what instance would ServiceUrl not need to be trusted? are there some integrations that dont require it?

zxed picture zxed on 27 Jan 2017

It should not happen if your bot is properly configured. This is primarily a defense mechanism in case you delete or disable your BotAuthentication attribute. In that situation, we want to detect that the ServiceUrl came in through an unauthenticated endpoint.

Keeping the isTrusted flag connected to the ServiceUrl is our recommended approach for ensuring the URL was securely transmitted.

dandriscoll picture dandriscoll on 27 Jan 2017

Thanks.

zxed picture zxed on 27 Jan 2017

bool isTrusted = MicrosoftAppCredentials.IsTrustedServiceUrl(activity.ServiceUrl);
if(!isTrusted)
MicrosoftAppCredentials.TrustServiceUrl(activity.ServiceUrl, DateTime.MaxValue);

rbolanoherrera picture rbolanoherrera on 7 Nov 2017
👍1
Was this page helpful?
0 / 5 - 0 ratings

Related issues

Vigneshramkumar picture Vigneshramkumar  路  3Comments
RaoVenka picture RaoVenka  路  3Comments
stijnherreman picture stijnherreman  路  3Comments
clearab picture clearab  路  3Comments
maba4891 picture maba4891  路  3Comments