Botframework-webchat: OAuth flow always requires magic code when using OAuthCard

Created on 26 Oct 2018 · 10 Comments · Source: microsoft/BotFramework-WebChat

According to the documentation WebChat is supposed to work without requiring a magic code.

Using the basic Authentication Bot from the SDK samples this does not appear to be the case.

To reproduce:

  1. Build and publish AuthenticationBot to an Azure Bot Service web app configured for v1 AAD authentication as described in documentation and using a Direct Line channel;
  2. Clone, build and publish WebChat client to Azure Web App (or run locally);
  3. Initiate chat using ?s=[DIRECT_LINE_SECRET] query string and type any phrase (or log out if already logged in);
  4. Click Sign In from the OAuthCard prompt displayed by WebChat.

When following this, a new page/tab is opened, and the user needs to log in or select their previously logged-in user.

The user is then presented with a 6-digit magic code that needs to be entered in the WebChat client to complete authentication.

ISSUE:
This does not match the documentation and introduces an additional step to the UX that is clunky and potentially undesirable.

All 10 comments

UPDATE: The key is the use of the Direct Line token rather than secret, so I think I have this working now...

I'll revert back to here when fully tested with the steps I used.

One more tip: if your user's browser is set to block 3rd party cookies, we will fall back to the magic code flow.

We desperately need a graph to explain how it works. Will ask the team.

p.s. I built my own OAuth sample (out of public docs), you can try https://microsoft.github.io/BotFramework-WebChat/full-bundle/ and then type oauth.

Closing due to inactivity. Please open a new issue if the above guidance doesn't address your issue.

I've added comments and code to #1001 on how I solved this, so linking here to close the loop.

Thanks @martinabbott, your solution is very detailed. And your link to RFC is awesome.

@compulim I used all sorts of WebChat samples, they all fall back to the magic code. It works in the Emulator but doesn't work on WebChat.

I used this sample https://github.com/Microsoft/BotFramework-WebChat/tree/master/samples/18.customization-open-url which works in Mockbot but doesn't work for me. I also checked the cookie blocker, it is disabled.

@narihane I have been experiencing a similar issue with the magic code and I have followed all the steps provided with no luck. But I finally got it working by just regenerating the Direct Line secret.

@dhinag which sample/steps did you use?
I tried to use Skype and even that went to magic code.

Using DirectLine with enhanced authentication settings worked for me in the last few months to avoid the magic code. In Chrome, the new tab to https://token.botframework.com will open and close automatically. In Edge, I have to click ok to close the tab. No magic code is needed in both cases. I only built my bot for browser though.

@narihane Sorry for the delayed response. I used the 18. Authentication Bot (V4) with the Generic OAuth Provider connection setting.
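
Added example (not code from this thread or from the WebChat project): the token-instead-of-secret approach mentioned in the comments above, written as a server-side exchange against the Direct Line `tokens/generate` endpoint so the secret never reaches the browser or a query string. The `dl_` user ID prefix and the `trustedOrigins` field are assumptions taken from the public Direct Line enhanced authentication documentation; the function names and sample values are hypothetical.

```javascript
// Server-side only: exchange the Direct Line secret for a short-lived,
// user-bound token and hand just the token to the WebChat page.
const GENERATE_URL = 'https://directline.botframework.com/v3/directline/tokens/generate';

// Build the request without sending it, so it can be inspected and tested offline.
function buildTokenRequest(secret, userId, trustedOrigins = []) {
  if (!secret) throw new Error('Direct Line secret is required');
  // Assumption (enhanced authentication docs): embedded user IDs start with "dl_".
  if (!/^dl_[A-Za-z0-9_-]+$/.test(userId)) {
    throw new Error('user ID must start with "dl_"');
  }
  const body = { user: { id: userId } };
  // Assumption: trustedOrigins lists the origins allowed to host the chat.
  if (trustedOrigins.length) body.trustedOrigins = trustedOrigins;
  return {
    url: GENERATE_URL,
    options: {
      method: 'POST',
      headers: {
        Authorization: `Bearer ${secret}`,
        'Content-Type': 'application/json',
      },
      body: JSON.stringify(body),
    },
  };
}

// fetchImpl is injectable so the exchange can be exercised without network access.
async function issueToken(secret, userId, trustedOrigins = [], fetchImpl = globalThis.fetch) {
  const { url, options } = buildTokenRequest(secret, userId, trustedOrigins);
  const res = await fetchImpl(url, options);
  if (!res.ok) throw new Error(`token generation failed: HTTP ${res.status}`);
  const { token, expires_in, conversationId } = await res.json();
  // Only the token leaves the server; the secret is never part of the reply.
  return { token, expiresIn: expires_in, conversationId, userId };
}
```

The page then creates its Direct Line connection from the returned `token`, and the `userId` should come from the server's own session for the signed-in user rather than from client input.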
