What is the best way to authenticate with an external API from a conversation with a bot on the facebook messenger platform?
For a broad example, I would like a user of my bot to create items on their own profiles of an external website. Is there a way to get login information from the user, or connect my bot to the external website, without the user explicitly sending a message to the bot with their username and password?
What I found in the documentation under User Profile API:
You can personalize the conversation using the person's name or profile pic from the User Profile API. In order to get this information, make a GET request to https://graph.facebook.com/v2.6/?fields=first_name,last_name,profile_pic&access_token=. Read more details in the Send API reference.
This isn't quite what I'm looking for but it helps. Here's more info from the docs:
User Profile API
Request
curl -X GET "https://graph.facebook.com/v2.6/<USER_ID>?fields=first_name,last_name,profile_pic&access_token=<PAGE_ACCESS_TOKEN>"
Response
{
"first_name": "Peter",
"last_name": "Chang",
"profile_pic": "https://fbcdn-profile-a.akamaihd.net/hprofile...70ec9c19b18"
}
It depends how they come in.
If they come from your website, you can use the Send to Messengee button from within their account. Use the pass through param to link your account to the user thread.
Here's an excerpt from the documentation:
The plugin takes in a pass-through parameter defined by you. This parameter is sent back to you via a callback. You can use this to link the authentication event to a person and/or transaction. For example, a person may enter an online flow for a specific transaction and click the Send-to-Messenger button. You can pass in data to know which user and transaction was tied to the authentication event. You should encode and encrypt this parameter.
If they come directly to your bot, you would have to present them with a login of some sort (your login) from within the conversation. This would happen in a link to an mobile web URLs.
Related
With PHP, I create a smartsheet from excel file with smartsheet API. Everything is working fine so far. But I also want to give right access to the new smartsheet to a specific user to allow him to open it from a browser.
The user already has a smartsheet account.
Is there a smartsheet endpoint that allows this to be done?
Thank you
The operation you're looking for is Share Sheet.
The following example request grants the Smartsheet user who's registered with email address jane.doe#test.com EDITOR (write) access to the sheet that's specified by sheetId in the request URL.
POST /sheets/{sheetId}/shares
[
{
"email": "jane.doe#test.com",
"accessLevel": "EDITOR"
}
]
A couple of notes:
By default, the Share Sheet operation won't send an email to the user to notify them that they've been granted access to the sheet. If you want it to send them an email, you'll need to specify the query string parameter/value sendEmail=true on the request URL, and specify the message and subject properties in the body of the request. See Share Sheet in the API docs for details about this.
If you want the user to be able to share the sheet with others, you'll want to specify EDITOR_SHARE as the access level (instead of EDITOR). See Access Levels in the API docs for details about the various permissions.
For my users to be able to send money to each other on my website I figured the following flow:
User is authenticated with paypal connect
"Clicks on a pay button" calling my api
In the api
Create an order calling /v2/checkout/orders
what returns HATEOAS links, order id. And, I need the user to follow the authorize order
link from the HATEOAS links to authorize the order.
User follows the link.
I capture the order calling /v2/checkout/orders/{id}/capture
And, here is a question: how do I know when users follow the authorize order link to call the capture api? If that is not possible, is there a way to authorize orders calling the paypal api directly without making users following some links?
First of all, what you are actually talking about is user "approval", not authorizing.
The best approval flow to use is this one: https://developer.paypal.com/demo/checkout/#/pattern/server
This way, they don't follow a link and are not redirected away from your site. Your site stays loaded, but is just greyed out while they are presented with an in-context approval flow, and return to your site's JS, which will do a fetch call to your server, which can then do the capture.
An alternative legacy flow is to provide a return_url in your initial create call, where the payer will be redirected back to after approval. This is not recommended, the above solution (that uses no redirects at all) is much more modern and preferred.
This got stuck in my head from many days, can anyone help or say at-least this is not at all possible?
I'm working on developing a chat bot using dialogflow which integrates multiple applications along with google home assistant, dialogflow, actions on google and an application which i want to manage using chat or voice commands. Until now its good and got amazed of features providing by google.
But i'm expecting one more feature. Don't know whether any alternatives available for this or not, but i tried exploring and reached to desert. Below are my requirements, if others think this is really unique and useful to them as well then i can say they are improvements or add-ons i'm expecting from DialogFlow.
Let's take an example of a chat bot which is serving users through google assistant and as a web bot as well. Now while conversing, intents may trigger web-hook in fulfillments which may require an authentication like OTP(Nope if anyone thought it for payments) which means registered users or limited users only can perform actions. This is same as we use roles and groups in all the applications.
The way google is sending google prompt to the user for logging into gmail, is there any way that we can collect PIN or OTP or PASSWORD through some notification sent to the users phone as some card's or input box like and html while conversing with chatbot through web or home assistant etc..., so that it helps in adding more security.
I recently worked in a chatbot project where I had to authenticate my users. I'm writing an article about it, but I'll tell you what I did:
First of all, I'm using OAuth 2.0 protocol to authenticate my users, but if you doesn't use OAuth, there's no problem, you could do something equivalent.
I'm using Authorization Code Grand flow.
Let's see the steps:
Step 1 - Authorization Url:
My bot generates an authorization url which contains all needed data to identify the conversation in callback moment. Like this one:
https://authorization-server.com/oauth/authorize
?client_id={your-client}
&response_type=code
&state={conversation_id: 123456789}
&redirect_uri={your-callback-url}
Notice that the state parameter contains the conversation_id which identifies your conversation, this state parameter will be back when users return to your handler.
Step 2 - User Authentication
When users click in this link, they'll be redirected to your login page at your authorization server.
Step 3 - Callback
After users get authenticated, they'll be redirect back to your handler (an endpoint which will receive the authorization code from authentication server and the state parameter).
When it received this authorization code, it'll be exchanged by an access token in authorization server.
Step 4 - Store token
In the final step, you already has an access token and the conversation_id parameter, you can store it in a database, in a cache or be stateless. Your rules!
In my case, I'm using Watson Assistant with Cloudant database, and I store those access tokens in my database. So, when users request something to my bot, it could get this token from database and pass to my back-end servers.
This kind of approach, I call "magic link". And you could improve it by shortening the url as bit.ly does.
I hope it could help you, feel free to ask me if you need.
Best
You probably don't want to implement the OTP scheme yourself. While you could do this, there are other systems already in place that will do this for you.
The best is the one that you reference - Google Sign In.
Fortunately, you can leverage Google Sign In for both your website (where you would get the user to sign in and then pass this information along as you do the Dialogflow calls) and for the Assistant (where Google will pass along an ID token, indicating it has authenticated the user).
Im writing a user registration mechanism by hand so I dont want to use existing plugins or something.
Im wondering what the best way would be. I planning to do the following abstract steps:
Writing an component which is in charge to output a button which calls the facebook-api --> login in via facebook (Im getting token and user name/id)
In my route im using that Data to call the REST-Server-Backend of my app. I will pass the token as well as the username/id to the Server. (POST api.myapp.com/users)
The Server recieves the request and will validate via Facebook-API
the user data and token on its own --> if valid: Add new user to
database.
If the user wants to login now (after registration) he will do again
step no.1 and than will ask the server if the user is existing. But
how: Since ember suggest that the REST-Server is somekind of a
CRUD-Server and using the store is for working for model data only, there
is no possiblity to do a "logic"-call to the server like "ask
him if user with id is existing". Should I call "GET ../users/" and than check in my route if the sum of the returned records are smaller than 1?
So is that a common pattern?
Sounds like a fairly simple OAuth workflow but obviously refer to the facebook docs. As far as point 4 is concerned, I would suggest that yes, on login you make a request for the login route on your server (which should abstract the facebook OAuth call), and if the user is authenticated, then send down the user resource, otherwise redirect them to the login and send down some sort of 401 HTTP error.
As all your API calls should be authenticated too your user won't be able to access any protected API resources.
I would also suggest you look into an ember plugin like ember-simple-auth which also supports OAuth.
You can find more information about OAuth2 workflows here.
I am developing a iOS app, that will require the users to log in with third-party SNS account, like facebook, or twitter. However, I want to allocate "native" user id for each users for the benefits of future use.
For example, since each FB user is assigned an unique ID, say, 12345678, when this user log in with his/her FB account, I can get this FB id via FB's iOS api, then I can simply add a prefix "FB" to this id, stored a local text file with "FB12345678" as content in the i-device.
Then next time the app launches, it simply check the existence of this text file, and if not, pop out a view to require users to login, otherwise just use the content, like "FB12345678" as keyword to fetch data from my server.
Above is my own thinking. But I think there are some severe problems:
first, is it safe to store a string locally without encryption?
Second, if I use, say in the example, "FB12345678" to fetch data, is it safe to transmit via the Internet?
Chances are this " FB12345678" can be easily intercepted, and used to forge the identity of a user.
Lastly, if the user changes his/her FB password, I think my app should require the user to re-authenticate, but from the above strategy, obviously it does not work out.
So could anyone elaborate what is the most commonly used strategy, or algorithm, to enable thirdparty SNS account login? (like Instagram, Parse, etc.)
you can use the SDKs Provided by different Social Medias. It will maintain the session at your side. It is not proper to save userid on application side and other thing is that in almost all the medias you will require to send the access token and secret to request a data. and the Token Changes so its not good to save it. You can send it with your request and if it will be expired it will automatically ask you for the second time login.
please visit:
www.developers.facebook.com //for facebook
www.dev.twitter.com // for twitter
Try following links:
https://github.com/fhsjaagshs/FHSTwitterEngine
https://github.com/nov/fb_graph
hope this will help you.