Botframework-solutions: Authentication is not working in TypeScript Skill

Thanks @tomSauret847 for reporting this issue! As soon as we have any update, we will back to you 😊.

Hi @tomSauret847 - sorry about the delay. We have successfully reproduced the issue using the TypeScript Skill following these steps:

1. Uncomment the lines in skillDialogBase marked for authentication
2. Pass an OAuthPromptSettings array to the MultiProviderAuthDialog constructor
3. Add appsettings.oauthConnections to the properties of botSettings
4. Add an AADv2 connection
5. Set up an AADv2 connection to the registration in Azure

As soon as we have any update, we will back to you 😊.

Hi @tomSauret847 - we have fixed this issue in this commit.

This was actually a problem in the bot-solutions library, and we have scheduled the fix to be released with the version 1.0 of the library.

In the meantime, if you want a way to test the fix for yourself, you can follow these steps:

1. Checkout this branch, with the fix applied for version 0.8 of the library.
2. Go to the bot-solutions folder
3. Execute npm install to install its dependencies.
4. Execute npm run build to build the solution.
5. Execute npm pack to generate a .tgz file. It should create a file at the same location, named bot-solutions-version.tgz
6. Point at the generated tgz in your Skill bot, replacing the bot-solutions reference in the bot's package.json from "bot-solutions": "^1.0.0" to "bot-solutions": "<PATH_TO_TGZ>"
7. Validate the authentication using the Skill

We will be attentive to your replies 😊.

Thank you for looking into this @Batta32 I am still receiving an error on this process. The error is
Error: Could not find Connection Setting with name {connection name}

I am setting it up the connection as outlined here for setting up the SSO for a skill.

Do we still need to have a authentication connection in each skill with the typescript skills?
Or can we use the single SSO like it is outlined for the C# skills?

If I add the connection on the skill I will get the sign in prompt as you did but I will not receive the token back after completing the log in. If you could clarify if we are needing to setup a single connection in the VA or if we need to setup connections in each of the skills that require authentication.

Thanks @tomSauret847 for your reply. As soon as we have any update, we will back to you 😊!

Hi @tomSauret847 - we have successfully reproduced the issue. It's because the name property in oauthConnections of the appsettings.json differs to the connectionName property in the OAuthPromptSettings you are using.

We will continue reviewing this and analyzing the questions you have mentioned above. As soon as we have any update, we will back to you 😊.

The steps we followed to reproduce the issue were:

1. Follow the steps of this comment
2. After this, follow the steps of this comment
3. Check that the name property in oauthConnections of the appsettings.json differs to the connectionName property in the OAuthPromptSettings you are using
4. Start the Skill and type "run sample dialog", and see the error

_When connectionName and name are different, the issue is reproduced_

_Issue reproduced_

Hi @tomSauret847

Do we still need to have a authentication connection in each skill with the typescript skills?

You need to have an authentication connection in each TypeScript Skill until the version 1.0 of TypeScript Skill is released.

Or can we use the single SSO like it is outlined for the C# skills?

SSO for TypeScript can't be used as it is outlined for the C# Skills since the version 1.0 of TypeScript is not released yet.

Let us know if these helps you 😊.

@tomSauret847 - the error Error: Could not find Connection Setting with name {connection name} is because the name property in oauthConnections of the appsettings differs to the connectionName property in the OAuthPromptSettings you are using.

To solve this, you have to check that both properties are equal.

For more information, you can check the comment of above.

Thank you @Batta32 for looking into this. I can confirm that if I create a connection property on the skill I can get the login prompt. Your comment has brought up another question. We are getting ready to move into testing with our new VA and after that into production. The question I have,

Is this fix for the authentication going to be published to NPM before the 1.0 release?

For our production environment we will need published NPM packages so we would need this fix to be published before we can move this VA into production. I will be attentive to your answer.

@tomSauret847 - Thanks for your reply! We are adding these fixes in the PRs of TypeScript version 1.0:

• PR #3583: [TypeScript][Bot-Solutions] Implement changes in Bot-Solutions to 1.0 release
• PR #3584: [TypeScript][Virtual Assistant] Implement changes in Virtual Assistant to 1.0 release
• PR #3585: [TypeScript][Skill] Implement changes in Skill to 1.0 release

We will inform you as soon as we have any update on this. Meanwhile, we are working on validating the Authentication process in TypeScript.

@tomSauret847 - we identified another issue that the Skill State variable was _undefined_ during the Authentication process.

We took as a guide the PR #3561 which sets a default value for the Skill State accessor that we incorporated in this commit.
After applying these changes, the authentication process correctly works. This issue will be fixed as soon as the TypeScript v1.0 is merged.

This is our environment using this branch: feature/southworks/test-fix-auth-skill:

• TypeScript Skill Sample

In the meantime, if you want a way to test the fix for yourself, you can follow these steps:

1. Go to the bot-solutions folder
2. Execute npm install to install its dependencies.
3. Execute npm run build to build the solution.
4. Execute npm pack to generate a .tgz file. It should create a file at the same location, named bot-solutions-version.tgz
5. Go to the Skill Sample folder
6. Point at the generated tgz in the Skill Sample bot, replacing the bot-solutions reference in the bot's package.json from "bot-solutions": "^1.0.0" to "bot-solutions": "<PATH_TO_TGZ>"
7. Execute npm install to install its dependencies.
8. Execute npm run build to build the solution.
9. Validate the authentication process

We're attentive to your answer. 😊

_SkillState variable getting an undefined value_

_Authentication process correctly working_

Thank you again @Batta32! I did use the 1.0 package for the testing. I still need to keep a connection setting in the skill, but I am able to get the authentication to work. I was able to see where the VA is receiving the token response and forwarding that to the skill to process.

@Batta32 We have setup authentication in 2 of our skills and it is working good in the Teams channel. The direct line channel is not getting past the authentication prompt. The skill is not receiving the token back after successful login. This issue is only present in our direct line channel. We are using the sample direct line client that was provided and enabled the enhanced authentication options so we do not enter the "Magic code". It worked before adding the enhanced authentication but after adding this feature the skill is no longer receiving the token response back. If we cancel out of the skill and go back into that dialog the token will be present and we can complete the dialog. Let me know if you have any thoughts on what might be causing this.

Thanks @tomSauret847, we will be reviewing that scenario and we will back to you as soon as we can!

Just to start to review the scenario:

1. What do you mean with "sample direct line client"?
2. Which client are you using?
3. What do you mean with "Magic Code"?

Thank you again @Batta32 for looking into this. We are using the direct line sample from the botbuilder-solutions repo located here
The "magic code" is explained some in this stack overflow question here
It is just the code the bot user is required to copy and paste back into the conversation after successfully authenticating. By implementing the enhanced authentication it removes this step for the bot user so they only need to authenticate and the conversation moves forward as the token is passed back to the bot behind the scenes.

Thanks a lot @tomSauret847, we will be reviewing this and we will let you know any update here 😊!

Hi @tomSauret847, we could not reproduce this issue as we have the authentication scenario correctly working.

We came up with some questions for you:

1. Have you checked if this issue happens talking directly to the Skill, without connecting to a Virtual Assistant?
2. If you are going through a V.A. to connect to the Skill, are you enabling the Directline channel in the V.A. too? What else have you set in it, Azure AD v2 auth, enhanced authentication?
3. What do you mean with "If we cancel out of the skill and go back into that dialog the token will be present and we can complete the dialog"?

This is the setup we've been using:

• A TypeScript Skill created with the [email protected]
• Azure AD v2 type authentication set-up on that Skill
• Directline channel enabled with enhanced authentication on the Skill
• The Directline web sample from the repository set to a specific user id ("dl_xxxx")
• The appsettings.json at the Directline client set similarly to this:

{
    "Logging": {
        "LogLevel": {
            "Default": "Warning"
        }
    },
    "AllowedHosts": "*",
    "BotName": "skillbot-name",
    "DirectLineSecret": "XXXXXXXXXXXXXXXXXXXXXXXXXXXX",
    "EnableDirectLineEnhancedAuthentication": true,
    "SpeechServiceRegionIdentifier": "",
    "SpeechServiceSubscriptionKey": ""
}

The steps we followed are:

1. Contacting the Skill through the Directline client
2. Invoking the login dialog ("run sample dialog")
3. Clicking on the login button (no need for the "magic code")
4. We successfully login and the bot greets us
5. From that time on, every time we repeat steps 1 and 2 we are automatically logged in and greeted by the bot

We will be attentive to your answer.

Thank you @matiasroldan6 for looking into this. To answer your questions

1. We are unable to contact the skill directly as we have it inside a VNET so it cannot be reached by the channels
2. We are reaching the skill through the VA and have the direct line channel configured on just the VA. We are using Azure AD V2 auth in the connection properties on the Skill and VA. We have the enhanced Authentication set on the VA
3. if we complete the sign in when presented with the sign in card. The bot will hang and not move forward. If we cancel then go back into a skill that has authentication it has the token and bypasses the signin prompt and allows us to continue. We have 2 skills with authentication and if we authenticate in one we are authenticated in the second as well.
   here is a screen shot of our configuration for the direct line channl on the VA
   

We do have the user ID set to "dl_xxxx" in the direct line client
We have the Azure AD v2 authentication in the connection on the Skill and VA
We have the appsettings.json of the direct line client set the same as you have above
We are unable to use the direct line channel on the skill and only use it on the VA
We are able to use Authentication in the Teams channel with the only issue is the dialog messages are out of order. It is failing to send the first stepContext.context.sendActivity('message') until a minute later in the conversion. This only happens on dialogs that have authentication include in them and in the Teams channel only.
We are using the bot-solutions 1.0 that is located here

Please let me know if you need anymore information on the skill and VA

Hi @tomSauret847, we could reproduce an occurrence of this issue.
In our scenario, the problem were the trusted origins addresses set in the Directline channel. For instance, the Directline popup states that the trusted origins need to be _https_, or _http_ for _localhost_. This would explain Directline as the only channel that's failing for you.

To check in case this is also your problem, can you try to set as trusted origins:
Your bot address (either https://xxxxx.azurewebsites.net or https://xxxx.ngrok.io if you are debugging locally)
Your localhost if you need it, as http://localhost

The setting to reproduce this was:

• A 1.0 Virtual Assistant with
  
  
  
  • Bot-Solutions 1.0 at the dependencies
  
  
  • Azure AD v2 authentication enabled
  
  
  • Directline channel enabled with enhanced authentication on
  
  
  • Trusted origins in the Directline channel set to https://localhost:xxxx (_xxxx_ being the Directline client address) and the bot address (https://xxxxx.azurewebsites.net or https://xxxx.ngrok.io for local connections). We did this emulating the settings from the picture you attached in your last message.
  
  
• A 1.0 Skill with
  
  
  
  • Bot-Solutions 1.0 at the dependencies
  
  
  • Azure AD v2 authentication enabled
  
  
  • Connected to the Virtual Assistant.
  
  
• The Directline web client set with user id and enhanced authentication with the same configuration from our previous message.

Our repro steps were:

1. Connect the Directline sample to the Assistant.
2. Attempt to trigger authentication ("run sample dialog").
3. The Authentication dialog shows up but after clicking the button nothing happens, and the bot becomes unresponsive, even to further attempts to invoke authentication.
   

1. Cancel the flow and then re-run steps 1 and 2, then we get automatically authenticated and we get greeted by the bot.

Please let us know if this is of any help. We'll be attentive to your responses.

Thank you @matiasroldan6 for looking into this. The settings you show above are the same as we are using. We removed the localhost route and just have the bot address in the trusted origins for the direct line channel (https://xxxxx.azurewebsites.net). The skill is still unresponsive after the sign in prompt and if we cancel the conversation and invoke the skill again it will have the token and continue the dialog. We are still unable to get the skill to receive the token after the user signs in.

Thanks for your reply @tomSauret847 - we will keep working on this trying to find the fix for this issue 😊.

We have questions in order to understand how you are using the azurewebsites.net endpoint taking into account the version 1.0 of bot-solutions (PR #3583):

1. Are you using the Messaging endpoint of your published Web App Bot (Virtual Assistant)?
2. How did you integrate the version 1.0 of bot-solutions in your published Virtual Assistant and Skill? We understand that you used the .tgz package of the library. Is this correct?
3. Is there any possibility to test using the localhost endpoint configuring it as above in the Direct Line Channel configuration?

Thank you @Batta32

1. We are using the messaging endpoint of the VA in the trusted host configuration.
2. we are using the .tgz package that was cloned from the 1.0 release. We removed the node_modules folder and the package-lock.json files prior to moving over the the .tgz package. Then updated the package.json file and then ran the npm install
3. We have tested with the local host and received the same response. We are still unable to get the token to pass through the conversation, but when the dialog is canceled and started again the token is present.

Thanks @tomSauret847, we will continue reviewing this issue with this new information that you provided! As soon as we have any update, we will back to you 😊.

Hi @tomSauret847, we successfully reproduced an occurrence of this issue.

One thing we noticed from your previous responses is that you're using your bot URL as a trusted origin.
According to this comment, and this documentation, you should have the URL of your chat client.

Our setup was:

• 1.0 Bot-Solutions
• 1.0 Virtual Assistant deployed to Azure with:
  
  
  
  • Azure AD v2 authentication connection
  
  
  • Directline channel enabled with enhanced authentication
  
  
• 1.0 Skill deployed to Azure with:
  
  
  
  • Azure AD v2 authentication connection
  
  
• Directline web client (C#) with Enhanced Authentication enabled

Steps:

1. Use the Directline web client to contact the Virtual Assistant
2. Invoke the Skill ("run sample dialog")
3. Be presented the authentication button by the Skill, click on it (nothing happens)
4. Repeating step 2 authenticates us automatically, without displaying the authentication button.

We will continue reviewing this issue as we confirmed and as you mentioned, that in Microsoft Teams and Emulator this is working.

Hi @tomSauret847, we successfully executed the authentication process using Enhanced Authentication.

We came up with some questions so you can check in our side:

1. Can you check if you have the published folders of the deployed bots accessing in Kudu (https://.scm.azurewebsites.net/ZipDeployUI) replacing <WEB_APP_BOT_NAME> with the name of your bot resource? Check if you have the node_modules , lib , and the rest of the folders.
2. Can you check if the Messaging Endpoint of the bots is the production endpoint (azurewebsites.net)?
3. Have you connected the Virtual Assistant to the Skills using the production endpoint?
4. Can you check if you can access to the Skill Manifest of the published Skill? If not, add the changes of the PR #3601

This is our environment:

• 1.0 TypeScript Virtual Assistant Sample (PR #3584)
• 1.0 TypeScript Skill Sample (PR #3585)
• 1.0 Bot-Solutions (PR #3583)
• Sample Direct Line Channel
• Enhanced Authentication configured in the Virtual Assistant

We followed these steps:

1. Apply the changes of the PR #3601 in the Skill
2. Create a folder to store the Bot-Solutions 1.0 .tgz file on both samples
3. Point the bot-solutions reference to the local tgz, such as "bot-solutions": ".//TGZ//bot-solutions-1.0.0.tgz" of the bots
4. Deploy the bots using deploy.ps1
5. Connect both samples with Botskills using the remoteManifest
6. Configure the OAuth Connection Settings of both samples with an AADv2
7. Configure the oauthConnections in the appsettings of each sample
8. Publish both samples using the publish.ps1 script
9. Activate Directline channel on the Virtual Assistant
10. Enable Enhanced Authentication on the Directline of the Virtual Assistant
11. Connect the Directline sample to the Virtual Assistant
    
    
    
    1. Note: Update this line to a static GUID if you wish to preserve the conversation
    
    
12. Finally, trigger the authentication using run sample dialog
13. After login in, the Skill will ask for a name
14. Check that the enhanced authentication is working correctly

Last but not least, we confirmed the same steps using C# bots and checked that is correctly working too.

We will be attentive to your reply 😊

_Configuration of the Enhanced Authentication_

_Successful communication using Enhanced Authentication and TypeScript bots_

_Successful communication using Enhanced Authentication and C# bots_

Thank you @VictorGrycuk. Sorry for the late response we needed to setup a testing instance to verify the fix. We have been able to get the authentication to work in the test instance and have narrowed down where the issue is.

For our instance of the VA /Skills we have them behind a app gateway with a firewall. It appears this is the reason the enhanced authentication is not working. When we implement this on a VA and skill outside of that configuration it is working properly. the app gateway places another host in the mix and we are thinking this is what is blocking the token. So we have the following question,

Is there a way to get the enhanced authentication to work with a bot behind an App Gateway?

Great @tomSauret847! We will do a research and some tests in order to review a way to get the enhanced authentication working with a bot behind an App Gateway.

As soon as we have any update for this, we will let you know here 😊.

Hi @tomSauret847, we did a little research, and we came up with some questions.

1. Are you testing using the bots deployed in Azure or on promises' server?
2. Is your application gateway an Azure Application Gateway?
3. Are you using TypeScript or C# bots? As you previously mentioned you transitioned to C# bots.

We will be attentive to your answer 🙂

Thank you for responding @VictorGrycuk here is the answers to our questions,

1. We are testing with the bots deployed to Azure. We are unable to create a tunnel to test locally.

2. Yes we are using a Azure application gateway with a WAF as outlined in your link

3. These are TypeScript bots (VA and 2 Skills with authentication) we are only using 1 C# skill to get around the synchronous loop issue and it has no authentication in it.

Hi @tomSauret847, sorry for the delay - we think it should be possible to use Enhanced Authentication with an Azure App Gateway having the bots behind it.

A couple of additional questions:

1. Can you connect to the Virtual Assistant with an emulator using the Gateway's public IP? In our testing we confirmed that this is possible
2. Can you connect and communicate with a skill through the VA without enhanced communication?

Components:

• Deployed TypeScript Virtual Assistant 1.0
• Deployed TypeScript Skill 1.0
• TypeScript 1.0 Bot-Solutions
• An Azure Application Gateway and WAF
• Direct Line sample

Configuration:

• Virtual Assistant using Enhanced Authentication, as explained in this comment
• The Skill connected to the Virtual Assistant configured with the authentication
• Direct Line as configured in the same comment as above
• Application Gateway pointing to the deployed bot as explained in this article

We will be working on replicating this scenario.

Thank you @VictorGrycuk The answers to your questions are
Can you connect to the Virtual Assistant with an emulator using the Gateway's public IP? In our testing we confirmed that this is possible

• We do not have tunneling available to we are unable to connect to the VA with a emulator but we have web chat available. The VA will connect to the skill and complete the dialogs.

Can you connect and communicate with a skill through the VA without enhanced communication?

• Yes, if we do not use Enhanced Authentication we can copy and paste the code and the authentication works as expected. We would like the seamless integration that the enhanced authentication provides for our users.

Hi @tomSauret847, we can confirm that Enhanced Authentication does work with the bots behind an Azure Application Gateway.

We created the PR #3694 that includes a new documentation on how to configure an Azure Application Gateway with a deployed bot.

We did our test by following these steps:

1. Follow the steps described in this comment to deploy bots with Enhanced Authentication
2. Follow the steps detailed in the document Configuring a Gateway's health probe with a TypeScript bot to connect the deployed Virtual Assistant to the Azure Application Gateway's Backend pool
3. Test the login of the deployed skill using the Directline sample
4. The Enhanced Authentication worked and the Skill Sample Dialog continued as expected

As this seems a configuration issue of the Azure Application Gateway, I suggest you to ask in https://stackoverflow.com/questions/tagged/botframework for suggestions; and if you are okay, we can close this issue 🙂.

Thank you @VictorGrycuk We will work through the information that you posted. I did notice already that this link is broken.

Thanks @tomSauret847, that link will lead to Configuring a Gateway's health probe with a TypeScript bot (as well as this image) once the documents are merged into master branch, as the documentation uses {{site.baseurl}} to generate the URLs.

@peterinnesmsft - we can close the issue due to inactivity. @tomSauret847 if you are still experiencing issues, feel free to reactivate and we can pick this up again, or create a new issue!

Also, if you have any question, please ask in https://stackoverflow.com/questions/tagged/botframework.

The entire authentication process will be solved as soon as the following PRs are merged for TypeScript version 1.0:

• PR #3583: [TypeScript][Bot-Solutions] Implement changes in Bot-Solutions to 1.0 release
• PR #3584: [TypeScript][Virtual Assistant] Implement changes in Virtual Assistant to 1.0 release
• PR #3585: [TypeScript][Skill] Implement changes in Skill to 1.0 release

Thank you @Batta32 for your assistance on this. We are having to put this section on hold for the moment so I will close this issue and reopen it if we have issues when we pick it back up again.

@Batta32 We have a quick question on this issue. Is the SSO for typescript available yet? We found the issue is our skills are behind a firewall and are unable to receive the token response. When we pass the VA's credentials in it is not forwarding the token to the skill it is just restarting the conversation. If SSO for typescript is not available when do you expect it to be? Thank you for all your help on this issue.

Hi @tomSauret847, SSO is not available for TypeScript currently as it's introduced in 1.0 version. The PRs of TypeScript version 1.0 should be approved and merged in order to release a new version with that feature.

We will let you know as soon as we have any update 😊.