
Getting an error via adding Cortana as channel to my bot using Microsoft Bot Framework

Error when Cortana tries to authenticate my Bot

I am trying to connect Cortana to my QnA Bot using MS Bot Framework with Azure Bot Service.

While testing on Windows 10 Desktop, when I speak the Invocation Phrase, Cortana tries to authenticate me but gives the below error. Please let me know what I am doing wrong.

Error Image

Cortana Settings

I recently implemented a Cortana skill and had several challenges with making authentication work. However, I see a few issues with your configuration:

  • User.Read.All requires Admin Consent. Is this really what you want, or are you looking for User.ReadBasic.All? Depending on your setup, this will already block authentication. See the Microsoft Graph documentation for details.
  • On the Cortana channel configuration under Client authorization scheme, make sure you selected Credentials in request body. I can't see this from your screenshots but I believe it is worth checking.

In addition, here are my best practices that should make your scenario work:

  • Don't use the service principal (application registration) of your bot for Cortana authentication.
  • Instead, create a dedicated application registration on your tenant (e.g. with branding name Your Bot for Cortana) and configure this one on your Cortana channel configuration (appId / client secret).
  • Make sure you configure the scopes you need not just on the Cortana channel configuration of your bot, but also on your app registration (go to AAD - App registrations (Preview) - API Permission). Remember that the scopes on the Cortana channel configuration can be a subset of the scopes configured on the app registration. This is one reason why I recommend dedicated application registrations for your bot and Cortana.
  • Make sure that the scope order on the Cortana channel configuration is openid offline_access profile User.Read User.ReadBasic.All (order for some reason is important - at least in my experience).

If you followed this guidance...

Hopefully you learned about scopes. If not, file a GitHub comment to clarify.

User.Read is needed to access profile for AAD IAM. You don't need it unless you are making profile calls against MS Graph.

If you are just logging in against AAD IAM, you need openid scope.

If you want the email address in the JWT token returned, you add email scope.

If you want user profile data (name) in the JWT token, you add profile scope.

If you want Cortana to handle refresh tokens for you (i.e. not re-log in every two hours) you add offline_access scope.

When you add your app registration, you need to grant all these scopes to the web app and add Cortana's redirect URI. As mentioned, some scopes need an admin to grant (if you are using AAD accounts).

Your Cortana channel configuration must request these scopes (exactly).

Then you won't get permission errors.

You can see what scopes have been granted to a JWT token by decoding it.
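
One way to do the decoding mentioned at the end of the answer above, as an added example that is not part of the original posts: it reads the token's payload and reports which requested scopes were not granted. The function names, the constructed sample token and the assumption that delegated permissions arrive in a space-separated `scp` claim are the example's own.

```python
import base64
import json

# Assumption: OIDC scopes are not reliably echoed in the access token's
# "scp" claim, so they are left out of the comparison.
OIDC_SCOPES = {"openid", "offline_access", "profile", "email"}

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_claims(token: str) -> dict:
    """Payload claims of a JWT, signature NOT verified: diagnostics only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    try:
        claims = json.loads(_b64url_decode(parts[1]))
    except (ValueError, UnicodeDecodeError) as exc:
        raise ValueError("JWT payload is not valid base64url JSON") from exc
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims

def granted_scopes(token: str) -> set:
    # Assumption: delegated permissions arrive space-separated in "scp".
    return set(decode_claims(token).get("scp", "").split())

def missing_scopes(token: str, requested: str) -> list:
    """Resource scopes requested on the channel but absent from the token."""
    wanted = set(requested.split()) - OIDC_SCOPES
    return sorted(wanted - granted_scopes(token))

def _make_sample_token(claims: dict) -> str:
    # Constructed sample with a placeholder signature so this runs offline.
    enc = lambda obj: base64.urlsafe_b64encode(
        json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "constructed"])

SAMPLE_TOKEN = _make_sample_token({"aud": "constructed-audience", "scp": "User.Read"})
REQUESTED = "openid offline_access profile User.Read User.ReadBasic.All"

if __name__ == "__main__":
    print("granted:", sorted(granted_scopes(SAMPLE_TOKEN)))
    print("missing:", missing_scopes(SAMPLE_TOKEN, REQUESTED))
```

A non-empty "missing" list points at a scope that was requested on the channel but never granted on the app registration, or that still needs admin consent.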
