
Getting an error via adding Cortana as channel to my bot using Microsoft Bot Framework

Error when Cortana tries to authenticate my Bot

I am trying to connect Cortana to my QnA Bot using MS Bot Framework with Azure Bot Service.

While testing on Windows 10 Desktop, when I speak the Invocation Phrase, Cortana tries to authenticate me but gives the error below. Please let me know what I am doing wrong.

Error Image

Cortana Settings

I recently implemented a Cortana skill and had several challenges with making authentication work. However, I see a few issues with your configuration:

  • User.Read.All requires Admin Consent. Is this really what you want, or are you looking for User.ReadBasic.All? Depending on your setup, this will already block authentication. See the Microsoft Graph documentation for details.
  • On the Cortana channel configuration under Client authorization scheme, make sure you selected "Credentials in request body". I can't see this from your screenshots, but I believe it is worth checking.

In addition, here are my best practices that should make your scenario work:

  • Don't use the service principal (application registration) of your bot for Cortana authentication.
  • Instead, create a dedicated application registration on your tenant (e.g. with the branding name "Your Bot for Cortana") and configure this one on your Cortana channel configuration (appId / client secret).
  • Ensure you configure the scopes you need not just on the Cortana channel configuration of your bot, but also on your app registration (go to AAD - App registrations (Preview) - API Permissions). Remember that the scopes on the Cortana channel configuration can be a subset of the scopes configured on the app registration. This is one reason why I recommend dedicated application registrations for your bot and Cortana.
  • Make sure that the scope order on the Cortana channel configuration is openid offline_access profile User.Read User.ReadBasic.All (order for some reason is important - at least in my experience).

If you followed this guidance...

Hopefully you learned about scopes. If not, file a GitHub comment to clarify.

User.Read is needed to access the profile for AAD IAM. You don't need it unless you are making profile calls against MS Graph.

If you are just logging in against AAD IAM, you need the openid scope.

If you want the email address in the JWT token returned, you add the email scope.

If you want user profile data (name) in the JWT token, you add the profile scope.

If you want Cortana to handle refresh tokens for you (i.e. not re-logging in every two hours), you add the offline_access scope.

When you add your app registration, you need to grant all these scopes to the web app and add Cortana's redirect URI. As mentioned, some scopes need an admin to grant them (if you are using AAD accounts).

Your Cortana channel configuration must request these scopes (exactly).

Then you won't get permission errors.

You can see what scopes have been granted to a JWT token by decoding it.
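An added example, not from either answer, of the decoding step the answer above ends on: it reads the payload of a constructed sample token and lists which requested scopes are absent from its scp claim. The scope list, the sample token contents and the treatment of OIDC scopes are assumptions for illustration, not taken from the post.

```javascript
// Decode an access token's payload and compare the granted delegated scopes
// (the "scp" claim) with the scopes the Cortana channel configuration requests.
// Decoding only reads claims; it does NOT validate the signature, so use it to
// troubleshoot scope mismatches, never to make an authorization decision.

const REQUIRED_SCOPES = ['openid', 'offline_access', 'profile', 'User.Read', 'User.ReadBasic.All'];

// OIDC scopes are consumed by the token endpoint (id_token, refresh token) rather
// than by the resource API, so their absence from "scp" is not reported here.
const OIDC_SCOPES = new Set(['openid', 'profile', 'email', 'offline_access']);

function base64UrlDecode(segment) {
  // JWT segments are base64url without padding; restore standard base64 first.
  const padded = segment.replace(/-/g, '+').replace(/_/g, '/')
    + '='.repeat((4 - (segment.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS (expected 3 segments)');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Returns the requested Graph scopes that the token does not carry in "scp".
function missingScopes(token, required = REQUIRED_SCOPES) {
  const claims = decodeJwtPayload(token);
  const granted = new Set((claims.scp || '').split(' ').filter(Boolean));
  return required.filter(s => !OIDC_SCOPES.has(s) && !granted.has(s));
}

// Constructed sample token: header and payload are built here and the signature
// is a placeholder. It mimics a token where User.ReadBasic.All was not granted.
function sampleToken() {
  const enc = obj => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  const header = { alg: 'RS256', typ: 'JWT' };
  const payload = { aud: '00000000-0000-0000-0000-000000000000', scp: 'User.Read', name: 'Sample User' };
  return `${enc(header)}.${enc(payload)}.placeholder-signature`;
}

console.log(missingScopes(sampleToken()));  // prints [ 'User.ReadBasic.All' ]
```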
