botframework-sdk
OAuthPrompt and OAuthInput should check token expiration
Issue
The current recommendation is to not store tokens in the bot, but make a call to the service whenever a token is needed.
https://github.com/microsoft/BotBuilder-Samples/blob/main/samples/csharp_dotnetcore/18.bot-authentication/Dialogs/MainDialog.cs#L74
// Call the prompt again because we need the token. The reasons for this are:
// 1. If the user is already logged in we do not need to store the token locally in the bot and worry
// about refreshing it. We can always just call the prompt again to get the token.
// 2. We never know how long it will take a user to respond. By the time the
// user responds the token may have expired. The user would then be prompted to login again.
//
// There is no reason to store the token locally in the bot because we can always just call
// the OAuth prompt to get the token or get a new token if needed.
This is great. However, the tokens are sometimes expired. The service does not check this, and the SDK prompts do not check this: they just return the expired token.
Proposed change
Add code to OAuthPrompt and OAuthInput to log out the user and re-show the sign-in prompt if the token is expired.
Component Impact
OAuthPrompt and OAuthInput will be more resilient.
Customer Impact
Customers will not be required to handle expired tokens in their code.
Tracking Status
Dotnet SDK TODO
- [ ] PR
- [ ] Merged
Javascript SDK TODO
- [ ] PR
- [ ] Merged
Python SDK TODO
- [ ] PR
- [ ] Merged
Java SDK TODO
- [ ] PR
- [ ] Merged
Samples TODO
- [ ] PR
- [ ] Merged
Docs TODO
- [ ] PR
- [ ] Merged
Tools TODO
- [ ] PR
- [ ] Merged
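The expiration check proposed in this issue, sketched as an added example; it is not code from the Bot Framework SDK or the linked sample. It assumes the token response is a plain dict with `token` and `expiration` (ISO 8601) keys, a 5-minute clock-skew margin, and hypothetical action names; the sample JWT is constructed and unsigned.

```python
import base64
import json
from datetime import datetime, timedelta, timezone

SKEW = timedelta(minutes=5)  # assumed safety margin, not an SDK setting

def make_sample_jwt(exp_epoch):
    """Constructed, unsigned JWT-shaped string used only as sample input."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc({'exp': exp_epoch})}.sig"

def _jwt_exp(token):
    """Return the exp claim as an aware datetime, or None if the token is opaque."""
    parts = token.split(".")
    if len(parts) != 3:
        return None  # not JWT-shaped: the token itself carries no readable expiry
    try:
        payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
        claims = json.loads(base64.urlsafe_b64decode(payload))
        return datetime.fromtimestamp(int(claims["exp"]), tz=timezone.utc)
    except (ValueError, KeyError, TypeError, OverflowError, OSError):
        return None

def _parse_expiration(value):
    """Parse an ISO 8601 expiration string; naive values are treated as UTC."""
    if not value:
        return None
    try:
        parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)

def next_action(token_response, now=None):
    """Decide what a prompt should do with what the token service returned.

    Returns "prompt" (no token), "sign_out_and_prompt" (expired or inside the
    skew margin) or "use". The exp claim is read without verifying the
    signature, so it is only a freshness hint, never an authorization input.
    """
    now = now or datetime.now(timezone.utc)
    if not token_response or not token_response.get("token"):
        return "prompt"
    candidates = (_parse_expiration(token_response.get("expiration")),
                  _jwt_exp(token_response["token"]))
    expiry = [e for e in candidates if e]
    if expiry and min(expiry) - SKEW <= now:  # earliest known expiry wins
        return "sign_out_and_prompt"
    return "use"
```

An opaque token with no `expiration` value yields `"use"` because nothing can be checked locally; the resource API's 401 response remains the authoritative signal in that case.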