Is there a standard authentication mechanism/protocol by which REST APIs could be accessed without the need of a user password? The resource system could be configured with a trusted app. The API calls coming from this app should be assumed to be trusted (i.e. already authenticated) and they should respond back with the correct API response for the requested user. Below is the use case that I am trying to address:
We have a chatbot built using the Botpress platform. It is exposed to users through Microsoft Teams. Through the Teams integration, assuming we get to know the username that is interacting with the bot, we want to make an API call for this user using his username to fetch the information of this user like his paid leaves, expense reports etc. (imagine an HR service kind of chatbot). When making the API call we don't have the user password for API authentication. Hence I am trying to understand if there is a standard around this.
Thanks.
--
You received this message because you are subscribed to the Google Groups "API Craft" group.
To unsubscribe from this group and stop receiving emails from it, send an email to api-craft+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/api-craft/db7fc797-03da-4b62-9017-f5c054e59dff%40googlegroups.com.
There is an OAuth authentication mechanism we can use for this purpose. It's token-based authentication.
Thanks!
On Thu, 31 Oct 2019 at 9:18 PM, API Dev <ami...@gmail.com> wrote:
Is there a standard authentication mechanism/protocol by which REST APIs could be accessed without the need of a user password? The resource system could be configured with a trusted app. The API calls coming from this app should be assumed to be trusted (i.e. already authenticated) and they should respond back with the correct API response for the requested user. Below is the use case that I am trying to address:
We have a chatbot built using the Botpress platform. It is exposed to users through Microsoft Teams. Through the Teams integration, assuming we get to know the username that is interacting with the bot, we want to make an API call for this user using his username to fetch the information of this user like his paid leaves, expense reports etc. (imagine an HR service kind of chatbot). When making the API call we don't have the user password for API authentication. Hence I am trying to understand if there is a standard around this.
Thanks.
Yes, but OAuth would mean two steps:
1. The user would have to generate the token before interacting with the bot - not a good user experience.
2. The user would have to share his token with the bot - which is kind of similar to sharing his password. Again, not ideal.
Some sites also ask for your phone number and send you an SMS with a code to enter, and hence you know who it is.
Sune
On Fri, 1 Nov 2019 at 09:09, Jørn Wildt <j...@elfisk.dk> wrote:
Here is one solution I could see working in our environment - using Single Sign On.

So, first time the user interacts with the chatbot, (s)he is redirected to a local SSO endpoint which would recognize the user automatically based on her/his Windows AD login. From there the SSO endpoint would do the OpenID Connect (OAuth2) dance which in the end would give the chatbot a trusted token containing details about the current user.

All the user experiences is a quick, almost invisible, redirect back and forth, and then the chatbot would have a suitable access/ID token representing the user.

Have fun,
Jørn
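The token-based approach discussed in this thread, sketched from the API's side as an added example (not code from any participant): the HR API accepts a username only when it arrives inside a token signed by the SSO service, and checks issuer, audience, expiry and subject before answering. The HS256 shared secret is a stand-in for the asymmetric signatures an OpenID Connect provider would normally use, and every name and value here (`IDP_KEY`, `ISSUER`, `AUDIENCE`, `LEAVE_DB`, `get_paid_leave`) is an assumption constructed for the demo.

```python
import base64, hashlib, hmac, json

# Constructed demo values (assumptions, not from the thread).
IDP_KEY = b"demo-secret-shared-by-sso-and-api"
ISSUER = "https://sso.example.internal"
AUDIENCE = "hr-api"
LEAVE_DB = {"alice": 12, "bob": 7}

def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(signing_input: str) -> bytes:
    return hmac.new(IDP_KEY, signing_input.encode(), hashlib.sha256).digest()

def issue_token(user: str, now: float, ttl: int = 300, aud: str = AUDIENCE) -> str:
    """Stand-in for the SSO endpoint: sign claims about the logged-in user."""
    header = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"iss": ISSUER, "aud": aud, "sub": user, "exp": int(now) + ttl}
    signing_input = f"{header}.{b64e(json.dumps(claims).encode())}"
    return f"{signing_input}.{b64e(sign(signing_input))}"

def verify_token(token: str, now: float) -> str:
    """API side: return the authenticated username or raise ValueError."""
    header, claims, sig = token.split(".")  # wrong part count -> ValueError
    if not hmac.compare_digest(sign(f"{header}.{claims}"), b64d(sig)):
        raise ValueError("bad signature")
    if json.loads(b64d(header)).get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    body = json.loads(b64d(claims))
    if body.get("iss") != ISSUER or body.get("aud") != AUDIENCE:
        raise ValueError("wrong issuer or audience")
    if body.get("exp", 0) <= now:
        raise ValueError("token expired")
    return body["sub"]

def get_paid_leave(token: str, requested_user: str, now: float) -> dict:
    """Hypothetical HR endpoint: identity comes from the token, not the caller."""
    user = verify_token(token, now)
    if user != requested_user:
        raise PermissionError("token subject does not match requested user")
    return {"user": user, "paid_leave_days": LEAVE_DB[user]}
```

With this check in place the chatbot never handles a password, and a bare username sent by the bot without a valid token is rejected.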