ServiceNow to Circuit Integration - circuit-sdk

Use Case scenario :
In case of Priority 1 incident in ServiceNow, we need to automate the system to start a conference meeting with pre-determined users in Circuit application.
REST API to create conversation is available but not to start conference.
We need to avoid manual intervention and to auto start the conference on creation of Priority 1 incident.
Queries :
1) Kindly advise if there is any way we can achieve this or circuit team will have some development plan to develop API to auto start conference.
2) If we use JS SDK, which have functionality available to create and start conference, so do we need to login every time while starting the conference from ServiceNow.
3) For JS SDK (implicit grant type), how authorization works for end user. How client id generated in circuit will be used for each end user. Can end user user their own circuit credentials to create and start conference.
4) When I use JS SDK to start conference, conference is getting started in my ServiceNow application then I need to pull request is Circuit application. Is there any way we can directly start conference in Circuit application.

There is an undocumented REST API (/remote/call/start) to start a call on the user's webclient or desktop client. Note that this API is undocumented which means there is no guaranteed backwards compatibility, but it will likely remain backwards compatible. The destClientId can be used to start the call on a specific device.
E.g. If the user has the desktop client and web client running you could specify which one. If not provided but the user is logged on to multiple devices, then a prompt will be shown to start the call. Use API /telephony/deviceInfos to get the destClientIds.
await this.axios.post('/remote/call/start',{
mediaType: 'audio', // audio, video or telephony
destClientId: ..., // optional. client id of user's device to start call on
emailAddress: ..., // email of user to call, only for direct call
phoneNumber: ..., // dialabe phone number
convId: ... // conversation ID, used for group calls
});
If the user still has a circuit session (30 days if the user uses Circuit clients with "private computer" checked) and the the access token is still valid according to TTL setting in application registration, then the JS SDK can logon without the user having to enter any credentials, or to accept permissions. logonCheck can be used to automatically login.
re what you question is here. For implicit, the clientId for the application is hardcoded in the application JS code. But since the client_id is restricted to be used on the registered domains, nobody else can use your client_id. The logon is shown the circuit-sdk github page:
const client = new Circuit.Client({
client_id: '<your client_id>',
domain: '<circuit domain> // e.g. circuitsandbox.net
});
const user = await client.logon();
Yes, use API startConference and pass the clientId (aka destClientId) of the client you wish to start the call at. Use getDevices to find the user's clientIds. This is the same as the REST API described in #1 above.

Related

Prevent multiple login of same account (Desktop app)

I have a Desktop Application developed with python and pyqt5.
I want to implement a login system for some reasons.
the scenario will be like this (this section is done so far):
Client has created an account on my website and downloaded my desktop application.
They run the application for the first time => A login window displayed asking users to input their data.
The application made a request to URL: http://ip/api/login with a JSON object {username, plaim_pw} (the API developed with Flask).
The API will process that request and check whether that user's data inside that request exist or not and if that PW is correct or not then it will return a response.
If the user successfully logged in then every run time the app will not ask the user again about his/her data, it will be stored somewhere in their machine.
What I want is:
If user ' A' successfully Logged in with account ' X', And at the same time user 'B' trying to log in with the same account that user ' A' is using => Then I want to tell user 'B': "can't log-in at the time because another user using the same account" or something like that. in short description: only one user can use the same account at the same time.
My questions are:
How to accomplish that mechanism? is it good or bad?
I read about JWT, could it be helpful in my case? If so, Then how should I implemented it?
Here is extra information:
I don't have many APIs, I only have a route for "login" nothing more for now, And I want the login system for some reason.
And in the future, I will be using HTTPS instead of HTTP.
Once the user has logged in write this down on the server. Then the subsequent login attempt can check this. When checking consider an expiration timestamp. This can easily solve the first question. Consider looking at topics such as session management: https://en.wikipedia.org/wiki/Session_(computer_science), https://en.wikipedia.org/wiki/Session_ID.
JWT is not necessary for your scenario yet.

Does / can Alexa replace its generated UserId for a linked user?

We have an application utilizing Alexa skill with account linking for user details.
According to Alexa's account linking documentation:
Our skill is set up for Account Linking which in turn refers to a 3rd party (or it could be internal) Identity Management System (IMS) for user authentication. Our application (as well as our organization) does NOT internally maintain the app's user identities.
Let's say the user enabled our skill on her device, at which point (according to the above docs) she was issued an Alexa generated userId, something like:
"userId": "amzn1.ask.account.AFMWOL5WIGQZLYYEMM2IJL2BJ26ICPQHBPR2DSLRX46CHW36R6CPVH7RZTUZMBCHHJLQQNU3YO2BWZWNIRTM3PCAGTNZKILK33PM2XVI36H4RSINFH2A26OLURAIB2RVPV6GMK56BR5BLBIFNJKT64EANASM7IDTQJBQLGDIEUZHUIM6VSHTTOUPVPITIPOIOPESUK53TSALU5I"
Consequently, upon further interaction with the skill, she wanted to access some more personalized information which triggered account linking so her identity was confirmed and re-established via provided account linking details (OAuth 2 Authorization Code Profile), which, while doing so, as mentioned before contacted the 3rd party Identity Management System (not LWA) to verify the user identity:
the user is presented with a login screen,
she enters her credentials, say: "alice"/"password123"
she answers the relevant questions to permit certain actions that our app can do on her behalf and
is allowed to further interact with the system on a more personalized basis
Let's say that inside our app, we want to be able to identify the user by her real userId: alice and NOT the one auto-assigned by Amazon, as described above.
Does Alexa allow for this?
Upon successful account linking, does Alexa overwrite in its JSON request (or can it somehow pass it through, along with now embedded accessToken field) the userId it receives from the 3rd party Identity Provider) so that that "real" userId (is it called subjectId in OAuth parlance?)can then be used to identify the user actions during her further interactions with the app?
If yes, how can we obtain the user details from JSON via Alexa Java API?
If no, what would be possible ways to facilitate such ability?
Can the real userId be obtained from the accessToken that Alexa puts in its request after authenticating a user? If so, how?
I'm not sure if it's related to this, seems to be a similar request, has it been put on Alexa's roadmap or became a feature already?
This seems to be a detailed version of How to obtain userId specified by Alexa user during account linking
Generally speaking, after the user complete the OAuth authentication, the application (i.e. Alexa in this case) would receive a access_token and refresh_token. If you want any additional data, e.g. username alice, email, phone, address...etc., you would need to check with your OAuth provider and see if they have an API to retrieve those based on the access_token with the appropriate scope.

When connecting to an API do I need an access token per each user using my application?

I'm connected to an API that provides information about cars based on their registration. According to the docs the api can provide both user specific data and general data about the registration supplied.
I am using the connection method which does require specific users data, and therefore does not require me to gain access to any specific users account.
On my end users will visit my application and enter a registration number which I will use to call the API and return all of the information about the car.
Am I right in my thinking that my application is essentially the 'user' as far as the api is concerned, and I will only need to use one access token. I can then use this access token to make multiple API calls (one for each user that searches on my application)?
Or will i need to set up an access token for each user that visits my application and treat them separately.
Only your application making the API requests requires a token, unless the licence agreement/documentation of this car API says otherwise.
As far as your users are concerned, your application is just magically sourcing the registration info from its database.

Is Firebase's built-in authentication able to be used on a 3rd party server?

I'm looking to create a game server backend for a game I'm creating. We're currently using Firebase for handling of data and ads, and Firebase has built in authentication. Is it possible to have a user log into our app via Firebase's auth system, then confirm the user's authentication when they connect to the game server to ensure it's who they say they are?
Basically, after someone logs into our firebase, can we use that authentication information for a separate server, and what protocol/method would need to be used (if there's a specific one)
I've figured out the two steps you need to get the information required to auth, one clientside and one serverside. Note: the following examples are for the Java apis, but you can use any of firebase's equivalents.
Clientside: In the Firebase-Auth package, there's the FirebaseUser object. This contains information about their auth state, unique details, etc. There is a method here called getToken(), which will grab your token for the current authentication. Once you have this, you want to send it to the server when you need to auth.
Serverside: On the server, there's a FirebaseAuth object. Once you get the token from the client, you can use verifyIdToken(), which will confirm this is a valid token and give you the details about the user when you get the result. I suggest cross-checking the UUID against one a client sends, to just confirm someone didn't get their hands on a token and send a random ID.
Hope this helps.

Parse login with phone number (no password)

Using Parse.com, I want my users to login only with their phone number, just like WhatsApp.
Enter your phone number, get a verification code by SMS, enter the code - you are logged in and stay logged-in!
I can see how I can use Twilio to send a verification code.
My problem is how to tie it in with the Parse authentication framework.
When to use signUp vs login?
What is the password?
What to do the second time the app is launched?
What to do when the application is re-installed?
I don't think you should use the predefined Signup and login classes provided by parse as they do not allow you to create a user without a password,
Nor should you use the Anonymous Users as the data will be lost once the user sign out/uninstall.
For Signup, Use another object to store the numbers , Implement a onSave hook in cloud code to ensure that all the username"phone nos" are unique during Signing in.
For each device, perform an OPT(one time password) to the phone of the user by using the installation class's id
Perform a query and load the data connected to the number during Login
To keep the user logged in , use the local data store , pin a Boolean variable that indicates the status of a user, either logged in or out.
In the parse DB , You can use the phone num as the link to the other data of the user.
In this way, no password , only OTP
You will need to store something on the user settings/profile to pin that user, I do not recommend using a boolean but rather something that ties that device with the user so that if someone decides to copy that file and paste it into a rooted phone you will be able to determine if the app install corresponds to that user.
I would recommend using the a unique token to create a password for a user in Parse.com - you can use the token that RingCaptcha generates for this, ensuring it will never collide with other users and that every phone number will only be able to verify one time for each device. RC is a new service that helps you onboard verified users into your apps in seconds via SMS. Integration is a breeze with all the available plugins for web, APIs, and SDKs of all flavours.
[Disclaimer: I'm part of the team behind RingCaptcha]