I'm seeing a weird behavior in Alexa developer console whereby a skill with a configured endpoint value:
uses some old cashed value of the endpoint (note the url difference with the above one in configuration: https://87d44b5e.ngrok.io/kai/api/v1/alexa) leading to a SKILL_ENDPOINT_ERROR:
The configured endpoint (https://87d44b5e.ngrok.io/kai/api/v1/alexa) is perfectly accessible outside Alexa.
The endpoint value referred to in the exception stack of the device log is different: https://simeonleyzerzon5.localhost.run/kai/api/v1/alexa. I don't know where it originates, but it's a legacy endpoint that I have been using several days ago. As those values expire several times a day one needs to keep them reconfigured in Alexa dev console. Seems it has been cached by Alexa somewhere internally.
The skill has account linking enabled.
I tried cleaning browser cookies, restarting the browser, running it in incognito mode, re-saving and re-building model in Alexa json editor, re-saving the correct value of the endpoint in there, disabling account linking on the dev console, disabling and re-enabling the skill via https://alexa.amazon.com - nothing seems to help. Same error also persists for me in different browsers.
I shared a skill with a coworker by inviting him via Developer Console's | Setting | User Permissions, and he's able to run the skill without errors and not experiencing that erroneous caching behaviors (his skill uses the newly updated endpoint), whereas for me it continues happening.
It seems that Alexa saves a skill's snapshot at some point per user at which time the endpoint value (perhaps some other values too?) is memorized and then reused, can someone explain when this memorizing is happening and how one can reset that?
Is above a correct assumption and if so, is that memorization done to prevent a risk of concurrency related problems when a skill is distributed to (via linking) and hit by multiple users? Or is it intended for something else?
How does one resolve this erroneous behavior?
What is the relationship between users and skills and why is the state for a skill shared by several users is not in synch? How can I trigger a reset and re-synchronization of the skill's state across all users that consume that skill. What makes it go out of synch?
Related
What is the best way to restrict the scope of a connected app to a set of objects? My current solution is to use the Manage user data via APIs scope but that still grants more access than required.
A solution I see frequently is to create a user with a restricted profile and connect with that user but then you lose context of actions made by users in the connected app so this solution doesn't work
Tricky, you typically don't. (consider posting on https://salesforce.stackexchange.com/, there might be a clever way I didn't think of).
You can flip the connected app from "all users can self authorise" to "admin-approved users are preauthorised" and then allow only certain profiles / permission sets to use the app. But the bulk of it is "just" enabling the connection via API and cutting it to say Chatter only or OpenId identifiers. And that's already an improvement compared to SOAP APIs where you don't have scopes and the app can completely impersonate the user, do everything they can do in UI.
Profiles/permission sets/sharing rules are "the" way even in not immediately obvious situations like Lighting Connect Salesforce to Salesforce or Named Credentials access to another org.
If you can't restrict the visibility with profiles and access to all tables user can see is not acceptable...
you could create series of Apex classes exposing certain queries, updates etc and grant profile access to these classes - but without full api access? You could even let them pass any SOQL (evil) but use with sharing, WITH SECURITY_ENFORCED, stripInaccessible + custom restriction on tables before returning results
you could look into https://developer.salesforce.com/docs/atlas.en-us.238.0.apexref.meta/apexref/apex_class_Auth_ConnectedAppPlugin.htm although I suspect it's run only on connect, not on every request. So at best you could deny access if user has right to see some sensitive data, not great
if there are few objects you need to block updates if done via app - Quiddity might be the way to go. Throw error in a trigger if action started from REST context?
give the Transaction Security trailhead a go. If it looks promising (there's way to check "application" and "queried entities" according to this) - might be a solution. You'll likely have to cough up $ though, last time I checked the cool bits of event monitoring & transaction security were hidden behind an extra paid addon (standalone or bundled with platform encryption and Field Audit Track into Salesforce Shield solution)
2 logins? dedicated user for querying stuff but inserts/updates running as your end user?
I am trying to implement a hardware busy light to show my Microsoft Teams presence so that my family to not enter the room I have the office while I am in a meeting. I am looking to implement something similar to:
https://www.eliostruyf.com/diy-building-busy-light-show-microsoft-teams-presence
https://blog.jongallant.com/2014/12/beakn-v0-1-diy-lync-status-light/ (older acticle - similar idea).
The only problem I have with this setup is that I cannot get the MS Teams status.
The best way to go is by using MS Graph Presence API but my problem is that this is a company account and I don't have (and there is no way I could have) and app in the main subscription granted with the required scope: Presence.Read.
So I tried different ideas but none worked in the end:
check local running processes
check if MS Teams exposes any local API
check if there is a CLI available
This seems a simple idea, I mean, I see the status right there now while I am typing this message, I could as well do an app that gets a screenshot of the taskbar and extract the status from the icon, but is that really the only option I have?
I think I found something interesting for you.
Go to
C:\Users\user\AppData\Roaming\Microsoft\Teams
you'll find a file called logs.txt
In this file you see if your current state changed
(current state: Available -> DoNotDisturb)
I would write a script with php or VB (depends on your skills) that read that logs.txt file like every minute and check for the last "current state" line.
What those posts are doing (certainly the first one, I didn't check the 2nd one) is calling the Microsoft Graph, which has a "presence" endpoint to get a user's status. There's actually even a specific "/me" endpoint, to get your own personal preference (less access rights needed). See more about this here: https://learn.microsoft.com/en-us/graph/api/presence-get?view=graph-rest-1.0&tabs=http
In order for this to work, as you've mentioned, you do need to have an Azure AD App registration. However, importantly, this will only require "delegated" permission (i.e. only permission from the single user, you, to access just data for that single user, you). As a result, you can use "delegated" and not "Application" permissions, which means that it does -not- require Admin consent for the tenant.
It -does- require and Azure Add Application though, at the risk of stating the obvious. While you don't have tenant admin rights, you need to see if you have Azure rights, just to create an application (you might have this anyway as a developer in your org). If you don't even have this, you can sign up for an M365 Developer account, and use that tenant. Importantly - the application does't have to be in the same tenant. If it's not, it's just a simple multi-tenant app, like any 3rd party Azure AD-backed application is.
I wrote an app script which provides a web UI for data entry into a team calendar. I published it using G-Suite super admin account and added it as Trusted App under Security/API Permissions. "Trust domain owned apps" is checked under "Internal App Settings".
When a G-Suite user in our organization tries to access the app, he sees
"The developer of ShiftSchedulingApp, admin#_our_organization_.org, needs your permission to access your data on Google."
Those brave enough to click "Review Permissions" are taken to the next message:
"ShiftSchedulingApp wants to access your Google Account. See, edit, share, and permanently delete all the calendars you can access using Google Calendar"
Of course nobody wants to risk losing all the calendars on their Google Account and this is where it ends.
How do I get rid of this misleading message? It's not Google account, it's their organization account on G-Suite. It's not all their calendars, it's the shared team calendar only. It's adding data, not permanently deleting calendars. It's published by their administrator in their G-Suite, not an unknown 3rd party.
I spent days trying to make this message go away but no luck. App must be executed as an accessing user and not as publishing user because their user ID determines what shifts they can fill on a calendar.
I'd appreciate any hints pointing me the right direction.
I experimented with variations of the two-app approach as suggested.
The app which provides the UI needs to read the calendar to display available shifts - so I can't get away from the user authorization prompt.
Another variation I tried was having one app do everything and run as me, and another do nothing but return Session.getActiveUser(). I tried calling the 2nd one from the 1st one on the client side via XMLHttpRequest. It would be ideal for my needs - but I hit CORS error as apps URL is script.google.com but it actually gets redirected to script.googleusercontent.com. There doesn't seem to be a way to set CORS in Google App Script.
Although I was not able to find a way to avoid prompting users for authorization when executing the app as accessing user, it turns out my reasons for doing that were based on a false premise.
I chose to publish app as accessing user because I thought that's the only way to get accessing user Id - which is true for non-G Suite accounts.
However, when app is published by a G Suite account, the app can get accessing user ids within the same G Suite domain even when it's set to execute as publishing user.
Thanks Niek and TheMaster for your help!
If you just need user ID, why do you ask for all those permissions?
Possible Solutions:
2 web-apps- One running as you and another as user accessing (with only profile) permission. The second one will be the actual web interface and POST necessary information to the first one with privileges. OR
Implement your own web-app Google-sign in1
Use the least permissive2 scope3
the last couple of days I implemented the autodiscovery/auth flow for UCWA against Skype for Business Online and AzureAD. When I'm done and having the URL to the application directory (+ the OAuth2 Credentials) I save those into our internal system. So later on I want to create online meetings with this data. The URL to the applications directory looks like this: https:\/\/webpoolam42e10.infra.lync.com\/ucwa\/oauth\/v1\/applications\/101331226048\/onlineMeetings\/myOnlineMeetings
If I do this within the first minutes of retrieving the data it works just fine. But later on it seems, that the application directory is gone. I'm getting this response:
body":"{\"code\":\"NotFound\",\"
subcode\":\"ApplicationNotFound\",\"message\":\"An error occurred. Please retry. If the problem persists, contact your support team.\"}
Status Code is 404.
Later on I even tend to get 401 errors that mean unauthorized.
I suspect the application server going away and only being temporarily available. I got a refresh token and a valid access token, so this wont be a problem. I've got no clue what is going on there and wasnt able to find help in the docs. So maybe one of you got any advice - I'd be really thankful!
Side-Info:
I'm doing all this in PHP and I only have user-interaction at the initial authentication. I save the refresh token and all other things I need, so that my server-side application can use the authorization in long term.
Reporting here part of my reply to another question:
Keeping a UCWA App always online:
If you need to achieve that, you need to understand and implement correctly the concepts explained here me Dashboard, especially at Reporting activity section:
call reportMyActivity every 4 minutes max.
maintain an active P-GET with the Events Channel
handle possible timeouts on the Events Channel
handle possible DELETE events (on the Events Channel) the server can send for the application, for which you'll have to regenerate your app Application dashboard
reporting app's activity, and keeping a valid open P-GET with Events Channel are both very important!
I'm wondering when login timeouts are being used, specifically when using same session (same browser session). On a number of sites I have completed recently I have added 60 minute timeouts and they seem to be causing problems, such as users are not able to fill out larger forms (like a resume submission--people don't think of copying their resume from another program or saving part way through). On one site, I have implemented a div/popup forcing the user to enter their password to continue in the current session, without having to login again.
But on other sites, such as Facebook, it seems you are never logged out as long as you are using the same browser window, even without "remembering" your password.
The main reason I usually use timeouts is to ensure the data is secure, such that another party can't sit down at the computer a few hours later and use the system as the original user.
I'm wondering how you decide when a site should time out users because of inactivity?
I'm thinking the answer would be language agnostic.
IMO, they're valid when:
security is critical (ie. banking)
the likelihood of seat-swapping is
high (ie. public terminals)
Regardless, there may be instances like your resume system, where you want people on public terminals to be able to carry out an act that may leave them inactive for longer than your desired or necessary timeout.
I suppose you just have to handle that in a smart fashion - either figure out a way they can get the data in quicker (which would be ace, spending an hour filling out a form is not fun - can they just upload a file?), or ensuring they can continue without any data loss after being prompted to log in again.
Even though 60 minutes seems like a long time to fill out a single form (perhaps the forms should be divided into multiple pages?), you can probably use SlidingExpiration to solve the problem where your users get logged out even though the browser session is alive.
I think the timeout for an auth cookie is a Security level decision. If your site is SSL secured, you would probably have minimal timeout values (user session would expire within a matter of minutes). On the other hand, for sites with non-critical security, you could set a medium timeout value.
When I sign on to online banking, for example, it asks me whether or not I am using a "public terminal": and if I say yes then it enforces stricter security, or if no then laxer.